adwind | c2f92747b7015dbcb1a2b796e4f27345d924f5f7eca457d0751e13bc9123cd74

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f6b636c6cede877d244b23b69383525_JaffaCakes118.jar
Size

635KB
MD5

1f6b636c6cede877d244b23b69383525
SHA1

5e62257128436713acda3b6652d67aea077d012b
SHA256

c2f92747b7015dbcb1a2b796e4f27345d924f5f7eca457d0751e13bc9123cd74
SHA512

1df335559690e4656f45f7b66417a78df2e98f977f697191b59a6146e62b075318a98590c5f461227eb0d85f9c01a3cf45661f58be80b77862066ad274676c18
SSDEEP

12288:6MUW+AwfW7yd+u8foZIM6OLxHRNlti+8d3P4Q5Hke7FzDEm:6MUTAwfWWdt8fGIZGvzh2VDh

Score

10^/10

adwind discovery persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Class file contains resources related to AdWind 1 IoCs

Processes:

resource yara_rule

sample family_adwind5

resource	yara_rule
sample	family_adwind5

Blocklisted process makes network request 20 IoCs

Processes:

WScript.exe

flow	pid	process
9	2540	WScript.exe
23	2540	WScript.exe
29	2540	WScript.exe
30	2540	WScript.exe
37	2540	WScript.exe
45	2540	WScript.exe
46	2540	WScript.exe
47	2540	WScript.exe
49	2540	WScript.exe
51	2540	WScript.exe
59	2540	WScript.exe
60	2540	WScript.exe
64	2540	WScript.exe
66	2540	WScript.exe
79	2540	WScript.exe
80	2540	WScript.exe
81	2540	WScript.exe
82	2540	WScript.exe
83	2540	WScript.exe
84	2540	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArKHnUIPnG.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArKHnUIPnG.vbs	WScript.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3640 icacls.exe

pid	process
3640	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exewscript.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArKHnUIPnG = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ArKHnUIPnG.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bhaKnAfpxYo = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\nmBwwjwEBvN\\gPYKzTGZEZG.UdTKgK\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ArKHnUIPnG = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\ArKHnUIPnG.vbs\""	WScript.exe

Drops file in System32 directory 1 IoCs

Processes:

javaw.exe

description ioc process

File created C:\Windows\System32\test.txt javaw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings wscript.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1332 reg.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

javaw.exejava.exejavaw.exejava.exe

pid process

2484 javaw.exe
1692 java.exe
2736 javaw.exe
4048 java.exe

description	ioc	process
File created	C:\Windows\System32\test.txt	javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	wscript.exe

