asyncrat | 8074d6085f0629dc715fbf492933cf91ae573051c84aa749d56f88936e8f0ea1

Resubmissions

05-07-2024 17:23

240705-vyej5ascmr 10

05-07-2024 17:18

240705-vt88yasckj 10

05-07-2024 16:59

240705-vhqbpavbka 10

Analysis

max time kernel
895s
max time network
923s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarxiya/Anarchy Panel.exe
Size

54.6MB
MD5

94bac1a0cc0dbac256f0d3b4c90648c2
SHA1

4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256

50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA512

30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
SSDEEP

786432:RvcKHU1yll1EcgYwm/7hPo9b9DMs2PTUpRYj:lPU4bZwm/NwEIYj

Score

10^/10

asyncrat stealerium stormkitty default collection persistence privilege_escalation ransomware rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:7777

Attributes

delay
1
install
true
install_file
restmaPrograms.exe
install_folder
%AppData%

aes.plain

Extracted

Path

C:\Users\Admin\Desktop\README.txt

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure that we have a decryptor and it works, you can decrypt one file for free. But this file should be of not valuable! Attention do not try to decrypt the times, they may break and we will not be able to decrypt it. 1. Visit https://tox.chat/download.html 2. Download and install qTox on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - test 5. In message please write your ID and wait your answer. Your ID is [C0E5A63A427B0B660D3B] [[Encrypted Files]] C:\vcredist2010_x64.log-MSI_vc_red.msi.txt C:\vcredist2010_x64.log.html C:\vcredist2010_x86.log-MSI_vc_red.msi.txt C:\vcredist2010_x86.log.html C:\Program Files\CloseGrant.mp4 C:\Program Files\DebugExpand.rtf C:\Program Files\InitializeTrace.odt C:\Program Files\OptimizeSearch.php C:\Program Files\ShowRestart.7z C:\Program Files\7-Zip\History.txt C:\Program Files\7-Zip\License.txt C:\Program Files\7-Zip\readme.txt C:\Program Files\7-Zip\Lang\af.txt C:\Program Files\7-Zip\Lang\an.txt C:\Program Files\7-Zip\Lang\ar.txt C:\Program Files\7-Zip\Lang\ast.txt C:\Program Files\7-Zip\Lang\az.txt C:\Program Files\7-Zip\Lang\ba.txt C:\Program Files\7-Zip\Lang\be.txt C:\Program Files\7-Zip\Lang\bg.txt C:\Program Files\7-Zip\Lang\bn.txt C:\Program Files\7-Zip\Lang\br.txt C:\Program Files\7-Zip\Lang\ca.txt C:\Program Files\7-Zip\Lang\co.txt C:\Program Files\7-Zip\Lang\cs.txt C:\Program Files\7-Zip\Lang\cy.txt C:\Program Files\7-Zip\Lang\da.txt C:\Program Files\7-Zip\Lang\de.txt C:\Program Files\7-Zip\Lang\el.txt C:\Program Files\7-Zip\Lang\eo.txt C:\Program Files\7-Zip\Lang\es.txt C:\Program Files\7-Zip\Lang\et.txt C:\Program Files\7-Zip\Lang\eu.txt C:\Program Files\7-Zip\Lang\ext.txt C:\Program Files\7-Zip\Lang\fa.txt C:\Program Files\7-Zip\Lang\fi.txt C:\Program Files\7-Zip\Lang\fr.txt C:\Program Files\7-Zip\Lang\fur.txt C:\Program Files\7-Zip\Lang\fy.txt C:\Program Files\7-Zip\Lang\ga.txt C:\Program Files\7-Zip\Lang\gl.txt C:\Program Files\7-Zip\Lang\gu.txt C:\Program Files\7-Zip\Lang\he.txt C:\Program Files\7-Zip\Lang\hi.txt C:\Program Files\7-Zip\Lang\hr.txt C:\Program Files\7-Zip\Lang\hu.txt C:\Program Files\7-Zip\Lang\hy.txt C:\Program Files\7-Zip\Lang\id.txt C:\Program Files\7-Zip\Lang\io.txt C:\Program Files\7-Zip\Lang\is.txt C:\Program Files\7-Zip\Lang\it.txt C:\Program Files\7-Zip\Lang\ja.txt C:\Program Files\7-Zip\Lang\ka.txt C:\Program Files\7-Zip\Lang\kaa.txt C:\Program Files\7-Zip\Lang\kab.txt C:\Program Files\7-Zip\Lang\kk.txt C:\Program Files\7-Zip\Lang\ko.txt C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Program Files\7-Zip\Lang\ku.txt C:\Program Files\7-Zip\Lang\ky.txt C:\Program Files\7-Zip\Lang\lij.txt C:\Program Files\7-Zip\Lang\lt.txt C:\Program Files\7-Zip\Lang\lv.txt C:\Program Files\7-Zip\Lang\mk.txt C:\Program Files\7-Zip\Lang\mn.txt C:\Program Files\7-Zip\Lang\mng.txt C:\Program Files\7-Zip\Lang\mng2.txt C:\Program Files\7-Zip\Lang\mr.txt C:\Program Files\7-Zip\Lang\ms.txt C:\Program Files\7-Zip\Lang\nb.txt C:\Program Files\7-Zip\Lang\ne.txt C:\Program Files\7-Zip\Lang\nl.txt C:\Program Files\7-Zip\Lang\nn.txt C:\Program Files\7-Zip\Lang\pa-in.txt C:\Program Files\7-Zip\Lang\pl.txt C:\Program Files\7-Zip\Lang\ps.txt C:\Program Files\7-Zip\Lang\pt-br.txt C:\Program Files\7-Zip\Lang\pt.txt C:\Program Files\7-Zip\Lang\ro.txt C:\Program Files\7-Zip\Lang\ru.txt C:\Program Files\7-Zip\Lang\sa.txt C:\Program Files\7-Zip\Lang\si.txt C:\Program Files\7-Zip\Lang\sk.txt C:\Program Files\7-Zip\Lang\sl.txt C:\Program Files\7-Zip\Lang\sq.txt C:\Program Files\7-Zip\Lang\sr-spc.txt C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Program Files\7-Zip\Lang\sv.txt C:\Program Files\7-Zip\Lang\sw.txt C:\Program Files\7-Zip\Lang\ta.txt C:\Program Files\7-Zip\Lang\tg.txt C:\Program Files\7-Zip\Lang\th.txt C:\Program Files\7-Zip\Lang\tk.txt C:\Program Files\7-Zip\Lang\tr.txt C:\Program Files\7-Zip\Lang\tt.txt C:\Program Files\7-Zip\Lang\ug.txt C:\Program Files\7-Zip\Lang\uk.txt C:\Program Files\7-Zip\Lang\uz-cyrl.txt C:\Program Files\7-Zip\Lang\uz.txt C:\Program Files\7-Zip\Lang\va.txt C:\Program Files\7-Zip\Lang\vi.txt C:\Program Files\7-Zip\Lang\yo.txt C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml C:\Program Files\dotnet\LICENSE.txt C:\Program Files\dotnet\ThirdPartyNotices.txt C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml C:\Program Files\Google\Chrome\Application\master_preferences C:\Program Files\Google\Chrome\Application\110.0.5481.104\icudtl.dat C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrome.7z C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\Logo.png C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoBeta.png C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoCanary.png C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\LogoDev.png C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogo.png C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoBeta.png C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoCanary.png C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoDev.png C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\LICENSE C:\Program Files\Java\jdk-1.8\COPYRIGHT C:\Program Files\Java\jdk-1.8\javafx-src.zip C:\Program Files\Java\jdk-1.8\jmc.txt C:\Program Files\Java\jdk-1.8\jvisualvm.txt C:\Program Files\Java\jdk-1.8\LICENSE C:\Program Files\Java\jdk-1.8\README.html C:\Program Files\Java\jdk-1.8\release C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt C:\Program Files\Java\jdk-1.8\include\classfile_constants.h C:\Program Files\Java\jdk-1.8\include\jawt.h C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h C:\Program Files\Java\jdk-1.8\include\jni.h C:\Program Files\Java\jdk-1.8\include\jvmti.h C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT C:\Program Files\Java\jdk-1.8\jre\LICENSE C:\Program Files\Java\jdk-1.8\jre\README.txt C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt C:\Program Files\Java\jdk-1.8\jre\Welcome.html C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libffi.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jpeg.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\libpng.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xmlresolver.md C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar C:\Program Files\Java\jdk-1.8\jre\lib\classlist C:\Program Files\Java\jdk-1.8\jre\lib\deploy.jar C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar C:\Program Files\Java\jdk-1.8\jre\lib\meta-index C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar C:\Program Files\Java\jdk-1.8\jre\lib\psfont.properties.ja C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar C:\Program Files\Java\jdk-1.8\jre\lib\rt.jar C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash.gif C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected] C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected] C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\dnsns.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md C:\Program Files\Java\jdk-1.8\legal\javafx\glib.md C:\Program Files\Java\jdk-1.8\legal\javafx\gstreamer.md C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md C:\Program Files\Java\jdk-1.8\legal\jdk\cldr.md C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar C:\Program Files\Java\jdk-1.8\lib\dt.jar C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar C:\Program Files\Java\jdk-1.8\lib\jconsole.jar C:\Program Files\Java\jdk-1.8\lib\packager.jar C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar C:\Program Files\Java\jdk-1.8\lib\tools.jar C:\Program Files\Java\jre-1.8\COPYRIGHT C:\Program Files\Java\jre-1.8\LICENSE C:\Program Files\Java\jre-1.8\README.txt C:\Program Files\Java\jre-1.8\release C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt C:\Program Files\Java\jre-1.8\Welcome.html C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md C:\Program Files\Java\jre-1.8\legal\javafx\glib.md C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Emails

