Malware Analysis Report

2024-12-07 20:30

Sample ID 241119-2ymn3azkcp
Target 79245dbb19e445f38be57c9f04cf0e3c35dc33b686d06460ed25298f1e8a801d.zip
SHA256 7e58ac38c97ddd22502d7c4f3bccfdb9a52094e29779f54799b281a59c5a8766
Tags
adwind execution persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7e58ac38c97ddd22502d7c4f3bccfdb9a52094e29779f54799b281a59c5a8766

Threat Level: Known bad

The file 79245dbb19e445f38be57c9f04cf0e3c35dc33b686d06460ed25298f1e8a801d.zip was found to be: Known bad.

Malicious Activity Summary

adwind execution persistence trojan

AdWind

Adwind family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 22:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 22:59

Reported

2024-11-19 23:02

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\79245dbb19e445f38be57c9f04cf0e3c35dc33b686d06460ed25298f1e8a801d.jar

Signatures

AdWind

trojan adwind

Adwind family

adwind

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre7\bin\javaw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\PUiCqyDueav = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\IwAYnNUGhgr\\ofjGgTkJxpO.AbYzyy\"" C:\Windows\system32\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\test.txt C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
File created C:\Windows\System32\test.txt C:\Program Files\Java\jre7\bin\javaw.exe N/A
File opened for modification C:\Windows\System32\test.txt C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 2816 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 2816 wrote to memory of 1952 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1952 wrote to memory of 3056 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 3056 wrote to memory of 1604 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1952 wrote to memory of 1028 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1028 wrote to memory of 1244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1604 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1952 wrote to memory of 2988 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 3056 wrote to memory of 1348 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2988 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1348 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1952 wrote to memory of 3028 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\xcopy.exe
PID 3056 wrote to memory of 1800 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 1952 wrote to memory of 2236 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1952 wrote to memory of 896 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\reg.exe
PID 1952 wrote to memory of 1908 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1952 wrote to memory of 2576 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\system32\attrib.exe
PID 1952 wrote to memory of 1692 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
PID 1692 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
PID 1692 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 2696 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1692 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\79245dbb19e445f38be57c9f04cf0e3c35dc33b686d06460ed25298f1e8a801d.jar

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\vwqsnjqvdy.js

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\byxvzpfj.txt"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.7979242682794867348138691933342968.class

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8871747375606381515.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive445340449930217734.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive445340449930217734.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8871747375606381515.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8531397653761619167.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1787540974695510405.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8531397653761619167.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1787540974695510405.vbs

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v PUiCqyDueav /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\IwAYnNUGhgr\ofjGgTkJxpO.AbYzyy\"" /f

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\IwAYnNUGhgr\*.*"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\IwAYnNUGhgr"

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\IwAYnNUGhgr\ofjGgTkJxpO.AbYzyy

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.45294559158899578229386213398950042.class

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3186007304640937833.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3186007304640937833.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5869936018599941751.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5869936018599941751.vbs

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive164840081258569117.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive164840081258569117.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8987482746736981773.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8987482746736981773.vbs

C:\Windows\system32\cmd.exe

cmd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 wsaew.duckdns.org udp
DE 79.134.225.88:6458 wsaew.duckdns.org tcp
N/A 127.0.0.1:7777 tcp

Files

memory/1292-2-0x0000000002670000-0x00000000028E0000-memory.dmp

memory/1292-12-0x0000000002150000-0x0000000002151000-memory.dmp

C:\Users\Admin\vwqsnjqvdy.js

MD5 8152433447b6c4f88f1c398620ecb691
SHA1 67ed414ddb0b30dd228cff010f3d2fff1314173a
SHA256 3ecc55efeb2b563beb270b3f45bca42d58298997a98122936b4244cd059966d5
SHA512 c1f0a355710afe7f40c3cb9d35299b6715d1e62c01faabca31a88387d8051565d6fcf3ee32a13969138873c2c6d72a9e6ddbd4bc0227026de8e21375f0790dda

memory/1292-14-0x0000000002670000-0x00000000028E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\byxvzpfj.txt

