ID: Sample Name: OVERDUE_INVOICES qrypted.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 11:58:04 Date: 14/05/2018 Version: 22.0.


ID: 59483 Sample Name: OVERDUE_INVOICES20180511.qrypted.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 11:58:04 Date: 14/05/2018 Version: 22.0.0

Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    Software Vulnerabilities:
    Networking:
    Remote Access Functionality:
    Persistence and Installation Behavior:
    System Summary:
    HIPS / PFW / Operating System Protection Evasion:
    Anti Debugging:
    Malware Analysis System Evasion:
    Hooking and other Techniques for Hiding and Protection:
    Lowering of HIPS / PFW / Operating System Security Settings:
    Language, Device and Operating System Detection:
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshots
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    General
    File Icon
  Network Behavior
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis cmd.exe PID: 3412 Parent PID: 3016 (General; File Activities)
    Analysis 7za.exe PID: 3420 Parent PID: 3412 (General; File Activities: File Created, File Written, File Read)
    Analysis cmd.exe PID: 3452 Parent PID: 3016 (General; File Activities: File Created)
    Analysis java.exe PID: 3480 Parent PID: 3452 (General; File Activities: File Created, File Deleted, File Written, File Read)
    Analysis java.exe PID: 3536 Parent PID: 3480 (General; File Activities: File Created, File Deleted, File Written, File Read)
    Analysis cmd.exe PID: 3592 Parent PID: 3480 (General; File Activities)
    Analysis cmd.exe PID: 3648 Parent PID: 3536 (General)
    Analysis cscript.exe PID: 3668 Parent PID: 3592 (General; File Activities: File Written)
    Analysis cscript.exe PID: 3688 Parent PID: 3648 (General; File Activities: File Written)
    Analysis cmd.exe PID: 3776 Parent PID: 3536 (General)
    Analysis cmd.exe PID: 3784 Parent PID: 3480 (General)
    Analysis cscript.exe PID: 3812 Parent PID: 3784 (General; File Activities: File Written)
    Analysis cscript.exe PID: 3824 Parent PID: 3776 (General; File Activities: File Written)
    Analysis xcopy.exe PID: 3904 Parent PID: 3536 (General; File Activities)
    Analysis xcopy.exe PID: 3912 Parent PID: 3480 (General; File Activities)
    Analysis cmd.exe PID: 3948 Parent PID: 3536 (General; File Activities: File Written, File Read)
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 59483
Start time: 11:58:04
Joe Sandbox Product: CloudBasic
Start date: 14.05.2018
Overall analysis duration: 0h 9m 12s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: OVERDUE_INVOICES20180511.qrypted.jar
Cookbook file name: defaultwindowsfilecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Run name: without instrumentation
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.evad.expl.winjar@30/1237@0/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  Adjust boot time
  Correcting counters for adjusted boot time
  Found application associated with file extension: .jar
Warnings:
  Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtOpenFile calls found.
  Report size getting too big, too many NtQueryDirectoryFile calls found.
  Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  Report size getting too big, too many NtReadFile calls found.
  Report size getting too big, too many NtSetInformationFile calls found.
  Report size getting too big, too many NtWriteFile calls found.
  Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: java.exe, java.exe

Detection

Strategy    Score   Range   Reporting        Detection
Threshold   64      0-100   Report FP / FN

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0-5

Classification

[Figure: classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Signature Overview

Software Vulnerabilities:
  Exploit detected, runtime environment starts unknown processes

Networking:
  Found strings which match to known social media urls
  Urls found in memory or binary

Remote Access Functionality:
  ADWIND Rat detected

Persistence and Installation Behavior:
  Drops files with a non-matching file extension (content does not match file extension)
  Drops PE files
  May use bcdedit to modify the Windows boot settings
  Creates license or readme file

System Summary:
  Dropped file seen in connection with other malware
  Creates files inside the system directory
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Executable is probably coded in java
  Executes visual basic scripts
  Reads software policies
  SQL strings found in memory and binary
  Spawns processes
  Uses an in-process (OLE) Automation server
  Submission file is bigger than most known malware samples
  Uses new MSVCR Dlls
  Binary contains paths to debug symbols

HIPS / PFW / Operating System Protection Evasion:
  May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
  Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  Creates guard pages, often used to prevent reverse engineering and debugging

Malware Analysis System Evasion:
  Tries to detect sandboxes and other dynamic analysis tools (process name or module)
  Found dropped PE file which has not been started or loaded
  May sleep (evasive loops) to hinder dynamic analysis
  May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Hooking and other Techniques for Hiding and Protection:
  Disables application error messsages (SetErrorMode)

Lowering of HIPS / PFW / Operating System Security Settings:
  AV process strings found (often used to terminate AV products)
  Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Language, Device and Operating System Detection:
  Queries the cryptographic machine GUID

Behavior Graph

[Figure: behavior graph. ID: 59483, Sample: OVERDUE_INVOICES20180511.qrypted.jar, Startdate: 14/05/2018, Architecture: WINDOWS, Score: 64. Process nodes: cmd.exe, 7za.exe, java.exe, cscript.exe, xcopy.exe. Dropped-file nodes: C:\Users\user\AppData\Roaming\...\javacpl.cpl, PE32; C:\Users\user\AppData\Roaming\...\dcpr.dll, PE32; C:\Users\user\AppData\Roaming\...\jvm.dll, PE32; 87 other files (5 malicious); C:\jar\com\...\TwiggenOverregulated, COM; C:\jar\com\censual\...behaviorgraphentriceKami, DOS; C:\jar\com\censual\...\StridulateBotryoidally, DOS; 8 other files (none is malicious).]

