Malware Analysis Report

2025-01-02 02:03

Sample ID: 220707-f91jeagad7
Target: PO2207SFI0036.jar
SHA256: b8e82650075522e0e110f5323b90cda807342f07a5d7ca9e84655be8c774cd73
Tags: adwind persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b8e82650075522e0e110f5323b90cda807342f07a5d7ca9e84655be8c774cd73

Threat Level: Known bad

The file PO2207SFI0036.jar was found to be: Known bad.

Malicious Activity Summary

adwind persistence trojan

AdWind

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-07-07 05:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-07 05:35
Reported: 2022-07-07 05:38
Platform: win7-20220414-en
Max time kernel: 103s
Max time network: 52s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PO2207SFI0036.jar

Signatures

AdWind

trojan adwind

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\iIbRbDkJOLI = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\flDFRnxclTz\\fuJPNmxtvfA.PKfSoa\"" | C:\Windows\system32\reg.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\test.txt | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Enumerates physical storage devices

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre7\bin\java.exe | N/A
N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1868 wrote to memory of 1308 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\wscript.exe
PID 1868 wrote to memory of 1308 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\wscript.exe
PID 1868 wrote to memory of 1308 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\wscript.exe
PID 1308 wrote to memory of 568 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1308 wrote to memory of 568 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1308 wrote to memory of 568 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe
PID 1308 wrote to memory of 1008 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1308 wrote to memory of 1008 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1308 wrote to memory of 1008 | N/A | C:\Windows\system32\wscript.exe | C:\Program Files\Java\jre7\bin\javaw.exe
PID 1008 wrote to memory of 1808 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 1008 wrote to memory of 1808 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 1008 wrote to memory of 1808 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 1008 wrote to memory of 1652 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 1652 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 1652 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 980 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 980 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 980 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 1844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 1652 wrote to memory of 1844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 1652 wrote to memory of 1844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 980 wrote to memory of 1364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 980 wrote to memory of 1364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 980 wrote to memory of 1364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 1008 wrote to memory of 1696 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 1696 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 1696 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 2036 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 2036 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\cmd.exe
PID 1808 wrote to memory of 2036 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\cmd.exe
PID 1696 wrote to memory of 328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 1696 wrote to memory of 328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 1696 wrote to memory of 328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 2036 wrote to memory of 1260 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 2036 wrote to memory of 1260 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 2036 wrote to memory of 1260 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cscript.exe
PID 1808 wrote to memory of 1960 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\xcopy.exe
PID 1808 wrote to memory of 1960 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\xcopy.exe
PID 1808 wrote to memory of 1960 | N/A | C:\Program Files\Java\jre7\bin\java.exe | C:\Windows\system32\xcopy.exe
PID 1008 wrote to memory of 1868 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\xcopy.exe
PID 1008 wrote to memory of 1868 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\xcopy.exe
PID 1008 wrote to memory of 1868 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\xcopy.exe
PID 1008 wrote to memory of 680 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 680 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 680 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 1812 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\reg.exe
PID 1008 wrote to memory of 1812 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\reg.exe
PID 1008 wrote to memory of 1812 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\reg.exe
PID 1008 wrote to memory of 1544 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\attrib.exe
PID 1008 wrote to memory of 1544 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\attrib.exe
PID 1008 wrote to memory of 1544 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\attrib.exe
PID 1008 wrote to memory of 1620 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\attrib.exe
PID 1008 wrote to memory of 1620 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\attrib.exe
PID 1008 wrote to memory of 1620 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\system32\attrib.exe
PID 1008 wrote to memory of 552 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
PID 1008 wrote to memory of 552 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
PID 1008 wrote to memory of 552 | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PO2207SFI0036.jar

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\obicwbnyxf.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YbWmbLjxUD.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\tubyfqxdsk.txt"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.7318478352077297103681542163260144.class

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5984170095603524923.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3045385297721390748.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5984170095603524923.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3045385297721390748.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1822003052296697431.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4034081613615566537.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1822003052296697431.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4034081613615566537.vbs

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v iIbRbDkJOLI /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\flDFRnxclTz\fuJPNmxtvfA.PKfSoa\"" /f

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\flDFRnxclTz\*.*"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\flDFRnxclTz"

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\flDFRnxclTz\fuJPNmxtvfA.PKfSoa

Network

N/A

Files

memory/1868-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

memory/1868-64-0x00000000022A0000-0x00000000052A0000-memory.dmp

memory/1308-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\obicwbnyxf.js

MD5 36d4b49a516648adfab130ddccc8c1f6
SHA1 91c2425d84a19e56da8233d611c0926a3a574c70
SHA256 6712dcf593ae6b9378847a69f17cc8bb1893fbec8e5a4e3a045685798bd45f37
SHA512 a9aa5aae6f2429a1015590d78a269770d67e38fff8c1594172ac8515683d915cdd34240883533bc3a07516fec9f77d265e25e4853dfb133ac2ac9b926da40ba2

memory/568-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YbWmbLjxUD.js

MD5 9aee3f24b86d76a39e4159fb5e815299
SHA1 7683fdd73d728bb6c1b618f736f416be62cc6d0e
SHA256 f7895f20657ff5b98b01bd1ce8645be3a545ea3bf8d0ac2071c2c1292c236115
SHA512 74fda118ab1cf3505303244c0fd8f943f91546cffe6b9c5d47189f1de237c5e9fb192c9de6e228c9fad3cfe080d422a882493be7e170a06e9a68bdbfffab1fd3

memory/1008-71-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\tubyfqxdsk.txt

MD5 2e958a817e7e1e79285e52a2f82cdb76
SHA1 1ced22ac01b1ba643af7a71f143e61f1b1da1e2f
SHA256 67f9930794f894b271f7951bb9847251cc3f3aa41f8df6eb2bfbc8dd1ff988d7
SHA512 3dedca3fbef35be020086ae100153f972b4703706965d2ea8b1808fa87ef6918ef9cb0ba563365eba54315fb7a646bfb3d9585942a05d24d367abe346c3a4ce8

memory/1008-83-0x0000000002380000-0x0000000005380000-memory.dmp

memory/1808-84-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.7318478352077297103681542163260144.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/1808-93-0x0000000002170000-0x0000000005170000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2277218442-1199762539-2004043321-1000\83aa4cc77f591dfc2374580bbd95f6ba_4cab856c-2ae4-4cbd-8a04-329969ee64da

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/980-101-0x0000000000000000-mapping.dmp

memory/1652-100-0x0000000000000000-mapping.dmp

memory/1844-102-0x0000000000000000-mapping.dmp

memory/1364-103-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive5984170095603524923.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\Retrive3045385297721390748.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/2036-107-0x0000000000000000-mapping.dmp

memory/328-108-0x0000000000000000-mapping.dmp

memory/1260-109-0x0000000000000000-mapping.dmp

memory/1696-106-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive1822003052296697431.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

C:\Users\Admin\AppData\Local\Temp\Retrive4034081613615566537.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/1868-113-0x0000000000000000-mapping.dmp

memory/1960-112-0x0000000000000000-mapping.dmp

memory/680-114-0x0000000000000000-mapping.dmp

memory/1812-115-0x0000000000000000-mapping.dmp

memory/1544-116-0x0000000000000000-mapping.dmp

memory/1620-117-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

memory/552-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\flDFRnxclTz\ID.txt

MD5 987833bec5e61b910e421b7db46c7d9e
SHA1 c3c4acdd9501040745f52593db4e3f5111f7a09e
SHA256 ba6357534953ea7a634b08671d16e0a1daebd4de240948c066c3170a804ed91d
SHA512 fbb250f33d80d16629797eb3429d211f52fac001c28b67d199fc2f33f7bbf792ef0f35091240a5b6dd12ebacc493b7d3de0e43d79aa66d1445f2aaf9eb03570c

C:\Users\Admin\flDFRnxclTz\fuJPNmxtvfA.PKfSoa

MD5 2e958a817e7e1e79285e52a2f82cdb76
SHA1 1ced22ac01b1ba643af7a71f143e61f1b1da1e2f
SHA256 67f9930794f894b271f7951bb9847251cc3f3aa41f8df6eb2bfbc8dd1ff988d7
SHA512 3dedca3fbef35be020086ae100153f972b4703706965d2ea8b1808fa87ef6918ef9cb0ba563365eba54315fb7a646bfb3d9585942a05d24d367abe346c3a4ce8

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

MD5 846245142683adc04baf77c6e29063db
SHA1 6a1b06baf85419b7345520d78ee416ce06747473
SHA256 c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c
SHA512 e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

