adwind | 00ef6637bea63d139f497f9b19c72bc526b85ab40d4ed62a1558930c0ebaa6e5

Analysis

max time kernel
149s
max time network
198s
platform
windows7_x64
resource
win7v20210408
submitted
02-06-2021 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Customers Copy.jar
Size

88KB
MD5

0e55c05d788d4da90b52984d7728a897
SHA1

b5aae7d06d912aaa6b97c4363dab857f03f2c7b9
SHA256

00ef6637bea63d139f497f9b19c72bc526b85ab40d4ed62a1558930c0ebaa6e5
SHA512

879158d6afb38b4a1744e421d758f301b097224d6b55076904c9b06ecdc3dee64ef09824881fe6d3f9e599aca99805af54354b9f4c07a06c0421023bea6b5cf5

Score

10^/10

adwind strrat evasion persistence stealer trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

javaw.exejava.exe

pid process

948 javaw.exe
1364 java.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Customers Copy.jar java.exe

pid	process
948	javaw.exe
1364	java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Customers Copy.jar	java.exe

Loads dropped DLL 32 IoCs

Processes:

java.exejava.exejavaw.exejavaw.exejava.exe

pid	process
372	java.exe
952	java.exe
836	javaw.exe
836	javaw.exe
836	javaw.exe
876
876
948	javaw.exe
948	javaw.exe
948	javaw.exe
948	javaw.exe
948	javaw.exe
948	javaw.exe
948	javaw.exe
948	javaw.exe
876
876
1364	java.exe
1364	java.exe
1364	java.exe
1364	java.exe
1364	java.exe
948	javaw.exe
948	javaw.exe
1364	java.exe
1364	java.exe
1364	java.exe
1364	java.exe
948	javaw.exe
1364	java.exe
1364	java.exe
948	javaw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exejava.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\RRJvkyviJbr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\kuyhxmFvQrH\\zthyVCIRQGW.AbUcwv\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Customers Copy = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Customers Copy.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Customers Copy = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Customers Copy.jar\""	java.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com

flow	ioc
14	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

javaw.exejavaw.exejava.exe

description	ioc	process
File created	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1376 schtasks.exe

pid	process
1376	schtasks.exe

Kills process with taskkill 19 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
868	taskkill.exe
988	taskkill.exe
664	taskkill.exe
1752	taskkill.exe
1172	taskkill.exe
1692	taskkill.exe
780	taskkill.exe
1248	taskkill.exe
1500	taskkill.exe
1600	taskkill.exe
1928	taskkill.exe
944	taskkill.exe
1580	taskkill.exe
1272	taskkill.exe
1564	taskkill.exe
1740	taskkill.exe
1996	taskkill.exe
1980	taskkill.exe
108	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1360 reg.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

924 regedit.exe

pid	process
1360	reg.exe

pid	process
924	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemProfilePrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeProfSingleProcessPrivilege	1740	WMIC.exe
Token: SeIncBasePriorityPrivilege	1740	WMIC.exe
Token: SeCreatePagefilePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeDebugPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeRemoteShutdownPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: 33	1740	WMIC.exe
Token: 34	1740	WMIC.exe
Token: 35	1740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemProfilePrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeProfSingleProcessPrivilege	1740	WMIC.exe
Token: SeIncBasePriorityPrivilege	1740	WMIC.exe
Token: SeCreatePagefilePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeDebugPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeRemoteShutdownPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: 33	1740	WMIC.exe
Token: 34	1740	WMIC.exe
Token: 35	1740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe
Token: SeSystemProfilePrivilege	988	WMIC.exe
Token: SeSystemtimePrivilege	988	WMIC.exe
Token: SeProfSingleProcessPrivilege	988	WMIC.exe
Token: SeIncBasePriorityPrivilege	988	WMIC.exe
Token: SeCreatePagefilePrivilege	988	WMIC.exe
Token: SeBackupPrivilege	988	WMIC.exe
Token: SeRestorePrivilege	988	WMIC.exe
Token: SeShutdownPrivilege	988	WMIC.exe
Token: SeDebugPrivilege	988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	988	WMIC.exe
Token: SeRemoteShutdownPrivilege	988	WMIC.exe
Token: SeUndockPrivilege	988	WMIC.exe
Token: SeManageVolumePrivilege	988	WMIC.exe
Token: 33	988	WMIC.exe
Token: 34	988	WMIC.exe
Token: 35	988	WMIC.exe
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