Behavior Graph Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious

Simulations

Behavior and APIs

Time       Type              Description
11:59:09   API Interceptor   2x Sleep call for process: java.exe modified
11:59:21   API Interceptor   8x Sleep call for process: cscript.exe modified

Antivirus Detection

Initial Sample
No Antivirus matches

Dropped Files
Source: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll, Detection: 0%, Scanner: virustotal
Source: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll, Detection: 0%, Scanner: metadefender
Source: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll, Detection: 0%, Scanner: virustotal
Source: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll, Detection: 0%, Scanner: metadefender
Source: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll, Detection: 0%, Scanner: virustotal
Source: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll, Detection: 0%, Scanner: metadefender
Source: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll, Detection: 0%, Scanner: virustotal
Source: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll, Detection: 0%, Scanner: virustotal
Source: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll, Detection: 0%, Scanner: metadefender
Source: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll, Detection: 0%, Scanner: virustotal
Source: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll, Detection: 0%, Scanner: metadefender
Source: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll, Detection: 0%, Scanner: virustotal

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

Yara Overview

Initial Sample
No yara matches

PCAP (Network Traffic)
No yara matches

Dropped Files
No yara matches

Memory Dumps
No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs
No context

Domains
No context

ASN
No context

Dropped Files

Match: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Associated Sample Name / URL, Detection:
Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious
Tax Invoice.jar, Detection: malicious
0.628554001502139784.jar, Detection: malicious
Product Specification PO.doc, Detection: malicious
http://www.cometrosi nc.com/images/bbbbbb bb/invoice-28302.jar, Detection: malicious
Proforma40773100 1507328765.jar, Detection: malicious
sjfcplkzk.jar, Detection: malicious
http://futra.com.au/ 0.359970001511742001.jar, Detection: malicious
cenovnik.jar, Detection: malicious
vav2duep9c.jar, Detection: malicious
zbqfs1n7s.jar, Detection: malicious
bad.jar, Detection: malicious
wowik07mv.jar, Detection: malicious
011292018.jar, Detection: malicious
tiwit.jar, Detection: malicious
71DXX.exeQSQ.exe, Detection: malicious
Swift copy 27.02.18_pdf.jar, Detection: malicious
CONT_WX_BAS.jar, Detection: malicious
FULL ORIGINAL DOCUMENTS 2FC1.jar, Detection: malicious
FnRoEYlPgUU.Ptfypi, Detection: malicious

Match: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Associated Sample Name / URL, Detection:
Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious
Tax Invoice.jar, Detection: malicious
0.628554001502139784.jar, Detection: malicious
Product Specification PO.doc, Detection: malicious
http://www.cometrosi nc.com/images/bbbbbb bb/invoice-28302.jar, Detection: malicious
Proforma40773100 1507328765.jar, Detection: malicious
sjfcplkzk.jar, Detection: malicious
http://futra.com.au/ 0.359970001511742001.jar, Detection: malicious
cenovnik.jar, Detection: malicious
vav2duep9c.jar, Detection: malicious
zbqfs1n7s.jar, Detection: malicious
bad.jar, Detection: malicious
wowik07mv.jar, Detection: malicious
011292018.jar, Detection: malicious
tiwit.jar, Detection: malicious
49Order List.exe, Detection: malicious
71DXX.exeQSQ.exe, Detection: malicious
Swift copy 27.02.18_pdf.jar, Detection: malicious
CONT_WX_BAS.jar, Detection: malicious
FULL ORIGINAL DOCUMENTS 2FC1.jar, Detection: malicious

Match: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Associated Sample Name / URL, Detection:
Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious
Tax Invoice.jar, Detection: malicious
0.628554001502139784.jar, Detection: malicious
Product Specification PO.doc, Detection: malicious
http://www.cometrosi nc.com/images/bbbbbb bb/invoice-28302.jar, Detection: malicious
Proforma40773100 1507328765.jar, Detection: malicious
sjfcplkzk.jar, Detection: malicious
http://futra.com.au/ 0.359970001511742001.jar, Detection: malicious
cenovnik.jar, Detection: malicious
vav2duep9c.jar, Detection: malicious
zbqfs1n7s.jar, Detection: malicious
bad.jar, Detection: malicious
wowik07mv.jar, Detection: malicious
011292018.jar, Detection: malicious
tiwit.jar, Detection: malicious
49Order List.exe, Detection: malicious
71DXX.exeQSQ.exe, Detection: malicious
Swift copy 27.02.18_pdf.jar, Detection: malicious
CONT_WX_BAS.jar, Detection: malicious
FULL ORIGINAL DOCUMENTS 2FC1.jar, Detection: malicious