MD5 846245142683adc04baf77c6e29063db
SHA1 6a1b06baf85419b7345520d78ee416ce06747473
SHA256 c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c
SHA512 e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa

C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg

MD5 ab035b969e9bcf200cbdfd1158d475a7
SHA1 e36c2a8e62edf04b3b8f282c28e9408ee6d1da10
SHA256 940c29cd2a34a9d84275e3b526d595eec6e08ba5f7f0806fc545ce0d26fe9024
SHA512 2f96657645a4e25e80ac684c00bd931857ab91e72c9411024f5de06ab629de0a7c79ae13efef9ccba6bd19442d823ea840d066ba133bfd89144dd6c0eb0b32bf

C:\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll

MD5 df3ca8d16bded6a54977b30e66864d33
SHA1 b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

MD5 8ebc899a0ee346da1484d99d991aee48
SHA1 d6e6b5508b74ea4154099f8814b30105a44bee85
SHA256 ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7
SHA512 77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

MD5 8ebc899a0ee346da1484d99d991aee48
SHA1 d6e6b5508b74ea4154099f8814b30105a44bee85
SHA256 ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7
SHA512 77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll

MD5 df3ca8d16bded6a54977b30e66864d33
SHA1 b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

MD5 ffa8f0ee3aace64fac7f55cb718472a9
SHA1 d199b599dd062737c64e49213088b4e568418a1c
SHA256 4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff
SHA512 2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

MD5 ffa8f0ee3aace64fac7f55cb718472a9
SHA1 d199b599dd062737c64e49213088b4e568418a1c
SHA256 4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff
SHA512 2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

MD5 4b4153f3ae3454a5d9dae1b41846e908
SHA1 6082bb1a46ea5b1a6cd3e2bcae196c532f56050d
SHA256 09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160
SHA512 07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index

MD5 8bff510abed2b6fcc5a83eedb65b1766
SHA1 ba6d0cd7504a5baeb963501b8bdf315ec6cb355c
SHA256 afb4850419612e0daf1876a5d61120ed0ccae241f188c25c014602007b3a765b
SHA512 8786bd672ce9c53f4c31f8206d621eb06ae7527f9adf3700955cc1cb928dde145b684666a5eb4ac11301541f585970ccd377ba144da351741e3cb5769b6ff522

\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

MD5 4b4153f3ae3454a5d9dae1b41846e908
SHA1 6082bb1a46ea5b1a6cd3e2bcae196c532f56050d
SHA256 09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160
SHA512 07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

C:\Users\Admin\AppData\Roaming\Oracle\lib\rt.jar

MD5 b3f3eea1bb42a24646638668b4022d5f
SHA1 c63ff198af318be31426e4441f2507b299c742d7
SHA256 5a42fe1fdf54299f751ee73a2756114a7d66de1062a458699ad200d8bcaacd86
SHA512 3033ee55558437d1096d742092e852c8eebd5a4b99e1bc6a639a8b94de8af4200e9c7a495527ecce553c5fc40fb6bba9fe47326c91c8f908564b5837f1b1b620

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\meta-index

MD5 426812cbfc93fb23bbc504c2bf92575b
SHA1 e077f3d8e6a0b769c0c504348b257edc609563c8
SHA256 ef4f43d97420e544fd64d504029233191e92a46bc7811478f4b6dc7c02651072
SHA512 84f3ddc620dc2b98425ca6742e295151d4f27e417412e1ea6bcec8d2eb9d71c98cb60b9f687ab7443f702f23fa98011793f73e715e0a9e82ef4f40038b69eab0

\Users\Admin\AppData\Roaming\Oracle\bin\net.dll

MD5 b3e0f70c518921dad42bab3c0304144d
SHA1 c2b74c7c036e221317a992f147aec77ba7eb9fc1
SHA256 d596cc70a16fd058262b46c092723ac8b19d803f9b57336d1d7e2af10fbbe7d7
SHA512 07d74b127608763a06847bc47185e844f139d440357770c181cf3c7dc440e8e993cdc6b68999e863b6be9e16c56a11a50f1709e478386e7aa3dea6b9b0dec034