MD5 2730127e84362d5eede4632ebe5000d2
SHA1 0ff50dee5fe68ddfeff592e02c4f8a85c2510698
SHA256 4136b6f32a6fe6e83f603260a2c439a5f85e23afb40247f59360fea9babcb961
SHA512 08d0376a63ea108d3f40105c967567debd6a7aec7cdd601a9cb8b5d1df2feeec547a5d9ba3c9e86c96c3c9decfe8305e5cbbc79aa453515a2a39bc4fe8577196

memory/1952-21-0x00000000026A0000-0x0000000002910000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_0.7979242682794867348138691933342968.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/3056-36-0x0000000002530000-0x00000000027A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\83aa4cc77f591dfc2374580bbd95f6ba_38b42d9b-3e83-45f4-8789-a30be34574b0

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/1952-42-0x0000000000130000-0x0000000000131000-memory.dmp

memory/3056-43-0x0000000000440000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive445340449930217734.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\Retrive8531397653761619167.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll

MD5 df3ca8d16bded6a54977b30e66864d33
SHA1 b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

MD5 0547e7c8dade7157d58f6bf5e74bcce7
SHA1 f1ef0a100276e7d3adf38b9fbb802d12f4bb8d9f
SHA256 6953ed5729acafb594c9e81b970f946848453abc6033d4b5519870b58c72abac
SHA512 b213982a0935465b8d468822912169457b60a55382eba7ee39c62be953512a2d524aa6d01953d05dab981b72c417e62bcdff661bac99534e54778f906ad44d6b

C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\MET

MD5 df1d6d7601b75822e9cf454c03c583b6
SHA1 966737a61ec5f9bcac90154389f5249ca6c0e1e2
SHA256 f3936669b75c67d577d93655b07629b30371aefd32845f69d7cef09b27409d8c
SHA512 50f1943794f84faa26ec8aa1175d98dac365ad3a48eda7b1899e57f1e7fe88365d595403131df926c0471900bf1dcf43f534c57bfb2fb33fe5a81870f4e103ba

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT

MD5 7da9aa0de33b521b3399a4ffd4078bdb
SHA1 f188a712f77103d544d4acf91d13dbc664c67034
SHA256 0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d
SHA512 9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+10

MD5 715dc3fcec7a4b845347b628caf46c84
SHA1 1b194cdd0a0dc5560680c33f19fc2e7c09523cd1
SHA256 3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08
SHA512 72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+2

MD5 e256eccde666f27e69199b07497437b2
SHA1 b2912c99ee4dff27ab1e3e897a31fc8f0cfcf5d7
SHA256 9e971632a3e9860a15af04efec3a9d5af9e7220cd4a731c3d9262d00670496a5
SHA512 460a225678c59a0259edef0c2868a45140ce139a394a00f07245cc1c542b4a74ff6fe36248f2fccc91a30d0a1d59d4ebcc497d6d3c31afad39934463f0496ee4

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+5

MD5 a2abe32f03e019dbd5c21e71cc0f0db9
SHA1 25b042eb931fff4e815adcc2ddce3636debf0ae1
SHA256 27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78
SHA512 197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+7

MD5 11f8e73ad57571383afa5eaf6bc0456a
SHA1 65a736dddd8e9a3f1dd6fbe999b188910b5f7931
SHA256 0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e
SHA512 578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Indian\Christmas

MD5 02bc5aaee85e8b96af646d479bb3307c
SHA1 1bf41be125fe8058d5999555add1ea2a83505e72
SHA256 e8d8d94f0a94768716701faa977a4d0d6ef93603de925078822f5c7a89cc8fca
SHA512 e01d82ac33729e7ee14516f5d9ff753559f73143c7aa8a25ed4cc65b59dc364b1a020bc28427f8ec43fec8ef139cf30b09e492d77f15d7b09ae83240cdf8bc14

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Pacific\Port_Moresby

MD5 ab2fd12cd39fd03d4a2aef0378c5265c
SHA1 4a75ef59534203a4f19ea1e675b442c003d5b2f4
SHA256 df69a28476e88043eba1f893859d5ebf8a8d5f4f5a3696e0e0d3aa0fe6701720
SHA512 a82567f84dd4300733cd233d1b8fd781e73eaf62f2f6d5e33a4129418d9b0dfc1001e1fa3deeed9a8129acd0ecc0e1153bfb154f93f26a4ca484c04e753808bf

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\AST4

MD5 090c3805a378e5c6f9170de1f08505a0
SHA1 b462772078f0264c175f7c9998a8e39d6e4bcc64
SHA256 4ddfc9ed251c2298e6fca3a0742de925442d9164ba230d28e869097d27b74415
SHA512 67e57206bff887539568596789c8d77bbb843a97a8ea2ae373225ad4c4fd185b6e602d9b171232a2b8811f2911778b9152ba08daac355e7eeb2e1558b1555763

