General Info

File name

shipping.label.jar

Full analysis
https://app.any.run/tasks/a06e0f48-d1ac-4322-9563-d102cb1770ef
Verdict
Malicious activity
Analysis date
7/11/2019, 16:29:09
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

adwind

trojan

Indicators:

MIME:
application/java-archive
File info:
Java archive data (JAR)
MD5

2aff4a2f9c042587f817463ad1fe9101

SHA1

467a4e9b74be140f830f4d05b3e8c545acccdc09

SHA256

45689ec828b35b9ae006aca9287b109ab3f0539f149f8a1d1760ddb5ec467bb2

SSDEEP

12288:77pK2tOKclh5ZhA74yZ3hc+YSF1keYYP9VogFsOZo/TRpo:Xw2MVDE4yZRcw7Md/9C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

ADWIND was detected
  • javaw.exe (PID: 3296)
AdWind was detected
  • java.exe (PID: 3216)
  • java.exe (PID: 3716)
Loads dropped or rewritten executable
  • java.exe (PID: 3216)
  • javaw.exe (PID: 3296)
  • javaw.exe (PID: 3336)
  • explorer.exe (PID: 124)
  • java.exe (PID: 3716)
Application was dropped or rewritten from another process
  • java.exe (PID: 3216)
  • javaw.exe (PID: 3296)
  • javaw.exe (PID: 3336)
  • java.exe (PID: 3716)
Changes the autorun value in the registry
  • reg.exe (PID: 3176)
Executes scripts
  • cmd.exe (PID: 2828)
  • cmd.exe (PID: 2132)
  • cmd.exe (PID: 3384)
  • cmd.exe (PID: 3064)
  • cmd.exe (PID: 3800)
  • cmd.exe (PID: 3808)
  • cmd.exe (PID: 4084)
  • cmd.exe (PID: 3964)
Uses WMIC.EXE to obtain a system information
  • javaw.exe (PID: 3296)
Executable content was dropped or overwritten
  • javaw.exe (PID: 3296)
  • xcopy.exe (PID: 3672)
Starts CMD.EXE for commands execution
  • javaw.exe (PID: 3296)
  • java.exe (PID: 3216)
  • javaw.exe (PID: 3336)
  • java.exe (PID: 3716)
Uses REG.EXE to modify Windows registry
  • javaw.exe (PID: 3336)
Starts itself from another location
  • javaw.exe (PID: 3336)
Uses ATTRIB.EXE to modify file attributes
  • javaw.exe (PID: 3336)
Executes JAVA applets
  • explorer.exe (PID: 124)
  • javaw.exe (PID: 3336)
Creates files in the user directory
  • javaw.exe (PID: 3336)
  • xcopy.exe (PID: 3672)

No info indicators.

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.zip | ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0808
ZipCompression:
Deflated
ZipModifyDate:
2019:06:20 13:31:19
ZipCRC:
0x8423b824
ZipCompressedSize:
55
ZipUncompressedSize:
53
ZipFileName:
META-INF/MANIFEST.MF

Processes

Total processes
74
Monitored processes
27
Malicious processes
6
Suspicious processes
0

Behavior graph

Process nodes in the graph, in the order shown (start node first; "no specs" means no special indicators were attached to that node):

  • javaw.exe #ADWIND
  • java.exe no specs
  • cmd.exe no specs
  • cmd.exe no specs
  • cscript.exe no specs
  • cscript.exe no specs
  • cmd.exe no specs
  • cmd.exe no specs
  • cscript.exe no specs
  • cscript.exe no specs
  • xcopy.exe no specs
  • xcopy.exe
  • explorer.exe no specs
  • reg.exe
  • attrib.exe no specs
  • attrib.exe no specs
  • javaw.exe #ADWIND
  • java.exe #ADWIND
  • cmd.exe no specs
  • cmd.exe no specs
  • cscript.exe no specs
  • cscript.exe no specs
  • cmd.exe no specs
  • cscript.exe no specs
  • cmd.exe no specs
  • cscript.exe no specs
  • wmic.exe no specs
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
124
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\msutb.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
3336
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\shipping.label.jar.zip"
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\program files\java\jre1.8.0_92\bin\sunec.dll
c:\program files\java\jre1.8.0_92\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\java\jre1.8.0_92\bin\nio.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\program files\java\jre1.8.0_92\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xcopy.exe
c:\program files\java\jre1.8.0_92\bin\management.dll
c:\users\admin\appdata\roaming\oracle\bin\javaw.exe
c:\users\admin\appdata\roaming\oracle\bin\java.dll

PID
3716
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.96298185949923173440951606721397874.class
Path
C:\Program Files\Java\jre1.8.0_92\bin\java.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\program files\java\jre1.8.0_92\bin\sunec.dll
c:\program files\java\jre1.8.0_92\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\java\jre1.8.0_92\bin\nio.dll
c:\program files\java\jre1.8.0_92\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xcopy.exe

PID
3964
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cscript.exe

PID
4084
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cscript.exe

PID
3120
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3096
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3800
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3808
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5085569119826637817.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3060
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3240
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5085569119826637817.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3664
CMD
xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e
Path
C:\Windows\system32\xcopy.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3672
CMD
xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e
Path
C:\Windows\system32\xcopy.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3176
CMD
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v yVlLVVfiXgC /t REG_EXPAND_SZ /d "\"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\admin\ptFqBlthrXL\UxTGFXKCbws.igqvqh\"" /f
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3308
CMD
attrib +h "C:\Users\admin\ptFqBlthrXL\*.*"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2992
CMD
attrib +h "C:\Users\admin\ptFqBlthrXL"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3296
CMD
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\admin\ptFqBlthrXL\UxTGFXKCbws.igqvqh
Path
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\users\admin\appdata\roaming\oracle\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\oracle\bin\msvcr100.dll
c:\users\admin\appdata\roaming\oracle\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\oracle\bin\verify.dll
c:\users\admin\appdata\roaming\oracle\bin\java.dll
c:\users\admin\appdata\roaming\oracle\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\users\admin\appdata\roaming\oracle\bin\sunec.dll
c:\users\admin\appdata\roaming\oracle\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\oracle\bin\nio.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\oracle\bin\java.exe
c:\users\admin\appdata\roaming\oracle\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\users\admin\appdata\roaming\oracle\bin\management.dll
c:\users\admin\appdata\roaming\oracle\bin\sunmscapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\users\admin\appdata\local\temp\windows8964126127184886149.dll
c:\windows\system32\vga.dll

PID
3216
CMD
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\admin\AppData\Local\Temp\_0.56383113900530351395098873756343851.class
Path
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\users\admin\appdata\roaming\oracle\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\oracle\bin\msvcr100.dll
c:\users\admin\appdata\roaming\oracle\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\oracle\bin\verify.dll
c:\users\admin\appdata\roaming\oracle\bin\java.dll
c:\users\admin\appdata\roaming\oracle\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\users\admin\appdata\roaming\oracle\bin\sunec.dll
c:\users\admin\appdata\roaming\oracle\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\oracle\bin\nio.dll
c:\users\admin\appdata\roaming\oracle\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\users\admin\appdata\roaming\oracle\bin\management.dll
c:\users\admin\appdata\roaming\oracle\bin\sunmscapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2828
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1327936395049384574.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3064
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8508147568987943697.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3196
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1327936395049384574.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
4056
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8508147568987943697.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2132
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6885136849284561119.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3100
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6885136849284561119.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3384
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1424996635052850815.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
2304
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1424996635052850815.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3244
CMD
WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
Path
C:\Windows\System32\Wbem\WMIC.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\xml\wmi2xml.dll

Registry activity

Total events
290
Read events
288
Write events
2
Delete events
0

Modification events

PID   Process    Operation  Key                                                                  Name         Value
3176  reg.exe    write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run      yVlLVVfiXgC  "C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\ptFqBlthrXL\UxTGFXKCbws.igqvqh"
3296  javaw.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication  Name         javaw.exe

Files activity

Executable files
110
Suspicious files
11
Text files
75
Unknown types
15

Dropped files

PID
Process
Filename
Type
3296
javaw.exe
C:\Users\admin\AppData\Local\Temp\Windows8964126127184886149.dll
executable
MD5: 0b7b52302c8c5df59d960dd97e3abdaf
SHA256: a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
executable
MD5: deee2457bde2311f3c24d1b2257364f0
SHA256: ed68df1e549a092674259b1f806a31839ca426572020a7dbe0c46e492b272ec9
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\policytool.exe
executable
MD5: 35f95392b3283b90d1f581d4766ed48f
SHA256: d81308da68136fd421eb56fa2b586ec6801ccf0827d85f495227e6d6c40fc69e
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\j2pkcs11.dll
executable
MD5: bfbf13215d29658ff8c8122efa95e16d
SHA256: 91b6e445f5b4510c9d66641b1eed925f54dc2e84f3ddb0ff16ed5b0ac4bdc977
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\resource.dll
executable
MD5: 2999d73f5764b3ac8c43e756391b09ea
SHA256: 15b4fdfe5ddb1820ddc468ac5d0e65045ca6aaea21d3a5a66ecaa8fc1ce48835
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_sw.dll
executable
MD5: b257ff6fb051a023a1482049c7cfe242
SHA256: 3f976b7efc9fe59abfe0bcde0d3b5af1cf133c64ad1508cb4a00cf2c104f5e81
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\servertool.exe
executable
MD5: 7ec73dab19a45049c9d003383086b631
SHA256: bbe145615886dbb3f4ada7617d1a15fe2aee6cea5dbe34e9c216d1bde1121891
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java.dll
executable
MD5: 0649a7b16b9f472bb9db8a6d2041cf6c
SHA256: 30a048a35865ca5bcea35ebecf7f01f08e8d20b0c4a3e9e0132540815eda1d89
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\rmid.exe
executable
MD5: 4cf042cf43f9a5c0be43a263d987c0f3
SHA256: 6513c40184d496e86e34e327c960b06d20900c3092084a708d890f5376c43cf5
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe
executable
MD5: 04205791371060574d5c345f0bb57917
SHA256: df24b51772ff4959e9bbfe481f72f0e88ba6e7c031d60edb3b1a47c69f69a6d0
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\rmiregistry.exe
executable
MD5: bf40067f5dafd9c46ec2f13b176433ce
SHA256: ba2d5038501cf3f3a31616a122f6cd2554d13219e717ef89c6aa1a07eb1cc145
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font.dll
executable
MD5: a65e9dbf93159c723f22cbd85f544269
SHA256: eada27806ccbf4d015f35f369b6880ef3dcc2eaa3b1ca89546fbdba8b05d9b5c
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jaas_nt.dll
executable
MD5: cb36d7042e9135bb5721484f7d6a5340
SHA256: e700d076614943e138b69f4a1f177914225ca35b93fed8b43bc4a86cfd87c59c
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_d3d.dll
executable
MD5: fb3c4f45e3f7d365c282062ddda1614d
SHA256: f9108ac2555dbc5a6b43cc9504394089be60eae4127397dc651e06b3e7585b00
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ssvagent.exe
executable
MD5: aa5a9a9dac9f07c7d5b64a3cd2628bcd
SHA256: 4ada2d738b490cc63f3c18f151239dfde615af8a4eaf44b8021642ff9a25b8f2
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.cpl
executable
MD5: cd05e44e94beac05b27a6aa25e51a4c6
SHA256: e3259bb7ef907c0bb74e192e40e57fdf96c903bbc580975348dfef42839669ff
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\hprof.dll
executable
MD5: 9449e99b7e7c8a9ed74ac6b8e1ab0eb9
SHA256: cc82beaa275f4ed4c33b694154bebc5fd097ada50072201d250aed3f269a41b6
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_common.dll
executable
MD5: 1651ec53b5204c983348de8cacc4e1f9
SHA256: 5264316be4820cbc940e0c277698e6f95ec99a52023e5ef85c3fbe624b45cdaf
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\sunmscapi.dll
executable
MD5: 7a1fb056a2c916b17f29abac29439a05
SHA256: 9c235bbfa97e6a8fc7e09a4ac12f84c8ed8855998410e96dd44e1b64ef951a80
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_iio.dll
executable
MD5: 04b0bc87fdc454dcea0cff46fa01668c
SHA256: e880cd6207c687437dd2ca60008ea375bd99b1c07075674cad1052f41b631a97
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\instrument.dll
executable
MD5: 977b4d30e7c7e7d7a8680a48100efc81
SHA256: 1a1d2c51b3db4507e4a4ad3e5afb6728e69acf9905d3df7c9dc5adbe83f7e96e
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr120.dll
executable
MD5: 034ccadc1c073e4216e9466b720f9849
SHA256: 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\sunec.dll
executable
MD5: 7014836a75a5f90d18fe5e314cfaaedf
SHA256: 23b40cf8e64e1a262ef9ff5b9e01246c082eeaa6039b4b05f92e1bd536bd7166
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.exe
executable
MD5: be337576c806c65d53cb6a7673cde00b
SHA256: e7521e54f241e99bb5f7f2de1cd2fc49f3980dc43eb6c5b8fa251178f03616ef
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java-rmi.exe
executable
MD5: 556ad8153ad374007ec9d3f489b66e88
SHA256: 2ba8cd9a3757ecf0b8b7de612d7f827de73f7e9da114b1979fe9d429a46f8109
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\nio.dll
executable
MD5: ea6a4745bb7c9085f069fd7b52696972
SHA256: fb537564d240ac9b730941b5c0966209a5857e4d3ec0582ba0443fe391c74294
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\t2k.dll
executable
MD5: 0e2edd951a1d16c99051efa9bc5b407f
SHA256: d66f567fc2a33434063731832719cad75418c619dd30dcf6c339d2d3da32c7bb
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
executable
MD5: 85f9443836bdc0e4814d080d0de00a26
SHA256: 33fe38e43821c7e7d3b46317fab571926174492affd576f6ecd06bffe7a7c1b7
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
executable
MD5: 28d020770921def13b9a8755feadf8e9
SHA256: 379a14d561afeb364f8902c0b5193da229882c6273f2793339e1ad682af516f4
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\orbd.exe
executable
MD5: 9d1e898f5892eb35346e1c38c38395e5
SHA256: 0f8cae56647464d75d2530cc9f7205c69911fced55e43a39d86ff4d435a018ed
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\splashscreen.dll
executable
MD5: 20e2531c9f14c7c5846191e131645cfc
SHA256: a6ea1b705acdda1bb3cd1c3cdcbfe7c86c81654537db8b48f65a781578ffbd77
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java_crw_demo.dll
executable
MD5: dbad383a6f62bdd6237b55be13648064
SHA256: b34e72996d2c1a9b74a932c6259256b9001b73b3e7ef8c484afb61ff2517fba3
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\j2pcsc.dll
executable
MD5: 54ede8c09212070f6a6ac4a99c91d9a9
SHA256: 7a9f32ecba3dcaeb653293780812969e2534da7b8e652a24e56271cd088c7a36
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\net.dll
executable
MD5: a91c9d88f705eac6934ce89e6c4ff63d
SHA256: 6d9bd64084180b7f1b7aa4902372879dc0400905856ac0c229ad33218f3257f1
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ssv.dll
executable
MD5: d8bea123df9f452122d25d45904e7fa8
SHA256: 5eb2d05ffc733e7ec63cb271201f87c7724793e5b92b875551ced1cebb505f3f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jdwp.dll
executable
MD5: 76cbdc3dbba3ae344a9a15839338af79
SHA256: f9a0e87300c8d094bb45834dd128e70a49d6d5d2cef20133411a769c01195c04
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\glass.dll
executable
MD5: be9d67dffcc06d2073831f5d8cde2dc0
SHA256: a92df0e1f93e29fae427da766d9b91bda4b421e6ab86aeb9cdd060b218028d35
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\pack200.exe
executable
MD5: 6cb276cacfc4181e4b648206790d25af
SHA256: 3047b67b36aee78b669fdedfe423e750b125837d92abcdc06983c34c65db71fc
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
executable
MD5: e0ab625ec3351a8ad7af34850e8c803c
SHA256: 161f737f9c90e67f0fb80e7cd9d6823f83bdd1d971108faa99c6088c278a4f2a
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jawt.dll
executable
MD5: 725967c67304ef1a35a3651e1b6b80c2
SHA256: b11633c87ac49873d1e8ef5bcf9335dbe0579f483b5c745c0034f79b3fd0ae8c
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\glib-lite.dll
executable
MD5: 7ab8afd789e45c2d08cbc3233daec0bf
SHA256: 465541ef4e9337108b375984c23f5d31e6c060fed16820bb9bc5af79a2109eac
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\npt.dll
executable
MD5: 6e2865dec3270bde9f6fecc6b34b58cb
SHA256: 9145cb3b7fe40237e5c980404ade4c862d48e2d644aeba0006ec3a6f3e9505b5
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\tnameserv.exe
executable
MD5: 132c392d95a5a46a1508583a283d3cc7
SHA256: 9f37d44545726fb5aeb03285d3866266322b833cd1a1fde340497c7d9358f775
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
executable
MD5: 9e242d7c5bf0756dd450139feaf8d67e
SHA256: 8019cd10ef1a1ddae179364934d1a0304cfcfc67be2dd7bca4ee8def93a89ef4
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\fontmanager.dll
executable
MD5: 412b97d96ea9384c78851938921ee44a
SHA256: 20bef5bcd523cff21bad585af91d1c913d5535a6b20ac70f5f3d8dafb2f90f25
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr100.dll
executable
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\verify.dll
executable
MD5: d8d5c97ebfa71c08fcb7e1a9edc63115
SHA256: 266d7992f7518b7cda33ba5251b0636b00ee13e6b17021311dcc1ba4dd2fc705
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javaws.exe
executable
MD5: 64c6a42537267f07fc6d63686e68330f
SHA256: 3514c54f5d552b2cb64b9e2f8d8c5f65807e1d49fe82689a16f6a3e7521fb437
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\fxplugins.dll
executable
MD5: 06fdbc35b3b4a9a36a8688030d387f56
SHA256: 1c78673777d1d48bf9e1e247bc64231817dccec4b08cc5e8c7a7fc5ae1f32501
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcp120.dll
executable
MD5: fd5cabbe52272bd76007b68186ebaf00
SHA256: 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\unpack.dll
executable
MD5: acb818dfec1b72a8c75ee82ff4d8108f
SHA256: 2864b031237c6a68eedab256732e43558b5741ae4f68a07a068438469ad907d9
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe
executable
MD5: 8cc8fe84f3d67f805d7e4f05ccff8ee8
SHA256: 11054aa4170990ad1d345a2caf15285f3157e4bf240015cc20431b7373a52fc2
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\awt.dll
executable
MD5: 775d4b37e0ddbfa0eb56db38126fb444
SHA256: e5d4fc7d47a38a389884af1ea5f06f7c61c5cde6afc154a23a3cb5a127da1e34
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\lcms.dll
executable
MD5: 18d1893297df724dc8950691a6f0dc39
SHA256: e179ace7a6d6cffeb7540d67ef56d86a96cd16c421154b0a8b499722a4e957d9
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\zip.dll
executable
MD5: 7a1f4ed63a22d079f9739c1cf5c9b253
SHA256: 9a7251883229ccc36859b02894b541a369c2426a9b5cbdc7e8a10db36f13451e
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jfxmedia.dll
executable
MD5: 724fc3a925b2f3a30f1df2926f85f5d1
SHA256: e62ec519aff414c1a81aeeb4cbf6de348b3b52ae527f14cedd42449e61fb1548
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dll
executable
MD5: 720edc1469525dfcd3ae211e653d0241
SHA256: bff79fb05667992cc2bda9bae6e5a301baf553042f952203641ccd7e1fc4552d
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\mlib_image.dll
executable
MD5: 99e9b09d5863b32047c8727e6303d151
SHA256: bb13a4ea915965aca971da50d9b90cbc0a32c99900eb585c6e9e12232b448fef
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
executable
MD5: 788289c1ede7337f6555cefeb9b69868
SHA256: 699e5ff6df1060df61a32e99c8fc52837f40f774bfa88136af10036f4dd4a578
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jfr.dll
executable
MD5: 2204f11a218cb8675e2c20d5f601f3df
SHA256: 28da2d3e61a12408b8d9f86398f9c78f551e48404bd2c7bdccd8cbd74ed5e5a3
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\eula.dll
executable
MD5: 6f1188df337e62427791c77ea36e6eef
SHA256: dec4f2f32edc45f70e7119c9e52c4cef44bb9aa627dbec1ee70f61d37468556b
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\management.dll
executable
MD5: ee87a0c0cb4291612dd37cbcee6ddf72
SHA256: 035121aee1e7f257c582837e1a0bd2e240bc1d1a791354a803e5fa165be22d87
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\wsdetect.dll
executable
MD5: 9d4fc6d63df062b08882274b977edbb9
SHA256: a78345586e443e0adc6554951946ad874f61ba2ff724fa8121df546a4b21df4a
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jjs.exe
executable
MD5: 0bece1b836681a18ff7477adae7cd970
SHA256: c4916ed2eefc2ae2394625691f5550142eda6cb33e5e713d1e203b76b2141509
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dll
executable
MD5: 94434b8739cb5cd184c63cec209f06e2
SHA256: adf4e9ce0866ff16a16f626cfc62355fb81212b1e7c95dd908e3644f88b77e91
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\keytool.exe
executable
MD5: 4951bf5b5b159d2bc43c9b29a979c154
SHA256: 8c40c13f83ea7c95b441548a455b57edac019b1cbfd6c6a068ddad33a6476ff1
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\unpack200.exe
executable
MD5: 79c7da7fa237cbad387e8592524907dc
SHA256: a6316854fe790d22e6264ee3abc3be49686e6e36299c9718be9a20bb3e9fb185
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2native.dll
executable
MD5: f39560555d06cbc2c88f94e9c96f21ee
SHA256: f5faf9f49ca7f199f572e4227896ae839596cc9f6039875f3fa3a0eaddc40084
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\bci.dll
executable
MD5: 6d8d8a26450ee4ba0be405629ea0a511
SHA256: 7945365a3cd40d043dae47849e6645675166920958300e64dea76a865bc479af
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\klist.exe
executable
MD5: c8c94465a25d872da60b718d43af0504
SHA256: 298d8e2730a3dbe942ebe0379f7303bb2872fd7f05746851e47ed7588f541477
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\client\jvm.dll
executable
MD5: 926824b862bbfe15455842d9d4900783
SHA256: 156afc715e865695ddf69d4a7db5fea2023b39748febfd86add15e9498c26639
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jli.dll
executable
MD5: 22ab805e1f217ea0033f82437d2fc5db
SHA256: 45c6aa5006ebaf8ab63f26134f2753bf4f20497942de58bc734e437e2d0f32f6
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dt_shmem.dll
executable
MD5: 0744e6a5145aa945d89a16eac835fab2
SHA256: c417390f681276ec0d55d81a91b87eae75ca245045f5c23e9b43550b708fb1a6
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ktab.exe
executable
MD5: 60ef921f2d321b36468fafb6acda65b3
SHA256: e89fe9520bcedbba20b5773598fb15e90dc828be7691adaa9d887ca585046aad
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
executable
MD5: 552aac2111a39f27bad9293d3be57345
SHA256: d1deaa4b7feebfeed58eda969c9fb9bc5791ad7e67f47c596280375cbda3f46f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\kinit.exe
executable
MD5: 4afcab972e98ecbf855f915b2739f508
SHA256: 7cc34a5423bd3fc9fa63d20ebece4103e22e4360df5b9caa2b461069dac77f4d
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dcpr.dll
executable
MD5: 682cfd9431e5675900b04febe6cd4eb9
SHA256: 80111e1d706741f5ef7f661835c3aa46664666425aa1b5f93103410f2bee1213
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2ssv.dll
executable
MD5: d1d62dcb7536ae4c338a3364f5f6f3bd
SHA256: e5328bcaec7fdba85097c04d5f4f35f648753b3378fb1d9ee6ce6965b9562e90
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
executable
MD5: cbaba29ce7925baa5b0c45dc78c1a275
SHA256: adaaa9037be30c708865a6627df9c0e43acf93d100469e5fdf83f632d2fe1829
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\kcms.dll
executable
MD5: bdd2789a8fe04e4312ee317ceb4a4d88
SHA256: 0ecd837ae93404f0aacfa6efc20f3c3ce6d1ae683e60a1c8873f07bfc8f93dc4
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dt_socket.dll
executable
MD5: 138f156057245747692a68ebe50d52c2
SHA256: f0fd0268d6e410c05e7ee71ad9c96744cd5e4a97329f608041d7078faee24ed0
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jpeg.dll
executable
MD5: ec93a126e1db9503fc1ff9b49856fa3c
SHA256: 8cf3344453c02bf21ff8c79a6189f25617ca38cee2632766d0aa4ee07277bc25
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
executable
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2iexp.dll
executable
MD5: 9e95023ed505c988ba4e94741383d428
SHA256: 5cd202cd92f33cbad11898331dec0791bf0bccf8ddf22849942debde007c3317
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsoundds.dll
executable
MD5: c96099a6d84497e6cb58e97c9d5b76c3
SHA256: b534c43f203c5502e43a5d0fdbfbd9422de342aade635009fab791eb82f3c020
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsdt.dll
executable
MD5: dbb92d51eb213d56c5d01052834e9183
SHA256: fe5d22121d6a683bb87b362da85cabf8aead1c171d347d0a16da64c74dd8a3bc
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
executable
MD5: d73a1252502a5f6218c916219b52139d
SHA256: 62248d7ab742e200996bf87433b4e8478e4d8bcfbc0a2ee7cbe3a5a62f6268c3
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsound.dll
executable
MD5: cfe7513e5805ec5664ead9f86bfe91f2
SHA256: 5303366d9447a7610bd971339f27333767d399fca0a3f01154b082d47bd0a46e
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2launcher.exe
executable
MD5: f35d9cba3fe90871eb523aad831f11b0
SHA256: d8e40564694d5a2fdd85ab5345d8589e637e387d59160a74737832670da01597
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jabswitch.exe
executable
MD5: 117b4d5106cc919c29404a5904ab941b
SHA256: a764db727ed6ec056ffe163dbb83db0ad0bd15b83181288c3afcd17a35e7d587
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\meta-index
text
MD5: 77abe2551c7a5931b70f78962ac5a3c7
SHA256: c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management-agent.jar
java
MD5: b18518464264cebdd8799cbed35f3f7f
SHA256: 4d8c0e43762328ba0868d40e08dcc05f0f23a8caf51306fd636e6ea16b672d1c
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfr.jar
java
MD5: b2f30d9605b3cc49a278203061fc98ba
SHA256: da445853b3f321af974a7b386bb21590fa7b9cd3c58509d53d226df20f2961a2
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\javaws.jar
java
MD5: eb63ff55969f491a731a7e4f3a6ff846
SHA256: 32b13e1c8e4544101edbca9b4e1f2ecaa938d64fbf754cd8d883fd61160ddca4
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jce.jar
compressed
MD5: a39f61d6ed2585519d7af1e2ea029f59
SHA256: 60724d9e372fbe42759349a06d3426380ca2b9162fa01eb2c3587a58a34ad7e0
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\hijrah-config-umalqura.properties
text
MD5: 1eddfb1ee252055556f40cdc79632e98
SHA256: 69becfe0d45b62bbdbcf6fe111a8a3a041fb749b6cf38e8a2f670607e17c9ee2
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fontconfig.properties.src
text
MD5: 1c2ffea868138a14fcf8ffcc375a0ab1
SHA256: 2f3067fb80574523307836e50990f575aa50aca3bc4fed9bcbdea291d36012a2
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fontconfig.bfc
image
MD5: e0e5428560288e685dbffc0d2776d4a6
SHA256: aae23acc42f217a63d675f930d077939765b97e9c528b5659842515ca975111f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\javafx.properties
text
MD5: 107d23e6c7343c1f86cecf91bf42d552
SHA256: 31fc73f6ec0ecba0ad42cee311c44575b9f51f87974f7c00bf5bc90a8ae0970f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy.jar
java
MD5: a278937078cdff06328ccf717bd1edf8
SHA256: 89a5321ec48030682c800c0eab5ae6c627aba1c44b3c4e7e00a792248904e672
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\flavormap.properties
text
MD5: d8b47b11e300ef3e8be3e6e50ac6910b
SHA256: c2748e07b59398cc40cacccd47fc98a70c562f84067e9272383b45a8df72a692
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\calendars.properties
text
MD5: 40a6f317d17705b4d0241f4ebb45962d
SHA256: d93fb6d3451d1b82256b0e31aae7850152fa5df76f116a9d669aa4ace6bb68b4
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\charsets.jar
java
MD5: 12bd6dc91e67e16b0f259556bee7f1cc
SHA256: 87101f1d338940ded404e718791c0c930c3a382db3213076301a9f8c5cb04f45
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\classlist
text
MD5: 7fc71a62d85ccf12996680a4080aa44e
SHA256: 01fe24232d0dbefe339f88c44a3fd3d99ff0e17ae03926ccf90b835332f5f89c
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\content-types.properties
text
MD5: f507712b379fdc5a8d539811faf51d02
SHA256: 46f47b3883c7244a819ae1161113fe9d2375f881b75c9b3012d7a6b3497e030a
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\currency.data
binary
MD5: f6258230b51220609a60aa6ba70d68f3
SHA256: 22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\logging.properties
text
MD5: 809c50033f825eff7fc70419aaf30317
SHA256: ce1688fe641099954572ea856953035b5188e2ca228705001368250337b9b232
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jvm.hprof.txt
text
MD5: c677ff69e70dc36a67c72a3d7ef84d28
SHA256: b055bf25b07e5ac70e99b897fb8152f288769065b5b84387362bb9cc2e6c9d38
3336
javaw.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
text
MD5: bf1e692d31ffd3e38bb514d34db2dbbd
SHA256: d8bcdb67a873ae701c40b6f71ae8fa93fea100f7c90a1251e34f5ec2a56b5f45
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\net.properties
text
MD5: 19a5c7f5186854362281a152e756ce2f
SHA256: 5d62f39e6eb46c7a731b6997a14acfeb63f5c95dfcef8de3d4d94b5d571372c6
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\accessibility.properties
text
MD5: 2ed483df31645d3d00c625c00c1e5a14
SHA256: 68ef2f3c6d7636e39c6626ed1bd700e3a6b796c25a9e5feca4533abfacd61cdf
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\plugin.jar
java
MD5: 4581a26b5603678df43c805ec9d01469
SHA256: 21ace981c82cf36b8101c445a42a7641d6309601ffd158901d7e685d97687964
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\client\Xusage.txt
text
MD5: b3174769a9e9e654812315468ae9c5fa
SHA256: 37cf4e6cdc4357cebb0ec8108d5cb0ad42611f675b926c819ae03b74ce990a08
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\client\classes.jsa
––
MD5:  ––
SHA256:  ––
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jsse.jar
java
MD5: 7a018cbe03f4eee70b040553efed42f4
SHA256: 150a521c8958ca278cfc9fcda5710b2cbed1f638fec363b90616f4d59da612d8
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\meta-index
text
MD5: 91aa6ea7320140f30379f758d626e59d
SHA256: 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\psfontj2d.properties
text
MD5: f8734590a1aec97f6b22f08d1ad1b4bb
SHA256: 7d51936fa3fd5812ae51f9f5657e0e70487dca810b985607b6c5d6603f5e6c98
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\resources.jar
java
MD5: 2e17e68f76e0b1e46b79fcce2cee4317
SHA256: 58ebb1b14954c282c49a54a4d476c68710d6bfd56fb5aac70877f629a7724739
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\psfont.properties.ja
text
MD5: 7c5514b805b4a954bc55d67b44330c69
SHA256: 0c790de696536165913685785ea8cbe1ac64acf09e2c8d92d802083a6da09393
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\rt.jar
––
MD5:  ––
SHA256:  ––
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\sound.properties
text
MD5: 4f95242740bfb7b133b879597947a41e
SHA256: 299c2360b6155eb28990ec49cd21753f97e43442fe8fab03e04f3e213df43a66
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\tzdb.dat
binary
MD5: 684b0eaeea068e64ce56f133af53132a
SHA256: b159a25b1a90868431ca5eb5c23066bfff3e5d3132b6f7f0a5870bc5b5475f7e
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\tzmappings
text
MD5: 7d4abbcfb06d083f349e27d7e6972f3c
SHA256: d936ee24810b747c54192b4b5a279f21179fe3ceb42d113d025a368ebb7cb5a7
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\cmm\sRGB.pf
icc
MD5: 1d3fda2edb4a89ab60a23c5f7c7d81dd
SHA256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\cmm\CIEXYZ.pf
icc
MD5: 10f23396e21454e6bdfb0db2d124db85
SHA256: 207d748a76c10e5fa10ec7d0494e31ab72f2bacab591371f2e9653961321fe9c
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\cmm\GRAY.pf
icc
MD5: 1002f18fc4916f83e0fc7e33dcc1fa09
SHA256: 081caac386d968add4c2d722776e259380dcf78a306e14cc790b040ab876d424
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\ffjcext.zip
compressed
MD5: 4299c94a5648d83b1d7895e4ca167a65
SHA256: ff4778b55d6d27bba61bd55dab80aadfb884fc4387cb0dd8934a2db3ea87d9b8
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\cmm\LINEAR_RGB.pf
icc
MD5: a387b65159c9887265babdef9ca8dae5
SHA256: 712036aa1951427d42e3e190e714f420ca8c2dd97ef01fcd0675ee54b920db46
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\cmm\PYCC.pf
icc
MD5: 24b9dee2469f9cc8ec39d5bdb3901500
SHA256: 48122294b5c08c69b7fe1db28904969dcb6edc9aa5076e3f8768bf48b76204d0
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages.properties
text
MD5: 811bafa6f97801186910e9b1d9927fe2
SHA256: 926ccadaec649f621590d1aa5e915481016564e7ab28390c8d68bdaaf4785f1f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_it.properties
text
MD5: a81c4b0f3bf9a499429e14a881010ef6
SHA256: 550954f1f80fe0e73d74eb10ad529b454d5ebc626eb94a6b294d7d2acf06f372
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_ja.properties
text
MD5: b7279f1c3ba0b63806f37f6b9d33c314
SHA256: 8d499c1cb14d58e968a823e11d5b114408c010b053b3b38cfef7ebf9fb49096f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_fr.properties
text
MD5: c11ab66fede3042ee75dfd19032c8a72
SHA256: 8deeec35ed29348f5755801f42675e3bf3fa7ad4b1e414acca283c4da40e4d77
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_sv.properties
text
MD5: a6005be45c88900a15bc80d461b60c30
SHA256: 5ccee63720fcac2a136cf1fa90cbac05040f89ffe8c082c2d067247bfcd76b87
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_pt_BR.properties
text
MD5: ed15a441a20ea85c29521a0c7c8c3097
SHA256: 4140663a49040ff191c07d2d04588402263ec2e1679a9a1a79b790a137ee7fb8
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_de.properties
text
MD5: d77c3b5274b8161328ab5c78f66dd0d0
SHA256: c9399a33bb9c75345130b99d1d7ce886d9148f1936543587848c47b8540da640
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_ko.properties
text
MD5: fed33982e349f696ef21e35ed0dbbde3
SHA256: d9c95c31b4c1092f32bdcf40d5232b31cc09fb5b68564067c1c2a5f59d3869fa
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_es.properties
text
MD5: 6d32848bd173b9444b71922616e0645e
SHA256: be987d93e23ab7318db095727dedd8461ba6d98b9409ef8fc7f5c79fa9666b84
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_HK.properties
text
MD5: 880baacb176553deab39edbe4b74380d
SHA256: ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\[email protected]
image
MD5: cb81fed291361d1dd745202659857b1b
SHA256: 9dd5ccd6bdfdaad38f7d05a14661108e629fdd207fc7776268b566f7941e1435
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\splash.gif
image
MD5: 249053609eaf5b17ddd42149fc24c469
SHA256: 113b01304ebbf3cc729a5ca3452dda2093bd8b3ddc2ba29e5e1c1605661f90be
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties
text
MD5: 880baacb176553deab39edbe4b74380d
SHA256: ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\[email protected]
image
MD5: 3fe2013854a5bdaa488a6d7208d5ddd3
SHA256: fc39d09d187739e580e47569556de0d19af28b53df5372c7e0538fd26edb7988
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\access-bridge.jar
java
MD5: 809da8f5853ac6a5aea250112a53b675
SHA256: 53546ed47dadfb8b03caf549c62b8acaab4c614d50609e3a448a5b6ea5ea05d1
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\splash_11-lic.gif
image
MD5: 9e8f541e6ceba93c12d272840cc555f8
SHA256: c5578ac349105de51c1e9109d22c7843aab525c951e312700c73d5fd427281b9
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_CN.properties
text
MD5: e6f84c081895acdfd98da0f496e1dd3d
SHA256: a1752a0175f490f61e0aad46dc6887c19711f078309062d5260e164ac844f61a
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\cldrdata.jar
java
MD5: ccd1522340a21b037b6476935bde9cba
SHA256: 3f76a2cd151b54be8b8e1923a25b47aa71e59e78f6a3b485cc6a28f4affd794b
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\dnsns.jar
java
MD5: b686687e2335394008be2a5820602d07
SHA256: c79796684be18422fed927043ecff0cb4aaca3a31760d3aa04b5ce13cc1e970f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\jaccess.jar
java
MD5: 253bf7a6ca471c6ef8a65ee288ba5077
SHA256: ce9f17d0d07f63e9e1fd13a115e43e27a3f18e3316e3103bc4522a9ff0217bb9
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\jfxrt.jar
java
MD5: 5c0a903bf743405c7b660223d25c256d
SHA256: 55881f4248fd25de4de42ae2f8ff84c9ce3f191717f3c09bfbb66830e84b9ec2
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\sunec.jar
compressed
MD5: a269905bbb9f7d02baa24a756e7b09d7
SHA256: e2787698d746dc25c24d3be0fa751cea6267f68b4e972cfc3df4b4eac8046245
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\nashorn.jar
java
MD5: 3c05a041e8feb3d0a125e4e0e10856df
SHA256: 26d148ad00aa59afed13fb9eac797b621f2222f127cff81b4fea9aa926063c5f
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\localedata.jar
java
MD5: 3e637a11fce44926cd2b2350b0f4fdfc
SHA256: 4a515c7f32f0664413b57111e63bb65dc079c9f3352eef2d1f16d6a8ea396ee7
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfxswt.jar
java
MD5: 37fa7eee101cf7bc16a85029f83e850a
SHA256: 14d02e34af7277679d75eb8cc1afcd47484f37f5c499124fa0389a39f42f5947
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar
compressed
MD5: 6a1fdb4ec0affe03ad2fcc4568798f37
SHA256: 044a5f93ed6015b6ce37d86c0a54b5ffd24d9a36e9fc8ea38f47da5e4c515990
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\zipfs.jar
java
MD5: c8556f18da1b0c0b4265cdb147015134
SHA256: 85b540832c1b69664b3e0ee075a2e4aaed4b9386d7aef389fd164c527bb5e3a9
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fonts\LucidaBrightDemiBold.ttf
ttf
MD5: af0c5c24ef340aea5ccac002177e5c09
SHA256: 72cee3e6df72ad577af49c59dca2d0541060f95a881845950595e5614c486244
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\sunmscapi.jar
compressed
MD5: 570c85a9fa231e3299aba1ef62fd129b
SHA256: 59a2762b7b92a463daf57b3883e4490653ed09adc7266cc6d1d83b4f906d4670
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\ext\sunpkcs11.jar
compressed
MD5: 2e33d8f1fbeb9239c6ffc0d36de772d1
SHA256: 938c497e97e893d0b9325522475ad9fb2c365a4af832ed180b570c3e4e6fd559
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fonts\LucidaBrightDemiItalic.ttf
ttf
MD5: 793ae1ab32085c8de36541bb6b30da7c
SHA256: 895c5262cdb6297c13725515f849ed70609dbd7c49974a382e8bbfe4a3d75f8c
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fonts\LucidaBrightRegular.ttf
ttf
MD5: 630a6fa16c414f3de6110e46717aad53
SHA256: 0faaaca3c730857d3e50fba1bbad4ca2330add217b35e22b7e67f02809fac923
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fonts\LucidaSansDemiBold.ttf
ttf
MD5: 5dd099908b722236aa0c0047c56e5af2
SHA256: 53773357d739f89bc10087ab2a829ba057649784a9acbffee18a488b2dccb9ee
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jfxwebkit.dll
––
MD5:  ––
SHA256:  ––
3664
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT
text
MD5: 89f660d2b7d58da3efd2fecd9832da9c
SHA256: f6a08c9cc04d7c6a86576c1ef50dd0a690ae5cb503efd205edb2e408bd8d557b
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fonts\LucidaBrightItalic.ttf
ttf
MD5: 4d666869c97cdb9e1381a393ffe50a3a
SHA256: d68819a70b60ff68ca945ef5ad358c31829e43ec25024a99d17174c626575e06
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fonts\LucidaTypewriterBold.ttf
ttf
MD5: a0c96aa334f1aeaa799773db3e6cba9c
SHA256: fc908259013b90f1cbc597a510c6dd7855bf9e7830abe3fc3612ab4092edcde2
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fonts\LucidaSansRegular.ttf
ttf
MD5: b75309b925371b38997df1b25c1ea508
SHA256: f8d877b0b64600e736dfe436753e8e11acb022e59b5d7723d7d221d81dc2fcde
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fonts\LucidaTypewriterRegular.ttf
ttf
MD5: c1397e8d6e6abcd727c71fca2132e218
SHA256: d9d0aab0354c3856df81afac49bdc586e930a77428cb499007dde99ed31152ff
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\i386\jvm.cfg
text
MD5: 9aef14a90600cd453c4e472ba83c441f
SHA256: 9e86b24ff2b19d814bbaedd92df9f0e1ae86bf11a86a92989c9f91f959b736e1
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\cursors.properties
text
MD5: 269d03935907969c3f11d43fef252ef1
SHA256: 7b8b63f78e2f732bd58bf8f16144c4802c513a52970c18dc0bdb789dd04078e4
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyDrop32x32.gif
image
MD5: 89cdf623e11aaf0407328fd3ada32c07
SHA256: 13c783acd580df27207dabccb10b3f0c14674560a23943ac7233df7f72d4e49d
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\invalid32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkNoDrop32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkDrop32x32.gif
image
MD5: 694a59efde0648f49fa448a46c4d8948
SHA256: 485cbe5c5144cfcd13cc6d701cdab96e4a6f8660cbc70a0a58f1b7916be64198
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveDrop32x32.gif
image
MD5: cc8dd9ab7ddf6efa2f3b8bcfa31115c0
SHA256: 12cfce05229dba939ce13375d65ca7d303ce87851ae15539c02f11d1dc824338
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveNoDrop32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfr\default.jfc
xml
MD5: 41d5cd8db1f75101304308a9ee3612ff
SHA256: 0c8cd372c548e4ddcbb0fa8cd6fca09d65ec312d784f495be19baf1bf06c57f3
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfr\profile.jfc
xml
MD5: 8b5c309810d64a8c62e7cdc6436f97a9
SHA256: f70e4c858a96603de6c042ea796300c232953aab17579ff4e7a47fe9ffe17c26
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\jmxremote.password.template
text
MD5: 7b46c291e7073c31d3ce0adae2f7554f
SHA256: 3d83e336c9a24d09a16063ea1355885e07f7a176a37543463596b5db8d82f8fa
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\management.properties
text
MD5: 81a43119ab15099c1d70e2d683fc8c0a
SHA256: fcacfa57ce3fe6372c2273abc032a1320be021af42553e2104db9937b6771783
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\jmxremote.access
text
MD5: f63bea1f4a31317f6f061d83215594df
SHA256: 439158eb513525feda19e0e4153ccf36a08fe6a39c0c6ceeb9fcee86899dd33c
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\blacklist
text
MD5: b2c6eae6382150192ea3912393747180
SHA256: 6c73c877b36d4abd086cb691959b180513ac5abc0c87fe9070d2d5426d3dbf71
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\snmp.acl.template
text
MD5: 71a7de7dbe2977f6ece75c904d430b62
SHA256: f1dc97da5a5d220ed5d5b71110ce8200b16cac50622b33790bb03e329c751ced
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\blacklisted.certs
text
MD5: b9c358f9d668e86fda8048982e741acc
SHA256: ddd297102146ac7f6607b35c0e0b565975739a7841da5e5a6207b6f4ebb2d822
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\local_policy.jar
compressed
MD5: 57aaaa3176dc28fc554ef0906d01041a
SHA256: b8becc3ef2e7ff7d2165dd1a4e13b9c59fd626f20a26af9a32277c1f4b5d5bc7
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\java.policy
text
MD5: 11340cd598a8517a0fd315a319716a08
SHA256: b8582889b0df36065093c642ed0f9fa2a94cc0dc6fde366980cfd818ec957250
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\cacerts
jks
MD5: 0cbb829e01dff3e17f3e905b47a86036
SHA256: 9e9a07bd4ed7eb11f1f41e5a9cd92f6ab0ab6da1872c2561a67366fd4541831d
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\javaws.policy
text
MD5: 9107d028bd329dbfe4c1f19015ed6d80
SHA256: b7a87d1f3f4b7ba1d19d0460fa4b63bd1093afc514d67fe3c356247236326425
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\java.security
text
MD5: 409c132fe4ea4abe9e5eb5a48a385b61
SHA256: 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\US_export_policy.jar
compressed
MD5: ee4ed9c75a1aaa04dfd192382c57900c
SHA256: 90012f900cf749a0e52a0775966ef575d390ad46388c49d512838983a554a870
3336
javaw.exe
C:\Users\admin\ptFqBlthrXL\ID.txt
text
MD5: 9d21ae8c4c0c3c825a91ef781cf69f7b
SHA256: 59ab6cd09adf585bd96cfc3b510ec6a1cc35fd9d1e4c821e481b464593ef103b
3336
javaw.exe
C:\Users\admin\ptFqBlthrXL\UxTGFXKCbws.igqvqh
java
MD5: 2aff4a2f9c042587f817463ad1fe9101
SHA256: 45689ec828b35b9ae006aca9287b109ab3f0539f149f8a1d1760ddb5ec467bb2
3296
javaw.exe
C:\Users\admin\.oracle_jre_usage\82de497bd14093d8.timestamp
text
MD5: 6af4af648e5ca09059b21a79d77cde9e
SHA256: c037d192936617d2f5081f53184c8d16da818c861a7a7471749f8e935b9e20c6
3296
javaw.exe
C:\Users\admin\AppData\Local\Temp\_0.56383113900530351395098873756343851.class
java
MD5: 781fb531354d6f291f1ccab48da6d39f
SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
3216
java.exe
C:\Users\admin\.oracle_jre_usage\82de497bd14093d8.timestamp
text
MD5: 89e175e34180040a55336e4aabb1f6da
SHA256: e1f407952fdd0cb2bf9f585a0793413398d2a4d058303655eb1acab0f2e1bafb
3216
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive1327936395049384574.vbs
text
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
3296
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive8508147568987943697.vbs
text
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
3216
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive6885136849284561119.vbs
––
MD5:  ––
SHA256:  ––
3296
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive1424996635052850815.vbs
––
MD5:  ––
SHA256:  ––
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
text
MD5: ab9db8d553033c0326bd2d38d77f84c1
SHA256: 38995534df44e0526f8c8c8d479c778a4b34627cfd69f19213cfbe019a7261ba
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\release
text
MD5: 1bccc3a965156e53be3136b3d583b7b6
SHA256: 03a4db27dea69374efbaf121c332d0af05840d16d0c1fbf127d00e65054b118a
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
text
MD5: 745d6db5fc58c63f74ce6a7d4db7e695
SHA256: c77ba9f668fee7e9b810f1493e518adf87233ac8793e4b37c9b3d1ed7846f1c0
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\Welcome.html
html
MD5: 27cf299b6d93faca73fbcdcf4aecfd93
SHA256: 3f1f0ee75588dbba3b143499d08aa9ab431e4a34e483890cfac94a8e1061b7cf
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\README.txt
text
MD5: 0f1123976b959ac5e8b89eb8c245c4bd
SHA256: 963095cf8db76fb8071fd19a3110718a42f2ab42b27a3adfd9ec58981c3e88d2
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT
text
MD5: 89f660d2b7d58da3efd2fecd9832da9c
SHA256: f6a08c9cc04d7c6a86576c1ef50dd0a690ae5cb503efd205edb2e408bd8d557b
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\LICENSE
text
MD5: 98f46ab6481d87c4d77e0e91a6dbc15f
SHA256: 23f9a5c12fa839650595a32872b7360b9e030c7213580fb27dd9185538a5828c
3336
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive6911198821018429426.vbs
text
MD5: a32c109297ed1ca155598cd295c26611
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
3716
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive5085569119826637817.vbs
text
MD5: a32c109297ed1ca155598cd295c26611
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
3716
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive2155199795951945614.vbs
text
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
3336
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive1537239535432474626.vbs
text
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
3716
java.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
text
MD5: b5ff6d453e17b434f0ae58af86b0e79c
SHA256: d54f64bfb848338f828c578506fa121aaabae7069a6a23c49073536d5f705fca
3336
javaw.exe
C:\Users\admin\AppData\Local\Temp\_0.96298185949923173440951606721397874.class
java
MD5: 781fb531354d6f291f1ccab48da6d39f
SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
3336
javaw.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f
dbf
MD5: c8366ae350e7019aefc9d1e6e6a498c6
SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
3336
javaw.exe
C:\Users\admin\5C80808AB7785187AFB1D5EBABE9903D
compressed
MD5: e0e47c1fe053f70fa6feca20d8c3cb2c
SHA256: 5c6dae050ceb71774a5fc82ce6e3f0392daf0ffa9ec3596f70d4d07ee50b8970
3216
java.exe
C:\Users\admin\fUTkALeaTxM\ID.txt
text
MD5: f70578e07b7d9cd22a6deb5855d940e2
SHA256: f6fbfa43adac6989a0f0f0253c618793f6c275f1118cb9593b004a7e8aa6781f
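
Added example, not part of the ANY.RUN report: a small Python triage script for a dropped-files listing in the six-line record layout used above (PID, process, path, type, MD5, SHA256; the layout is inferred from this page). It flags the Adwind staging pattern this run shows: a complete JRE copied into %APPDATA%\Roaming\Oracle by xcopy.exe, the submitted JAR re-dropped as ptFqBlthrXL\UxTGFXKCbws.igqvqh with the sample's own MD5, the Retrive<digits>.vbs helper scripts in Temp written by java.exe/javaw.exe, and records where the sandbox captured no hash ("––"). The five sample records are copied from entries on this page; the rule names and the SAMPLE_MD5 constant (the submitted JAR's MD5) are mine.

```python
"""Triage an ANY.RUN dropped-files listing for Adwind/jRAT staging artefacts.
Added example, not part of the report; the six-line record layout (PID,
process, path, type, MD5, SHA256) is assumed from this page."""
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

SAMPLE_MD5 = "2aff4a2f9c042587f817463ad1fe9101"  # MD5 of the submitted shipping.label.jar
JVM = {"java.exe", "javaw.exe"}
STAGED_JRE = re.compile(r"\\AppData\\Roaming\\Oracle\\", re.I)  # JRE copied by xcopy.exe
RETRIVE_VBS = re.compile(r"\\AppData\\Local\\Temp\\Retrive\d+\.vbs$", re.I)
# a file, or <randomdir>\file, written straight under the user profile by the
# JVM, ignoring AppData and the JRE's own .oracle_jre_usage tracker files
USER_DIR_DROP = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(?!AppData\\|\.oracle_jre_usage\\)[^\\]+(?:\\[^\\]+)?$", re.I)


class Dropped(NamedTuple):
    pid: int
    process: str
    path: str
    ftype: str
    md5: Optional[str]      # None when the report shows "––" (hash not captured)
    sha256: Optional[str]


def _hash(line: str) -> Optional[str]:
    """'MD5: <hex>' -> lower-case hex; anything else (e.g. '––') -> None."""
    value = line.split(":", 1)[1].strip()
    return value.lower() if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{64}", value) else None


def parse_records(text: str) -> list:
    """Split the flattened listing into Dropped records, refusing misaligned input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 6:
        raise ValueError("listing is not a whole number of 6-line records")
    recs = []
    for i in range(0, len(lines), 6):
        pid, proc, path, ftype, md5, sha = lines[i:i + 6]
        if not (md5.startswith("MD5:") and sha.startswith("SHA256:")):
            raise ValueError(f"misaligned record near {path!r}")
        recs.append(Dropped(int(pid), proc, path, ftype, _hash(md5), _hash(sha)))
    return recs


def triage(records: Iterable[Dropped], sample_md5: str = SAMPLE_MD5) -> dict:
    """Bucket records by rule. The staged JRE is counted per writer PID rather
    than listed, because it is hundreds of legitimate Oracle files."""
    hits = {k: [] for k in ("self_copy", "retrive_vbs", "user_dir_drop", "unhashed")}
    staged = Counter()
    for r in records:
        if r.md5 is None:
            hits["unhashed"].append(r.path)        # IOC path only; hash it from disk
        if r.process.lower() == "xcopy.exe" and STAGED_JRE.search(r.path):
            staged[r.pid] += 1
        elif r.md5 == sample_md5.lower():
            hits["self_copy"].append(r.path)       # the JAR re-dropped under a random name
        elif r.process.lower() in JVM:
            if RETRIVE_VBS.search(r.path):
                hits["retrive_vbs"].append(r.path)
            elif USER_DIR_DROP.match(r.path):
                hits["user_dir_drop"].append(r.path)
    hits["staged_jre"] = dict(staged)
    return hits


# Constructed sample listing: five records copied from this page, same layout.
RECORDS = r"""
3672
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\client\jvm.dll
executable
MD5: 926824b862bbfe15455842d9d4900783
SHA256: 156afc715e865695ddf69d4a7db5fea2023b39748febfd86add15e9498c26639
3336
javaw.exe
C:\Users\admin\ptFqBlthrXL\ID.txt
text
MD5: 9d21ae8c4c0c3c825a91ef781cf69f7b
SHA256: 59ab6cd09adf585bd96cfc3b510ec6a1cc35fd9d1e4c821e481b464593ef103b
3336
javaw.exe
C:\Users\admin\ptFqBlthrXL\UxTGFXKCbws.igqvqh
java
MD5: 2aff4a2f9c042587f817463ad1fe9101
SHA256: 45689ec828b35b9ae006aca9287b109ab3f0539f149f8a1d1760ddb5ec467bb2
3296
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive8508147568987943697.vbs
text
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
3216
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive6885136849284561119.vbs
––
MD5:  ––
SHA256:  ––
"""
```

Run it on the full listing by pasting the records into RECORDS (or reading them from a file); on this report the user_dir_drop rule also surfaces C:\Users\admin\5C80808AB7785187AFB1D5EBABE9903D and fUTkALeaTxM\ID.txt, and the self_copy rule is the one worth keeping as a hunting check, since the same bytes as the lure JAR reappearing under a random directory with a random extension is what distinguishes this from a legitimate JRE redistribution. The "––" records still carry the path as an IOC even though no hash was captured.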

Network activity

HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 1
Threats: 4

HTTP requests

PID   Process    Method  HTTP Code  IP                 URL                                                                           CN  Type        Size  Reputation
3336  javaw.exe  GET     200        151.101.36.209:80  http://central.maven.org/maven2/org/mozilla/rhino/1.7.7.2/rhino-1.7.7.2.jar  US  compressed        suspicious

Connections

PID   Process    IP                   ASN                           CN  Reputation
3336  javaw.exe  151.101.36.209:80    Fastly                        US  suspicious
3296  javaw.exe  85.217.171.128:1010  BelCloud Hosting Corporation  BG  malicious

DNS requests

Domain             IP              Reputation
central.maven.org  151.101.36.209  suspicious

Threats

PID   Process    Class                          Message
3336  javaw.exe  A Network Trojan was detected  ET INFO JAVA - Java Archive Download
3296  javaw.exe  A Network Trojan was detected  ET TROJAN Possible Adwind SSL Cert (assylias.Inc)
3296  javaw.exe  A Network Trojan was detected  MALWARE [PTsecurity] Backdoor.Java.Adwind.cu
3296  javaw.exe  A Network Trojan was detected  MALWARE [PTsecurity] Backdoor.Java.Adwind.cu

Debug output strings

No debug info.