java.exejavaw.exejavaw.exejava.exejava.exe

pid process

588 java.exe
836 javaw.exe
948 javaw.exe
1364 java.exe
952 java.exe

pid	process
588	java.exe
836	javaw.exe
948	javaw.exe
1364	java.exe
952	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exejava.execmd.exejava.execmd.execmd.execmd.execmd.exejava.exewscript.exejavaw.exejava.execmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 372	2016	java.exe	java.exe
PID 2016 wrote to memory of 372	2016	java.exe	java.exe
PID 2016 wrote to memory of 372	2016	java.exe	java.exe
PID 372 wrote to memory of 588	372	java.exe	cmd.exe
PID 372 wrote to memory of 588	372	java.exe	cmd.exe
PID 372 wrote to memory of 588	372	java.exe	cmd.exe
PID 372 wrote to memory of 952	372	java.exe	java.exe
PID 372 wrote to memory of 952	372	java.exe	java.exe
PID 372 wrote to memory of 952	372	java.exe	java.exe
PID 588 wrote to memory of 1376	588	cmd.exe	schtasks.exe
PID 588 wrote to memory of 1376	588	cmd.exe	schtasks.exe
PID 588 wrote to memory of 1376	588	cmd.exe	schtasks.exe
PID 952 wrote to memory of 1752	952	java.exe	cmd.exe
PID 952 wrote to memory of 1752	952	java.exe	cmd.exe
PID 952 wrote to memory of 1752	952	java.exe	cmd.exe
PID 1752 wrote to memory of 1740	1752	cmd.exe	WMIC.exe
PID 1752 wrote to memory of 1740	1752	cmd.exe	WMIC.exe
PID 1752 wrote to memory of 1740	1752	cmd.exe	WMIC.exe
PID 952 wrote to memory of 1564	952	java.exe	cmd.exe
PID 952 wrote to memory of 1564	952	java.exe	cmd.exe
PID 952 wrote to memory of 1564	952	java.exe	cmd.exe
PID 1564 wrote to memory of 988	1564	cmd.exe	WMIC.exe
PID 1564 wrote to memory of 988	1564	cmd.exe	WMIC.exe
PID 1564 wrote to memory of 988	1564	cmd.exe	WMIC.exe
PID 952 wrote to memory of 868	952	java.exe	cmd.exe
PID 952 wrote to memory of 868	952	java.exe	cmd.exe
PID 952 wrote to memory of 868	952	java.exe	cmd.exe
PID 868 wrote to memory of 1964	868	cmd.exe	WMIC.exe
PID 868 wrote to memory of 1964	868	cmd.exe	WMIC.exe
PID 868 wrote to memory of 1964	868	cmd.exe	WMIC.exe
PID 952 wrote to memory of 1512	952	java.exe	cmd.exe
PID 952 wrote to memory of 1512	952	java.exe	cmd.exe
PID 952 wrote to memory of 1512	952	java.exe	cmd.exe
PID 1512 wrote to memory of 924	1512	cmd.exe	WMIC.exe
PID 1512 wrote to memory of 924	1512	cmd.exe	WMIC.exe
PID 1512 wrote to memory of 924	1512	cmd.exe	WMIC.exe
PID 952 wrote to memory of 1120	952	java.exe	java.exe
PID 952 wrote to memory of 1120	952	java.exe	java.exe
PID 952 wrote to memory of 1120	952	java.exe	java.exe
PID 1120 wrote to memory of 484	1120	java.exe	wscript.exe
PID 1120 wrote to memory of 484	1120	java.exe	wscript.exe
PID 1120 wrote to memory of 484	1120	java.exe	wscript.exe
PID 484 wrote to memory of 836	484	wscript.exe	javaw.exe
PID 484 wrote to memory of 836	484	wscript.exe	javaw.exe
PID 484 wrote to memory of 836	484	wscript.exe	javaw.exe
PID 836 wrote to memory of 588	836	javaw.exe	java.exe
PID 836 wrote to memory of 588	836	javaw.exe	java.exe
PID 836 wrote to memory of 588	836	javaw.exe	java.exe
PID 836 wrote to memory of 300	836	javaw.exe	cmd.exe
PID 836 wrote to memory of 300	836	javaw.exe	cmd.exe
PID 836 wrote to memory of 300	836	javaw.exe	cmd.exe
PID 588 wrote to memory of 760	588	java.exe	cmd.exe
PID 588 wrote to memory of 760	588	java.exe	cmd.exe
PID 588 wrote to memory of 760	588	java.exe	cmd.exe
PID 760 wrote to memory of 1948	760	cmd.exe	cscript.exe
PID 760 wrote to memory of 1948	760	cmd.exe	cscript.exe
PID 760 wrote to memory of 1948	760	cmd.exe	cscript.exe
PID 300 wrote to memory of 1712	300	cmd.exe	cscript.exe
PID 300 wrote to memory of 1712	300	cmd.exe	cscript.exe
PID 300 wrote to memory of 1712	300	cmd.exe	cscript.exe
PID 836 wrote to memory of 1996	836	javaw.exe	cmd.exe
PID 836 wrote to memory of 1996	836	javaw.exe	cmd.exe
PID 836 wrote to memory of 1996	836	javaw.exe	cmd.exe
PID 588 wrote to memory of 1368	588	java.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

540 attrib.exe
1928 attrib.exe

pid	process
540	attrib.exe
1928	attrib.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Customers Copy.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\Customers Copy.jar"
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Customers Copy.jar"
3⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Customers Copy.jar"
4⤵
- Creates scheduled task(s)
PID:1376

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Customers Copy.jar"
3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
4⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
4⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
4⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
5⤵
PID:1964

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
4⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
5⤵
PID:924

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\receipt.jar"
4⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\hycsfofdht.js
5⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\jdyqzmpym.txt"
6⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.80446308360856667871353963351704566.class
7⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1403877700186143963.vbs
8⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1403877700186143963.vbs
9⤵
PID:1948

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1275896825141208254.vbs
8⤵
PID:1368

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1275896825141208254.vbs
9⤵
PID:1008

C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
8⤵
PID:1896

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4165803751068843872.vbs
7⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4165803751068843872.vbs
8⤵
PID:1712

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7514274224279796080.vbs
7⤵
PID:1996

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7514274224279796080.vbs
8⤵
PID:904

C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
7⤵
PID:600

C:\Windows\system32\cmd.exe
cmd.exe
7⤵
PID:1504

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v RRJvkyviJbr /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\kuyhxmFvQrH\zthyVCIRQGW.AbUcwv\"" /f
7⤵
- Adds Run key to start application
- Modifies registry key
PID:1360

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\kuyhxmFvQrH\*.*"
7⤵
- Views/modifies file attributes
PID:1928

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\kuyhxmFvQrH"
7⤵
- Views/modifies file attributes
PID:540

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\kuyhxmFvQrH\zthyVCIRQGW.AbUcwv
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:948

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.8319879651794484828982461699196897.class
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7206209706112653969.vbs
9⤵
PID:1172

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7206209706112653969.vbs
10⤵
PID:1984

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8190788984794910729.vbs
9⤵
PID:1996

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8190788984794910729.vbs
10⤵
PID:1580

C:\Windows\system32\cmd.exe
cmd.exe
9⤵
PID:1504

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5765125698982473403.vbs
8⤵
PID:540

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5765125698982473403.vbs
9⤵
PID:1288

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6157470215425875444.vbs
8⤵
PID:2044

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6157470215425875444.vbs
9⤵
PID:828

C:\Windows\system32\cmd.exe
cmd.exe
8⤵
PID:1516

C:\Windows\system32\cmd.exe
cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\wpNSAeNdLc281895597161987269.reg
8⤵
PID:840

C:\Windows\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\wpNSAeNdLc281895597161987269.reg
9⤵
- Runs .reg file with regedit
PID:924

C:\Windows\system32\taskkill.exe
taskkill /IM ProcessHacker.exe /T /F
8⤵
- Kills process with taskkill
PID:868

C:\Windows\system32\taskkill.exe
taskkill /IM procexp.exe /T /F
8⤵
- Kills process with taskkill
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /IM MSASCui.exe /T /F
8⤵
- Kills process with taskkill
PID:1500

C:\Windows\system32\taskkill.exe
taskkill /IM MsMpEng.exe /T /F
8⤵
- Kills process with taskkill
PID:1600

C:\Windows\system32\taskkill.exe
taskkill /IM MpUXSrv.exe /T /F
8⤵
- Kills process with taskkill
PID:1564

C:\Windows\system32\taskkill.exe
taskkill /IM MpCmdRun.exe /T /F
8⤵
- Kills process with taskkill
PID:1740

C:\Windows\system32\taskkill.exe
taskkill /IM NisSrv.exe /T /F
8⤵
- Kills process with taskkill
PID:988