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\CST6

MD5 37e9ac1310a963cd36e478a2b59160f8
SHA1 1406eaa01d4eea3b26054871f7d738e4630500e9
SHA256 04c9e4b0f69a155074b9ff26351265f78090c7ea2f23c5593b7130b4eb1e5e32
SHA512 0ccc4e958bd34c2a28dca7b9fc3e9ca018ffc6c54d0f24e3db40e86f0bfc5a232228288cce38350bf8140b98c74658d2616e2ef15b2a085a590711cf975982e1

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\PST8

MD5 f49040ffcebf951b752c194a42ed775e
SHA1 4632642740c1db115843409f0bc32b9ca8d834d7
SHA256 7422b2a82603f03d711b7ac7a9bebe5d1e4d9307cd283ce3d2714af46362f934
SHA512 f7be16b8418f2d57132ccd6b65f40296c80aa2d34634dee839eb2b50c45cb511db1135f8816956bfa90f4f0ca298909adf70787cd8c9e30c894e836f32ef5ed6

C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\YST9

MD5 4fae101fead3cd098a57d1715ca79a97
SHA1 f0a556f72dea44bd4065cb874398994005bc5237
SHA256 fbc6ae3bcdbdd8c91acc153bde0862d443afd70b211404879c36045442524b56
SHA512 c9d2e4c94b8b0e87b251cc22b8e96799268545e73a9ba3cde726ac0797d6c3288344615bcf30fbe8135e7ddb8d429958357b1ba03a7e953a2c7c8eac3c5dde8f

memory/1952-1801-0x0000000000130000-0x0000000000131000-memory.dmp

memory/3056-1802-0x0000000000440000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

MD5 846245142683adc04baf77c6e29063db
SHA1 6a1b06baf85419b7345520d78ee416ce06747473
SHA256 c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c
SHA512 e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa

C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index

MD5 8bff510abed2b6fcc5a83eedb65b1766
SHA1 ba6d0cd7504a5baeb963501b8bdf315ec6cb355c
SHA256 afb4850419612e0daf1876a5d61120ed0ccae241f188c25c014602007b3a765b
SHA512 8786bd672ce9c53f4c31f8206d621eb06ae7527f9adf3700955cc1cb928dde145b684666a5eb4ac11301541f585970ccd377ba144da351741e3cb5769b6ff522

\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

MD5 4b4153f3ae3454a5d9dae1b41846e908
SHA1 6082bb1a46ea5b1a6cd3e2bcae196c532f56050d
SHA256 09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160
SHA512 07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

C:\Users\Admin\IwAYnNUGhgr\ID.txt

MD5 d56d3656bac55bdd8e0a90164b783b40
SHA1 2eb1c3c2e6cb0ce544e06213eab2bdb2afa83df0
SHA256 6b6ffe8ce67a22522d192bdf453de20c483fc7ea1633c3151666b205f653fd33
SHA512 e050b53f9b48b69aef598017f5674bc83f83370b01c7d789cd71fce4dc114c467f567eee5f6ef5b3fdc40bfc57374896db743344e99b590bf38c632e2cd53b8f

C:\Users\Admin\AppData\Roaming\Oracle\lib\rt.jar

MD5 b3f3eea1bb42a24646638668b4022d5f
SHA1 c63ff198af318be31426e4441f2507b299c742d7
SHA256 5a42fe1fdf54299f751ee73a2756114a7d66de1062a458699ad200d8bcaacd86
SHA512 3033ee55558437d1096d742092e852c8eebd5a4b99e1bc6a639a8b94de8af4200e9c7a495527ecce553c5fc40fb6bba9fe47326c91c8f908564b5837f1b1b620

\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

MD5 ffa8f0ee3aace64fac7f55cb718472a9
SHA1 d199b599dd062737c64e49213088b4e568418a1c
SHA256 4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff
SHA512 2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

memory/1952-1821-0x00000000026A0000-0x0000000002910000-memory.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

MD5 8ebc899a0ee346da1484d99d991aee48
SHA1 d6e6b5508b74ea4154099f8814b30105a44bee85
SHA256 ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7
SHA512 77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg

MD5 ab035b969e9bcf200cbdfd1158d475a7
SHA1 e36c2a8e62edf04b3b8f282c28e9408ee6d1da10
SHA256 940c29cd2a34a9d84275e3b526d595eec6e08ba5f7f0806fc545ce0d26fe9024
SHA512 2f96657645a4e25e80ac684c00bd931857ab91e72c9411024f5de06ab629de0a7c79ae13efef9ccba6bd19442d823ea840d066ba133bfd89144dd6c0eb0b32bf

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\meta-index

MD5 426812cbfc93fb23bbc504c2bf92575b
SHA1 e077f3d8e6a0b769c0c504348b257edc609563c8
SHA256 ef4f43d97420e544fd64d504029233191e92a46bc7811478f4b6dc7c02651072
SHA512 84f3ddc620dc2b98425ca6742e295151d4f27e417412e1ea6bcec8d2eb9d71c98cb60b9f687ab7443f702f23fa98011793f73e715e0a9e82ef4f40038b69eab0

memory/1952-1814-0x0000000000130000-0x0000000000131000-memory.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\net.dll

MD5 b3e0f70c518921dad42bab3c0304144d
SHA1 c2b74c7c036e221317a992f147aec77ba7eb9fc1
SHA256 d596cc70a16fd058262b46c092723ac8b19d803f9b57336d1d7e2af10fbbe7d7
SHA512 07d74b127608763a06847bc47185e844f139d440357770c181cf3c7dc440e8e993cdc6b68999e863b6be9e16c56a11a50f1709e478386e7aa3dea6b9b0dec034

C:\Users\Admin\AppData\Roaming\Oracle\lib\jsse.jar

MD5 8447fe024c6ed74ebcf06462689bcb63
SHA1 78ea3dcc279af9216bed911e7c1018e604151929
SHA256 c98f8ca3a99b4d29dd06e80aa9395fa6c267554a335c3f5db40d90b818d44c8c
SHA512 e56325ec4cb124744b2b711b0ac607150237f11884e25cb4bbe224ab32754e246765670f11df08a3c2a6a950f536780414827d0a7fdd0ce689e5ae8235accbf8

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\java.security

MD5 779d1c858e736a5a9e9f5a5eddf49fe2
SHA1 7af7dda65d74c7cd17ad10b0aa9e854a96a26e6f
SHA256 379f1c061e63b8a272b034503d4af821ee0f40052d0cff060ac61bc190071b66
SHA512 339844ee820b81212a59cf25cc99a5ccdd656634038d72cdefce305b3fcce0ecba5d50c1610adcb2089a1d1635bcc2c84dd2e5b64bdd84f1c0ee2d139c86b46c

C:\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll

MD5 2977c42aae44773f721c5a6dbaaa6feb
SHA1 69635e0b0d70823dbb45bed6d8ad0dfddf0540e6
SHA256 910de556a8660a5dfb715bacd3a3957c4b027270f4e9d013ff6dced3bd0107c5
SHA512 a53f01aeeb528810e17fde436a995c3b5842c1068dcd64aa65274138334b9f775e4552dc4997b7726669f3e7180e67bac8768793c4795f0321976b17dc0fbac4

\Users\Admin\AppData\Roaming\Oracle\bin\java.exe

MD5 018c6d5d781ecb2c0eca8d08acd03a76
SHA1 7739a2fb33303ff00b27c4ed00e1321badbfee58
SHA256 40c94ba508ec8724a4e7aef704afeb6ac42e5bcbd8078868320883698529ee33
SHA512 b332d890f3aa28cd98e6431e8ad37aa47ff7bf44dfe6dbe56defc685f00bd7b54b234025fc0eeb64ea7314a7fc0371ce38e11295d09ec6eba66058c9f693e98b

C:\Users\Admin\AppData\Roaming\Oracle\lib\jce.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunec.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\US_export_policy.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar

\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\local_policy.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\resources.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\accessibility.properties

\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll

C:\Windows\System32\test.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 22:59

Reported

2024-11-19 23:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\79245dbb19e445f38be57c9f04cf0e3c35dc33b686d06460ed25298f1e8a801d.jar

