strrat | ba68c2acc5b4ce72444fd74f4dab6661bad90e865b0992d5ff9bb4afe32f3557

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OCOLZ552720.js
Size

195KB
MD5

86f5e65bcc64e04ba7946d8071f213b1
SHA1

403129cb5514917a278e91e0643f852964912c03
SHA256

ba68c2acc5b4ce72444fd74f4dab6661bad90e865b0992d5ff9bb4afe32f3557
SHA512

8580b921516571a57edcf22de46be1b938167a19278fa1f2eb3de6994198a9d6e3d305f18dfe1ed8e293c2ab0ffb2464a5788756c3be3fd02cb352b5af3d691d

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtwfngte.txt java.exe
Loads dropped DLL 3 IoCs

Processes:

java.exejava.exejava.exe

pid process

4024 java.exe
3108 java.exe
2100 java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtwfngte.txt	java.exe

pid	process
4024	java.exe
3108	java.exe
2100	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java.exejava.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\rtwfngte = "\"C:\\Users\\Admin\\AppData\\Roaming\\rtwfngte.txt\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rtwfngte = "\"C:\\Users\\Admin\\AppData\\Roaming\\rtwfngte.txt\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2180 schtasks.exe

flow	ioc
22	ip-api.com

pid	process
2180	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	612	WMIC.exe
Token: SeSecurityPrivilege	612	WMIC.exe
Token: SeTakeOwnershipPrivilege	612	WMIC.exe
Token: SeLoadDriverPrivilege	612	WMIC.exe
Token: SeSystemProfilePrivilege	612	WMIC.exe
Token: SeSystemtimePrivilege	612	WMIC.exe
Token: SeProfSingleProcessPrivilege	612	WMIC.exe
Token: SeIncBasePriorityPrivilege	612	WMIC.exe
Token: SeCreatePagefilePrivilege	612	WMIC.exe
Token: SeBackupPrivilege	612	WMIC.exe
Token: SeRestorePrivilege	612	WMIC.exe
Token: SeShutdownPrivilege	612	WMIC.exe
Token: SeDebugPrivilege	612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	612	WMIC.exe
Token: SeRemoteShutdownPrivilege	612	WMIC.exe
Token: SeUndockPrivilege	612	WMIC.exe
Token: SeManageVolumePrivilege	612	WMIC.exe
Token: 33	612	WMIC.exe
Token: 34	612	WMIC.exe
Token: 35	612	WMIC.exe
Token: 36	612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	612	WMIC.exe
Token: SeSecurityPrivilege	612	WMIC.exe
Token: SeTakeOwnershipPrivilege	612	WMIC.exe
Token: SeLoadDriverPrivilege	612	WMIC.exe
Token: SeSystemProfilePrivilege	612	WMIC.exe
Token: SeSystemtimePrivilege	612	WMIC.exe
Token: SeProfSingleProcessPrivilege	612	WMIC.exe
Token: SeIncBasePriorityPrivilege	612	WMIC.exe
Token: SeCreatePagefilePrivilege	612	WMIC.exe
Token: SeBackupPrivilege	612	WMIC.exe
Token: SeRestorePrivilege	612	WMIC.exe
Token: SeShutdownPrivilege	612	WMIC.exe
Token: SeDebugPrivilege	612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	612	WMIC.exe
Token: SeRemoteShutdownPrivilege	612	WMIC.exe
Token: SeUndockPrivilege	612	WMIC.exe
Token: SeManageVolumePrivilege	612	WMIC.exe
Token: 33	612	WMIC.exe
Token: 34	612	WMIC.exe
Token: 35	612	WMIC.exe
Token: 36	612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe
Token: SeManageVolumePrivilege	3892	WMIC.exe
Token: 33	3892	WMIC.exe
Token: 34	3892	WMIC.exe
Token: 35	3892	WMIC.exe
Token: 36	3892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

wscript.exejavaw.exewscript.exejavaw.exejava.execmd.exejava.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1036 wrote to memory of 2612	1036	wscript.exe	javaw.exe
PID 1036 wrote to memory of 2612	1036	wscript.exe	javaw.exe
PID 2612 wrote to memory of 3244	2612	javaw.exe	wscript.exe
PID 2612 wrote to memory of 3244	2612	javaw.exe	wscript.exe
PID 3244 wrote to memory of 2756	3244	wscript.exe	javaw.exe
PID 3244 wrote to memory of 2756	3244	wscript.exe	javaw.exe
PID 2756 wrote to memory of 4024	2756	javaw.exe	java.exe
PID 2756 wrote to memory of 4024	2756	javaw.exe	java.exe
PID 4024 wrote to memory of 188	4024	java.exe	cmd.exe
PID 4024 wrote to memory of 188	4024	java.exe	cmd.exe
PID 4024 wrote to memory of 3108	4024	java.exe	java.exe
PID 4024 wrote to memory of 3108	4024	java.exe	java.exe
PID 188 wrote to memory of 2180	188	cmd.exe	schtasks.exe
PID 188 wrote to memory of 2180	188	cmd.exe	schtasks.exe
PID 3108 wrote to memory of 2100	3108	java.exe	java.exe
PID 3108 wrote to memory of 2100	3108	java.exe	java.exe
PID 3108 wrote to memory of 3060	3108	java.exe	cmd.exe
PID 3108 wrote to memory of 3060	3108	java.exe	cmd.exe
PID 3060 wrote to memory of 612	3060	cmd.exe	WMIC.exe
PID 3060 wrote to memory of 612	3060	cmd.exe	WMIC.exe
PID 3108 wrote to memory of 4048	3108	java.exe	cmd.exe
PID 3108 wrote to memory of 4048	3108	java.exe	cmd.exe
PID 4048 wrote to memory of 3892	4048	cmd.exe	WMIC.exe
PID 4048 wrote to memory of 3892	4048	cmd.exe	WMIC.exe
PID 3108 wrote to memory of 1348	3108	java.exe	cmd.exe
PID 3108 wrote to memory of 1348	3108	java.exe	cmd.exe
PID 1348 wrote to memory of 2196	1348	cmd.exe	WMIC.exe
PID 1348 wrote to memory of 2196	1348	cmd.exe	WMIC.exe
PID 3108 wrote to memory of 1320	3108	java.exe	cmd.exe
PID 3108 wrote to memory of 1320	3108	java.exe	cmd.exe
PID 1320 wrote to memory of 804	1320	cmd.exe	WMIC.exe
PID 1320 wrote to memory of 804	1320	cmd.exe	WMIC.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\OCOLZ552720.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bwkbv.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\fquimaihdd.js
3⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
4⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\rtwfngte.txt"
5⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3108