Screenshots

Startup

System is w7
cmd.exe (PID: 3412 cmdline: C:\Windows\system32\cmd.exe /c 7za.exe x -y -oc:\jar 'C:\Users\user\Desktop\OVERDUE_INVOICES20180511.qrypted.jar' MD5: AD7B9C14083B52BC532FBA5948342B98)
  7za.exe (PID: 3420 cmdline: 7za.exe x -y -oc:\jar 'C:\Users\user\Desktop\OVERDUE_INVOICES20180511.qrypted.jar' MD5: 42BADC1D2F03A8B1E4875740D3D49336)
cmd.exe (PID: 3452 cmdline: 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\OVERDUE_INVOICES20180511.qrypted.jar' com.angelican.breadthless.botticelli.unaffixed.succindurni >> C:\cmdlinestart.log 2>&1 MD5: AD7B9C14083B52BC532FBA5948342B98)
  java.exe (PID: 3480 cmdline: java.exe -jar 'C:\Users\user\Desktop\OVERDUE_INVOICES20180511.qrypted.jar' com.angelican.breadthless.botticelli.unaffixed.succindurni cleanup MD5: 02E26F23B34336225FB5E33DB36BF08C)
    java.exe (PID: 3536 cmdline: 'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -jar C:\Users\HERBBL~1\AppData\Local\Temp\_0.79729827196093111101489516232296510.class MD5: 02E26F23B34336225FB5E33DB36BF08C)
      cmd.exe (PID: 3648 cmdline: cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1420844806834119909.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)
        cscript.exe (PID: 3688 cmdline: cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1420844806834119909.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)
      cmd.exe (PID: 3776 cmdline: cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6753597149742715449.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)
        cscript.exe (PID: 3824 cmdline: cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6753597149742715449.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)
      xcopy.exe (PID: 3904 cmdline: xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e MD5: 361D273773994ED11A6F1E51BBB4277E)
      cmd.exe (PID: 3948 cmdline: cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
    cmd.exe (PID: 3592 cmdline: cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive3796941006347813606.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)
      cscript.exe (PID: 3668 cmdline: cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive3796941006347813606.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)
    cmd.exe (PID: 3784 cmdline: cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7380665066812273370.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)
      cscript.exe (PID: 3812 cmdline: cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7380665066812273370.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)
    xcopy.exe (PID: 3912 cmdline: xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e MD5: 361D273773994ED11A6F1E51BBB4277E)

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c46.timestamp
Process: C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 51
Entropy (8bit): 4.760085635834618
Reputation: low

C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1420844806834119909.vbs
Process: C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 276
Entropy (8bit): 5.064973526456737
Reputation: moderate, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\Retrive3796941006347813606.vbs
Process: C:\ProgramData\Oracle\Java\javapath_target_827509\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 276
Entropy (8bit): 5.064973526456737
Reputation: moderate, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6753597149742715449.vbs
Process: C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 281
Entropy (8bit): 5.093300055314051
Reputation: moderate, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7380665066812273370.vbs
Process: C:\ProgramData\Oracle\Java\javapath_target_827509\java.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 281
Entropy (8bit): 5.093300055314051
Reputation: moderate, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\_0.79729827196093111101489516232296510.class
Process: C:\ProgramData\Oracle\Java\javapath_target_827509\java.exe
File Type: Java Jar file (zip)
Size (bytes): 247088
Entropy (8bit): 7.977146417027947
Reputation: moderate, very likely benign file

C:\Users\user\AppData\Roaming\Oracle\COPYRIGHT
Process: C:\Windows\System32\xcopy.exe
File Type: ISO-8859 text
Size (bytes): 3244
Entropy (8bit): 4.5048923444191455
Reputation: moderate, very likely benign file

C:\Users\user\AppData\Roaming\Oracle\LICENSE
Process: C:\Windows\System32\xcopy.exe
File Type: ASCII text
Size (bytes): 40
Entropy (8bit): 4.208694969562841

C:\Users\user\AppData\Roaming\Oracle\README.txt
Process: C:\Windows\System32\xcopy.exe
File Type: ASCII text
Size (bytes): 46
Entropy (8bit): 4.197049999347145

C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Process: C:\Windows\System32\xcopy.exe
File Type: UTF-8 Unicode (with BOM) text, with very long lines
Size (bytes): 63933
Entropy (8bit): 4.755223491638325

C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Process: C:\Windows\System32\xcopy.exe
File Type: UTF-8 Unicode text
Size (bytes): 145180
Entropy (8bit): 5.0247000630968905

C:\Users\user\AppData\Roaming\Oracle\Welcome.html
Process: C:\Windows\System32\xcopy.exe
File Type: HTML document, ASCII text
Size (bytes): 955
Entropy (8bit): 5.094001412859534

C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Process: C:\Windows\System32\xcopy.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 14912
Entropy (8bit): 6.134860281825746
Malicious: true
Antivirus: virustotal, Detection: 0%
Antivirus: metadefender, Detection: 0%
Joe Sandbox View:
Filename: Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious
Filename: Tax Invoice.jar, Detection: malicious
Filename: 0.628554001502139784.jar, Detection: malicious
Filename: Product Specification PO.doc, Detection: malicious
Filename:, Detection: malicious
Filename: Proforma40773100 1507328765.jar, Detection: malicious
Filename: sjfcplkzk.jar, Detection: malicious
Filename:, Detection: malicious
Filename: cenovnik.jar, Detection: malicious
Filename: vav2duep9c.jar, Detection: malicious
Filename: zbqfs1n7s.jar, Detection: malicious
Filename: bad.jar, Detection: malicious
Filename: wowik07mv.jar, Detection: malicious
Filename: 011292018.jar, Detection: malicious
Filename: tiwit.jar, Detection: malicious
Filename: 49Order List.exe, Detection: malicious
Filename: 71DXX.exeQSQ.exe, Detection: malicious
Filename: Swift copy 27.02.18_pdf.jar, Detection: malicious
Filename: CONT_WX_BAS.jar, Detection: malicious
Filename: FULL ORIGINAL DOCUMENTS 2FC1.jar, Detection: malicious