Signatures

AdWind

trojan adwind

Adwind family

adwind

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SYSTEM32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PUiCqyDueav = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\IwAYnNUGhgr\\ofjGgTkJxpO.AbYzyy\"" C:\Windows\SYSTEM32\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\test.txt C:\Program Files\Java\jre-1.8\bin\javaw.exe N/A
File opened for modification C:\Windows\System32\test.txt C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
File opened for modification C:\Windows\System32\test.txt C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2996 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\wscript.exe
PID 2996 wrote to memory of 244 N/A C:\Windows\SYSTEM32\wscript.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 244 wrote to memory of 1832 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Program Files\Java\jre-1.8\bin\java.exe
PID 244 wrote to memory of 3420 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 3420 wrote to memory of 2792 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 1832 wrote to memory of 4688 N/A C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 244 wrote to memory of 1480 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 4688 wrote to memory of 2324 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 1480 wrote to memory of 5092 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 1832 wrote to memory of 1012 N/A C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 244 wrote to memory of 1688 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\xcopy.exe
PID 1012 wrote to memory of 4132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 1832 wrote to memory of 2680 N/A C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\SYSTEM32\xcopy.exe
PID 244 wrote to memory of 860 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 244 wrote to memory of 3128 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\reg.exe
PID 244 wrote to memory of 3740 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\attrib.exe
PID 244 wrote to memory of 708 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\SYSTEM32\attrib.exe
PID 244 wrote to memory of 2780 N/A C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
PID 2780 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
PID 2780 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 4940 wrote to memory of 1084 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 2780 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 2372 wrote to memory of 3648 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 2712 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2780 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\SYSTEM32\cmd.exe
PID 2808 wrote to memory of 1196 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 2712 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1916 wrote to memory of 3588 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cscript.exe
PID 2712 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe C:\Windows\SYSTEM32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\79245dbb19e445f38be57c9f04cf0e3c35dc33b686d06460ed25298f1e8a801d.jar

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Admin\vwqsnjqvdy.js

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\prqzfw.txt"

C:\Program Files\Java\jre-1.8\bin\java.exe

"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.466351139810877955298041565690973999.class

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive990732536190636893.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive990732536190636893.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7287859592459801696.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7552425905097026678.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7287859592459801696.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7552425905097026678.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7926521249530718667.vbs

C:\Windows\SYSTEM32\xcopy.exe

xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7926521249530718667.vbs

C:\Windows\SYSTEM32\xcopy.exe

xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\SYSTEM32\cmd.exe

cmd.exe

C:\Windows\SYSTEM32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v PUiCqyDueav /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\IwAYnNUGhgr\ofjGgTkJxpO.AbYzyy\"" /f

C:\Windows\SYSTEM32\attrib.exe

attrib +h "C:\Users\Admin\IwAYnNUGhgr\*.*"

C:\Windows\SYSTEM32\attrib.exe

attrib +h "C:\Users\Admin\IwAYnNUGhgr"

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\IwAYnNUGhgr\ofjGgTkJxpO.AbYzyy

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.22990909458428525181933403044717720.class

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5380395041484028573.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5380395041484028573.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9127406221642389195.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9127406221642389195.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7812530779872147773.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7812530779872147773.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8877522369552007479.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8877522369552007479.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 wsaew.duckdns.org udp
DE 79.134.225.88:6458 wsaew.duckdns.org tcp
N/A 127.0.0.1:7777 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

C:\Users\Admin\vwqsnjqvdy.js

C:\Users\Admin\AppData\Roaming\prqzfw.txt

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

C:\Users\Admin\AppData\Local\Temp\_0.466351139810877955298041565690973999.class

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3756129449-3121373848-4276368241-1000\83aa4cc77f591dfc2374580bbd95f6ba_a63d6fdc-08cb-4232-ab51-76cafdcb4d96

C:\Users\Admin\AppData\Local\Temp\Retrive990732536190636893.vbs

C:\Users\Admin\AppData\Local\Temp\Retrive7552425905097026678.vbs

C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll

C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll

C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll

C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\meta-index

C:\Users\Admin\IwAYnNUGhgr\ID.txt

C:\Users\Admin\AppData\Roaming\Oracle\lib\jfr.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\charsets.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\jce.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\jsse.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\resources.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\java.security

C:\Users\Admin\AppData\Roaming\Oracle\bin\net.dll

C:\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunec.jar

C:\ProgramData\Oracle\Java\.oracle_jre_usage\50569f7db71fa7f8.timestamp

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\policy\unlimited\US_export_policy.jar

C:\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\policy\unlimited\local_policy.jar

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\blacklisted.certs

C:\Users\Admin\AppData\Roaming\Oracle\lib\accessibility.properties

C:\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll
