Malware Analysis Report

2024-12-07 20:46

Sample ID 230629-cdpv9acf4t
Target d46ced619302d537e07481dfe8a1e7e1.bin
SHA256 79325b550d8d499c64eb0ebefb98fd3f22201b4784a739d79ecd73ebaae8c45a
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

79325b550d8d499c64eb0ebefb98fd3f22201b4784a739d79ecd73ebaae8c45a

Threat Level: Known bad

The file d46ced619302d537e07481dfe8a1e7e1.bin was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-29 01:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-29 01:57

Reported

2023-06-29 02:00

Platform

win7-20230621-en

Max time kernel

155s

Max time network

158s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar

Network

Country Destination Domain Proto
US 8.8.8.8:53 repo1.maven.org udp
US 8.8.8.8:53 github.com udp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 140.82.114.4:443 github.com tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 140.82.114.4:443 github.com tcp
US 8.8.8.8:53 github.com udp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp

Files

memory/1092-63-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-70-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-78-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-87-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-93-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-98-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-101-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-103-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-107-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-109-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-113-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-121-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-128-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1092-135-0x0000000000420000-0x0000000000421000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-29 01:57

Reported

2023-06-29 02:00

Platform

win10v2004-20230621-en

Max time kernel

148s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar\"" C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar\"" C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2500 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 2972 wrote to memory of 2500 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 2500 wrote to memory of 1784 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2500 wrote to memory of 1784 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2500 wrote to memory of 1608 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 2500 wrote to memory of 1608 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 1784 wrote to memory of 4052 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1784 wrote to memory of 4052 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1608 wrote to memory of 2212 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1608 wrote to memory of 2212 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2212 wrote to memory of 2896 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2212 wrote to memory of 2896 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 4312 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1608 wrote to memory of 4312 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4312 wrote to memory of 4540 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4312 wrote to memory of 4540 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 564 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1608 wrote to memory of 564 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 564 wrote to memory of 4880 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 564 wrote to memory of 4880 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1608 wrote to memory of 4400 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1608 wrote to memory of 4400 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4400 wrote to memory of 2692 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4400 wrote to memory of 2692 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar"

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 repo1.maven.org udp
US 8.8.8.8:53 github.com udp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 140.82.114.3:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 209.192.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 52.168.117.170:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 microsoftmicrosoftmicrosoft.ydns.eu udp
BG 84.54.50.148:4545 microsoftmicrosoftmicrosoft.ydns.eu tcp
US 8.8.8.8:53 148.50.54.84.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp

Files

memory/2972-143-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/2972-152-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/2972-178-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/2972-183-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/2972-185-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/2972-198-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/2972-201-0x0000000000C70000-0x0000000000C71000-memory.dmp

C:\Users\Admin\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar

MD5 d46ced619302d537e07481dfe8a1e7e1
SHA1 135311ed819821a8a5043a0141c192e7b121a459
SHA256 4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec
SHA512 e4a35e5868ab5d267165375093a929ed02fc00b1fa6d9ef6e922c2992347363727b4c3ec935cf0562a600bbb5d571033e1e849ed5c12fc87915e2c2f0e605911

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 8bfc83b0e6e251307aacb5a6378d1a78
SHA1 be6e187a045d3497c7928adb0913ff17f37f3955
SHA256 260515b3cd77e6fdeb1b4c1bb1233b24130a23f4d01c6e254e97c946c43b297d
SHA512 a2e0b56706b8c9df128c5f83f0da880ee22e04aa972cc155ccad0218bce15cfedd1f017f47e4cf17d18c5710f1f7682751400da4512daa44fa2ae2b732dd8e2e

C:\Users\Admin\lib\system-hook-3.5.jar

MD5 e1aa38a1e78a76a6de73efae136cdb3a
SHA1 c463da71871f780b2e2e5dba115d43953b537daf
SHA256 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512 fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

C:\Users\Admin\lib\jna-platform-5.5.0.jar

MD5 2f4a99c2758e72ee2b59a73586a2322f
SHA1 af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA256 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512 b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

C:\Users\Admin\lib\jna-5.5.0.jar

MD5 acfb5b5fd9ee10bf69497792fd469f85
SHA1 0e0845217c4907822403912ad6828d8e0b256208
SHA256 b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512 e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

MD5 b33387e15ab150a7bf560abdc73c3bec
SHA1 66b8075784131f578ef893fd7674273f709b9a4c
SHA256 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA512 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

memory/2500-224-0x0000000002B30000-0x0000000002B31000-memory.dmp

C:\Users\Admin\AppData\Roaming\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar

MD5 d46ced619302d537e07481dfe8a1e7e1
SHA1 135311ed819821a8a5043a0141c192e7b121a459
SHA256 4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec
SHA512 e4a35e5868ab5d267165375093a929ed02fc00b1fa6d9ef6e922c2992347363727b4c3ec935cf0562a600bbb5d571033e1e849ed5c12fc87915e2c2f0e605911

C:\Users\Admin\AppData\Roaming\4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec.jar

MD5 d46ced619302d537e07481dfe8a1e7e1
SHA1 135311ed819821a8a5043a0141c192e7b121a459
SHA256 4e0f0e48af90b53ca2f5bfe07730901ca963655051f5fd4fba455933bc9a72ec
SHA512 e4a35e5868ab5d267165375093a929ed02fc00b1fa6d9ef6e922c2992347363727b4c3ec935cf0562a600bbb5d571033e1e849ed5c12fc87915e2c2f0e605911

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 d046beb2a9ad1cf7e4c81581653d5020
SHA1 5fcb05b92dd08580b39016014ad47f7d38865c93
SHA256 ba344b499bdacdb44ded02b5b877dee1a891ec97c3a1654fb12e471d21c5da45
SHA512 ac0f9b2e3f4201cc30742f1b8cf1c11749c0657e950bbc75c4501ed0518da00bcfff608285b483084d59a0a558c9c2b390e656b32e73c888d1a84172ecad5350

C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

MD5 b33387e15ab150a7bf560abdc73c3bec
SHA1 66b8075784131f578ef893fd7674273f709b9a4c
SHA256 2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA512 25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

MD5 2f4a99c2758e72ee2b59a73586a2322f
SHA1 af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA256 24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512 b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

MD5 acfb5b5fd9ee10bf69497792fd469f85
SHA1 0e0845217c4907822403912ad6828d8e0b256208
SHA256 b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512 e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

MD5 e1aa38a1e78a76a6de73efae136cdb3a
SHA1 c463da71871f780b2e2e5dba115d43953b537daf
SHA256 2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512 fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

memory/1608-250-0x00000000014A0000-0x00000000014A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2177513644-1903222820-241662473-1000\83aa4cc77f591dfc2374580bbd95f6ba_18e45b86-45c8-4e56-b846-cf6e0f375be5

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna9022108103044145801.dll

MD5 e02979ecd43bcc9061eb2b494ab5af50
SHA1 3122ac0e751660f646c73b10c4f79685aa65c545
SHA256 a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA512 1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

memory/1608-269-0x00000000014A0000-0x00000000014A1000-memory.dmp

memory/1608-272-0x00000000014A0000-0x00000000014A1000-memory.dmp