C:\Windows\system32\taskkill.exe
taskkill /IM ConfigSecurityPolicy.exe /T /F
8⤵
- Kills process with taskkill
PID:1928

C:\Windows\system32\taskkill.exe
taskkill /IM procexp.exe /T /F
8⤵
- Kills process with taskkill
PID:1996

C:\Windows\system32\taskkill.exe
taskkill /IM wireshark.exe /T /F
8⤵
- Kills process with taskkill
PID:664

C:\Windows\system32\taskkill.exe
taskkill /IM tshark.exe /T /F
8⤵
- Kills process with taskkill
PID:1980

C:\Windows\system32\taskkill.exe
taskkill /IM text2pcap.exe /T /F
8⤵
- Kills process with taskkill
PID:944

C:\Windows\system32\taskkill.exe
taskkill /IM rawshark.exe /T /F
8⤵
- Kills process with taskkill
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /IM mergecap.exe /T /F
8⤵
- Kills process with taskkill
PID:1580

C:\Windows\system32\taskkill.exe
taskkill /IM editcap.exe /T /F
8⤵
- Kills process with taskkill
PID:780

C:\Windows\system32\taskkill.exe
taskkill /IM dumpcap.exe /T /F
8⤵
- Kills process with taskkill
PID:108

C:\Windows\system32\taskkill.exe
taskkill /IM capinfos.exe /T /F
8⤵
- Kills process with taskkill
PID:1272

C:\Windows\system32\taskkill.exe
taskkill /IM mbam.exe /T /F
8⤵
- Kills process with taskkill
PID:1172

C:\Windows\system32\taskkill.exe
taskkill /IM mbamscheduler.exe /T /F
8⤵
- Kills process with taskkill
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Retrive1275896825141208254.vbs
MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive1403877700186143963.vbs
MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive4165803751068843872.vbs
MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive7514274224279796080.vbs
MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.80446308360856667871353963351704566.class
MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.8319879651794484828982461699196897.class
MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna7168058434410198034.dll
MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Customers Copy.jar
MD5
0e55c05d788d4da90b52984d7728a897

SHA1
b5aae7d06d912aaa6b97c4363dab857f03f2c7b9

SHA256
00ef6637bea63d139f497f9b19c72bc526b85ab40d4ed62a1558930c0ebaa6e5

SHA512
879158d6afb38b4a1744e421d758f301b097224d6b55076904c9b06ecdc3dee64ef09824881fe6d3f9e599aca99805af54354b9f4c07a06c0421023bea6b5cf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2455352368-1077083310-2879168483-1000\83aa4cc77f591dfc2374580bbd95f6ba_14c10c19-3a0b-4ef0-8928-af871cb14c00
MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
MD5
018c6d5d781ecb2c0eca8d08acd03a76

SHA1
7739a2fb33303ff00b27c4ed00e1321badbfee58

SHA256
40c94ba508ec8724a4e7aef704afeb6ac42e5bcbd8078868320883698529ee33

SHA512
b332d890f3aa28cd98e6431e8ad37aa47ff7bf44dfe6dbe56defc685f00bd7b54b234025fc0eeb64ea7314a7fc0371ce38e11295d09ec6eba66058c9f693e98b

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
MD5
846245142683adc04baf77c6e29063db

SHA1
6a1b06baf85419b7345520d78ee416ce06747473

SHA256
c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c

SHA512
e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll
MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\net.dll
MD5
b3e0f70c518921dad42bab3c0304144d

SHA1
c2b74c7c036e221317a992f147aec77ba7eb9fc1

SHA256
d596cc70a16fd058262b46c092723ac8b19d803f9b57336d1d7e2af10fbbe7d7

SHA512
07d74b127608763a06847bc47185e844f139d440357770c181cf3c7dc440e8e993cdc6b68999e863b6be9e16c56a11a50f1709e478386e7aa3dea6b9b0dec034

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll
MD5
2977c42aae44773f721c5a6dbaaa6feb

SHA1
69635e0b0d70823dbb45bed6d8ad0dfddf0540e6

SHA256
910de556a8660a5dfb715bacd3a3957c4b027270f4e9d013ff6dced3bd0107c5

SHA512
a53f01aeeb528810e17fde436a995c3b5842c1068dcd64aa65274138334b9f775e4552dc4997b7726669f3e7180e67bac8768793c4795f0321976b17dc0fbac4

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
MD5
8ebc899a0ee346da1484d99d991aee48