C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Process: C:\Windows\System32\xcopy.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 127552
Entropy (8bit): 6.413147752142186
A03D9E62337470C5CE8EBB1D02B7B01F4587A21EE6512FDC282A80A7E9804854E9FAA2FB253DECD 3556D8614D25492AE7FE238475DD36DC2815344FF8A794E79 true Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Filename: Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious, Browse Filename: Tax Invoice.jar, Detection: malicious, Browse Filename: 0.628554001502139784.jar, Detection: malicious, Browse Filename: Product Specification PO.doc, Detection: malicious, Browse Filename:, Detection: malicious, Browse Filename: Proforma40773100 1507328765.jar, Detection: malicious, Browse Filename: sjfcplkzk.jar, Detection: malicious, Browse Filename:, Detection: malicious, Browse Filename: cenovnik.jar, Detection: malicious, Browse Filename: vav2duep9c.jar, Detection: malicious, Browse Filename: zbqfs1n7s.jar, Detection: malicious, Browse Filename: bad.jar, Detection: malicious, Browse Filename: wowik07mv.jar, Detection: malicious, Browse Filename: 011292018.jar, Detection: malicious, Browse Filename: tiwit.jar, Detection: malicious, Browse Filename: 49Order List.exe, Detection: malicious, Browse Filename: 71DXX.exeQSQ.exe, Detection: malicious, Browse Filename: Swift copy 27.02.18_pdf.jar, Detection: malicious, Browse Filename: CONT_WX_BAS.jar, Detection: malicious, Browse Filename: FULL ORIGINAL DOCUMENTS 2FC1.jar, Detection: malicious, Browse C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll C:\Windows\System32\xcopy.exe PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 95808 Entropy (8bit): 6.488891397675493 9867B47DE013C131DEABC5A5CE73876E C0F0AE34A594AE4903E4DA2889BCB30CDCA60DA9 B2C96DF9961DCCE06BB40185ADE8DA3CC5FBD839DCE92EB0B38CD0D21ABE2D9B Copyright Joe Security LLC 2018 Page 17 of 443

C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll Antivirus: Joe Sandbox View: C94911122DD66A2319A59E9252423226FFAF9D3D385B0B2F3A89575C06ED40C21A4B426579BEB3A88 BC9C962EC4D0A63182DD16DED6E4EC8A8F2CFC0EB4D6AB2 true Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Filename: Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious, Browse Filename: Tax Invoice.jar, Detection: malicious, Browse Filename: 0.628554001502139784.jar, Detection: malicious, Browse Filename: Product Specification PO.doc, Detection: malicious, Browse Filename:, Detection: malicious, Browse Filename: Proforma40773100 1507328765.jar, Detection: malicious, Browse Filename: sjfcplkzk.jar, Detection: malicious, Browse Filename:, Detection: malicious, Browse Filename: cenovnik.jar, Detection: malicious, Browse Filename: vav2duep9c.jar, Detection: malicious, Browse Filename: zbqfs1n7s.jar, Detection: malicious, Browse Filename: bad.jar, Detection: malicious, Browse Filename: wowik07mv.jar, Detection: malicious, Browse Filename: 011292018.jar, Detection: malicious, Browse Filename: tiwit.jar, Detection: malicious, Browse Filename: 71DXX.exeQSQ.exe, Detection: malicious, Browse Filename: Swift copy 27.02.18_pdf.jar, Detection: malicious, Browse Filename: CONT_WX_BAS.jar, Detection: malicious, Browse Filename: FULL ORIGINAL DOCUMENTS 2FC1.jar, Detection: malicious, Browse Filename: FnRoEYlPgUU.Ptfypi, Detection: malicious, Browse C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll Size (bytes): 1182272 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.631868285342272 Antivirus: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 0304579370E3EF9F287C58089FF07EF3 88EE48B36422A9269C469C36B801932BD6906BF5 4C4BF1FDE6365A4FC265257BFA61CE3300CD0C5C1E904C40C0065EE8E97F39C4 CC585EE0D6D2243C481B98B5D9B48807FE149DCB9B28B9375239F14B38DE394D2FEC0429F523CCCD88D971288F 8BE692CEAA0DB081DDE36DACD8FB49A6EF9E30 true Antivirus: virustotal, Detection: 0%, Browse 
C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll Size (bytes): 15424 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.37998881692665 Antivirus: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows E32EFDF4BDAE1464F979912F1404C5BD 08080E4851E88B83995B864911628F6FDC6311D2 3A01155AAF37F23ED8EA04F25D72EBA98AA7415DEDF9D40BE378F28D4BEE63CD 8ED83FFCF5AEBEA7D730FF4D4B765301465F212D0FB0B1834C928E29B93E875573F02B12E3878764F99DE32B0F9 C5661B6E5B295B4378887081BC0F5968CC04A true Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse C:\Users\user\AppData\Roaming\Oracle\bin\client\Xusage.txt Size (bytes): 1423 C:\Windows\System32\xcopy.exe ASCII text Entropy (8bit): 4.176285626070562 B3174769A9E9E654812315468AE9C5FA 238B369DFC7EB8F0DC6A85CDD080ED4B78388CA8 37CF4E6CDC4357CEBB0EC8108D5CB0AD42611F675B926C819AE03B74CE990A08 0815CA93C8CF762468DE668AD7F0EB0BDD3802DCAA42D55F2FB57A4AE23D9B9E2FE148898A28FE22C846A4FCD F1EE5190E74BCDABF206F73DA2DE644EA62A5D3 C:\Users\user\AppData\Roaming\Oracle\bin\client\classes.jsa C:\Windows\System32\xcopy.exe Copyright Joe Security LLC 2018 Page 18 of 443

C:\Users\user\AppData\Roaming\Oracle\bin\client\classes.jsa Size (bytes): 12713984 Entropy (8bit): 5.158674134150041 1141D3988B18B4B48049CD465CD6CFFA 4F480BA8672A677BCBDDB132449631325FA20845 20A36F98B41698731AD5EB6318D303000976AA35EF67EEAFD16AB335710A517C 34B05CF0546ECA76040476F9ADA5664A73200D0160C0FCC1689FFA2B36B52AE4BE4D484726CDD232FBEC31EDC A821A4AED8E50408048612EC5373A0279C83891 C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll Size (bytes): 3866176 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.855835733402667 Antivirus: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 57A10918A05BEF3961ACF79867085723 3A4FC413D5A32D494E3CCFB2B8F3DCF96BB90808 B7D99D8FDAA0FAD10FAF4C5AA6EEB1FC84DF4D1933EA537480829A6ABDE43849 53609EFC64A6B43EE50F9EF404545F50431A38441C10B0DABA6AA9324074A84671DD52B66790C7EEE22B33FDDB 986B28CEDAE5C1A58B5F30FFA0B2B5AF893C4C true Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll Size (bytes): 142912 C:\Windows\System32\xcopy.exe Entropy (8bit): 7.350677345698727 Antivirus: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 5C4AB5C8D9FC9D96ED1420CF5FFECFE4 3B68B2C1EE2FB2E973B4CAA0DEE7F7DBF3882133 5CE247418D8D454FFC0DF04EDC50A1A65A4CC3D5969CE66DB55169EEC85877BA F6689A26AE1E57CBEEF84CBE3FE1FBD812FC474FAD6BA5E8D4DFE0E8C99BDC8AF7CB2084961D93CFAF928090 EA969E34ED373F1CE8BFA5593043AD12C7CF020B true Antivirus: virustotal, Detection: 0%, Browse C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll Size (bytes): 64064 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.339283328310836 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 3080ABA90CFF63D5C5A33C854DCE27F3 D6E5E7A045A187EDEC8AA6E689010C2DDC73F608 7E1ED9E399997650E8C10EB60094BFB659942BDE0764DA19AB041CE62083115F 55FF028A571F5382801D70E3020E03C09F4115DA1F47E2AA2E47455EE02823A2BD589C7C5AD06EABDFCC519DCB 19B3698DA79AB22AB844F000AD3DEBA98790A2 C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll 
Size (bytes): 454208 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.51698680676728 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 2CFE0B1492EB6FEBBE2F1D4E09B4872F 1C780B589B2D71D6D0B2B5BF0C2E440A90A00A7D 542869B28FF7067B128F35A3F71A17F85D59687C50044182EC5C31A016F38706 A90D4C4DDE4A464A2CAB2C5C5B63C553C5C7FEE6A4415F17685C41357130FCA8E248D81FD0530CACFDD02F9D CC9D1F996D5D1F1298747E4B20DB3AF4E7E034E Copyright Joe Security LLC 2018 Page 19 of 443

C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll Size (bytes): 25152 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.6260515725325355 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 8CE4069A52BC41A4E834A8E38753FA09 5C0FF25904840B5D067B23B47627424C0987C0D2 625CFB08B5B909BBF0565398D8744B974FE4143274750E6F2CD4BF3C1580C935 2BD484384DDDD55FEE6789F4EF086EF7F8AD4E7D9956C207B6587E24BA1AB665AA19A8C094A12CF48A71F79BB 84A15C5EAD859EE94FF47F1F9AD4B7B84CEC10B C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll Size (bytes): 21568 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.60119196764975 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows D322D0D676132063FE34A84FAD8C08FE 458DBF55127E52AD7B76591CB50771CBF0D7C58B 034423F51F7D5A39992D3262576BE208D516D3C515757A70915053AAEE7CB552 56C892B17B30CACC8E1D5CF09B5E522826A1B443691E75894C13AB94C75F88A4B26EA392B2EC5A99BFF3EDBD4 F8DC518B29E10F7BBEA8697F8AD4A127B025B2F C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll Size (bytes): 826944 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.023278804823511 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows C0A01372F7A1D107EE2641779F669AAD 8C770048CF9B517634943BBA66C4A1E4DE9CD6B4 E596EC4273F111D8D6647568FEB3706782509F8296EE04A85C75748980A656F1 64D25B8CB45B7367FC4BFD8F4D6567FB0B8D25D35752285D18CA91D097828266B13D75F568D62E4686C9FAF9850 A45E37C29B9816BFF5A12BBD85B6BB08F4371 C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll Size (bytes): 908864 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.159242151659468 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 8EE9808AED44873E6C2F578196A53715 D6428D7878272E3DF67C70C511E1A2284DD863FF 4C503B185348C669BD20E5852C5AD203AB6B905F97FB5A7A3474C7310545748B 27D27FC942C220CAE003A917F5769E6B59B87F7E535AD1280605B1705A2FBE34DBEDFF4A2875E6E599067489C06 EDB284E41CADDC6912C1B8D459751A93458BF C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll Size (bytes): 109120 C:\Windows\System32\xcopy.exe Entropy (8bit): 
5.986074013591891 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 6E2AECD1691420507DA90BED5B849A53 48E88361B85C61D36EC0FE8564287A5AC4F75C8C 893CE6B2475F12EBCE25711B51D4ED8045BCB0813567080346167F9AA8F71414 D17F7D8F0771FC74B4BDFEF9E5736745C34DF413CF0C09632546CAE7AB82438FFC236306CE21F583A6F20FDE2B 0E602DE444016DAB0DFE660E4E000C9368B76 C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll C:\Windows\System32\xcopy.exe Copyright Joe Security LLC 2018 Page 20 of 443