C:\Users\Admin\AppData\Roaming\Oracle\bin\net.dll

MD5 b3e0f70c518921dad42bab3c0304144d
SHA1 c2b74c7c036e221317a992f147aec77ba7eb9fc1
SHA256 d596cc70a16fd058262b46c092723ac8b19d803f9b57336d1d7e2af10fbbe7d7
SHA512 07d74b127608763a06847bc47185e844f139d440357770c181cf3c7dc440e8e993cdc6b68999e863b6be9e16c56a11a50f1709e478386e7aa3dea6b9b0dec034

C:\Users\Admin\AppData\Roaming\Oracle\lib\jsse.jar

MD5 8447fe024c6ed74ebcf06462689bcb63
SHA1 78ea3dcc279af9216bed911e7c1018e604151929
SHA256 c98f8ca3a99b4d29dd06e80aa9395fa6c267554a335c3f5db40d90b818d44c8c
SHA512 e56325ec4cb124744b2b711b0ac607150237f11884e25cb4bbe224ab32754e246765670f11df08a3c2a6a950f536780414827d0a7fdd0ce689e5ae8235accbf8

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\java.security

MD5 779d1c858e736a5a9e9f5a5eddf49fe2
SHA1 7af7dda65d74c7cd17ad10b0aa9e854a96a26e6f
SHA256 379f1c061e63b8a272b034503d4af821ee0f40052d0cff060ac61bc190071b66
SHA512 339844ee820b81212a59cf25cc99a5ccdd656634038d72cdefce305b3fcce0ecba5d50c1610adcb2089a1d1635bcc2c84dd2e5b64bdd84f1c0ee2d139c86b46c

C:\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll

MD5 2977c42aae44773f721c5a6dbaaa6feb
SHA1 69635e0b0d70823dbb45bed6d8ad0dfddf0540e6
SHA256 910de556a8660a5dfb715bacd3a3957c4b027270f4e9d013ff6dced3bd0107c5
SHA512 a53f01aeeb528810e17fde436a995c3b5842c1068dcd64aa65274138334b9f775e4552dc4997b7726669f3e7180e67bac8768793c4795f0321976b17dc0fbac4

\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll

MD5 2977c42aae44773f721c5a6dbaaa6feb
SHA1 69635e0b0d70823dbb45bed6d8ad0dfddf0540e6
SHA256 910de556a8660a5dfb715bacd3a3957c4b027270f4e9d013ff6dced3bd0107c5
SHA512 a53f01aeeb528810e17fde436a995c3b5842c1068dcd64aa65274138334b9f775e4552dc4997b7726669f3e7180e67bac8768793c4795f0321976b17dc0fbac4

memory/552-157-0x00000000021B0000-0x00000000051B0000-memory.dmp

memory/1808-158-0x0000000002170000-0x0000000005170000-memory.dmp

memory/552-159-0x00000000021B0000-0x00000000051B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-07-07 05:35
Reported: 2022-07-07 05:37
Platform: win10v2004-20220414-en
Max time kernel: 53s
Max time network: 99s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\PO2207SFI0036.jar

Signatures

AdWind

trojan adwind

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SYSTEM32\wscript.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | C:\Windows\SYSTEM32\wscript.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | N/A
N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1372 wrote to memory of 4760 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\wscript.exe
PID 1372 wrote to memory of 4760 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\wscript.exe
PID 4760 wrote to memory of 2944 | N/A | C:\Windows\SYSTEM32\wscript.exe | C:\Windows\System32\WScript.exe
PID 4760 wrote to memory of 2944 | N/A | C:\Windows\SYSTEM32\wscript.exe | C:\Windows\System32\WScript.exe
PID 4760 wrote to memory of 4808 | N/A | C:\Windows\SYSTEM32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 4760 wrote to memory of 4808 | N/A | C:\Windows\SYSTEM32\wscript.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 4808 wrote to memory of 4464 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 4808 wrote to memory of 4464 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 4464 wrote to memory of 2536 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\cmd.exe
PID 4464 wrote to memory of 2536 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2536 wrote to memory of 5036 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cscript.exe
PID 2536 wrote to memory of 5036 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cscript.exe
PID 4464 wrote to memory of 1408 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\cmd.exe
PID 4464 wrote to memory of 1408 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1408 wrote to memory of 4696 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cscript.exe
PID 1408 wrote to memory of 4696 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cscript.exe
PID 4464 wrote to memory of 3788 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\xcopy.exe
PID 4464 wrote to memory of 3788 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\xcopy.exe

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\PO2207SFI0036.jar

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Admin\obicwbnyxf.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YbWmbLjxUD.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\cygfonlrok.txt"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.8039279335287047765317590243409260.class

