Malware Analysis Report

2024-10-19 06:53

Sample ID 231029-e9wpsaef7s
Target Anarchy Panel 4.7_adrikadi.exe
SHA256 ac74f6db722a46ef37291aa464e142b81d8c7de8627f64918d333b738af694c6
Tags
asyncrat stealerium stormkitty zgrat default collection evasion ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac74f6db722a46ef37291aa464e142b81d8c7de8627f64918d333b738af694c6

Threat Level: Known bad

The file Anarchy Panel 4.7_adrikadi.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat stealerium stormkitty zgrat default collection evasion ransomware rat spyware stealer trojan

Process spawned unexpected child process

Detect ZGRat V1

StormKitty

ZGRat

AsyncRat

Modifies Windows Defender Real-time Protection settings

Stealerium

StormKitty payload

Renames multiple (2036) files with added filename extension

Async RAT payload

Grants admin privileges

Checks computer location settings

Windows security modification

Executes dropped EXE

.NET Reactor protector

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Looks up geolocation information via web service

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Program Files directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Creates scheduled task(s)

outlook_win_path

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Modifies system certificate store

Gathers system information

Runs net.exe

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Gathers network information

Enumerates system info in registry

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-29 04:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-29 04:38

Reported

2023-10-29 05:09

Platform

win10v2004-20231020-en

Max time kernel

1802s

Max time network

1151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\Desktop\Infected.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\Desktop\Infected.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\Desktop\Infected.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\Desktop\Infected.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Stealerium

stealer stealerium

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Grants admin privileges

Renames multiple (2036) files with added filename extension

ransomware

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Infected.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\DECRYPT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\Desktop\Infected.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Infected.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Infected.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Infected.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5\ C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\oVcBLd9.png" C:\Users\Admin\Desktop\Infected.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MusicStoreLogo.scale-125_contrast-white.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-400.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-100_contrast-white.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-16_contrast-black.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-125.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\LargeTile.scale-200_contrast-white.png C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Cloud.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_altform-lightunplated.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-125.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-256_altform-unplated.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-24.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsStoreLogo.scale-100.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-20.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-125.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_altform-unplated_contrast-black.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-unplated.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-100_contrast-white.png C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\THMBNAIL.PNG C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square150x150Logo.scale-100.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-125.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\logo.scale-200_contrast-white.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_contrast-white.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-400.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-lightunplated.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ArchiveToastQuickAction.scale-80.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-100.png C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf-2x.png C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\release C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-72_altform-unplated.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-48.png C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-32.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-125.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-48_altform-unplated.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-200.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\MedTile.scale-200_contrast-black.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-36.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-200.png C:\Users\Admin\Desktop\Infected.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\organize_poster.jpg C:\Users\Admin\Desktop\Infected.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hy.txt C:\Users\Admin\Desktop\Infected.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Desktop\Infected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\Infected.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheLimit = "51200" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 50003100000000005d57962510004c6f63616c003c0009000400efbe545754885d5797252e000000a5e10100000001000000000000000000000000000000a30a00004c006f00630061006c00000014000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Windows\system32\mspaint.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings C:\Windows\system32\mspaint.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7800310000000000545754881100557365727300640009000400efbe874f77485d57eb242e000000c70500000000010000000000000000003a0000000000c6c5230055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000000e94a93b7703da010d4ef23f7703da0162a3ef427703da0114000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "1" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 4e003100000000005d579525100054656d7000003a0009000400efbe545754885d5795252e000000a6e1010000000100000000000000000000000000000034c82401540065006d007000000014000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\Desktop\Infected.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\Desktop\Infected.exe N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Infected.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 3084 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\cmd.exe
PID 1140 wrote to memory of 3084 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\cmd.exe
PID 3084 wrote to memory of 3052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3084 wrote to memory of 3052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1140 wrote to memory of 1104 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1104 wrote to memory of 4752 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1104 wrote to memory of 4752 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1104 wrote to memory of 5084 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1104 wrote to memory of 5084 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1104 wrote to memory of 376 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1104 wrote to memory of 376 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1140 wrote to memory of 4764 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1140 wrote to memory of 4764 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 4764 wrote to memory of 8 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4764 wrote to memory of 8 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4764 wrote to memory of 3376 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4764 wrote to memory of 3376 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3760 wrote to memory of 408 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
PID 3760 wrote to memory of 408 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
PID 2964 wrote to memory of 4988 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\net1.exe
PID 2964 wrote to memory of 4988 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\net1.exe
PID 1140 wrote to memory of 2084 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1140 wrote to memory of 2084 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1140 wrote to memory of 32 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 32 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 4064 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 4064 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 1844 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1140 wrote to memory of 1844 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1844 wrote to memory of 4876 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1844 wrote to memory of 4876 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1844 wrote to memory of 2484 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 1844 wrote to memory of 2484 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 1844 wrote to memory of 1156 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1844 wrote to memory of 1156 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1156 wrote to memory of 1812 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1156 wrote to memory of 1812 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1844 wrote to memory of 8 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1844 wrote to memory of 8 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 8 wrote to memory of 3380 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 8 wrote to memory of 3380 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1844 wrote to memory of 2028 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1844 wrote to memory of 2028 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2028 wrote to memory of 4988 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2028 wrote to memory of 4988 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1844 wrote to memory of 2708 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1844 wrote to memory of 2708 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2708 wrote to memory of 2036 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2708 wrote to memory of 2036 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1844 wrote to memory of 1168 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1844 wrote to memory of 1168 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1168 wrote to memory of 4088 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1168 wrote to memory of 4088 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1844 wrote to memory of 184 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1844 wrote to memory of 184 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1844 wrote to memory of 1612 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1844 wrote to memory of 1612 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1844 wrote to memory of 548 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 1844 wrote to memory of 548 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 1844 wrote to memory of 1476 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 1844 wrote to memory of 1476 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 1844 wrote to memory of 1436 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE
PID 1844 wrote to memory of 1436 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE
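The rows above print each write twice, and PID 4988 shows up under two different parents (svchost.exe and net.exe), which is PID reuse inside the run. Rebuilt as a tree they show the shape a stealer's discovery stage takes: one cmd.exe (PID 1844) spawning systeminfo, hostname, net, tasklist, ipconfig, route, arp and netstat in sequence, which is the pattern to alert on rather than any single LOLBin. Added example, not part of the report: the parsing follows the row layout above, while the RECON_IMAGES set and the chain check are my own. Real telemetry should key on (PID, creation time), which this report does not carry.

```python
"""Rebuild the parent->child tree from the 'wrote to memory of' rows and pull
out the discovery chain a stealer runs under a single cmd.exe.
Added example; the row format is the report's, the tree logic is mine."""
import ntpath
import re
from collections import defaultdict

# Row layout as printed in the report: description, indicator (N/A), parent image, child image.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")

# Discovery LOLBins a stealer chains under one shell (my mapping: T1082, T1087, T1016, T1049, T1057).
RECON_IMAGES = {"systeminfo.exe", "hostname.exe", "net.exe", "tasklist.exe",
                "ipconfig.exe", "route.exe", "arp.exe", "netstat.exe"}

# Constructed sample: rows copied verbatim from the report, including its doubled entries.
SAMPLE_ROWS = r"""
PID 1140 wrote to memory of 2084 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1140 wrote to memory of 2084 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1140 wrote to memory of 32 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 32 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 4064 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1140 wrote to memory of 1844 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1140 wrote to memory of 1844 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\SYSTEM32\cmd.exe
PID 1844 wrote to memory of 4876 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 1844 wrote to memory of 2484 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 1844 wrote to memory of 1156 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 1156 wrote to memory of 1812 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2964 wrote to memory of 4988 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\net1.exe
PID 1844 wrote to memory of 2028 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2028 wrote to memory of 4988 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1844 wrote to memory of 184 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1844 wrote to memory of 1612 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 1844 wrote to memory of 548 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 1844 wrote to memory of 1476 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 1844 wrote to memory of 1436 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE
"""


def parse_rows(text):
    """Return unique (ppid, pid, parent_image, child_image) tuples in first-seen order."""
    seen, edges = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:          # collapse the doubled rows
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """children[ppid] -> [pid, ...]; image[pid] -> path; reused -> pids seen under two parents."""
    children, image, parent_of, reused = defaultdict(list), {}, {}, set()
    for ppid, pid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[pid] = cimg
        if pid in parent_of and parent_of[pid] != ppid:
            reused.add(pid)           # PID reuse: without creation time the edge is ambiguous
        parent_of[pid] = ppid
        children[ppid].append(pid)
    return children, image, reused


def recon_children(children, image, shell_pid):
    """Distinct recon LOLBin basenames spawned directly by shell_pid (case-insensitive)."""
    hits = []
    for pid in children.get(shell_pid, []):
        name = ntpath.basename(image[pid]).lower()
        if name in RECON_IMAGES and name not in hits:
            hits.append(name)
    return hits


def summarize(text, root_pid):
    """Per cmd.exe child of root_pid, list the recon tools it launched."""
    edges = parse_rows(text)
    children, image, reused = build_tree(edges)
    shells = [p for p in children.get(root_pid, []) if ntpath.basename(image[p]).lower() == "cmd.exe"]
    return {"edges": len(edges), "reused_pids": sorted(reused),
            "recon_by_shell": {p: recon_children(children, image, p) for p in shells}}


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS, 1140))
```

Run against the sample the tree yields two shells under Infected.exe (PID 1140): 2084 with no recon children and 1844 with all eight tools, which is the burst worth a detection on its own; 4988 comes back as a reused PID.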

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Infected.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Desktop\Infected.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap22206:132:7zEvent32460

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\Infected.exe

"C:\Users\Admin\Desktop\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Infected" /tr '"C:\Users\Admin\AppData\Roaming\Infected.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Infected" /tr '"C:\Users\Admin\AppData\Roaming\Infected.exe"'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RestartSend.png" /ForceBootstrapPaint3D

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RestartSend.png" /ForceBootstrapPaint3D

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\NewInstall.TTS"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\WriteConvertFrom.dotx"

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe

OfficeC2RClient.exe /error PID=3760 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\SetRedo.png" /ForceBootstrapPaint3D

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\CheckpointShow.jpeg" /ForceBootstrapPaint3D

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\system32\dashost.exe

dashost.exe {dbab9c3c-5039-4b5a-9e42d5f0e1d5b830}

C:\Windows\SYSTEM32\cmd.exe

"cmd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -an

C:\Windows\system32\ipconfig.exe

ipconfig /displaydns

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\Desktop\DECRYPT.exe

"C:\Users\Admin\Desktop\DECRYPT.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
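The process list above carries the sample's post-infection playbook in plain command lines: a logon-triggered scheduled task with /rl highest, a Defender exclusion for .exe, Wi-Fi profile and BSSID dumps behind chcp 65001, and a burst of host discovery. Below is an added set of command-line rules over those lines (example code, not the sandbox's signatures; rule names and ATT&CK IDs are my own mapping). One caveat worth building in: the exclusion command is logged as `Add - MpPreference - ExclusionExtension` with spaces around the hyphens, so a literal `Add-MpPreference` substring match misses it; whether that spaced form actually executed is not something the report shows.

```python
"""Command-line detection rules for the behaviours in the process list above.
Added example; rule names and ATT&CK mappings are mine, not the sandbox's."""
import ntpath
import re
from collections import Counter

# Constructed sample: command lines copied from the process list above; the last one is benign noise.
SAMPLE_CMDLINES = [
    r""" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Infected" /tr '"C:\Users\Admin\AppData\Roaming\Infected.exe"' & exit""".strip(),
    r"""schtasks /create /f /sc onlogon /rl highest /tn "Infected" /tr '"C:\Users\Admin\AppData\Roaming\Infected.exe"'""",
    r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    "netsh wlan show profile",
    r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid',
    r'"powershell" Get-MpPreference -verbose',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"',
    "systeminfo",
    "hostname",
    "net user",
    "net localgroup administrators",
    "tasklist /svc",
    "ipconfig /all",
    "route print",
    "arp -a",
    "netstat -an",
    "ipconfig /displaydns",
    "sc query type= service state= all",
    r'"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RestartSend.png" /ForceBootstrapPaint3D',
]

# (tag, ATT&CK technique, regex over the lower-cased, whitespace-collapsed command line)
RULES = [
    ("persistence.schtasks_onlogon_highest", "T1053.005",
     re.compile(r"schtasks\s+/create(?=.*\s/sc\s+onlogon\b)(?=.*\s/rl\s+highest\b)")),
    # tolerate the spaced hyphens seen in the report, not just the canonical cmdlet spelling
    ("defense_evasion.defender_exclusion", "T1562.001",
     re.compile(r"add\s*-\s*mppreference\s*-\s*exclusion(?:extension|path|process)")),
    ("discovery.defender_config", "T1518.001",
     re.compile(r"get\s*-\s*mppreference")),
    ("credential_access.wifi_profiles", "T1552",
     re.compile(r"netsh\s+wlan\s+show\s+profiles?\b")),
    ("discovery.wifi_bssid_survey", "T1016",
     re.compile(r"netsh\s+wlan\s+show\s+networks\s+mode=bssid")),
    ("context.codepage_utf8", None,            # low signal alone; context for the netsh dumps
     re.compile(r"\bchcp\s+65001\b")),
]

# Discovery tools matched on the launched image rather than on arguments.
RECON_TOOLS = {"systeminfo", "hostname", "net", "net1", "tasklist",
               "ipconfig", "route", "arp", "netstat", "sc"}
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def normalize(cmdline):
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def first_image(cmdline):
    """Basename of the launched image without .exe, handling a quoted full path."""
    m = FIRST_TOKEN.match(cmdline)
    token = (m.group(1) or m.group(2)) if m else ""
    name = ntpath.basename(token).lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Tags that fire on one command line, in RULES order, plus the recon image check."""
    norm = normalize(cmdline)
    tags = [name for name, _tid, rx in RULES if rx.search(norm)]
    if first_image(cmdline) in RECON_TOOLS:
        tags.append("discovery.host_recon")
    return tags


def triage(cmdlines):
    """Tag counts over a batch of command lines; a high host_recon count is the burst signal."""
    counts = Counter()
    for c in cmdlines:
        counts.update(classify(c))
    return counts


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(classify(c), "<-", c)
    print(triage(SAMPLE_CMDLINES))
```

On the sample the persistence rule fires twice (the cmd.exe wrapper and the schtasks.exe child), the exclusion rule fires on the spaced form, and eleven lines land in discovery.host_recon; the mspaint line produces no tag, which is the behaviour you want from rules meant to run over every process creation event.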

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
US 8.8.8.8:53 i.imgur.com udp
NL 199.232.148.193:443 i.imgur.com tcp
US 8.8.8.8:53 193.148.232.199.in-addr.arpa udp
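Most rows in the network table are PTR queries (the in-addr.arpa and ip6.arpa names), reverse lookups of addresses the host touched; they are noise unless decoded back to the address. The signal is the three lookup services (icanhazip.com for the external IP, ip-api.com for IP geolocation, and api.mylnikov.org, a Wi-Fi BSSID geolocation API that pairs with the `netsh wlan show networks mode=bssid` command in the process list) and the repeated loopback connections to 127.0.0.1:3232 with no domain. Below is an added triage pass over the table (example code, not part of the report). The service-to-purpose mapping is my assumption, and since the table has no process column, tying the 3232 listener to a process needs host telemetry this report does not include.

```python
"""Triage of the network table above: decode the sandbox's reverse-DNS noise,
flag external-IP and geolocation lookups, and count loopback connections.
Added example; the service mapping and tags are mine, not the sandbox's."""
import ipaddress
import re
from collections import Counter

# Row layout: Country Destination(ip:port) [Domain] Proto; Domain is absent on the loopback rows.
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")

# Services stealers hit to fingerprint the victim (assumed mapping; T1016.001 / T1614).
LOOKUP_SERVICES = {
    "icanhazip.com": "external IP",
    "ip-api.com": "IP geolocation",
    "api.mylnikov.org": "Wi-Fi BSSID geolocation",
}

# Constructed sample: a subset of the rows above, copied verbatim.
SAMPLE_NETWORK = """
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
N/A 127.0.0.1:3232 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
N/A 127.0.0.1:3232 tcp
US 8.8.8.8:53 i.imgur.com udp
NL 199.232.148.193:443 i.imgur.com tcp
"""


def ptr_to_ip(name):
    """Decode a PTR query name back to the address that was looked up, or None if it is not one."""
    name = name.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            return None
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        except ValueError:
            return None
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            return None
        hexstr = "".join(reversed(nibbles))       # nibbles are listed least-significant first
        try:
            return str(ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))
        except ValueError:
            return None
    return None


def triage_network(text):
    """Split the table into lookups, loopback port counts, decoded PTR targets and the rest."""
    lookups, loopback, ptr_decoded, other = [], Counter(), [], []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, dst, port, domain, _proto = m.groups()
        if dst.startswith("127."):
            loopback[int(port)] += 1              # local listener: needs process/socket telemetry
            continue
        if domain is None:
            continue
        if domain.endswith(".arpa"):
            decoded = ptr_to_ip(domain)
            if decoded and decoded not in ptr_decoded:
                ptr_decoded.append(decoded)
            continue
        svc = next((s for s in LOOKUP_SERVICES if domain == s or domain.endswith("." + s)), None)
        if svc:
            if (svc, LOOKUP_SERVICES[svc]) not in lookups:
                lookups.append((svc, LOOKUP_SERVICES[svc]))
        elif domain not in other:
            other.append(domain)                  # needs correlation with the owning process
    return {"lookups": lookups, "loopback": dict(loopback),
            "ptr_decoded": ptr_decoded, "other": other}


if __name__ == "__main__":
    print(triage_network(SAMPLE_NETWORK))
```

Decoding the PTR names tells you what the host resolved in reverse (204.79.197.200 is the bing.net address seen on the 443 rows), and the three lookup services arriving in quick succession after the recon commands is the fingerprinting step the tags in the summary call "Looks up external IP address" and "Looks up geolocation information via web service".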

Files

memory/884-0-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-1-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-2-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-6-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-7-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-8-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-9-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-10-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-11-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/884-12-0x000001CA6D990000-0x000001CA6D991000-memory.dmp

memory/5092-13-0x000001E907A40000-0x000001E907A50000-memory.dmp

memory/5092-29-0x000001E907B40000-0x000001E907B50000-memory.dmp

memory/5092-45-0x000001E90FE70000-0x000001E90FE71000-memory.dmp

memory/5092-47-0x000001E90FEA0000-0x000001E90FEA1000-memory.dmp

memory/5092-48-0x000001E90FEA0000-0x000001E90FEA1000-memory.dmp

memory/5092-49-0x000001E90FFB0000-0x000001E90FFB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe

MD5 94bac1a0cc0dbac256f0d3b4c90648c2
SHA1 4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256 50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA512 30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe

MD5 94bac1a0cc0dbac256f0d3b4c90648c2
SHA1 4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256 50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA512 30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe.config

MD5 3d441f780367944d267e359e4786facd
SHA1 d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5
SHA256 49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9
SHA512 5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

memory/2692-113-0x00007FFC71110000-0x00007FFC71BD1000-memory.dmp

memory/2692-114-0x0000000000E00000-0x000000000449E000-memory.dmp

memory/2692-115-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-116-0x00000000064E0000-0x00000000064E1000-memory.dmp

memory/2692-117-0x00007FFC71110000-0x00007FFC71BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

MD5 56a504a34d2cfbfc7eaa2b68e34af8ad
SHA1 426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA256 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

memory/2692-124-0x000000001EF40000-0x000000001EF52000-memory.dmp

memory/2692-125-0x000000001F590000-0x000000001FB78000-memory.dmp

memory/2692-126-0x000000001FB80000-0x000000001FF40000-memory.dmp

memory/2692-127-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-128-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-129-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-130-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-131-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-132-0x0000000023800000-0x0000000023A52000-memory.dmp

memory/2692-133-0x0000000023E90000-0x0000000023FDE000-memory.dmp

memory/2692-134-0x0000000024130000-0x0000000024144000-memory.dmp

memory/2692-135-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-136-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-137-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-138-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-139-0x0000000024180000-0x0000000024192000-memory.dmp

memory/2692-140-0x00000000242C0000-0x0000000024538000-memory.dmp

memory/2692-146-0x00000000200D0000-0x00000000200DA000-memory.dmp

memory/2692-151-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-152-0x000000001F090000-0x000000001F0A0000-memory.dmp

memory/2692-153-0x0000000025300000-0x000000002541E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bhatrussia.url

MD5 96cec2ff3bc1281c3b541d549538c9fb
SHA1 3080d0f1e71aca0d10925f692c7f700a6fa16d76
SHA256 cd064a6f7aa46315dea10e6d73bc0416c4954bc8c3fee19a39a2c88c49f3e8ae
SHA512 bf4798a45851d7c0555474e20d26a6fda8112c9be895f674dea49902b5dc3b4d5d9ce9bc5361f16d9b8508198a3f36733b4991cc72553dad3f698e0e0a87a653

C:\Users\Admin\AppData\Local\Temp\blackhatrussia.url

MD5 ef657464ae10c35ee89c6bfb900d83af
SHA1 1c68b493f87316260e99e3b5b1983fdec0c701b8
SHA256 cfd230d01d6c362a1005d5a530f1807a65ef8497a1246c43c0dfcd5a62022cbf
SHA512 80964f8716653eadf15fcea9bfec0800c4beeee6bc1155b421d51fde813d7752f33a6b33622c1f9f4b5c576c168c6f173349caf03f8e76525aa32251c0d340de

C:\Users\Admin\AppData\Local\Temp\Home - cybergoons.url

MD5 ef51820e228c5bbcf9aabe92e747782e
SHA1 b33c7c782205e69471257703f6cb70b1357ce474
SHA256 59ac2d12ea4559253fa25f2d367f75b7689bb7b772965101903063f646ae9b4d
SHA512 3d2e8ce0d822636ce3a78edf63d4935638446a9bd0eff88e85daeab4d6be00f10d32a9f74afa11af56fbefaebb7534a64339a2de3f416cc0c670122bc5b9abd9

C:\Users\Admin\AppData\Local\Temp\learn all kind of hacking.url

MD5 7ade4a739cbd8f44d0ef52a2f1bc6e7b
SHA1 20753d483e1a84cb248ba2c0fb72d44137d7d73f
SHA256 cc7649ed53c65e4851ace414529564fe16801bb2bed4cb15588bfd6b4ac13616
SHA512 5850c3d064c9d616854a47b4bd398b76494f1fbe9b356ec5e15879f97dc67970168196ec6b177fa71d15d25d25757a29319cbf9697f3a80461aa62b431d53851

C:\Users\Admin\AppData\Local\Temp\Home - blankhack.url

MD5 4a4418c24d2f2a9deee8046363bdd28f
SHA1 4532c81bb5e66e2f976581a6cb251ab642ada551
SHA256 55dfe247f8fd6a8b0b66b3cb61feeae96d0b357338cd95771e89897aac1a6839
SHA512 b6f01a2b8333dc1926a829271a557ed99f6a69bef5fbc9c32231da11089ef1190981f7ad5de377a6b928988609bee38322b6b4e0e9cfb813e98f7a807b062764

C:\Users\Admin\AppData\Local\Temp\gbpast - Login.url

MD5 4a4f5be9370e206241bb73bfc2367f3c
SHA1 3d837fdcaa5e3bf04b57600cecb56a9ff34dd8f2
SHA256 210f2ee620fe51acdbe59bba7bb4acbde397034818b09156f6f0874b016a5b18
SHA512 2ba13fe029ac6c5bcfdecf4f9ff6bdbcd64a1129e845c94944b3b35143b8270b8e024b28302750b2214ef82371a70e59fce4226907af240f60d6ad78fb668054

C:\Users\Admin\AppData\Local\Temp\Usrs.p12

MD5 553be3f9f0251864cab5a22cf75b80f3
SHA1 de5d2e9471323eee6cd0520f3b9821c9c5ba26b3
SHA256 1540a1eb1976ab9398e2abae7176f49da644c0ad72a4be92b41edd531f836e07
SHA512 3488bd2ec00f3dfa115e1a9ec38c899a8ae627907c7cc2f91a8088d258e60615ede1adf5671a2e7e7583c550e70b9641b9f2d5a5fb60b84ac47962d558284cdf

C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_bhennukkrj4ap4ybumzdxwrmvm3shh42\4.7.0.0\user.config

MD5 4b01719ab493b81d429c574dbaca15ef
SHA1 719ef1e4e6616a3d8afce09de7f89ddcf186a3a3
SHA256 33ce546b728989bc9ff5dd4c487a87723e5eb7b3953b7cb56e747747411b6c54
SHA512 4d5293d8b58c793bbbe6dedc061cb4fd3e7302771ee91789240ecf80f2f79d08dffc36d148f755107a3d12de6037ab18c57cb42494de80a40d90b64bb04ef234

C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_bhennukkrj4ap4ybumzdxwrmvm3shh42\4.7.0.0\user.config

MD5 495d368baef768dd527dd8b772702c87
SHA1 20ceb83c7076024e0491f169173607aa4a2e3931
SHA256 38f1820a88401c8e117bfeca56a11aa06dc806a175203e86f323dc6fb81fb3cf
SHA512 75770717f4bc7c9bdd13d747fdcd6306c38423b1b5d908b5d7cdf4da1b7bbe722f65bb52e63c61ca6da89981d8f5a99035c1d610a0fdacb706a046520c291d18

C:\Users\Admin\Desktop\Infected.exe

MD5 c067081c04ccec5fc228b9a00448cad7
SHA1 6c04378c11ea48885b1918705b95fe7e741785b1
SHA256 92f44bd3908fef5e650ce08ac27a20a96c3c413960c3b2e307baf8a3a7d88470
SHA512 d3dde16a807568b3160a2abc0c7b96955e62db3dfc91941d1b86fd8bfd92f407791eb6c54d9ab341658c02da37e76329fd8580600d1aaab62b32a412a93a9964

C:\Users\Admin\Desktop\Infected.exe

MD5 c067081c04ccec5fc228b9a00448cad7
SHA1 6c04378c11ea48885b1918705b95fe7e741785b1
SHA256 92f44bd3908fef5e650ce08ac27a20a96c3c413960c3b2e307baf8a3a7d88470
SHA512 d3dde16a807568b3160a2abc0c7b96955e62db3dfc91941d1b86fd8bfd92f407791eb6c54d9ab341658c02da37e76329fd8580600d1aaab62b32a412a93a9964

memory/1140-194-0x0000000000B10000-0x0000000000B26000-memory.dmp

memory/1140-195-0x00007FFC71110000-0x00007FFC71BD1000-memory.dmp

memory/1140-196-0x00000000012E0000-0x00000000012F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Plugins\oYsKwDG.dll

MD5 a718955297276f2349b7644447736e08
SHA1 377388d115b77aff357dcaf92b6aeb6286b1460d
SHA256 54ec206c8fe8ff27b3fb02ef892b8e6bc4b6abfff2fe08f5f57175c64f1d3220
SHA512 a3c2ded0cdc4e62adac92a569d6cd4db0c3647e663700f019a9de27e738eb2672e5cccec19af15633a3cd25a882452ff5ce39c17f67dc3ed6653b9e0ad063641

C:\Users\Admin\AppData\Local\Temp\Plugins\0guo3zbo66fqoG.dll

MD5 e4ebcf76ff80ef398d3ab77d577f4c08
SHA1 cb9e6b30a63d50ae87610f6855b64abfb25691d2
SHA256 9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5
SHA512 8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

C:\Users\Admin\AppData\Local\Temp\Plugins\59Zp7paEHDF7luJ.dll

MD5 15e3d44d37439f3ac8574ac1c9789ec2
SHA1 bb3ef30e9f4496198f412738579966210ade36e0
SHA256 5db4c26057a05bb75ff7892fb60fd76620fc2228811d913d152a0aa4ec9db7a5
SHA512 ff358c9896792017ff7e91f1dedffd9d75a099c5b852da19599799aeca20b6b269267ff7c12c918a2530fe1a79a12bc8796c4eb3914c97faba3eba27388abde1

C:\Users\Admin\AppData\Local\Temp\Plugins\EVa7gBMKoaHmLC.dll

MD5 64a3d908b8a5feff2bccfc67f3a67dbd
SHA1 a17d7e5fa57c99a067cac459cb507b625dac254e
SHA256 6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1
SHA512 66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc

C:\Users\Admin\AppData\Local\Temp\Plugins\eMTYbTz0gueNs4.dll

MD5 5dfbcfbbf9e2ae7db23e252808699ffb
SHA1 a1d429292fe73aeb5abab10304e1ae8c1262b26d
SHA256 929e5f15e9ceca03c80b2d174283cb25bf47adfe4693f5c01f622416c9f6d03c
SHA512 9ee63080781577e0d818a27d026024f96161bb7b132dc0c130fabbe2d6c3b7758868fff5a4ad68efeb4d08f964e2f69417022751880a443f7f920aa4f40f5c09

C:\Users\Admin\AppData\Local\Temp\Plugins\CjETR6GpGXqM.dll

MD5 b0fc0ba80f8ec9586ff397412c512d9f
SHA1 0f6051b71b715a47be1fa16683201413905629a3
SHA256 13db80a0211ba9bf59a1e43bdb2fffa91de5c7f38bd469c4824b5e06245a0234
SHA512 222a365ae567c6c773ca2b99b82795916839cc5c9ba8eb019bf6713108720c2793303ef6612b64488f4584602cec84c0b48a02fe709db0250bf377d07e002d7d

C:\Users\Admin\AppData\Local\Temp\Plugins\fzAgyDYa.dll

MD5 a5770798b7a6465f5b5a8c19d7d707ee
SHA1 ca67e9591d2f757cbbfacb55f27aec6485b10ee6
SHA256 f855353a618af8a53504b5188c05d3a09fb1ff85763e0cd15c53dee82d7c6119
SHA512 64da7687e83c6ff4d1c1cdc644ffff53333f745e82f169beb529d55ec5be6f21658d27c6e01744147c00f834978260e86ea627a5f2981f27305afb69a7b467dc

C:\Users\Admin\AppData\Local\Temp\Plugins\mML6WKMqdxjDGA.dll

MD5 e03b206eec8a7efbd1a47909071226e5
SHA1 21163989ea524920e874bc7932adfcd5e94f854e
SHA256 778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965
SHA512 831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

C:\Users\Admin\AppData\Local\Temp\Plugins\mGWHaG2Jn.dll

MD5 8f98206f577160f950d456d1190c8d32
SHA1 defced38fce00775c4616b420fa674d77f946eff
SHA256 2bde0293c982fb6266c683ecaa2c90372d26d9a2786726874a2cfb89dcc68324
SHA512 432c2b6759701754616273633c966332e718dbb10a9a7eab0d7c57ffdc9be95b5e1b16b6e291301ac7aa6d1de48a46d30f08729e45d6634b1849f41c78e92d91

C:\Users\Admin\AppData\Local\Temp\Plugins\KNTmoSnG.dll

MD5 738c096a9bc38e21a9aa59ebc356c80d
SHA1 139756ad201a537461a6bb8524a4b89a63b1b1b9
SHA256 300a5551f7be89c5f03c0b70fa7dafb7f84c6394dac68bee95169e985e7786f0
SHA512 294c34f0716861fa67ba571bf7a8614613a1746e9f2935ba0c86eb1897dff858ea1f7fb44f1b6ec87cc709f4933a912dcd3eadd5d0b208c72985aa47e1f214f2

C:\Users\Admin\AppData\Local\Temp\Plugins\G3nl0mDcABnDuZ.dll

MD5 97b8bec4c47286e333cc2bedacf7338e
SHA1 764bbd0307924b71ca89538b42996208d10c9b91
SHA256 060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de
SHA512 a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf

C:\Users\Admin\AppData\Local\Temp\Plugins\FBSyChwp.dll

MD5 0d41ccfaa8e7ef96248b8270d1a44d08
SHA1 6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326
SHA256 0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3
SHA512 a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e

memory/1140-210-0x000000001C9D0000-0x000000001CA46000-memory.dmp

memory/1140-211-0x000000001CA50000-0x000000001CF1C000-memory.dmp

memory/1140-212-0x0000000002D80000-0x0000000002D9E000-memory.dmp

memory/1140-213-0x00007FFC71110000-0x00007FFC71BD1000-memory.dmp

memory/1140-215-0x00000000012E0000-0x00000000012F0000-memory.dmp

memory/1140-449-0x000000001B0D0000-0x000000001B1F2000-memory.dmp

memory/1140-465-0x0000000002F40000-0x0000000002F62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBFB0.tmp.dat

MD5 4bd8313fab1caf1004295d44aab77860
SHA1 0b84978fd191001c7cf461063ac63b243ffb7283
SHA256 604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9
SHA512 ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 2f10e51eb8ee17afada46574a5c6627a
SHA1 a954969300d6e0a228a6aa71ff51271a1540b7f9
SHA256 1a8273d038a869c6f9f0c063e145b9f0cb9c78c200568f499c79c298bebee1be
SHA512 1ad88f1547b4c92257f73ea7c4797a822cd71d0d6d365741dc79845bead1760819eb247cad163f6ee4e7ff531a79d12b4e7f60d778902067ab956ccf56030538

C:\Users\Admin\AppData\Local\Temp\tmpBFF9.tmp.dat

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\Temp\tmpBFF8.tmp.dat

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\tmpBFF7.tmp.dat

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpC029.tmp.dat

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/2692-575-0x000000002A410000-0x000000002A4C2000-memory.dmp

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 5a7c1b78dfb14ac7998a75d40b92c3f4
SHA1 03f72828cbb9c0382de7dc609e278ccec1a7716a
SHA256 9fa0ba50e0d580b203f7b5baefb7319567b827a30dea1c20f1bd5068df69c279
SHA512 ffa283ecdace7010f7f995a2cb97541f5864ba686a11afde728b38dfe28dcdadbd59c1fc5f62c7f4d85b5f1cea6064228d447cce90d9bfb5a234af37e1f265e3

C:\Program Files\Java\jre-1.8\COPYRIGHT

MD5 47b0a2f749bc41ea2ed69137daec9c41
SHA1 6f6f85ceba9acb59a573583ffd9532e68daf0429
SHA256 b99f739360157b7fa5004ff57911e09f563e5eb5c60b10b46fd47567ec43f3ef
SHA512 74bafc146c3e337a4964b0a669bcfaf8df4ba7cd6f61e0b878f761259a79867e832f57d5e1aced2659e6ebda32a593d60fadd74d09330a1c6b84083b6ed3d85a

C:\Program Files\Java\jre-1.8\LICENSE

MD5 7630446a67a822e879e2f0bb8e0bdd6d
SHA1 e822848b7b96061e4d026dc2300ce91eded5bfbc
SHA256 6b057d8bf87b173648aef2ea79c984a5e77b686d7f37894e049f5e85943a43ba
SHA512 a89ac32ebc6ce974e143919fbaabfa71e2774ea65a0cbb01d9f85e2c8ec4349064763e718c26ca210a6f60eecf3599adf2c7b937e5d54acd14d8c4b55672f252

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 0a1c927745f82b77ab835b25e3d5e51c
SHA1 4c716bf3b21a3f1b7f6c344624a9bc735b55ebeb
SHA256 41f4bd4e0b149ebbaa6416c23bebf2344a85235f380099c619e1615428dd44cb
SHA512 c0a821833bee6f906f28d73fd3eb8e88e320aedef4f38b117d3e27d10ff267c7b1312ec8d00850fb781b20d3b6e2aa66e74238c40e3f533c332cfb520cee8d8d

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 37ff4ef4329f1f638df53801f475312d
SHA1 2b151840e3fd1749ad2d62bd0da0fed30169e712
SHA256 bcccea06cfa7e56b2062bbe7528823adeefb9ff24ccc094267d976237dd378e8
SHA512 e7a48d0c6ac3b64e76b54fe784e916e8e0fdf8600875ffd7fa50ad4883d4e47ab363f420ed3816e13b15d7d65b210f42d361ab07b0baa3bdf179279c424975f1

C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

MD5 e432b966724fac93ff5fa84beb4985cd
SHA1 d686cf62da1e0d279c88a14ae8d89b69155f1509
SHA256 9c1ba9c40a424205a0cb0b533ed14b31449a2f589fe4bd15d8549061149c4669
SHA512 c461ca87a371939d963c0c036dce8c6f995fa3f00ba3f5e91f1f142eacaaa7ded1121db5ae8079715fcf89d0da2c05bd5a3807a5821c411f18f7a61f28bc4c85

C:\Program Files\Java\jre-1.8\legal\javafx\glib.md


MD5 b191bc9cb1fa3ed79a23a040a14c5bd2
SHA1 a1cf8efb64a4f920bdf3f930686b978feb9945ed
SHA256 ba0f47883111ee7f408a0f119926c6779d36fcef191ff4f7f8cb6480ae6dfbf4
SHA512 ae28dd72fd6b9a304f4cbf3e10ddbbaf825cf10a88b140d64c485c9cdc94451dbfb7af39e6c9bb4be0b257db243524e80af38498cee03a433ac9c892297f9c5b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

MD5 440d35ed1db933aad200a8395b083ee4
SHA1 cfe30e3723a17db46516c72e5ee98f6534003979
SHA256 a119d8cd1ce1f30687a0186f9f8247e21850cd9e798b6eff158da3b496f0a072
SHA512 cd8fcfdd6f4f19636b8c9622248fb19e353ae0fa4b10bb1e296e05afe178789514d2f498485d5a0a6546b949324e89810f41f08f816db0cc20c5b50b3c2fb828

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_retina.png

MD5 10d81fe97ae799376f1d68bbb522fa30
SHA1 804f28b50f532b87b0e6c12c43929d7370cc1866
SHA256 3e9ecc6c1c8635bf3b397bafbca17702c7668dec028a056ff579115018b76532
SHA512 69110e231d254855fdb4df5392133289c8497dd571eca1a63baab56a94b7059e3e118021ff423b0a7aad52532599066980468a7dced4709cc822ed0f2ad19984

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif

MD5 2b6dd185de20314767ef5001a6d86e1a
SHA1 40d77399414397a4c8164e4de6c5d4253e403af8
SHA256 254da82c778bf3ec831ffefacd965233a76af76407734f91c66595fee1927c3f
SHA512 647468d185e0bc16ba7ee9ccabd6161a9658fb6d837037e874801de7fe4e2614152e8f3e1c7411050e15ea5599835e259863dbc13560cc32987950ca11c64066

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons.png

MD5 eb40b16334ccc9a286cc777bbed4e73c
SHA1 8a13559719b01f217cd021b3bcd1e1f3a5326a98
SHA256 5a1e2d76154b7545660f5be8a99b2c13a06e4b8fb485e9b9cbbc3d231ce39331
SHA512 333c4cc342dfeb0fe120e1ec72257f28ebc39268a3ee74e32ce73b482a430ec99f4753f46cd5430ab846dc66ef591135ef740b90f300b1c1c46c210296d1c4ba

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons.png

MD5 61d5be549ae58bb7a1e9ab0c2bea714f
SHA1 707a89021a923561c8cd247abf470689aac243b9
SHA256 71aaa6e16eb735935d8aec9579b28018173028e67b68a251d9753a24b318fa83
SHA512 2d68ee968ac1e8b22005657507d4cb9e63e9d01068d0e7f97a35dec7ba3fe3022099e14b2ed32f57428bda46d3eb530bb903580c9b4b69ca01881a56673e63cb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png

MD5 02d153b6df27ce3ef005fc204c40c6e5
SHA1 ce7c21d3bc8ef1f9f71bdeea1a4fae6b47e105ff
SHA256 f0c5c8c61f49317af86a8a4a01f126729b2a7f7b2f73e9ec8c4f2aa8152ebc54
SHA512 f84098c7bdd2f58edfeaaa7a34532cc561bf50b430ca22958e9a9ddaf3cfee08e33edddf8213587eb6582328c2c3f975696238eefcaeab8828152607ec58a499

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png

MD5 aab271fcd0f53b1729502f03f493ff51
SHA1 e45117fa8f5900c130e63d3a17b071fdee6041b0
SHA256 255f3e6fe886a6f33ecd861c260dde0f04a9d6c1d53fa16b0ef11401541adc29
SHA512 15dc88e08129f9c57d0f65d3fcdc44c0321154001efc7ad2446763fb9537c30b7819678601a05981063a716c0204103d81d48df34535a1ece10335a0f1b596fd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

MD5 ce35645e8e2f94de18ff74c9ab0605aa
SHA1 fc68b4c4284e0d2acd4ed7e2e61e18f6d3b0041c
SHA256 f91d1c3bb9cbc5d6c4bfee7ebf21c4deab9b61dcce8bc3acfdb933d6889a8229
SHA512 4ffa0a24042571891f20e2dac6f6f44750ebe0712b428e232e7bcfd1a2e5ad13645909459718088fa6ff3110ac6f0c4b3dfd7093a53a7df983bc97afbfab7114

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png

MD5 7ccf44bd96c5e1aea9e7daaaa19b6ace
SHA1 fecb5f16a124c29d2dd5fddd7f010e94d9734805
SHA256 76453f72dcb257faec08f409c1e82e5026a2074a014a8027071c0f794a3e5696
SHA512 ff9aa31c263a98d1283dffa53c93a6833a6aa60603f1d758067f3cf0c00103c3f06e9570388ee4abd42a7e3422fa7b9a103c8898d724f08a5d4e3146a8b7d6c5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png

MD5 4bf9b9cd0adbab28209125da17661448
SHA1 0f0bb5a8138f5dbcf9310a65729e0780ef569660
SHA256 5b5344227056f20ab0abe345e128c000b9bee8516f0ff852c14e7e2bd1b16889
SHA512 310276e8c2b7076a569d071bc2db3de475b85f8426c3a3438b46512e9440fa98362d42d8b8927eb6b2fe74a0f90237445980defb80a38b0784a78a3f64d81d24

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png

MD5 d19a277a416f2f88b56da4aca7cf323c
SHA1 25bcce3f2486374905d8eee4df92387e54852f79
SHA256 2e9bf430ba2f6ab825d2078a658035ccf24290f7b78eb38c121dac795c59359d
SHA512 60c3e8e0a8fd19ec3f3e65497e5d22bc7c3a4a51ac6a37cc03217b72f3d4a3f65b7ac2d9ddf3f2962c6481aefbafb93a863c51d47492f8643a86c28eb61dbfe2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_pattern_RHP.png

MD5 43341913cb5a9b920836979e51529279
SHA1 04ac805ea86922f1945feae03dd98a655b7f8c98
SHA256 df9838237df05ff8688f75a9ca2015a679d23efc4bdabe26c86fbe01cbff18f9
SHA512 081fae79c60d9705143010985b6228f440e8ac3a14138aa0f6eb7aa2eb7c072fd741248188380a34d91953f01b0fb431703ffa8433410a547a264ab49beb7dd2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations.png

MD5 97f0f9e536a305485fbe4ec37c2546b3
SHA1 ea50656166ba17b5bfb6bed8f94d095c4d9a069e
SHA256 001990bf00fb0d29313fd18ef9c90cf3f5359f64e19706d2f0c5b40d3d196fcf
SHA512 471843083e92c8c33f0c44b76f7ca8397f49b30d9c5f4bc9f2d2081310eda9a071e446c38f1dd34ee71b327534610b60f1c6830b235ec2084d97df59d683e7b9

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons.png

MD5 eff046a92efdc39737d049345aad9de3
SHA1 df20c1d8da77cd7799c0881a2564b8101ab267e1
SHA256 f442418af78c6012fc42a0b0c561a8f55e2fbe5fd5b6908dd067bdcea81c9d8d
SHA512 559827815794565dc3de57abbfd6eb3bc5df7642c17cb4314924bbd6f963b4342ef1b4aca8e604f2de541d8b02c409adaa967410c664d18ec1c578d701b560ab

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif

MD5 e6157f37a2ba3e90525c4428b3748b4a
SHA1 72859dffeb1222028cc01b8e54ab0150bd421810
SHA256 ace7d532f6dbc1068e5ac82649015321c2c1e345820610337a597a54bf9db63f
SHA512 09b4052d61ace709c7bc8fee2eb3fbde94514cbd0889e5a8484ea2f42e949956b9b1a8bca7bc5618fe7abe8832d71c75a6ec8a838aa6eaf4df879c871924d289

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

MD5 c822a01f333ef124955cdba53a0fb65c
SHA1 8f0f0117cb2323d355deca72e484e1eab77fee7a
SHA256 1017b1d40622d0077e00aabb9d1dab436421a833ee8f70a34eef3ce276bb47c8
SHA512 295a93e66dbacfa1fe13f961c05e56f980ebe23dfeae0f964e73ee8e5d917072ea20c58ddb02b0bfdbed77de03b3ffb1a2c77d2d8a953a17d6777c29e585657e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

MD5 93fb907974c1a82b8256007bf099eabd
SHA1 46a07965d106d985b7e1981685f90dcb14feed5a
SHA256 ba83849c0d99a3a0039a13a674c67e642c641c5568c62f92df2eae14df9afad9
SHA512 d5bf703d8bf2f8a479b6ca7bfd9fc14ee184c86a247330fc095794db0a01b00421351598cf4f1cbfe86ccf50140ef8e3bd4ddff3dba38a716ebdc712701805ab

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

MD5 17fe86be7a363e6277f20108754081be
SHA1 4c8b7ec2a2c05711e17aa83f1e101f22c0af4f58
SHA256 2cfc54e5a3667a21c6b74089b980ad6e9cf31daad7ef66abd7eb45d7c8c9ef8d
SHA512 b792c0ee9ca07c0e771dcb0583f3311d0692f5c065f1023cc185e2c970f8b44dfccf1d33d44e5cc0b8bc01c3f0f4dabd28ddb7f8c0c1708f8ab6b954143c1a7d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

MD5 fffa86b1a42993b5e346000b5119d3e6
SHA1 9c0f7d2ce4663f4fd76b17590ed01e0c2399e3b0
SHA256 9502b42f692cde37b8a1404f0013e027bb4461a263d1074c2ffc0dae2a275ed2
SHA512 d08dce300fcf665715a62583f6fbeb1b9d3f5508e89e82db898ebe14291c6d6dc95b0f01c2649a85f03b7fe8fe6fd8547dedc2b796b1962ce694f294d0407163

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

MD5 389af41744b58ef1d634f16bd01bb564
SHA1 7f1fb32d1442203c958e2eb3ba4afb4e739da612
SHA256 454010db0d5dc6f020b19140f09852a18f8a0d11eb903dce90a8d68924f2d0a7
SHA512 7e4247511ecd76d7e1b301e7e42f970b035370aa00f6480567e0395984a492b5ceabb3a7dc32bb51daca8f1466b4173269f5ba051e4d97349883e11c6ba563b6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

MD5 6edfc88d5d857ae7eced1acf958474b1
SHA1 c704853135f778aa862a11d4f05af29398d607fb
SHA256 a2d0fbee241d48ede51b18da367ffac99721102570079fa91b3fe4c24c4fafcf
SHA512 73e63ce2713de06f00cc5cd2eaa972768f0b7e01c7d7609676c942de77966551bf7fd1b010479d990d36ea6e1e59310676a4cb3d2d4f87750a94f2ee840a988b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 2f6d8826e25e6914c2cb4643b2562a10
SHA1 d1630de9a14ad09c750d3fd9ff6e99602eb8c028
SHA256 c61b27b8c696306abe983d6a23ed8d598782f00bf6e0e2b18200c2631f827d85
SHA512 cc411b12d86b874ce449b868141400ab582650df363acb81c62212606721b4065c985f95ddc856c235c81f0a948c43d1a3a963482667ec5aa48b967198e8364f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview.png

MD5 677e29f49066b3e1349f67b262d6e93c
SHA1 fd0b97c149fd546bd1b1a1f54eabb0279719a2d6
SHA256 c7fbeb0cd1b3c42ac092347a8a5f26f8de801aba6beb110d8cc0c68db0323595
SHA512 fa3a6ff95411843194dbc16e271878d09004edbb34484283cf70383702ae12ec5d6a5f93bf81d728b57ce5f353623a44a9fef4775dd8f5fbdb56c80be88a3ed0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 18c8d52949afe07160da62c05f72cc28
SHA1 da08e5c38aaacae3115ee284b5be5bcc2faa67f8
SHA256 3c62774776eb38f1c149fc0d3b73b9c4276bee8d0a75fd778d8ea2efe06bd01c
SHA512 6f413eb65f8f0aeb309198a13efa6a2be82e1a51f863b596246124c18d23ac7968c67c4a199c234b0f6098587309fdf87a4ad9bbf92c302c163746923ed76e2e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png

MD5 d203f9448cd3b47a2dbc533a133987b6
SHA1 aa182466e7768ac87e4f114e717a82c1f93a31a4
SHA256 8eb1866ea78a74b2186098353f1460ddd53a4cbc4cd10d5151c9caa0180fa3e4
SHA512 1f5079951ff52fe55e927dfb610624e171aacae0d0d192bc7ca3db758d4e3d74214bc50331cd0af566447f420b13e527da732213024068a026b160347105234b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\nub.png

MD5 a9510396973b5b17aaf5a494d1663503
SHA1 902c8a57c9f092c27e7e96c80e3592392d4e362a
SHA256 bb2f43e1ca0d7584dda1ade0be60991f0888654a1e190ca95fb33f08d7712fd0
SHA512 b1712308a061d37ffc26e5cd970818acab5b473648c1734472613879ee7cddc650b50c00ad9c2ec77ab649ff42eb2b83579f9756a29f3c530fa0cdec623ccc8d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

MD5 edb0cf130b0b3385c3aad302cd4f0588
SHA1 19546a75d4c09e8fd0cdc4ded0e31f0c7fde330e
SHA256 df48e6cb91611e5bc9fad11a3d8bd41efc5628d74a0999235b1c5d2cd7b4265b
SHA512 020f8d212e498642cfcba6a58935cf4d44259a4cc3ea56b4c2fe3e49f23f34325e4c2a97a1e11a783c4b017a4758951fd01b867256b0c4eb897cc80848ce21c0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

MD5 0cc9595dff8ced5ad22ed6ae429cb18d
SHA1 5c36cf5aeaea855095d7cb32371cb40a90bf5b90
SHA256 94f6eb6f7202a083d52eeb430440e25a8334128857a4f25bd16389878d05effb
SHA512 36c27f4d16b0d8f8ddc4aa18994a86aa57f8fbdcaef15910e7686c4d133d83ae1b4896cb0ecfe68d6fc9685099e7033f9b500c9e930cad77c325302a64971b23

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

MD5 6530a77b71a7db289cbfa0c3b2310b9e
SHA1 dfa1a311be0022b9a757a1c0a8332644d9f8f03c
SHA256 8bcf5caed281555af8de92fc01196e37c6bc489eb80b8efb41ff75367a39b48a
SHA512 0f0f4af9ff3c3881148da504ee3103d3b2edcae4b1834ad6dbba00e28200af08385fdae0ec2bef1276517f24e80f5457b3db2c187ddeb7d7396c6d354f899afc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

MD5 d130f1eff07af4c96719f948ede8adea
SHA1 874def4dbd908b47608ebe163d56a15fa7d591c8
SHA256 d62185824280f8e945447e469917760aa154a50d2d6be453bf0913073e7a9256
SHA512 c5047f1b07b77ca0b8f9fcc8ce3f5640ddfb03bc9a5763cc0c2d4eae2b6322d8c90f254b648116226d860b011517e728062607c56ed6136d029e87b5ab696137

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview.png

MD5 216922a818b5cb87f0f85388176b9a97
SHA1 62b6335ff7a99f85665b558078c94b2f31d950b3
SHA256 4aaa8edb83a098d27feea979ea2e7bb3fafd98db6a85b4231013da93f9c08d5e
SHA512 0b7a9571f3403d92ae27634283e05b1009042680fa948311c1d045e36cf894d3597daa174ceb2ed540bd533ef4f3dc2f81c0b6ed6b28a6b1f82e1a48418aa9d6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo.png

MD5 05b864fc7d8222ff04705311396488dd
SHA1 2bdb3ec67039645d41ec84b9061b50f19170d16f
SHA256 510eacc0628d10cc66a25f83043ebc2c74ac2a1cd860f87600115fb1aa5d6abf
SHA512 2a321e735cb35c21e08bed2c2e5f871680c256c7ca08ab56cba4387095189066326425b4a4c5b4f130eaa11d697faa01b5748ac8c10b497dfcdf7ca12912de96

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png

MD5 826d34c1ef656fb01fc60322242d91d2
SHA1 8d7062602f344b1f3d68cf46ef99e03984109cf7
SHA256 cf5fcf4ee81be2a7913581d0e35af01fc8e884b473a31a9033ac7f82d680e4c9
SHA512 ba70fbb1886a284411f93601764314cea3ccd05cd83902d402a39a56210372babfcd1b77c78bd7695b1f0f16b449dafa26109c07e5c9723c614f49567c7f0951

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo.png

MD5 3e566387c172293bd4d106618c116155
SHA1 e5075119e8418c6aaa32af735e62d7681a78fb34
SHA256 d45a114bca2cad202a7f552003ff88ea7a80f9b204a9efedebf6e3deac0e4937
SHA512 24f968476d0b53f16fad89ec9cca29a662488804a00439c6d218c9a948f9bd6822a4f32fdd0bc0f59ab00e2c3a026937b6d9c3b5e0eded78357944c3a32c2504

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 e237a03259dfb166a823cd1214515df4
SHA1 579dfa49fe623ccc845fc5896434d732b19f392e
SHA256 c94dce6e601c090bc904fe7690de57445de6a321424cabb6c5824cbce2cba972
SHA512 bd32ad3834a78b2d823763f0225d2850979d0a672306ffff5db7090a2db1d136b45bb9c65130de13652da5b46a5855b2351b539c05c7162a91164a6f32408512

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt

MD5 1145f277118a516f2d2baffece62bcc9
SHA1 e66bbb1d9b2b90022f3c4da52f764188e8d56df1
SHA256 fbda87b759029c2282f1770555e597a78300a3de2cab4ee364e07fa0356f2c63
SHA512 b4dcc28b7a7739f5f92ea2e27e2c696ad0dccc85a43f85250f0c6494570748284f6a53433819a1edc5a0c9d27f84c24497502de2203f561b6e8976a40ef59fb4

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 6bd369f7c74a28194c991ed1404da30f
SHA1 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA512 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 d2fb266b97caff2086bf0fa74eddb6b2
SHA1 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256 b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512 c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

C:\Users\Admin\AppData\Local\Comms\Unistore\data\AggregateCache.uca

MD5 f1d3ff8443297732862df21dc4e57262
SHA1 9069ca78e7450a285173431b3e52c5c25299e473
SHA256 df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
SHA512 ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db

MD5 a6064fc9ce640751e063d9af443990da
SHA1 367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a
SHA256 5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c
SHA512 0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml

MD5 ddd2ed7a1263bd60e2cd1a6da7b8dd8d
SHA1 55e4a17a58952df778914864f17537a6f9285e4c
SHA256 ee6204f7b5fa119f2e9828e26a37d5281e3e6ce4ff51a8cc56d0294f44b16947
SHA512 0bfa03e5d3d51b43c03c515e229110e80db34f490c2d0572fe640440fe3d2331c165088a060126a4df26d3d0979187abdc4d2580023323421056fefdfb2b83df

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0db76826ef1eb39b10f50c9c98411802
SHA1 88a49701de5a338400b3f5b40deb2608b413ab84
SHA256 f09445a05f2cf45e3d1d8f826bbb4fa78f1fcbf04311a5f5e8e3b7c90e1069ee
SHA512 0247c74dde74f8f1062fd2b28fc57b3bb567e42db8e594f2712fec65e045bdaf4be8c76e9b5f98af48dacdf863091ffa446dfa9583afb4a70c73809cbfa5aaa7

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Recovery\BookMark.txt

MD5 a2ebe0889b0a985519e9eade02694c6e
SHA1 435ebf82ec544204e4f0f7f343d237c8a42c17c3
SHA256 20aa05ade0f27530dc1ddcf485205af1a9ff9550c43a79804f17686021fe0819
SHA512 daf7aa8dbda5d279e1323bd008488c2b1e6f54661da42111832898555ad940c4be80e6926f38188ae71df993306a6d7ea56bdd2af3eb1e18da51a60b8c42ce6b

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\StealData\Information about the data.txt

MD5 91bc87994a258a7abe5e6aeebf147bdf
SHA1 77e2ded98d5b4baf407a0e091a803fdaef776ec3
SHA256 e8c0331a40b5b2c88bee5e4c2df6a6b72a3e4a322f7c7ac61d59edb21eafa1b7
SHA512 f5d7e267def6ec6460be2310d09bb3f94b195c45dc9eb3e03b135e6ca9c7704d329273625f28fc86faf48b8abe63e109da5d2dd5b7deafaf367e3ce89c95ea95

C:\Users\Admin\AppData\Local\Temp\HNFOSCDF-20231029-0448.log

MD5 e2e5a6333247d95d2bbe459aed56933d
SHA1 299fd0dc3c370b3b00e55d0bed423cbe4e841bbe
SHA256 17e736b05f373815399c337b77c9a7136f3cf3e89a6f8a882b5abaf0abadc398
SHA512 ce90e3ccb02b2fbe04ca2e6f6b8c9c003457249a7b55b0c5b55e05cd64359ab1ccf30e8ad199b8315d901b88ae9b8f47ddab5091526ac3e1e55c5eff66e9c30a

C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

MD5 56a504a34d2cfbfc7eaa2b68e34af8ad
SHA1 426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA256 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\StealData\AnarchyData.zip

MD5 b323e932e753b238cfdada69b81f5fe1
SHA1 5cdda649a5514e554de44d4a252abc751b9d78d4
SHA256 f3a959fcf1566dd5e96b8bdcb4e74f85be1df5e9b5a6e86ef1413e5f13ba8e48
SHA512 f2113515cbb57b0bcbaee2e2c59f15861af9514d6a05ab22a8d121376ee80c50dfcfbb413eeecfcb943ef4287cf78b7acfac3cd253713e313bfb1535a134f55d

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Recovery\Password.txt

MD5 61e39cd17c25f8e978e0f2863ae33f48
SHA1 d7d80edd329c240c529da0fd082270f852eb9675
SHA256 5acee54af9a2e16e5ca2278d4a91e7bd65411d67cf035974d10e4ed6c8f47a33
SHA512 d1459a9919b1fd11e5ca995d35d6341f289413e4f96aa26bb599fddc68f12511cd13030583fc806313457e0d1e846b211fb2e73834c1f8cf28d2fb0ca1a01304

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Recovery\History.txt

MD5 8b86c34ada826314848b1847cb078b3c
SHA1 407a1dc237ebf44035c8ee22bbd3c3dd8e5925b0
SHA256 422d548c18f4c6cc4a4a3b68e383edbcfafc961f7ba1c639bfd55474946d9d38
SHA512 b44b69cd893a9d6bff526509b7b4d0589ec630a352ba5892584dc4fb475dde7586e5afe09fe44d8fcea03cd26b3a14cca1c0e3b14d106912bf2b6cbef5fb9188

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Recovery\Cookie.json

MD5 764476e053fc9410258ea154d2457cdc
SHA1 d6e3f8986f3343b9444150df13672b44ed883f38
SHA256 1f9ecc653d771b63d47cc5b33b7ee42c82b2edf91583f02717bdca6ceb0af0d5
SHA512 e5cc8de4ef0033ef81cb2c046028370b57ba4433589f76db918440b4e4c78790b80aed6e7625788d0b8dc246dd7982045abdd4fa58a3dd98798da63f747b4bb8

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Recovery\AutoFill.txt

MD5 af253b3f98ca2cb6155fddbe1d7ef59a
SHA1 524ab4141c16abaf7408561b77cdf0241269382f
SHA256 0b0fee013adfb00a863956d3c21fd6dfcf5b7ebe5d4c585ac5439381505e13e4
SHA512 41adef9fbbf29c3b46e7ffaf5efffa38c7119c58f306ae8da8f69b6462de1a1069f10ece078354961899efa4d4bf5df5ff2e02c68792a874212ac9eac90a804d

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Password\Password_10-29-2023 04;48;10.txt

MD5 ea41f09f834c82caa8acbbdf95a552d7
SHA1 908c51285caf093ad3340bec9ba239e8d7714091
SHA256 ca32a84b5478453a7e0dfda8e398f4bf85b4940a6bacf3fa45e621a230a57548
SHA512 850f1309bfc58e517b0872dad0cc29c998dd5f99f220f21957618a6e9f3388378327b83dd4459998d1b56cd3b5535fda802f6d9a04509604f0efb64e9006bbc7

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Password\Password_10-29-2023 04;46;26.txt

MD5 718507c98e290a1920acdf2b2ffc2d6d
SHA1 26c429fcdfd34714e4da4f28ca4dd9e7fe47a429
SHA256 261b8811ce93b8efb30269bbb2616c7ced3b2a0815b782b8c3bd98b58d10f03f
SHA512 8192dcc348e0049799a069d902912908b464e9407101bb8c5619470e667b705d027342ace2a82a2b571a2c49d75e44fb06b308e9a88dc8f48faa988a812f8c0c

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Information\Information.txt

MD5 68303b76574bd9f1d124ae8d402ca8a3
SHA1 d291bccea34533684a081e470f6d49f81c962515
SHA256 1e96a499a94066fe4788307c9a5b03b2bf1a27b81befe6a7ca46a0735d902473
SHA512 7495b923674d89741bba87f2767cb3702271f91a7619bf03c079c3e357536723bd4a68a6a0f5a1cca07c2c97e5ba5594f652005cc38532df16a69b88a1232606

C:\Users\Admin\AppData\Local\Temp\BackupCertificate.zip

MD5 91c4f3e86fbfeb54b6bc778ce7cf6eb8
SHA1 02e8ca12a5ba64bc364e543e120266eca617419d
SHA256 cb16601bc6651b68adc29665910fe3df024dba24039de463c9af0b72d2f360b9
SHA512 18f2d40842e6d51772c500fd2bb4297e91f838f3472b53f512f5012e2da65ad8aa546bfd3f7c1c855f0cd7bb766b62608530590ca8bb1c1eac7b871b853c2a22

C:\Users\Admin\AppData\Local\Temp\919CB5E.tmp

MD5 7618cb5a35ecd7b9a94719789c779cdc
SHA1 f8205df292cf79a4c8cc101f7e65e5802f9cf5af
SHA256 1e179b406e56de0da2893b5ac49986724c5dbec446301ae8bf829c831faac2eb
SHA512 75231a815c756ee3d82972c90915bfda7c852ecd45884cebaced5297961b44f1ed48ca52b6583a6ec012dd131453aeba7ed98aff93f657ee3e116f69de0043c4

C:\Users\Admin\AppData\Local\Temp\895B839.tmp

MD5 1115e189d341ce689e1813af3e01afe4
SHA1 1a0ee1f7d8470b755446a9d4e125599eab7cdc05
SHA256 e62b30aa154396435734eb6aeb7100ec5578e27f9b5d90307f85fa1aa1e64120
SHA512 ae62b21a4b8588b236ae2e232d2dad84d687a7e7006a132f8f1009a5a61b0ab719bc6e46f09fb1253031605b440748f8bfdea8eefd0097aa3959b7bd1389e399

C:\Users\Admin\AppData\Local\Temp\238E96E.tmp

MD5 d20164c799c44c1f2d538d594adf8af9
SHA1 4da69f0ae8de0dccd1c12fe4be177478baad878e
SHA256 65ad174e9806eaf70dd0cb8586c99928ad173973a8a177943a28e1b7e989bebb
SHA512 b408018b3208d42be43d0d174596928afbd92f5678185b51b22485ce970ce49d18664880ebfad0055bd5e59a362655a41625cb5a8bf42bc43134565ef7c42b6c

C:\Users\Admin\AppData\Local\Temp\142B819.tmp

MD5 4b74bb2a9f801cfb2961a957fa6d987d
SHA1 70494f3085b2178d69abcb34aeac806c16d2edcd
SHA256 c289b13ba4278df00500c4743fd302f0e653f360ef50b342d06c4b3ba4a9bf0a
SHA512 2a1576b89346c95aba27237c36925e57a10f01d31e45357e28de8eb0d5c3d6c10cb48610a5cf68b0b8922dde7b841983c8b86290b305e08a94ff158907a86a75

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Password\Password_10-29-2023 04;47;49.txt

MD5 5f5b678f4bed97fd5701e56cbe19ac91
SHA1 95dc79b116ab5d50d18bdd607b84e702dc85cea9
SHA256 9cb2a795ab6804920001b3f6fbf277643c594dce17dd604d6d567060bc6b9ecc
SHA512 5521bc50cbfd0cac273aff0b3506b5d6b534a501bd5700ca36ac4da79783e91b5982fc07b49c645f7ef4bc86fd358cc6bd70843654b9837bf39d38f703727602

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\Password\Password_10-29-2023 04;45;43.txt

MD5 f25e7e87eaf9c7c7add4d3dee272bb7b
SHA1 9a64e38cc6b32e5b5f91765ad6a0282e6d0aeb7d
SHA256 1d2c1f469ba949396186491e0ac025f7bd4d520f6df3b886befa8a6f3297ac66
SHA512 4279dddebb706be4657d223a95d4d756bc52f746a18923237abc7bd5ca17e4288e70d9aec6a70a649c8f930f845ae5ad65bc98499df61114e3146fbd822b392e

C:\Users\Admin\AppData\Local\Temp\ClientsFolder\9B98E79A352B865F0C37\FileSearcher\10-29-2023 04;50;10.zip

MD5 7609a61a886cdec7eeb63fec1eee9bba
SHA1 a8e7fb7b243609c67a9e6a85fedc0630b8078423
SHA256 bcf8b63226c05372388ce13efade63505781f9af759e96ec74570f221dff85a3
SHA512 fb94b5c22031768d3f0ee18f0d6b87ed7166f3e37598baacce485836e8ba2dc9136326e50f82acc276c52910e96f29e4e98f41958eeb17dc32455e9a79784776

C:\Users\Admin\Desktop\DECRYPT.exe

MD5 778435dbc0ea22f9d5b60b06b1dc5b27
SHA1 ac6ded9656495cfdb701e66e3654bf161c3c38ed
SHA256 2d39bdd50f2fbb072d5c4c71ccbb18b3de6f57b73254ef44650f564b49eb47b6
SHA512 1027e8b0fbe6892eb74ab999cbb4a23ce7429febb3558978eaf373669798361340b7e492ba40a14ac68c50990b0187acffd4bafaacebe40c9677aa41145a9651

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4BXHXA8O\microsoft.windows[1].xml

MD5 588eca73f699ed029bdf59c5884f8791
SHA1 d6a4f0d004b4e2d70a68243b67d8d1e648d1407f
SHA256 f91c127f979ca4e1956be96207c88232b6090d21f317bbdf3951ce8999e7a410
SHA512 aa5daaa6b051d1b3c915858578a192161ce0ce188442addec4a548f03446b8964dd5695e93cabdcd858754e7510af677b0f4b3ff030a23080c7c820435fd24b1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 ec9f0ba2e26126f282c5b384dac43799
SHA1 4b42f421b37d61c6a77cee419fc60d874dfff91b
SHA256 0d8de2333cd37cbb38541401f59f850a6788167a471c3f4682d667e3a7ac22c3
SHA512 be589763db1ee73024de4f6cdb1984fec81838248f6bf1012bdcefa5bb99c14d5b30b6642cccfbbe311786dd7ea5f410fab20b4f4f8b9fd4094f4c694286ed29

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133430288454518204.txt

MD5 be5f5bbce205955c6ec678bb9fbfa6f2
SHA1 6c41b632387102f83a9f8c7869cf5bc3577e91b4
SHA256 9719043f24dd3a0564a9ec8c12f8e161257e3b7c26791ef103581ed33de5f572
SHA512 c8cd9b435116d076c653f9bab3ab2bd386395429d927f4718f2bc97165cb94fc3589244d39ec18f7a1905e3e11616c8eae8b371302cdf59d0c4a80798eae7482

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 3179c30b1fb6b05d6d5b89f2b2ba5dfb
SHA1 2f60394e0cf1961bfc1a42e97553957f21293833
SHA256 105a334c2a701f27bec5ee612f5bfb95b43cc00b9136220f8a534c2c14415c4f
SHA512 f92187350de36545fb61ca90330e584015b7a2ef532cc313a8a100f67f436b0352ccae497c75e05f4b5a58edfac85a54578ea292e01e571cd3607d945a9469bb

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 d48f24735747524d7a42c45393204c7f
SHA1 2ccd6ac81c8b5e3883d4ec28bafb3f604544ae9c
SHA256 1cb9607ae57823ec9a99b49fb0a6153650939a4517a17db836c1fba7461848c2
SHA512 25066b01c519815f9ba61c579a13f80a22b4861acf646cc42564cfc337e9a5c41f0e15ccd8d885af3108a4d3719b1f0e79697f802bed8de35ded7f9011198a40

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 cc2d286f4b0b1ccb30120f123f851943
SHA1 dea5a62d2b2d4af1ec7f5107e6ab313f096b6f85
SHA256 bfe8fd15dcd0d30e0753f2d99ba1f29ea8d8b2d678ea52260c55cb7cccf1aa6a
SHA512 b15f8c4684ca289681881df0bb3cb68ab89897383c97f8056197d589a1d21dc3286f4ee42bf98cf89d765123cf93fd2678213d86c46f3ee4604b293ed982eaff

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 855960f7f130b4621e601b7e53133df7
SHA1 9dc7e623b4f0e9ff2954f2c137a3be3dbb4de934
SHA256 c1109742eaf5a966e979835df95a442c98eecf9d08170b2e39592a70c3ab4dd7
SHA512 f3b024a8b29839099694071009c7400effdcc18ab81f5e18895716aa7a179092ee683a760065f32a1e3dc3c9a6e6c0c405ce2be46107ddc6064e2026193bc300

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8244373b-5b28-4974-baf2-04416e7d4a8a}\0.0.filtertrie.intermediate.txt

MD5 082e1f1aa9ed2e47498ff894d5d98186
SHA1 62ad2329bde4dbf934015f95749a817f78b15830
SHA256 1fa308d45a43d54f288c3c422a985f03927b8bd97c8413cc9815faea87e71623
SHA512 efe5f0d03e8050e9c1b90bcf7f4cbff05209f8c3226bbe26cb5fde8bb472cd57f515b15c090399b1c151308249440b391ef525a09ce0147c8639ad8027b1034e

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8244373b-5b28-4974-baf2-04416e7d4a8a}\0.1.filtertrie.intermediate.txt

MD5 34bd1dfb9f72cf4f86e6df6da0a9e49a
SHA1 5f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA256 8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512 e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8244373b-5b28-4974-baf2-04416e7d4a8a}\0.2.filtertrie.intermediate.txt

MD5 c204e9faaf8565ad333828beff2d786e
SHA1 7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256 d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512 e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8244373b-5b28-4974-baf2-04416e7d4a8a}\Apps.ft

MD5 8ac66f36c12445c1abc5693a469e8e8f
SHA1 6e0d1c260980b792ecc78a9a8c69b155a91b3c9c
SHA256 f2f5b184f22a3703ec52d8839c32768befceb687ff6d72b7086a0aa6b48ed4b3
SHA512 c8e9ac06450e18ce24335bb40cc34b2789eaa112cf8d88a5d0937a495f2d94e32c7344c3dd84a53b97174d269fda73385d52093c1abb374bc918321e0ac0c5cf

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8244373b-5b28-4974-baf2-04416e7d4a8a}\Apps.index

MD5 0fde0a452ba09b9974ec5ae0e83679df
SHA1 52b53f7c31d118ba741b7bc39193ebb85416eb31
SHA256 ecc33abe92432aee555bb3b2f9416117e38ab33f4c4e91290087a22be27968ec
SHA512 43308c2e53f470f61a98bcbec2da0392ac5fc88d7d7ad9b3aab1f0c7ab948a7eef64a28b09588594b48280c339eab60c85ac64be49546b292b1af33a71443453

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-29 04:38

Reported

2023-10-29 05:09

Platform

win7-20231020-en

Max time kernel

1801s

Max time network

1568s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "9" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\TV_TopViewVersion = "0" C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

memory/2744-84-0x0000000000A70000-0x0000000000A78000-memory.dmp

memory/2744-86-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

memory/2744-87-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

memory/2588-89-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe

MD5 94bac1a0cc0dbac256f0d3b4c90648c2
SHA1 4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256 50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA512 30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe.config

MD5 3d441f780367944d267e359e4786facd
SHA1 d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5
SHA256 49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9
SHA512 5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe

MD5 94bac1a0cc0dbac256f0d3b4c90648c2
SHA1 4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256 50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA512 30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

memory/2928-93-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

memory/2928-94-0x0000000000C10000-0x00000000042AE000-memory.dmp

memory/2928-95-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-96-0x00000000005A0000-0x00000000005A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

MD5 56a504a34d2cfbfc7eaa2b68e34af8ad
SHA1 426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA256 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

memory/2928-101-0x000000001ED70000-0x000000001F358000-memory.dmp

memory/2928-102-0x000000001F760000-0x000000001FB20000-memory.dmp

memory/2928-104-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-103-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

memory/2928-105-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-107-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-106-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-108-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-109-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-110-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-111-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-112-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-113-0x00000000206F0000-0x0000000020942000-memory.dmp

memory/2928-114-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-115-0x0000000023430000-0x000000002357E000-memory.dmp

memory/2928-116-0x0000000020C40000-0x0000000020C54000-memory.dmp

memory/2928-117-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-118-0x0000000023D90000-0x0000000024008000-memory.dmp

memory/2928-126-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-129-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-130-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-131-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-132-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-133-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-134-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-135-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-136-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-137-0x00000000258F0000-0x0000000025A0E000-memory.dmp

memory/2928-138-0x000000001E790000-0x000000001E810000-memory.dmp

memory/2928-141-0x0000000027580000-0x0000000027581000-memory.dmp

memory/2928-142-0x0000000028680000-0x0000000028690000-memory.dmp

memory/2928-143-0x0000000027580000-0x0000000027581000-memory.dmp
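The Files listing above repeats the same svchost.exe drop several times and interleaves memory-dump ranges with file records. The Python script below is an added example for this page, not part of the sandbox output: it parses that layout, collapses repeated drop events by SHA256, flags a Windows system-binary name written outside the Windows directory (the svchost.exe copy in %TEMP% and the Startup folder recorded under "Drops startup file"), and sizes the dumped memory regions, reporting which range is mapped in more than one PID. The input is a constructed excerpt of the entries listed above; the SYSTEM_BINARIES set is an assumption of the example, not something the report states.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own Files layout (path, blank line,
# hash lines), trimmed to a few of the entries listed above.
FILES_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e

memory/2744-86-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe

MD5 94bac1a0cc0dbac256f0d3b4c90648c2
SHA1 4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256 50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

memory/2928-93-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp
memory/2928-94-0x0000000000C10000-0x00000000042AE000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Assumed list (not from the report): names that only belong under C:\Windows.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "dllhost.exe", "runtimebroker.exe"}


def normalize(path):
    """Lower-case and drop the drive letter so '\\Users\\..' and 'C:\\Users\\..' compare equal."""
    p = path.strip().lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def parse_files(text):
    """Split the Files listing into file records (path + hashes) and memory-dump ranges."""
    files, mem = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            mem.append({"pid": pid, "start": start, "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current[h.group(1).lower()] = h.group(2).lower()
            continue
        current = {"path": line}          # any other non-empty line starts a new file record
        files.append(current)
    return files, mem


def dedupe_by_sha256(files):
    """Collapse repeated drop events into one record per SHA256 with every path seen."""
    unique = {}
    for f in files:
        rec = unique.setdefault(f["sha256"], {"md5": f.get("md5"), "paths": set()})
        rec["paths"].add(normalize(f["path"]))
    return unique


def flag_masquerade(files):
    """Flag a system-binary file name written outside \\windows\\ (ATT&CK T1036.005)."""
    hits = {}
    for f in files:
        p = normalize(f["path"])
        name = p.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not p.startswith("\\windows\\"):
            hits[p] = f"{name} outside the Windows directory"
    return sorted(hits.items())


def shared_regions(mem):
    """Address ranges dumped from more than one PID; usually a shared module image, not payload."""
    by_range = defaultdict(set)
    for m in mem:
        by_range[(m["start"], m["end"])].add(m["pid"])
    return {rng: pids for rng, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    files, mem = parse_files(FILES_EXCERPT)
    for sha, rec in dedupe_by_sha256(files).items():
        print(sha, sorted(rec["paths"]))
    for path, why in flag_masquerade(files):
        print("MASQUERADE", path, why)
    for m in mem:
        print(f"pid {m['pid']}: {m['size']:#x} bytes at {m['start']:#x}")
    for (s, e), pids in shared_regions(mem).items():
        print(f"shared {s:#x}-{e:#x} in pids {sorted(pids)}")
```

Run against the excerpt, the seven svchost.exe entries collapse to one SHA256 (58fa8679...), the only masquerade hit is svchost.exe under \Users\Admin\AppData\Local\Temp, the 0x0000000000C10000 range in PID 2928 is 0x369E000 bytes, and the 0x000007FEF5E00000 range is common to PIDs 2744 and 2928. A range that recurs at the same address in several processes is normally a shared mapped module, so it is the first thing to exclude before treating a dump as unpacked payload.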