Malware Analysis Report

2024-08-06 12:46

Sample ID 240627-qt4agawdmp
Target spooferexe.exe
SHA256 8f9b5a425ca5c012a26fa47754f9f2f102a90430033623e310ca18f10e8bb502
Tags
rat default asyncrat stealerium collection evasion persistence privilege_escalation ransomware spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file spooferexe.exe was found to be: Known bad.

Malicious Activity Summary

Asyncrat family

Modifies Windows Defender Real-time Protection settings

Stealerium

AsyncRat

Async RAT payload

Renames multiple (3220) files with added filename extension

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Modifies registry class

outlook_win_path

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-27 13:34

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 13:34

Reported

2024-06-27 13:36

Platform

win10v2004-20240508-en

Max time kernel

128s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spooferexe.exe"

Signatures

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

Stealerium

stealer stealerium

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (3220) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\spooferexe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.eu.ngrok.io N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Drops file in Program Files directory

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\spooferexe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\spooferexe.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4276 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\spooferexe.exe C:\Windows\System32\cmd.exe
PID 4276 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\spooferexe.exe C:\Windows\system32\cmd.exe
PID 4872 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2676 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4872 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\spoofer.exe
PID 1340 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe C:\Windows\SYSTEM32\cmd.exe
PID 4816 wrote to memory of 3748 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4816 wrote to memory of 4828 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4816 wrote to memory of 2760 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1340 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe C:\Windows\SYSTEM32\cmd.exe
PID 5088 wrote to memory of 1008 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 5088 wrote to memory of 2316 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1340 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1340 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\spoofer.exe C:\Windows\SYSTEM32\cmd.exe
PID 4908 wrote to memory of 1988 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\spoofer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\spooferexe.exe

"C:\Users\Admin\AppData\Local\Temp\spooferexe.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "spoofer" /tr '"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"'

C:\Users\Admin\AppData\Local\Temp\spoofer.exe

"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd"

C:\Windows\system32\cmd.exe

cmd

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TestFormat.snd"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\Desktop\DECRYPT.exe

"C:\Users\Admin\Desktop\DECRYPT.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat

C:\Users\Admin\AppData\Local\Temp\spoofer.exe

C:\Users\Admin\AppData\Local\e1f06e047ddf1bc1c42c0f2e94daca34\Admin@GYLQWJCN_en-US\System\Process.txt

C:\Users\Admin\AppData\Local\e1f06e047ddf1bc1c42c0f2e94daca34\Admin@GYLQWJCN_en-US\System\Process.txt

C:\Users\Admin\AppData\Local\e1f06e047ddf1bc1c42c0f2e94daca34\Admin@GYLQWJCN_en-US\System\Process.txt

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

C:\Program Files\Java\jre-1.8\LICENSE

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_un5ircsy.53p.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

memory/1340-4364-0x000000001E1F0000-0x000000001E20C000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_VideoLAN Website_url

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b6e763e8-8f07-479c-9dc7-f668798ec845}\0.2.filtertrie.intermediate.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b6e763e8-8f07-479c-9dc7-f668798ec845}\0.1.filtertrie.intermediate.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596438722385367.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596439218381195.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596446413734332.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449549740872.txt

C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240508_121659209.html

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk

C:\Users\Admin\Desktop\DECRYPT.exe

memory/1340-6766-0x000000001DAE0000-0x000000001DB14000-memory.dmp

memory/4812-6769-0x0000000000540000-0x0000000000A02000-memory.dmp