C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll Size (bytes): 223296 Entropy (8bit): 6.506726069952414 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 25CCA16EE39023C5A7DC09C321A5FCF5 FF755F58244E0753D737C9325B9F42FE59CD9B65 82C2757D3210BFE13677A0A286E4BB926DE25385E5F325B49338D5BD09C821C1 2736F2F1F345CD1CFEE241A212DCB879D53AFA65596E05ABEEC6638ECEB6C42DFDA6A2F92AC71A4ABF6D304A FBE85E41916A3B01AED5B73D1415DE1D8FD70725 C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll Size (bytes): 152640 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.5431595288476 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows CDF176E141AD890AA8D8A269CAC60BA3 2C339BFFDA4E07FE3DC4D0460169831FD5F5FBAA 93ADB78853E427471E48AEFAB4A9103C6AC3B7D233931C8866933D1EECAD8519 3F5029A52DAE00E3D4FE696155AAA17308377D848A17946885CEB34F33FC3D7E455D86FF0F3F8FBB5E8D44F3AA2 761836EAAAB22D700467C38E8B4294359504C C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll Size (bytes): 200768 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.431604183486996 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 77BACEC88AC4E3C8D95FF07FF3A2B7BE 256C6640B9C44154071C029C6EEF285FCDB2F66C 9F91A2E7BE21317DA8D61D80691FF185546797E7435C35CD348F7A97845A93BD AE19C912D287902462DF8DA4C31873A5571BE8EC40C52AF66812E298F9D249809BF0B0FFD0DD517BB0A9AA1EA1 B9F25C6B0FB76F692134C5776A57757367B64B C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll Size (bytes): 400960 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.166649076853756 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows F5A84D9F582379275CFDFE409644AB21 945176DC56DD147ABBB77EF54080A8FC47AA658E B20F2376F99CB9C36E1CC3F88DB91CF7ED7449BD092F4FF982FC6BF3C691676C 70B53088A2FE2B2F01AFABB800A6D5912705F9116B03870C91DC9CD1CF96B092B22713EDCA3C94696710094FB21 D08D75F7A2D4ED998E636BD07C375732972E0 C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll Size (bytes): 514624 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.803326727806044 PE32 executable (DLL) (GUI) 
Intel 80386, for MS Windows 0D8ECAE61AAFB195F02134CD2E618B59 67A037AF6116B858B4CFD3AC1F141861F6FFCB3C 87C4B4556AC731C37EC23518820B25EE065252DDCBE351B37BB020A470DE47F4 70D320428BE43598A0812690951DE0F312A97A6332F6F0081CE675EA6D0B4DA1A3523ED43DFC8F288FD262A9322 BA10B3DB08E8924B11BFC1BD89DDB3BEDFC3A C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll C:\Windows\System32\xcopy.exe PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Copyright Joe Security LLC 2018 Page 21 of 443

