ShippingDoc.jar

General
Target

ShippingDoc.jar

Filesize

166KB

Completed

18-11-2020 12:35

Score
10 /10
MD5

335c639a4ea7c94f9c53d1e793f08f45

SHA1

d4d26a79b9c0e80b2ecee65f850f6fed21cbbaa2

SHA256

c5efeacdeadcc98e8194c98b92a0a8d385f70a3b76bc32a85d90782b2721425f

Malware Config
Signatures 10

Filter: none

Defense Evasion
Discovery
Persistence
  • STRRAT

    Description

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

  • Drops startup file
    java.exe

    Reported IOCs

    descriptioniocprocess
    File createdC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\okmmzdmwla.txtjava.exe
  • Loads dropped DLL
    java.exejava.exejava.exe

    Reported IOCs

    pidprocess
    3788java.exe
    1344java.exe
    1308java.exe
  • Adds Run key to start application
    java.exejava.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\okmmzdmwla = "\"C:\\Users\\Admin\\AppData\\Roaming\\okmmzdmwla.txt\""java.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"java.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"java.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\okmmzdmwla = "\"C:\\Users\\Admin\\AppData\\Roaming\\okmmzdmwla.txt\""java.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flowioc
    27ip-api.com
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pidprocess
    2740schtasks.exe
  • Suspicious use of AdjustPrivilegeToken
    WMIC.exeWMIC.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeIncreaseQuotaPrivilege192WMIC.exe
    Token: SeSecurityPrivilege192WMIC.exe
    Token: SeTakeOwnershipPrivilege192WMIC.exe
    Token: SeLoadDriverPrivilege192WMIC.exe
    Token: SeSystemProfilePrivilege192WMIC.exe
    Token: SeSystemtimePrivilege192WMIC.exe
    Token: SeProfSingleProcessPrivilege192WMIC.exe
    Token: SeIncBasePriorityPrivilege192WMIC.exe
    Token: SeCreatePagefilePrivilege192WMIC.exe
    Token: SeBackupPrivilege192WMIC.exe
    Token: SeRestorePrivilege192WMIC.exe
    Token: SeShutdownPrivilege192WMIC.exe
    Token: SeDebugPrivilege192WMIC.exe
    Token: SeSystemEnvironmentPrivilege192WMIC.exe
    Token: SeRemoteShutdownPrivilege192WMIC.exe
    Token: SeUndockPrivilege192WMIC.exe
    Token: SeManageVolumePrivilege192WMIC.exe
    Token: 33192WMIC.exe
    Token: 34192WMIC.exe
    Token: 35192WMIC.exe
    Token: 36192WMIC.exe
    Token: SeIncreaseQuotaPrivilege192WMIC.exe
    Token: SeSecurityPrivilege192WMIC.exe
    Token: SeTakeOwnershipPrivilege192WMIC.exe
    Token: SeLoadDriverPrivilege192WMIC.exe
    Token: SeSystemProfilePrivilege192WMIC.exe
    Token: SeSystemtimePrivilege192WMIC.exe
    Token: SeProfSingleProcessPrivilege192WMIC.exe
    Token: SeIncBasePriorityPrivilege192WMIC.exe
    Token: SeCreatePagefilePrivilege192WMIC.exe
    Token: SeBackupPrivilege192WMIC.exe
    Token: SeRestorePrivilege192WMIC.exe
    Token: SeShutdownPrivilege192WMIC.exe
    Token: SeDebugPrivilege192WMIC.exe
    Token: SeSystemEnvironmentPrivilege192WMIC.exe
    Token: SeRemoteShutdownPrivilege192WMIC.exe
    Token: SeUndockPrivilege192WMIC.exe
    Token: SeManageVolumePrivilege192WMIC.exe
    Token: 33192WMIC.exe
    Token: 34192WMIC.exe
    Token: 35192WMIC.exe
    Token: 36192WMIC.exe
    Token: SeIncreaseQuotaPrivilege2640WMIC.exe
    Token: SeSecurityPrivilege2640WMIC.exe
    Token: SeTakeOwnershipPrivilege2640WMIC.exe
    Token: SeLoadDriverPrivilege2640WMIC.exe
    Token: SeSystemProfilePrivilege2640WMIC.exe
    Token: SeSystemtimePrivilege2640WMIC.exe
    Token: SeProfSingleProcessPrivilege2640WMIC.exe
    Token: SeIncBasePriorityPrivilege2640WMIC.exe
    Token: SeCreatePagefilePrivilege2640WMIC.exe
    Token: SeBackupPrivilege2640WMIC.exe
    Token: SeRestorePrivilege2640WMIC.exe
    Token: SeShutdownPrivilege2640WMIC.exe
    Token: SeDebugPrivilege2640WMIC.exe
    Token: SeSystemEnvironmentPrivilege2640WMIC.exe
    Token: SeRemoteShutdownPrivilege2640WMIC.exe
    Token: SeUndockPrivilege2640WMIC.exe
    Token: SeManageVolumePrivilege2640WMIC.exe
    Token: 332640WMIC.exe
    Token: 342640WMIC.exe
    Token: 352640WMIC.exe
    Token: 362640WMIC.exe
    Token: SeIncreaseQuotaPrivilege2640WMIC.exe
  • Suspicious use of WriteProcessMemory