SHA1
d6e6b5508b74ea4154099f8814b30105a44bee85

SHA256
ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7

SHA512
77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll
MD5
94d11fc73e3de366cc0c7a752feaf975

SHA1
c449985a32ab342c46d1962af251db47587bce30

SHA256
ee1a861382193204af35455cacc1bddecc5b559ebf5bc7b851d3a01d377e8571

SHA512
338629676469edaaa9600bfd901e9a1af99891b1c70bb4dd8593136be3a50be1dab1d0005eb5f6050d792c886818dd8ff0869fcad90c44bf20e5c32f9c0b0322

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
MD5
ffa8f0ee3aace64fac7f55cb718472a9

SHA1
d199b599dd062737c64e49213088b4e568418a1c

SHA256
4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff

SHA512
2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
MD5
4b4153f3ae3454a5d9dae1b41846e908

SHA1
6082bb1a46ea5b1a6cd3e2bcae196c532f56050d

SHA256
09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160

SHA512
07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg
MD5
ab035b969e9bcf200cbdfd1158d475a7

SHA1
e36c2a8e62edf04b3b8f282c28e9408ee6d1da10

SHA256
940c29cd2a34a9d84275e3b526d595eec6e08ba5f7f0806fc545ce0d26fe9024

SHA512
2f96657645a4e25e80ac684c00bd931857ab91e72c9411024f5de06ab629de0a7c79ae13efef9ccba6bd19442d823ea840d066ba133bfd89144dd6c0eb0b32bf

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\meta-index
MD5
426812cbfc93fb23bbc504c2bf92575b

SHA1
e077f3d8e6a0b769c0c504348b257edc609563c8

SHA256
ef4f43d97420e544fd64d504029233191e92a46bc7811478f4b6dc7c02651072

SHA512
84f3ddc620dc2b98425ca6742e295151d4f27e417412e1ea6bcec8d2eb9d71c98cb60b9f687ab7443f702f23fa98011793f73e715e0a9e82ef4f40038b69eab0

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunec.jar
MD5
a00a0eb4a6c8f58ba0674bf56da6b601

SHA1
40a67c09f821af3f62d428e4d79980f9df10e407

SHA256
de574520c29756024f93d2136b8180d9d998a66ed6743bb484fc7ee4601705ac

SHA512
ec76a4d64dd71095e92c96a63d52a4bd8c935304dc3bdc3922773e561dd6558012c373c44ffee6e9858a28cc35c587c89bec3bc86ef3d579e4d149e2acc8c417

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\jce.jar
MD5
29753d8abdc7ba7561d2c5fd96cee210

SHA1
acfe2f4fbb9101bae52c2161703c1914ce65a062

SHA256
105840a8b3ab7ff368d58aba76b83eb0ea5445a4fe6f84a4ace9a3c8f05cb9e9

SHA512
741175c4a07ae66646c8069df99247896ca5f2d647a7b08f9d3e93576e0e5dd3c9a0a67871d2b6ad768c762cd0bc45343e32017af7dbe7d6cbd953059d5684c9

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\jsse.jar
MD5
8447fe024c6ed74ebcf06462689bcb63

SHA1
78ea3dcc279af9216bed911e7c1018e604151929

SHA256
c98f8ca3a99b4d29dd06e80aa9395fa6c267554a335c3f5db40d90b818d44c8c

SHA512
e56325ec4cb124744b2b711b0ac607150237f11884e25cb4bbe224ab32754e246765670f11df08a3c2a6a950f536780414827d0a7fdd0ce689e5ae8235accbf8

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index
MD5
8bff510abed2b6fcc5a83eedb65b1766

SHA1
ba6d0cd7504a5baeb963501b8bdf315ec6cb355c

SHA256
afb4850419612e0daf1876a5d61120ed0ccae241f188c25c014602007b3a765b

SHA512
8786bd672ce9c53f4c31f8206d621eb06ae7527f9adf3700955cc1cb928dde145b684666a5eb4ac11301541f585970ccd377ba144da351741e3cb5769b6ff522

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\rt.jar
MD5
b3f3eea1bb42a24646638668b4022d5f

SHA1
c63ff198af318be31426e4441f2507b299c742d7

SHA256
5a42fe1fdf54299f751ee73a2756114a7d66de1062a458699ad200d8bcaacd86

SHA512
3033ee55558437d1096d742092e852c8eebd5a4b99e1bc6a639a8b94de8af4200e9c7a495527ecce553c5fc40fb6bba9fe47326c91c8f908564b5837f1b1b620

