Malware Analysis Report

2024-10-19 06:53

Sample ID 231129-nkzjtafh7t
Target Infected.exe
SHA256 bf7a53c5db252212663303fd5492a75244b43beabbcc5a59b131ee46f8bbeb40
Tags
rat default asyncrat stealerium collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf7a53c5db252212663303fd5492a75244b43beabbcc5a59b131ee46f8bbeb40

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stealerium collection ransomware spyware stealer

Stealerium

Async RAT payload

Asyncrat family

AsyncRat

Renames multiple (1263) files with added filename extension

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Looks up geolocation information via web service

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-29 11:28

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-29 11:28

Reported

2023-11-29 11:30

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Stealerium

stealer stealerium

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (1263) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Drops file in Program Files directory

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
N/A 127.0.0.1:3232 tcp
US 8.8.8.8:53 4.tcp.eu.ngrok.io udp
DE 3.127.253.86:13116 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 86.253.127.3.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
DE 3.127.253.86:13116 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.127.253.86:13116 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
DE 3.127.253.86:13116 4.tcp.eu.ngrok.io tcp
DE 3.127.253.86:13116 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.127.253.86:13116 4.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\51c922658f7bb29fcfc72f70efa865b6\Admin@WCYMIBFV_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

C:\Users\Admin\AppData\Local\51c922658f7bb29fcfc72f70efa865b6\Admin@WCYMIBFV_en-US\System\Process.txt

MD5 baf775237fc9cac333623c558f18af78
SHA1 87a74e2d72d79a8da5289037d9e881ff58e736d2
SHA256 e7372f4f0336df0adb24240fe19631730f75fb5ee8c35ba7c55e4ab4efd2dc53
SHA512 1426c3f05300ed37c5307509b1407558d973ad550cad2cad2e40d8ef532fa60999e1f513ba414d4fdc0dae6a72e0d45180ba3f4ab426993bf92b54a8f520889f

C:\Users\Admin\AppData\Local\51c922658f7bb29fcfc72f70efa865b6\Admin@WCYMIBFV_en-US\System\Process.txt

MD5 23dc7f71c7e187937b6f4007c399a9e7
SHA1 be613a3e316c05af130732a2fd6907c39adf27d1
SHA256 2ec9dd7b2911a24601bac2c28e248a858d71b320391a1cc9e906ed776963b050
SHA512 7981f40b564628fe6419e4eb2e6f44c45a246d9614a791684b4527371594053ea8768763374f2a80a12d8330a7160e05c72d1fd5b59fd6e72c63e2231980dd35

C:\Users\Admin\AppData\Local\51c922658f7bb29fcfc72f70efa865b6\Admin@WCYMIBFV_en-US\System\Process.txt

MD5 ce19873c2f54a4236f0f75132060b744
SHA1 af7a914dde7aa8be7648defabb2a8810dcc65b6b
SHA256 38728d0795b05465f0cb0842acfb2f4f405083597f592b5b9aed196cfea3287b
SHA512 d16f603120bf0cb7dcc0c67a2ccca101faeda39be0fffa345f322fedb62152f9de968ea7aea9af94b533324ae73bb3189bacc70bdf2222511271cb5922d1976c

C:\Users\Admin\AppData\Local\51c922658f7bb29fcfc72f70efa865b6\Admin@WCYMIBFV_en-US\System\Process.txt

MD5 4d1ce763bdb3930f2e887c505ab2fa3b
SHA1 2402596f0c13f95f5162b00e7fb15c685691f2b0
SHA256 38e4c2ac295e8a50d9a1cb6e0a19b2fe220071e4a57a3efc093db9554dbdae6a
SHA512 1d129dff2bdeecbfb8641891f14d10cedd4192ee49bcb532fd347a5708ee9d01be47740f53af9f409087c9f4f3e6fecbe541ca81ddd6ed8187a8bef9a669d34d

C:\Users\Admin\AppData\Local\51c922658f7bb29fcfc72f70efa865b6\Admin@WCYMIBFV_en-US\System\Process.txt

MD5 20da8fd0c1ed78a3528feed12b34e16e
SHA1 119b71c83b91abf2f303e853b22b28d505bcbf57
SHA256 132000d3dd53d6aee91c37bf7577ca111b698220325541fa97e079724fc82332
SHA512 a0b3ed108a83a1d28b1a476b4a36a5ec1b899a76a0bd7aaa1c7691b44d0337cc26c42c4d4b42c4de2b9f24ea167700c883c67076086ee646b880bc13d95c885b

C:\Users\Admin\AppData\Local\51c922658f7bb29fcfc72f70efa865b6\Admin@WCYMIBFV_en-US\System\Process.txt

MD5 86cd77d3fb8083bfa04ecdbccdddef29
SHA1 e43cb4b35869c78ab2abf54431bbb8bc43f921ad
SHA256 3fd4b44ffbbdb4a9100cc8c885f070e298bad03ca82f622532830dfd00da6a95
SHA512 736e7b0fb494bd94777ef84665e546e8835ef5f37a8f312938d66a8b65d9afba80eab73ce38eb36f65c7ff1ad5b2da9de6d849e428572704075be8569fc0b3fa

memory/640-374-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/640-376-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/640-393-0x00007FFB3E370000-0x00007FFB3E565000-memory.dmp

memory/640-438-0x000000001B0A0000-0x000000001B11A000-memory.dmp

memory/640-629-0x000000001DD60000-0x000000001DDCA000-memory.dmp

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 dec5a4446d2e7157a79db45a2fb2e490
SHA1 f4c55fc7b404ea55a6fc18be05fda4f2681d6044
SHA256 f56c7f9348f9c87ee0b3e8e03ac35c7a4524970304a92210e29502295c21100b
SHA512 3d51863f7a77452d46fc0501f19f30bf8079141d66ac4c65f19d60cd4387d09bc596aa9bcc43c5abf57fe42c5b6a199e5ebc24f2ed48bac8a220affb65ac39ec

C:\Program Files\Java\jre-1.8\COPYRIGHT

MD5 c5f20cf389bc80c5bae3619382e2468f
SHA1 56b67cc9b35a3148223fd3cc3679497a570b3182
SHA256 e233fb441205fdec7e7cc528e4a7b3a012c22cb0ccacafd99437fe28c4ec3fff
SHA512 e7921b5049c816c93eb77b4b8787715fa7710d00f2f8a04e0aa28ad380d2db538b92184320d37436009f17ce49cd3a0f54f7d27c283a726a6d892a898a748ef9

C:\Program Files\Java\jre-1.8\LICENSE

MD5 6cad228dce083b0a90e1b6765f18d7b5
SHA1 13c999f873fe467e5a9b5acab36a7d02f1808761
SHA256 a082aef3275e3f4979b45bab8f06987e24bae50e6699fd47bbeaca12d764fb3d
SHA512 df9f165c38cb947a014de554e5868208b01050483c6883ffac548dc2b8a51d9b1924fb02c8af463209230661310930db4d9d3c281532c75e73866bb0a3e0eb45

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 20ab125eeb1d6326faf06f31c4417ace
SHA1 2664a7efcd3e578d2b7753f6c95bada75f51cb4c
SHA256 442b761da7e247924417d6e7a4295c2623b580b22714c66dbf54ce2a7f758c44
SHA512 06b3f5b0a0531f14e84f4dc598645980c82306f32b43d1e890f0cc359af422077e086960a0780ac6320b308cf262b8a2c5f490105be9d484531b3600dfd671f7

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 47512edb2ccc16531163104f4ce4e1a4
SHA1 139b5222c9da768d7b9b57aa976a02f24b3d95ac
SHA256 dc24b1299099d0fb5b542b97652e4a04173693ff094452d2e54b9edf7d883b19
SHA512 12d9ab0de931d7bced6770df361265c58d609e520f79f476080299a04291de1b7c18217b8df1a948dccbb2b301765e060ade7dcaad5232f19262249358f8d7bc

C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

MD5 e376d7d97c1711af9f53d5c2901d2ebc
SHA1 07bc17018623053303bfecd561f21451ed74bbb6
SHA256 a5420c58b7409b6969126fea7ffc674b1e750423e8f37ae300abb386b495916b
SHA512 13446fe0fbff4f8fc50bc940df1750921e4099afab41575ed3c17e487a888cd582e81d1c01c2e9f288c0a2791465347c3a98bc90ce2390f4276797d8cda1c12e