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive317314463684991951.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive317314463684991951.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6240658483924296560.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6240658483924296560.vbs

C:\Windows\SYSTEM32\xcopy.exe

xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\SYSTEM32\cmd.exe

cmd.exe

Network

Country | Destination | Domain | Proto
NL | 104.110.191.133:80 | | tcp
US | 52.109.12.18:443 | | tcp
US | 20.189.173.9:443 | | tcp

Files

memory/1372-134-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

memory/4760-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\obicwbnyxf.js

MD5 36d4b49a516648adfab130ddccc8c1f6
SHA1 91c2425d84a19e56da8233d611c0926a3a574c70
SHA256 6712dcf593ae6b9378847a69f17cc8bb1893fbec8e5a4e3a045685798bd45f37
SHA512 a9aa5aae6f2429a1015590d78a269770d67e38fff8c1594172ac8515683d915cdd34240883533bc3a07516fec9f77d265e25e4853dfb133ac2ac9b926da40ba2

memory/2944-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\YbWmbLjxUD.js

MD5 9aee3f24b86d76a39e4159fb5e815299
SHA1 7683fdd73d728bb6c1b618f736f416be62cc6d0e
SHA256 f7895f20657ff5b98b01bd1ce8645be3a545ea3bf8d0ac2071c2c1292c236115
SHA512 74fda118ab1cf3505303244c0fd8f943f91546cffe6b9c5d47189f1de237c5e9fb192c9de6e228c9fad3cfe080d422a882493be7e170a06e9a68bdbfffab1fd3

memory/4808-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\cygfonlrok.txt

MD5 2e958a817e7e1e79285e52a2f82cdb76
SHA1 1ced22ac01b1ba643af7a71f143e61f1b1da1e2f
SHA256 67f9930794f894b271f7951bb9847251cc3f3aa41f8df6eb2bfbc8dd1ff988d7
SHA512 3dedca3fbef35be020086ae100153f972b4703706965d2ea8b1808fa87ef6918ef9cb0ba563365eba54315fb7a646bfb3d9585942a05d24d367abe346c3a4ce8

memory/4808-156-0x0000000003350000-0x0000000004350000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 73c1f4b2453593579afea3391ea9f0a1
SHA1 fbbaded50346d037a384152939c430f6e494d214
SHA256 e2a3ca400f3ba3c50a14cd291282218bdfe253d89d4f47a7b8fc342a0bab4c81
SHA512 81498dcb0bc349b9c7f4e172535ae267d09db36bcc55b80f49f5b24fdef07e0a55c905fc65b62174cd8deb54461720b024a8568869bbfe90f8a1145514c44d25

memory/4464-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.8039279335287047765317590243409260.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 22d4c5a59fca2c422ff04b26d3cce449
SHA1 79c7bca26d2f90a4d764c6a4f789c9b822960de0
SHA256 fd5bfb597bf12baa391cf85da39abcc11368f6443a9bdcb131190a85ea84081e
SHA512 40cd740cecfca229366258b82329f5abbf8c9a36684909fb3cc06347680ac1cf10fd96e72d5f247876e4c2d7e701ed7a9851653a747efa0dbd892ccc76e46198

memory/4464-170-0x0000000002D50000-0x0000000003D50000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3751123196-3323558407-1869646069-1000\83aa4cc77f591dfc2374580bbd95f6ba_6bb404a8-25bc-4cef-a831-797f8d1e89c0

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/4808-177-0x0000000003350000-0x0000000004350000-memory.dmp

memory/2536-183-0x0000000000000000-mapping.dmp

memory/4464-184-0x0000000002D50000-0x0000000003D50000-memory.dmp

memory/5036-185-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive317314463684991951.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/1408-188-0x0000000000000000-mapping.dmp

memory/4464-187-0x0000000002D50000-0x0000000003D50000-memory.dmp

memory/4696-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive6240658483924296560.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/3788-191-0x0000000000000000-mapping.dmp

memory/4464-192-0x0000000002D50000-0x0000000003D50000-memory.dmp

memory/4464-194-0x0000000002D50000-0x0000000003D50000-memory.dmp

memory/3408-195-0x0000000000000000-mapping.dmp

memory/4464-198-0x0000000002D50000-0x0000000003D50000-memory.dmp