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\java.security
MD5
779d1c858e736a5a9e9f5a5eddf49fe2

SHA1
7af7dda65d74c7cd17ad10b0aa9e854a96a26e6f

SHA256
379f1c061e63b8a272b034503d4af821ee0f40052d0cff060ac61bc190071b66

SHA512
339844ee820b81212a59cf25cc99a5ccdd656634038d72cdefce305b3fcce0ecba5d50c1610adcb2089a1d1635bcc2c84dd2e5b64bdd84f1c0ee2d139c86b46c

Download Submit
C:\Users\Admin\AppData\Roaming\jdyqzmpym.txt
MD5
5f074f3a416d3c8cf8baaeb6a3daf26e

SHA1
079c2d4d9907a516b63cf882492d19da83d3126a

SHA256
0e33bdcede801f4e45e8adc343dc82b1b04f954f9cfabfb69bcedfe7506b69e2

SHA512
d22388cc1594725fae6b6f09a73925b40ddec113b3fc493e606a732aa149486d7fbf8081e7e0493323a0f106aa4154d50edfcde475aa6a972ad03e23a03554a6

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar
MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar
MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar
MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar
MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\AppData\Roaming\receipt.jar
MD5
59f74bb19b02353b7c7e4e9d3f73d13d

SHA1
3a112b359e19447fa8d5f3a18379b0d8f206b0e6

SHA256
fcdb76dd9ed127aa0d67615e30a9fbe167e6d5470b943e3a2aa4c33039e21c38

SHA512
393d8798a4f42bf5060949a35f6c67b2f3f789353320eadac7587dd22de781b047368468017a161afcc6d1e4b8d4f584be35dc47b1907ffe4739883fc6ee016f

Download Submit
C:\Users\Admin\Customers Copy.jar
MD5
0e55c05d788d4da90b52984d7728a897

SHA1
b5aae7d06d912aaa6b97c4363dab857f03f2c7b9

SHA256
00ef6637bea63d139f497f9b19c72bc526b85ab40d4ed62a1558930c0ebaa6e5

SHA512
879158d6afb38b4a1744e421d758f301b097224d6b55076904c9b06ecdc3dee64ef09824881fe6d3f9e599aca99805af54354b9f4c07a06c0421023bea6b5cf5

Download Submit
C:\Users\Admin\hycsfofdht.js
MD5
482f65ca98ffe494265ca1487b94d012

SHA1
8d09886b44ea95ec39cc6a8419208126013d468d

SHA256
afb49eb1848957358695dabc101257dc008b327aaa45d6651dbfeebca646622f

SHA512
74debde16ad6d4e435a94dea8f489880b40c4ae47c93c27bf0ebd919d7257072c25dff1795418e421e19d20730c84d7d61f259013139936cba23768542c6eb0f

Download Submit
C:\Users\Admin\kuyhxmFvQrH\ID.txt
MD5
54fcca78826d79623eb4a9b546e12f75

SHA1
8b39c8868207072dcd7cf79d9c0c053051016260

SHA256
77644b6fcd40006a2cda2f40047b8b52354ed38ea537d23b0b711262b6023274

SHA512
694784a0107b5e427fb00fd6d0b1126f1875c9378a333ad073e4b46e5364b99d9478657a689d35d7aee1a5a74fad17c95f6afd516d47ec10bea10010cad853a7

Download Submit
C:\Users\Admin\kuyhxmFvQrH\zthyVCIRQGW.AbUcwv
MD5
5f074f3a416d3c8cf8baaeb6a3daf26e

SHA1
079c2d4d9907a516b63cf882492d19da83d3126a

SHA256
0e33bdcede801f4e45e8adc343dc82b1b04f954f9cfabfb69bcedfe7506b69e2

SHA512
d22388cc1594725fae6b6f09a73925b40ddec113b3fc493e606a732aa149486d7fbf8081e7e0493323a0f106aa4154d50edfcde475aa6a972ad03e23a03554a6

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar
MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar
MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar
MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna3062849760258098447.dll
MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna7168058434410198034.dll
MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
MD5
ae42860afe3a2843efa9849263bd0c21

SHA1
1df534b0ee936b8d5446490dc48f326f64547ff6

SHA256
f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d

SHA512
c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
MD5
018c6d5d781ecb2c0eca8d08acd03a76