C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll Size (bytes): 132160 Entropy (8bit): 6.723153703478439 7B105B9E5DBE91945F95A0AD1708B205 BF535181CC646D19F7357937E404266BEF5D91D0 2773D91DF28EFE4FDF6462653298FE2647622AD25837987FC86C02E34FBB1D2D 4E8F4D0316A0F6308FCEF846B73FFA98FF67D0527498F90861B7C466166E7F564DD0D85E440F82884447ACE68600 EF1D22B0727B8C3F722A3B937BFCD85CE86D C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll Size (bytes): 115776 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.787276209523372 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 281E338EEFD2121C835C572063F2942C 58E1326283E4C7202709CFBBA2F6247DA25C20A9 CC51833EF9C42D096090B6F7CEB88B91829DC9D0603ECB963042B2F6F9ED3B3C AFFB6E15756A3A09A0DF0FE584BEBB16A96A5F7967A57B422EC093D9D96C043F409A317EFBE197C360EF06FD71 005F436046C6345D434B342371F42C50910F8A C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll Size (bytes): 16448 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.486828513892576 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 8E2E4E995DF27609BEFB14180163F18D 1A048A6BC0B7CDF5A2376D748D3E1B7ACDBEC7A0 7DACAFF6289A9887E4908915497F3A412CBC229C92A3E76691EBB3CEBA5A69DA 72BBACD85EC3F0766A17F844BF890E57E40B32675CC08CA4BAA3D559FA81C6846C7235F592FB6006675598638B0 5AE3671F40369406B67E3957C518449A80C80 C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll Size (bytes): 51264 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.579030329626856 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows D6026C2B6A839DD03688404627DCA20B CDE737D8E169FDE876C280DA9DD78500F840BC5D 127A152EA4F71BF2862E39E90FF98A6FAF057AF8A845A75680F80202ADF91210 0376A02FE84680E3E5160036288EC92BFBC82AEE8975642721DC5C2A035B1A282AAC7BDF2EF76A293A27631E269 C62991CAC6E12C092FDAC6062301D81FE4B88 C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll Size (bytes): 19520 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.454041821166387 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows BB3B769F9AEF7B70F575899F44FA934F 
FBABBC8E506F3401FDB45A55A2F84C6BA8E7AC94 2F32FF27565E4FD290E75CB76B24566358BB3489BF6CAB69D5B9D5FC883BF7A0 0474908858F842DA4CA3E7E0A7963FD7B658BEA47BE4AA58DF66F972F24C3391123911EC22FA908CAC67FA900D 505CFFD87835D0D042133A0FD81256E708A0FB C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe C:\Windows\System32\xcopy.exe PE32 executable (console) Intel 80386, for MS Windows Size (bytes): 30784 Copyright Joe Security LLC 2018 Page 22 of 443

C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe Entropy (8bit): 6.412006519570213 AF5D1B2BE539A2D210A598E693A45579 8F753CC6C1474516DE71C7CC82230D7CBE02A0BA F1E12F28C9DD7F8FFE2B94B6D0C8F2043494EC0A71FC0A1BA239573DE97A3427 53E69BE640F57B75DBDFE18E097B00DDF6C007E73986D96448D9E0B96FF06A38463E5A3CD87E0AF5F6C8CC49EE C2184B9EF7883CF14C2152B6BD21B644ACDACF C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe Size (bytes): 15936 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.462003296325281 PE32 executable (console) Intel 80386, for MS Windows 690C4C406DA3043653F43B5E0ECC019C F8F5E5E7362461223676896472CA159124FB2065 48AA7ABED502980607600F0D3F4F204FE11EF39DB3FFC0D37D81E13CEA54C5AA 8C01F2B9040B13C957DE38BD9AB2662B50CF62F31E1E06D7E186F89933600B59562292FC06B8C5155F2E06DDEB9 FDCA415B431A2AC2E711937EED7F75C7F2BA0 C:\Users\user\AppData\Roaming\Oracle\bin\java.dll Size (bytes): 127040 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.806845399394011 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows D4A44B1965428805885AC50623F54340 5FE1B0B783558DBA430193D17ED4BFFEFF0033CB 8F519A123E54D0CA719B221562E326614FAAC1864E1F911DCBD60A415E89E05F 38117BB4C063058CD7C3B5D76F8B75F2BF1DAD04F58F3A4A5797E57B0A8D09878141EC6C1B8ECF02BAE2362275 28FB0A30570FF8288C351290A99B075B665CC4 C:\Users\user\AppData\Roaming\Oracle\bin\java.exe Size (bytes): 191040 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.7499064995642835 PE32 executable (console) Intel 80386, for MS Windows 02E26F23B34336225FB5E33DB36BF08C 5B52DF44ADAEDEF8DF26A2C1CE0A700D8BE84FC5 74E3A20C7CE578D6E8557332921FC19445278092266FE8BCFABD3F5E1629ED4E 396BD293563699F882CD36C8DEDCC669B07AFFDD7280ABC4E14E38DDE93D86D84565EC15621F570998A159CA52 C6C63E07A8C6829AD2526DC298B6E0A3E3F5B1 C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll Size (bytes): 23616 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.619933086072398 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 85A34845252FB6F6D93862CA04E68DB3 
C24E2186CB7C3419822576F07EB06EB7B2B6CC82 1AE3BBFBE8A818B8EF5B9F686FAA1098F47022FFA9570502F9F9F9AE4EE7C9E2 5EECE50EE4CDE9ED25700EF6E12D69AB712EEE50DA0FC896F48D68D434BD97DDD1E65A660C2A5B61B28E354F EC9BF1D31FC558B944EF4C5532C55279C08ABF2F C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl C:\Windows\System32\xcopy.exe PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 160256 Entropy (8bit): 6.482822492204265 Copyright Joe Security LLC 2018 Page 23 of 443