pid	process
1332	reg.exe

pid	process
2484	javaw.exe
1692	java.exe
2736	javaw.exe
4048	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exewscript.execmd.exejavaw.exejava.execmd.execmd.execmd.execmd.exejavaw.execmd.execmd.exejava.execmd.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 3640	3068	java.exe	icacls.exe
PID 3068 wrote to memory of 3640	3068	java.exe	icacls.exe
PID 3068 wrote to memory of 3256	3068	java.exe	wscript.exe
PID 3068 wrote to memory of 3256	3068	java.exe	wscript.exe
PID 3256 wrote to memory of 2540	3256	wscript.exe	WScript.exe
PID 3256 wrote to memory of 2540	3256	wscript.exe	WScript.exe
PID 3256 wrote to memory of 4952	3256	wscript.exe	cmd.exe
PID 3256 wrote to memory of 4952	3256	wscript.exe	cmd.exe
PID 4952 wrote to memory of 1044	4952	cmd.exe	javaw.exe
PID 4952 wrote to memory of 1044	4952	cmd.exe	javaw.exe
PID 3256 wrote to memory of 2484	3256	wscript.exe	javaw.exe
PID 3256 wrote to memory of 2484	3256	wscript.exe	javaw.exe
PID 2484 wrote to memory of 1692	2484	javaw.exe	java.exe
PID 2484 wrote to memory of 1692	2484	javaw.exe	java.exe
PID 2484 wrote to memory of 4480	2484	javaw.exe	cmd.exe
PID 2484 wrote to memory of 4480	2484	javaw.exe	cmd.exe
PID 1692 wrote to memory of 3492	1692	java.exe	cmd.exe
PID 1692 wrote to memory of 3492	1692	java.exe	cmd.exe
PID 4480 wrote to memory of 4064	4480	cmd.exe	cscript.exe
PID 4480 wrote to memory of 4064	4480	cmd.exe	cscript.exe
PID 3492 wrote to memory of 2872	3492	cmd.exe	cscript.exe
PID 3492 wrote to memory of 2872	3492	cmd.exe	cscript.exe
PID 2484 wrote to memory of 2600	2484	javaw.exe	cmd.exe
PID 2484 wrote to memory of 2600	2484	javaw.exe	cmd.exe
PID 1692 wrote to memory of 832	1692	java.exe	cmd.exe
PID 1692 wrote to memory of 832	1692	java.exe	cmd.exe
PID 2600 wrote to memory of 1892	2600	cmd.exe	cscript.exe
PID 2600 wrote to memory of 1892	2600	cmd.exe	cscript.exe
PID 832 wrote to memory of 4668	832	cmd.exe	cscript.exe
PID 832 wrote to memory of 4668	832	cmd.exe	cscript.exe
PID 2484 wrote to memory of 4544	2484	javaw.exe	xcopy.exe
PID 2484 wrote to memory of 4544	2484	javaw.exe	xcopy.exe
PID 1692 wrote to memory of 1668	1692	java.exe	xcopy.exe
PID 1692 wrote to memory of 1668	1692	java.exe	xcopy.exe
PID 2484 wrote to memory of 3172	2484	javaw.exe	cmd.exe
PID 2484 wrote to memory of 3172	2484	javaw.exe	cmd.exe
PID 2484 wrote to memory of 1332	2484	javaw.exe	reg.exe
PID 2484 wrote to memory of 1332	2484	javaw.exe	reg.exe
PID 2484 wrote to memory of 1284	2484	javaw.exe	attrib.exe
PID 2484 wrote to memory of 1284	2484	javaw.exe	attrib.exe
PID 2484 wrote to memory of 2492	2484	javaw.exe	attrib.exe
PID 2484 wrote to memory of 2492	2484	javaw.exe	attrib.exe
PID 2484 wrote to memory of 2736	2484	javaw.exe	javaw.exe
PID 2484 wrote to memory of 2736	2484	javaw.exe	javaw.exe
PID 2736 wrote to memory of 4048	2736	javaw.exe	java.exe
PID 2736 wrote to memory of 4048	2736	javaw.exe	java.exe
PID 2736 wrote to memory of 2976	2736	javaw.exe	cmd.exe
PID 2736 wrote to memory of 2976	2736	javaw.exe	cmd.exe
PID 2976 wrote to memory of 3980	2976	cmd.exe	cscript.exe
PID 2976 wrote to memory of 3980	2976	cmd.exe	cscript.exe
PID 2736 wrote to memory of 2888	2736	javaw.exe	cmd.exe
PID 2736 wrote to memory of 2888	2736	javaw.exe	cmd.exe
PID 2888 wrote to memory of 4420	2888	cmd.exe	cscript.exe
PID 2888 wrote to memory of 4420	2888	cmd.exe	cscript.exe
PID 4048 wrote to memory of 4500	4048	java.exe	cmd.exe
PID 4048 wrote to memory of 4500	4048	java.exe	cmd.exe
PID 4500 wrote to memory of 1992	4500	cmd.exe	cscript.exe
PID 4500 wrote to memory of 1992	4500	cmd.exe	cscript.exe
PID 2736 wrote to memory of 2360	2736	javaw.exe	xcopy.exe
PID 2736 wrote to memory of 2360	2736	javaw.exe	xcopy.exe
PID 4048 wrote to memory of 1308	4048	java.exe	cmd.exe
PID 4048 wrote to memory of 1308	4048	java.exe	cmd.exe
PID 1308 wrote to memory of 4828	1308	cmd.exe	cscript.exe
PID 1308 wrote to memory of 4828	1308	cmd.exe	cscript.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1284 attrib.exe
2492 attrib.exe

pid	process
1284	attrib.exe
2492	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1f6b636c6cede877d244b23b69383525_JaffaCakes118.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:3640

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\soibolnsla.vbs
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ArKHnUIPnG.vbs"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:2540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version
4⤵
PID:1044

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
3⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.75374843986000833447000771860332152.class
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4843032809170491729.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4843032809170491729.vbs
6⤵
PID:2872