    java.exewscript.exejavaw.exejava.execmd.exejava.execmd.execmd.execmd.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 3484 wrote to memory of 34123484java.exewscript.exe
    PID 3484 wrote to memory of 34123484java.exewscript.exe
    PID 3412 wrote to memory of 29403412wscript.exejavaw.exe
    PID 3412 wrote to memory of 29403412wscript.exejavaw.exe
    PID 2940 wrote to memory of 37882940javaw.exejava.exe
    PID 2940 wrote to memory of 37882940javaw.exejava.exe
    PID 3788 wrote to memory of 13563788java.execmd.exe
    PID 3788 wrote to memory of 13563788java.execmd.exe
    PID 3788 wrote to memory of 13443788java.exejava.exe
    PID 3788 wrote to memory of 13443788java.exejava.exe
    PID 1356 wrote to memory of 27401356cmd.exeschtasks.exe
    PID 1356 wrote to memory of 27401356cmd.exeschtasks.exe
    PID 1344 wrote to memory of 13081344java.exejava.exe
    PID 1344 wrote to memory of 13081344java.exejava.exe
    PID 1344 wrote to memory of 5921344java.execmd.exe
    PID 1344 wrote to memory of 5921344java.execmd.exe
    PID 592 wrote to memory of 192592cmd.exeWMIC.exe
    PID 592 wrote to memory of 192592cmd.exeWMIC.exe
    PID 1344 wrote to memory of 10761344java.execmd.exe
    PID 1344 wrote to memory of 10761344java.execmd.exe
    PID 1076 wrote to memory of 26401076cmd.exeWMIC.exe
    PID 1076 wrote to memory of 26401076cmd.exeWMIC.exe
    PID 1344 wrote to memory of 39281344java.execmd.exe
    PID 1344 wrote to memory of 39281344java.execmd.exe
    PID 3928 wrote to memory of 24083928cmd.exeWMIC.exe
    PID 3928 wrote to memory of 24083928cmd.exeWMIC.exe
    PID 1344 wrote to memory of 34281344java.execmd.exe
    PID 1344 wrote to memory of 34281344java.execmd.exe
    PID 3428 wrote to memory of 40443428cmd.exeWMIC.exe
    PID 3428 wrote to memory of 40443428cmd.exeWMIC.exe
Processes 16
  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\ShippingDoc.jar
    Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\mlqvxdkryi.js
      Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt"
        Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\okmmzdmwla.txt"
          Drops startup file
          Loads dropped DLL
          Adds Run key to start application
          Suspicious use of WriteProcessMemory
          PID:3788
          • C:\Windows\SYSTEM32\cmd.exe
            cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt"
            Suspicious use of WriteProcessMemory
            PID:1356
            • C:\Windows\system32\schtasks.exe
              schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt"
              Creates scheduled task(s)
              PID:2740
          • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
            "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt"
            Loads dropped DLL
            Suspicious use of WriteProcessMemory
            PID:1344
            • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
              "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
              Loads dropped DLL
              Adds Run key to start application
              PID:1308
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
              Suspicious use of WriteProcessMemory
              PID:592
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
                Suspicious use of AdjustPrivilegeToken
                PID:192
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
              Suspicious use of WriteProcessMemory
              PID:1076
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
                Suspicious use of AdjustPrivilegeToken
                PID:2640
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
              Suspicious use of WriteProcessMemory
              PID:3928
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
                PID:2408
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
              Suspicious use of WriteProcessMemory
              PID:3428
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
                PID:4044
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads
                    • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