SHA1
7739a2fb33303ff00b27c4ed00e1321badbfee58

SHA256
40c94ba508ec8724a4e7aef704afeb6ac42e5bcbd8078868320883698529ee33

SHA512
b332d890f3aa28cd98e6431e8ad37aa47ff7bf44dfe6dbe56defc685f00bd7b54b234025fc0eeb64ea7314a7fc0371ce38e11295d09ec6eba66058c9f693e98b

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
MD5
846245142683adc04baf77c6e29063db

SHA1
6a1b06baf85419b7345520d78ee416ce06747473

SHA256
c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c

SHA512
e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll
MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll
MD5
df3ca8d16bded6a54977b30e66864d33

SHA1
b7b9349b33230c5b80886f5c1f0a42848661c883

SHA256
1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36

SHA512
951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\net.dll
MD5
b3e0f70c518921dad42bab3c0304144d

SHA1
c2b74c7c036e221317a992f147aec77ba7eb9fc1

SHA256
d596cc70a16fd058262b46c092723ac8b19d803f9b57336d1d7e2af10fbbe7d7

SHA512
07d74b127608763a06847bc47185e844f139d440357770c181cf3c7dc440e8e993cdc6b68999e863b6be9e16c56a11a50f1709e478386e7aa3dea6b9b0dec034

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll
MD5
2977c42aae44773f721c5a6dbaaa6feb

SHA1
69635e0b0d70823dbb45bed6d8ad0dfddf0540e6

SHA256
910de556a8660a5dfb715bacd3a3957c4b027270f4e9d013ff6dced3bd0107c5

SHA512
a53f01aeeb528810e17fde436a995c3b5842c1068dcd64aa65274138334b9f775e4552dc4997b7726669f3e7180e67bac8768793c4795f0321976b17dc0fbac4

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
MD5
8ebc899a0ee346da1484d99d991aee48

SHA1
d6e6b5508b74ea4154099f8814b30105a44bee85

SHA256
ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7

SHA512
77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
MD5
8ebc899a0ee346da1484d99d991aee48

SHA1
d6e6b5508b74ea4154099f8814b30105a44bee85

SHA256
ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7

SHA512
77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll
MD5
94d11fc73e3de366cc0c7a752feaf975

SHA1
c449985a32ab342c46d1962af251db47587bce30

SHA256
ee1a861382193204af35455cacc1bddecc5b559ebf5bc7b851d3a01d377e8571

SHA512
338629676469edaaa9600bfd901e9a1af99891b1c70bb4dd8593136be3a50be1dab1d0005eb5f6050d792c886818dd8ff0869fcad90c44bf20e5c32f9c0b0322

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
MD5
ffa8f0ee3aace64fac7f55cb718472a9

SHA1
d199b599dd062737c64e49213088b4e568418a1c

SHA256
4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff

SHA512
2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
MD5
ffa8f0ee3aace64fac7f55cb718472a9

SHA1
d199b599dd062737c64e49213088b4e568418a1c

SHA256
4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff

SHA512
2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
MD5
4b4153f3ae3454a5d9dae1b41846e908

SHA1
6082bb1a46ea5b1a6cd3e2bcae196c532f56050d

SHA256
09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160

SHA512
07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

Download Submit
\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
MD5
4b4153f3ae3454a5d9dae1b41846e908

SHA1
6082bb1a46ea5b1a6cd3e2bcae196c532f56050d

SHA256
09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160

SHA512
07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

Download Submit
memory/108-254-0x0000000000000000-mapping.dmp

Download
memory/300-163-0x0000000000000000-mapping.dmp

Download
memory/372-79-0x0000000000000000-mapping.dmp

Download
memory/372-84-0x0000000002370000-0x00000000025E0000-memory.dmp

Filesize
2.4MB

Download
memory/372-83-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/372-93-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/372-128-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/484-155-0x0000000000000000-mapping.dmp