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
7⤵
- Loads dropped DLL
- Adds Run key to start application
PID:2100

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
7⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
7⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
7⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
7⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
8⤵
PID:804

C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
6⤵
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
7⤵
- Creates scheduled task(s)
PID:2180

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
1⤵
PID:2196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD5
29d27d3eb502ab954775fdd49198a60c

SHA1
26d8acd31bf7b6c59b7d56bfba0da8e5f74f895e

SHA256
a40eccf26e7768d4bdc79aa815b5167b10e9ab81905b6b5f8d331a3570efc9a1

SHA512
8d1d83424caed8074a1313b70f8297837111292ab182f53171700ddf4098669120b882f8361d9a22bcb49106e24f3c3c116c845c791c90f8486a28590889af39

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5665664333553481247.dll
MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna8825707140264237711.dll
MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\83aa4cc77f591dfc2374580bbd95f6ba_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\bwkbv.txt
MD5
8c8bd4c98378cbfd170cef3fea63ad10

SHA1
289800651479f0f5180c2bd85330933cd84d9f55

SHA256
e0384f56f6db64896fbc40b41f82e2559abf10880fd618677867c23d45ab003c

SHA512
95cb754afd2e61f8849b640c14ee1940667d29f6cf215664c17e3206ad58e236ccea2cc0070f9d2246b92257db5361804053f30f2a9dd25ad39cbc0f0f9bd163

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar
MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar
MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar
MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar
MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\AppData\Roaming\plugins.jar
MD5
0414a9d9911fa094e029be12bf629f6b

SHA1
987e79d11e4240c387d3009894f8f29dbfb3c940

SHA256
98528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4

SHA512
0bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3

Download Submit
C:\Users\Admin\AppData\Roaming\rtwfngte.txt
MD5
0414a9d9911fa094e029be12bf629f6b

SHA1
987e79d11e4240c387d3009894f8f29dbfb3c940

SHA256
98528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4

SHA512
0bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3

Download Submit
C:\Users\Admin\AppData\Roaming\rtwfngte.txt
MD5
0414a9d9911fa094e029be12bf629f6b

SHA1
987e79d11e4240c387d3009894f8f29dbfb3c940

SHA256
98528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4

SHA512
0bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3

Download Submit
C:\Users\Admin\fquimaihdd.js
MD5
b544135c8bde6ae3eb47f3fffab790e0

SHA1
127e34ec41a98affd2c3ca2e6c51aa9678363771

SHA256
88917bfabede7854485f688d3b0e1f3fa49e49cd4935b58df0bca5e9c975ecd5

SHA512
df0448ac0e1353401222a29ef4f30bb40f2dd0583b2d8101f6f7d725b25636d3b6f9c51d452627d06dcc704ab7c872c9c46c469431b4952db1402d29843aeffc

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar
MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar
MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar
MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\rtwfngte.txt
MD5
0414a9d9911fa094e029be12bf629f6b

SHA1
987e79d11e4240c387d3009894f8f29dbfb3c940

SHA256
98528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4

SHA512
0bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna5665664333553481247.dll
MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna7766916446325736793.dll
MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna8825707140264237711.dll
MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
memory/188-54-0x0000000000000000-mapping.dmp

Download
memory/612-84-0x0000000000000000-mapping.dmp

Download
memory/804-95-0x0000000000000000-mapping.dmp

Download
memory/1320-94-0x0000000000000000-mapping.dmp

Download
memory/1348-92-0x0000000000000000-mapping.dmp

Download
memory/2100-72-0x0000000000000000-mapping.dmp

Download
memory/2180-58-0x0000000000000000-mapping.dmp

Download
memory/2196-93-0x0000000000000000-mapping.dmp

Download
memory/2612-2-0x0000000000000000-mapping.dmp

Download
memory/2756-7-0x0000000000000000-mapping.dmp

Download
memory/3060-80-0x0000000000000000-mapping.dmp

Download
memory/3108-55-0x0000000000000000-mapping.dmp

Download
memory/3244-5-0x0000000000000000-mapping.dmp

Download
memory/3892-91-0x0000000000000000-mapping.dmp

Download
memory/4024-39-0x0000000000000000-mapping.dmp

Download
memory/4048-90-0x0000000000000000-mapping.dmp

Download