C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

MD5 402d2f56df613ac599b279b8c35f6c4d
SHA1 893c575d38b34e69fb612db2cde2e0673b01b699
SHA256 28f6c3912846c27929284f2fc4e050e34063bb2e1e1029e252d818daecc99d74
SHA512 da436b2560441c9d9f7ed67058b04e3729e1e6e20dd89fd0c8bcef6f37cae484d437724beb9b25764472a1c116127a55b777a143b059912e9d6d888279e91d08

C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

MD5 29b2806281337c557e6938fce9e6970d
SHA1 661f8ffa2597b0e85bc32bc536a37c81b020615e
SHA256 56e5d3358f9e4de823a4b4b34e167a657e09c02fce4045a9acf692d093c527a8
SHA512 79d0f76f12fe9f801d0cf27910666b3c80fb3cb7ec69e3601351e5e8e319f26b45346ac3adc931904c786ff48360a3e60e158bad8562a7280ea83c802f3b24c9

C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

MD5 3e4282d94f0a24f6a25fcb1005178e0c
SHA1 3f0db52cc6fb9af939d4cca3e4e1c7b929564809
SHA256 c5dcedd933356ef65e177375279fc1fd634573f3a4f7590fe002e12dafa3661a
SHA512 78865606c14b85d79d4b389c7514e509aef5eadeab06723210e64ca908033396c414778a88a438dc1e01993eca118520c3307acae4a1a57bd7d583364183ae2a

C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

MD5 cc387ea23341fa8aa40480745ec93992
SHA1 7d1d06f2c8d689584efbd2580604a448fe234416
SHA256 7b2faa392c44fd93df5554389475b9cde3e17cba640506216ec1a76def9fdbaf
SHA512 084317626764a15b26da91aa807e6b06688f537808629579d889ee31f949a522a4510fbb9ffffe9dcc32f7552de7da7feb293c40d877dbd037d4b35188928d0a

C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

MD5 b98ab4e8f83a12f57892dd8beece3dbd
SHA1 e1251df7cde9cd008a5bc5748dd68c50fe225350
SHA256 7c17ded7de79510668c08d54da9a416868201e0f6dad9447722714852c8e7cd3
SHA512 befb637bc84158e8abc777780338053606aff273ad1eaf2b3745647cdba9de732caad4563630ad2fc2beb6f3c4c9d947224486f42bd670902bee133cace41f02

C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

MD5 c50295924e1ec736fee4adb36f45f51d
SHA1 624c6fc3366911958b2ff6b1bf6a60bf8b3891bb
SHA256 7078c98b9cbbe7f93052f059ec2ec09fb8d083a4c50222e654b22ddbe44b2afd
SHA512 8c5acc8646211e9fad4dc483311a6eb4ac3beb1229bab42ecbd7d7104746d6e5a94914a45d9b08eba02f7e0f1d23f4a2094b44852e19b1752e0b1114f2d3faf2

C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

MD5 06dda47265c9ef484b96b8d0be97b73f
SHA1 f354f32e571b9725e8a79adb0f560c7247204159
SHA256 765c999f43efd4350151ee97e453b55cc12c93113358bb57162c03b7233aea69
SHA512 6624e04a65ad50f50ed4a4d5ddfeee292ef20cdd4e8d995d1a3d067362009f73e0cd648e0400318e089f195a14016ee5bf05685486cce0044de5b8f8da77232e

C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

MD5 1369c780dee02f3c5447f8f6f5c33c55
SHA1 707d92cdf95e8a9fa4bfa0e364540df313accc32
SHA256 b1e57d8fae9490d7fe068ac9c369bea0cb8a1a6b4fa20043927c293aec053017
SHA512 4f771b9036084df328bf3126a7fabe3a0d27a361dd71690b3e6d08ab34c7767dec3a5dece9246f2b8a908139efe15d2cf26befbf35b29e69cd0fe5b9bb46e710

C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

memory/640-1234-0x000000001DED0000-0x000000001E2D8000-memory.dmp

memory/640-1467-0x0000000002E40000-0x0000000002E50000-memory.dmp

C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

memory/640-3701-0x000000001B1C0000-0x000000001B1F4000-memory.dmp