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4626932780853602071.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4626932780853602071.vbs
6⤵
PID:4668

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
5⤵
PID:1668

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8855248893352529397.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8855248893352529397.vbs
5⤵
PID:4064

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2895640258533457102.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2895640258533457102.vbs
5⤵
PID:1892

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
4⤵
PID:4544

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
4⤵
PID:3172

C:\Windows\SYSTEM32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v bhaKnAfpxYo /t REG_EXPAND_SZ /d "\"C:\Program Files\Java\jre-1.8\bin\javaw.exe\" -jar \"C:\Users\Admin\nmBwwjwEBvN\gPYKzTGZEZG.UdTKgK\"" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:1332

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\Users\Admin\nmBwwjwEBvN\*.*"
4⤵
- Views/modifies file attributes
PID:1284

C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\Users\Admin\nmBwwjwEBvN"
4⤵
- Views/modifies file attributes
PID:2492

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\Admin\nmBwwjwEBvN\gPYKzTGZEZG.UdTKgK
4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.46856603007846928746778444303350304.class
5⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5254158147397535044.vbs
6⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5254158147397535044.vbs
7⤵
PID:1992

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5907944350618335331.vbs
6⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5907944350618335331.vbs
7⤵
PID:4828

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
6⤵
PID:4064

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5537037721763782814.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5537037721763782814.vbs
6⤵
PID:3980

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2735971515148480430.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2735971515148480430.vbs
6⤵
PID:4420

C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
5⤵
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
d52e891e0a0e537851d6150ebf636c37

SHA1
a8b83ccb605b60ebc11b45be1d84bbf9498a4b10

SHA256
f82e89ee0009306cfef5b9cf99f1781c9e8d2b8f0ba44661348b6d0aef62e72f

SHA512
35182ef6f1f34e2be730b463a4c9b61b77f7b3f0f27d077f9c1e08ea3e4c35e9438f62d072d8879971468e77ea267469714fc8be73660ce909e22f3ab81d9c4c

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
bdb8ec3f2f90012548f89d9d758ab7f8

SHA1
012dab41f88d4d43fe61f8b3799d1e19df4554fa

SHA256
9105a755311c50fec9739968d4f00267547c557550bc6e5d30b65e9288766bfa

SHA512
edf5ec0e42b96c2b5dd001c98423275898e1396b02c757e06b78c058ba47c5bf49eb70014519f24cd86e7768762a5014fb66655ee249fbf2188d81f5bf89fb29

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
5147a5fbba41d77f9ba2ccc503db44db

SHA1
d657566d5b495e997b240496e04b46455c405234

SHA256
7b7dd38f53c456bc6a13cc8aee23b0aaa8c2de34cfb3bdcbd8da81a7ab924a6e

SHA512
463a76910c134e814944f215ef3eebd2707b28717cbc7da2bb9018c0649b214b343d918dc836a3e9bdaa8449d481e8e8236db6bba3d4b0d7932597c15fa62d53

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
d6ff6d64486a12f8ea1be92042707d3c

SHA1
4c3213e2c1f0f62f57f96299eb48c81389704f2b

SHA256
d57a7bc59ff96737c5fe13f1f639d6099a67e69430eee94c3291ca9f49af3339

SHA512
71a92b48ab3029c8ba3ffe5503fd8b2fd6aa06f367ea98aa8623c67f7393b1f9b66d316219115c16cd48bd50dc06f3c910211fe1f66a63c6f930a38f46241aa8

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive2895640258533457102.vbs
Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive4843032809170491729.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.75374843986000833447000771860332152.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
147B

MD5
faf2f8b188047379978915849af13d28

SHA1
42ecb6f269f3dc3183d3b72b4216010f106d3317

SHA256
4ebfda517657bcc9f2b2e3c3cd13e58e9adef320c0ca1a8ac9aee888d4e1ef8e

SHA512
85c3afedfda0aa63edab3b1c5ed7ef8b06e392d387ea3c16bd28c66a54f72c7cbdd14b8af9428168402313f8a4d203be7e5f8a6732d0d8d52d46fe3963ebde79