                      MD5

                      3b211fed0a8172bdf72c10e0e884df0c

                      SHA1

                      60a839d7f22455d9bad7c20065507424e606857f

                      SHA256

                      bbf7765f96526bb9c734ac41d4cfcd2492eeda974dce9c4fc8ce52e8bec54f69

                      SHA512

                      ca4b64468a2ca42b5440eaa037f3b1212e817f1e034dd8e1f07c3ec24d0ad8cf05da06afd733c52a05454a1036ae79ced4cdebb44cd997f3b6d6d1e8c7b9aaf8

                    • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

                      MD5

                      d41d8cd98f00b204e9800998ecf8427e

                      SHA1

                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                      SHA256

                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                      SHA512

                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

                      MD5

                      d41d8cd98f00b204e9800998ecf8427e

                      SHA1

                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                      SHA256

                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                      SHA512

                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

                      MD5

                      d41d8cd98f00b204e9800998ecf8427e

                      SHA1

                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                      SHA256

                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                      SHA512

                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    • C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5996235722996322311.dll

                      MD5

                      e02979ecd43bcc9061eb2b494ab5af50

                      SHA1

                      3122ac0e751660f646c73b10c4f79685aa65c545

                      SHA256

                      a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

                      SHA512

                      1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

                    • C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna6307305913522683492.dll

                      MD5

                      e02979ecd43bcc9061eb2b494ab5af50

                      SHA1

                      3122ac0e751660f646c73b10c4f79685aa65c545

                      SHA256

                      a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

                      SHA512

                      1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1985363256-3005190890-1182679451-1000\83aa4cc77f591dfc2374580bbd95f6ba_72727c5d-8d0e-47bb-8579-8067735277ff

                      MD5

                      c8366ae350e7019aefc9d1e6e6a498c6

                      SHA1

                      5731d8a3e6568a5f2dfbbc87e3db9637df280b61

                      SHA256

                      11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

                      SHA512

                      33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

                    • C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

                      MD5

                      acfb5b5fd9ee10bf69497792fd469f85

                      SHA1

                      0e0845217c4907822403912ad6828d8e0b256208

                      SHA256

                      b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

                      SHA512

                      e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

                    • C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

                      MD5

                      2f4a99c2758e72ee2b59a73586a2322f

                      SHA1

                      af38e7c4d0fc73c23ecd785443705bfdee5b90bf

                      SHA256

                      24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

                      SHA512

                      b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

                    • C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

                      MD5

                      b33387e15ab150a7bf560abdc73c3bec

                      SHA1

                      66b8075784131f578ef893fd7674273f709b9a4c

                      SHA256

                      2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

                      SHA512

                      25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

                    • C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

                      MD5

                      e1aa38a1e78a76a6de73efae136cdb3a

                      SHA1

                      c463da71871f780b2e2e5dba115d43953b537daf

                      SHA256

                      2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

                      SHA512

                      fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

                    • C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt

                      MD5

                      d2467c3440de01371bbe7e92928cfd8f

                      SHA1

                      73912f01890da9c5195499d2aa3f50a8e576e779

                      SHA256

                      7f9937a49a711293d64dc57b790156324002c2783dea1830a0400b226ca8eb23

                      SHA512

                      a1b8890b25523c45599fa651ef9add61ef15939602c35b2fc7a7bea22110ea9ff9a3fd7d01dd05b0c374562e44c32f5372f12f3aabe3c2facb7515bfa1541820

                    • C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt

                      MD5

                      d2467c3440de01371bbe7e92928cfd8f

                      SHA1

                      73912f01890da9c5195499d2aa3f50a8e576e779

                      SHA256

                      7f9937a49a711293d64dc57b790156324002c2783dea1830a0400b226ca8eb23

                      SHA512

                      a1b8890b25523c45599fa651ef9add61ef15939602c35b2fc7a7bea22110ea9ff9a3fd7d01dd05b0c374562e44c32f5372f12f3aabe3c2facb7515bfa1541820

                    • C:\Users\Admin\AppData\Roaming\plugins.jar

                      MD5

                      d2467c3440de01371bbe7e92928cfd8f

                      SHA1

                      73912f01890da9c5195499d2aa3f50a8e576e779

                      SHA256

                      7f9937a49a711293d64dc57b790156324002c2783dea1830a0400b226ca8eb23

                      SHA512

                      a1b8890b25523c45599fa651ef9add61ef15939602c35b2fc7a7bea22110ea9ff9a3fd7d01dd05b0c374562e44c32f5372f12f3aabe3c2facb7515bfa1541820