C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl ECC258D267832147756C992E0317B477 4D70E4DB47F9D6329AC463C8C32DBD81CE6F44AF AE5AA1C0F4C8537EA1256498BAB2CEE76A9FF96581CA9466046D139A10608094 E3F7F92FC626CF6054D2B1A6069013D194BB27C5CCE42C44040DDFD684D3A077BE6320E35102442F2BBA7E76FD 732175FFB77252EA8B21BAC286F6EE86D27122 true C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe Size (bytes): 71232 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.3238633737549925 PE32 executable (GUI) Intel 80386, for MS Windows 02675987DB21CE7E022FBA4A25F5ACBF 330B2DC60592A8EF98505F3BB9842DA72639C37A A232D7829CE3494D447C8FF338F4CAA4282B8658272DCD87B71C64609B7F0C3B 9A1A13D0041A5AC44654931024A3B6B83B5D25AF1AA912BC78ED5E96413870F8E2C83F76D0A20EBFDE040EBF84 E9DD674E718163C1CD77763E0BC2C3B947E434 C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll Size (bytes): 57408 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.672223965506744 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows DD5AB5B8D417D25BD53DC56E57B1FA7A E3FFD5566386CB77841FE6E9A8AAFBF3A1D65763 5BF2AD6AA41D4B2377101FF6923BF1AF3251A0A3679E85D91CA19CFEE3729BB2 15DD88281F1B5242F027107297F509B1AA07F0DEF139A2D9EA821D51BA630D329A5A478CD9230AB0AA1635B3BF4 71AAB02CA0E881F142A49859F56ED8DB65D7E C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll Size (bytes): 446528 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.602764367577674 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 13BBFC8DB65E08D4A0C01AAD663D548E 2B69D25934E2E2A54C91BAE38A20965D44D1BD18 575A9EA499B28E0C8BDE0CF02514B81B337CD5B96E4A89724E5D60542556DABE 2ACA80DBFAEA3529A50E5CDEF345436C523621B0BFC0274D0BF43AE650061406887F918696A669204B918971E70 DCF47C2EA1A8F67DA062493A06FD27DB1FBF3 C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll Size (bytes): 126016 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.609255570053583 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 4426045C35A3FABE304041EC992A634F 5AE4FA29E92642D344207D4FE86C85EEC1B2A15A 
E9C0BC532B78549C384FD5637738F4AE04C041CDEB76DD14DD776D5307CB45A2 E580B44AB5661DBE13BC3DB78083DB2ED999CE3D7ADB340613C687C94C66519BDEAFCBBFCBB30198C7D2E9B6 868B61E09CFFDCD153BD597B610A7DCA2BDA53D6 C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\System32\xcopy.exe PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 191552 Entropy (8bit): 6.74460077410831 Copyright Joe Security LLC 2018 Page 24 of 443

C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe F233D34C98F6BB32BB3B3CE7E740EB84 0B2CA11540B830AE37F4125C9387F8C18C8F86AF 2206014DE326CF3151BCEBCFA89BD380C06339680989CD85F3791E81424B27EC D050562B7212ADDAF042ECDDB145AA2D598B48C7A7E848F6809EF1612C63F3EE03F3B37FBFDFF318165249D74C B68DD3C6F76649455EB8E3FA8D6A2A6CA646D8 C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe Size (bytes): 270912 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.418676549554313 PE32 executable (GUI) Intel 80386, for MS Windows 55561AC10D64539FA634E4FCB14D83DF 5C8885EAB1B7F9A63BDADC309F0E07957D259AA5 CA681963C7EDFBD7FF84D6A3FD6325C291CD5BF2D953D388065D78A3CDB08BAC 0957EE9480B62681C5F709A4F080DD2F9E633EA1CD2BE7B5A4AADD9F628738432927BD70BD7C9E2A5A0BE79394 8F4BD924EA098D75C81DF017DB293E3FA6C925 C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll Size (bytes): 13888 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.2751038934745065 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 0820D1B8828A57A20C1F81654F7D5FD3 67BAA79F87A068E78C4424335CA2C1DBCEEC60C7 563D0222814B4DA7F647D9F9BC7E0F076ADB76518D5678442A546C736ECDD639 9FEAB80F9A753D29A269AF22AB6FD457E3469292B6DCC0FD1C3A8F566CBEE75AFC5A516C0D9D5325DF707E783 7C91FB526F8A8A13BAA8ACD66BD0727AF20B1FA C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll Size (bytes): 164416 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.770236513857503 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 4612C44E5DFF2F46220B33FA385DB681 7FCD70F589D1B1DAC2A85D105C521578688F426B A8F53E3FFFE097EAA3737E8FD67AB8C113BF588AF4C67CEC82CE2DF7B1AD03F5 BD6117C1234377824D65615D63FE96BC79709B54BF65C4B9BD9C5F1BEC878A33277C5C1FECFBC84D2496CF9776 B4650278A628E01A6815876147D8BF42A9C7C7 C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll Size (bytes): 22592 C:\Windows\System32\xcopy.exe Entropy (8bit): 6.6179891152565515 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 06F8890A926E2A27CEA332CB2AFAEB4D BA71200957901BE2B3CF66EB98E0C44B3B0F7C4E 
97F457160B38194D58D1F4ED221250196B0F8B00A45CDF916A5F684D97977D77 2F8093405FA8A04A4D1ADF1BB4EAA7591B3A8FA68B76DCBF5E61D790F5CE6D7782B1CFB2AF4DC2D3B655FC94 5EF218D4F1D541EFA95D3579A6A3357558A345EE C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll C:\Windows\System32\xcopy.exe PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Size (bytes): 115264 Entropy (8bit): 6.587627783232986 20898BCAB8A90CD05CFA4ECC9EE87F20 Copyright Joe Security LLC 2018 Page 25 of 443