Download
memory/540-227-0x0000000000000000-mapping.dmp

Download
memory/540-180-0x0000000000000000-mapping.dmp

Download
memory/588-159-0x0000000000000000-mapping.dmp

Download
memory/588-91-0x0000000000000000-mapping.dmp

Download
memory/588-162-0x00000000020D0000-0x0000000002340000-memory.dmp

Filesize
2.4MB

Download
memory/600-176-0x0000000000000000-mapping.dmp

Download
memory/664-248-0x0000000000000000-mapping.dmp

Download
memory/760-164-0x0000000000000000-mapping.dmp

Download
memory/780-253-0x0000000000000000-mapping.dmp

Download
memory/828-230-0x0000000000000000-mapping.dmp

Download
memory/836-157-0x0000000000000000-mapping.dmp

Download
memory/836-161-0x00000000023B0000-0x0000000002620000-memory.dmp

Filesize
2.4MB

Download
memory/840-237-0x0000000000000000-mapping.dmp

Download
memory/868-148-0x0000000000000000-mapping.dmp

Download
memory/868-238-0x0000000000000000-mapping.dmp

Download
memory/904-171-0x0000000000000000-mapping.dmp

Download
memory/924-239-0x0000000000000000-mapping.dmp

Download
memory/924-151-0x0000000000000000-mapping.dmp

Download
memory/944-250-0x0000000000000000-mapping.dmp

Download
memory/948-204-0x00000000020C0000-0x0000000002330000-memory.dmp

Filesize
2.4MB

Download
memory/948-187-0x0000000000000000-mapping.dmp

Download
memory/952-99-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/952-98-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/952-97-0x00000000021B0000-0x0000000002420000-memory.dmp

Filesize
2.4MB

Download
memory/952-106-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/952-92-0x0000000000000000-mapping.dmp

Download
memory/988-245-0x0000000000000000-mapping.dmp

Download
memory/988-147-0x0000000000000000-mapping.dmp

Download
memory/1008-172-0x0000000000000000-mapping.dmp

Download
memory/1120-154-0x0000000002070000-0x00000000022E0000-memory.dmp

Filesize
2.4MB

Download
memory/1120-152-0x0000000000000000-mapping.dmp

Download
memory/1172-256-0x0000000000000000-mapping.dmp

Download
memory/1172-231-0x0000000000000000-mapping.dmp

Download
memory/1248-257-0x0000000000000000-mapping.dmp

Download
memory/1272-255-0x0000000000000000-mapping.dmp

Download
memory/1288-228-0x0000000000000000-mapping.dmp

Download
memory/1360-178-0x0000000000000000-mapping.dmp

Download
memory/1364-212-0x0000000000000000-mapping.dmp

Download
memory/1364-226-0x0000000002280000-0x00000000024F0000-memory.dmp

Filesize
2.4MB

Download
memory/1368-170-0x0000000000000000-mapping.dmp

Download
memory/1376-95-0x0000000000000000-mapping.dmp

Download
memory/1500-241-0x0000000000000000-mapping.dmp

Download
memory/1504-236-0x0000000000000000-mapping.dmp

Download
memory/1504-177-0x0000000000000000-mapping.dmp

Download
memory/1512-150-0x0000000000000000-mapping.dmp

Download
memory/1516-233-0x0000000000000000-mapping.dmp

Download
memory/1564-146-0x0000000000000000-mapping.dmp

Download
memory/1564-243-0x0000000000000000-mapping.dmp

Download
memory/1580-235-0x0000000000000000-mapping.dmp

Download
memory/1580-252-0x0000000000000000-mapping.dmp

Download
memory/1600-242-0x0000000000000000-mapping.dmp

Download
memory/1692-240-0x0000000000000000-mapping.dmp

Download
memory/1712-166-0x0000000000000000-mapping.dmp

Download
memory/1740-145-0x0000000000000000-mapping.dmp

Download
memory/1740-244-0x0000000000000000-mapping.dmp

Download
memory/1752-251-0x0000000000000000-mapping.dmp

Download
memory/1752-144-0x0000000000000000-mapping.dmp

Download
memory/1896-175-0x0000000000000000-mapping.dmp

Download
memory/1928-179-0x0000000000000000-mapping.dmp

Download
memory/1928-246-0x0000000000000000-mapping.dmp

Download
memory/1948-165-0x0000000000000000-mapping.dmp

Download
memory/1964-149-0x0000000000000000-mapping.dmp

Download
memory/1980-249-0x0000000000000000-mapping.dmp

Download
memory/1984-232-0x0000000000000000-mapping.dmp

Download
memory/1996-247-0x0000000000000000-mapping.dmp

Download
memory/1996-169-0x0000000000000000-mapping.dmp

Download
memory/1996-234-0x0000000000000000-mapping.dmp

Download
memory/2016-59-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/2016-68-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2016-60-0x00000000022B0000-0x0000000002520000-memory.dmp

Filesize
2.4MB

Download
memory/2016-75-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2016-70-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2016-67-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2016-74-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2016-69-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2016-62-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2016-61-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2016-73-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2044-229-0x0000000000000000-mapping.dmp

Download