                    • C:\Users\Admin\lib\jna-5.5.0.jar

                      MD5

                      acfb5b5fd9ee10bf69497792fd469f85

                      SHA1

                      0e0845217c4907822403912ad6828d8e0b256208

                      SHA256

                      b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

                      SHA512

                      e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

                    • C:\Users\Admin\lib\jna-platform-5.5.0.jar

                      MD5

                      2f4a99c2758e72ee2b59a73586a2322f

                      SHA1

                      af38e7c4d0fc73c23ecd785443705bfdee5b90bf

                      SHA256

                      24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

                      SHA512

                      b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

                    • C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

                      MD5

                      b33387e15ab150a7bf560abdc73c3bec

                      SHA1

                      66b8075784131f578ef893fd7674273f709b9a4c

                      SHA256

                      2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

                      SHA512

                      25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

                    • C:\Users\Admin\lib\system-hook-3.5.jar

                      MD5

                      e1aa38a1e78a76a6de73efae136cdb3a

                      SHA1

                      c463da71871f780b2e2e5dba115d43953b537daf

                      SHA256

                      2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

                      SHA512

                      fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

                    • C:\Users\Admin\mlqvxdkryi.js

                      MD5

                      69fe560c0563f8bc5cf632cb589bb802

                      SHA1

                      bc18c3fcbd8465c008de98051ff9a9df936a47be

                      SHA256

                      a6498f86cc038a0ba27480cd97c90d40454c3247049ef269b45ac919832c9aaf

                      SHA512

                      04c3167e3b5a01289eb61ca69e551d42b4bfc7783a57f08b4a5d478b8deadf9c48d1da53edbe7f5c830ac74c904f65aa34605375c46042c7ede9a26387f05455

                    • C:\Users\Admin\okmmzdmwla.txt

                      MD5

                      d2467c3440de01371bbe7e92928cfd8f

                      SHA1

                      73912f01890da9c5195499d2aa3f50a8e576e779

                      SHA256

                      7f9937a49a711293d64dc57b790156324002c2783dea1830a0400b226ca8eb23

                      SHA512

                      a1b8890b25523c45599fa651ef9add61ef15939602c35b2fc7a7bea22110ea9ff9a3fd7d01dd05b0c374562e44c32f5372f12f3aabe3c2facb7515bfa1541820

                    • \Users\Admin\AppData\Local\Temp\jna-63116079\jna4485292194043496342.dll

                      MD5

                      e02979ecd43bcc9061eb2b494ab5af50

                      SHA1

                      3122ac0e751660f646c73b10c4f79685aa65c545

                      SHA256

                      a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

                      SHA512

                      1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

                    • \Users\Admin\AppData\Local\Temp\jna-63116079\jna5996235722996322311.dll

                      MD5

                      e02979ecd43bcc9061eb2b494ab5af50

                      SHA1

                      3122ac0e751660f646c73b10c4f79685aa65c545

                      SHA256

                      a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

                      SHA512

                      1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

                    • \Users\Admin\AppData\Local\Temp\jna-63116079\jna6307305913522683492.dll

                      MD5

                      e02979ecd43bcc9061eb2b494ab5af50

                      SHA1

                      3122ac0e751660f646c73b10c4f79685aa65c545

                      SHA256

                      a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

                      SHA512

                      1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

                    • memory/192-79-0x0000000000000000-mapping.dmp

                    • memory/592-78-0x0000000000000000-mapping.dmp

                    • memory/1076-85-0x0000000000000000-mapping.dmp

                    • memory/1308-70-0x0000000000000000-mapping.dmp

                    • memory/1344-52-0x0000000000000000-mapping.dmp

                    • memory/1356-51-0x0000000000000000-mapping.dmp

                    • memory/2408-92-0x0000000000000000-mapping.dmp

                    • memory/2640-86-0x0000000000000000-mapping.dmp

                    • memory/2740-55-0x0000000000000000-mapping.dmp

                    • memory/2940-4-0x0000000000000000-mapping.dmp

                    • memory/3412-1-0x0000000000000000-mapping.dmp

                    • memory/3428-93-0x0000000000000000-mapping.dmp

                    • memory/3788-36-0x0000000000000000-mapping.dmp

                    • memory/3928-90-0x0000000000000000-mapping.dmp

                    • memory/4044-94-0x0000000000000000-mapping.dmp