Download Submit
C:\Users\Admin\AppData\Roaming\ArKHnUIPnG.vbs
Filesize
20KB

MD5
77837f07ea7e6d2c82a4ffbec82fc9cf

SHA1
2e2e6cf01913430040e5a73c27de55220e3533b0

SHA256
e7985ddaaedff009af0da7343a3a7f128796c94d5888fffe90fa916f079fbc89

SHA512
41d7c5263addcde0256fcee005c079e10c54702d9df77a1b186ffd537ee247f186bc5db6caa0d208a77e988f8566c613e4ab67b734b9e8011a4c3abe689afa87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-877519540-908060166-1852957295-1000\83aa4cc77f591dfc2374580bbd95f6ba_341ede6d-ed6e-4a9a-b21e-61c68ffcc45e
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
Filesize
479KB

MD5
e4d819e292677d17bfcd0d2abaabd32a

SHA1
a760c92aa2295463d269525e93a44f1cf23b101e

SHA256
06ba761a4e13321b9fd4f6ac686d245df901267d40d0c23398b0dee05d18adeb

SHA512
6c4ec1ad87bdf3c43eaeb18b8e14f94dee6b4915f5e36249d573cf562cf95655ef7698fbb15de5fb1a5a1386297049ea591c94535ae6a5ad6e511806b73105ab

Download Submit
C:\Users\Admin\nmBwwjwEBvN\ID.txt
Filesize
47B

MD5
4935266cb9158af2f44b374e3d5e3c71

SHA1
ef71067836f21f1c2fe84406c04733732ca01cd4

SHA256
0bd61e36e4b3e896ee8b006a3be88bf35afd5679d4e465efc4ec84a201f19b6a

SHA512
2800a6a9e38cda7960f7c06317f49ee3d5004dfdc514fa22783cd990556a1dc2977296f51563c77b50c0ca4fc77968e3ed102a67d5958b8681e09ba6eabb2e35

Download Submit
C:\Users\Admin\soibolnsla.vbs
Filesize
928KB

MD5
2ff640e53c0f38711febfbd9e7c1864d

SHA1
f3c209b961b13cfb56ed8c24efee66de7b1327bd

SHA256
ddaee1bb18354c8e3c7ba4ce2f628f5da6b61ac0de7ca230a204b391d5665fb9

SHA512
9f5127946dcd2364e71edf32ca7af30f7b3acf003687c6c1c04755547341255eba9c9d4e5b93c75b640145983322efcc5fccb9dc06e024e470ee84c20a0cbaf3

Download Submit
memory/1044-34-0x0000027786DB0000-0x0000027786DB1000-memory.dmp

Filesize
4KB

Download
memory/1692-86-0x000001E3710A0000-0x000001E3710A1000-memory.dmp

Filesize
4KB

Download
memory/1692-146-0x000001E3710A0000-0x000001E3710A1000-memory.dmp

Filesize
4KB

Download
memory/1692-148-0x000001E3710A0000-0x000001E3710A1000-memory.dmp

Filesize
4KB

Download
memory/2484-98-0x0000016FBD000000-0x0000016FBD001000-memory.dmp

Filesize
4KB

Download
memory/2484-79-0x0000016FBD000000-0x0000016FBD001000-memory.dmp

Filesize
4KB

Download
memory/2484-147-0x0000016FBD000000-0x0000016FBD001000-memory.dmp

Filesize
4KB

Download
memory/2484-158-0x0000016FBD000000-0x0000016FBD001000-memory.dmp

Filesize
4KB

Download
memory/2736-189-0x0000019E82140000-0x0000019E82141000-memory.dmp

Filesize
4KB

Download
memory/2736-236-0x0000019E82140000-0x0000019E82141000-memory.dmp

Filesize
4KB

Download
memory/2736-197-0x0000019E82140000-0x0000019E82141000-memory.dmp

Filesize
4KB

Download
memory/3068-16-0x000001F990350000-0x000001F9905C0000-memory.dmp

Filesize
2.4MB

Download
memory/3068-14-0x000001F98EA90000-0x000001F98EA91000-memory.dmp

Filesize
4KB

Download
memory/3068-2-0x000001F990350000-0x000001F9905C0000-memory.dmp

Filesize
2.4MB

Download
memory/4048-215-0x0000027E39E10000-0x0000027E39E11000-memory.dmp

Filesize
4KB

Download
memory/4048-237-0x0000027E39E10000-0x0000027E39E11000-memory.dmp

Filesize
4KB

Download
memory/4048-238-0x0000027E39E10000-0x0000027E39E11000-memory.dmp

Filesize
4KB

Download