Files\Java\jdk-1.8\jre\lib\deploy\[email protected]

Files\Java\jre-1.8\lib\deploy\[email protected]

Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]

URLs

https://tox.chat/download.html

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3940-387-0x000000001E3E0000-0x000000001E502000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Infected.exe	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Renames multiple (3112) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2284-1-0x0000000000940000-0x0000000003FDE000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Infected.exerestmaPrograms.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Infected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	restmaPrograms.exe

Executes dropped EXE 2 IoCs

Processes:

Infected.exerestmaPrograms.exe

pid process

2428 Infected.exe
3940 restmaPrograms.exe
Loads dropped DLL 1 IoCs

Processes:

Anarchy Panel.exe

pid process

2284 Anarchy Panel.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2428	Infected.exe
3940	restmaPrograms.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

restmaPrograms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	restmaPrograms.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	restmaPrograms.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	restmaPrograms.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

restmaPrograms.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	restmaPrograms.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 icanhazip.com
27 ip-api.com

flow	ioc
25	icanhazip.com
27	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe

Drops file in Program Files directory 64 IoCs

Processes:

restmaPrograms.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated_contrast-white.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png	restmaPrograms.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured_lg.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-125.png	restmaPrograms.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-dark\Settings.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-100.png	restmaPrograms.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookPromoTile.scale-200.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\3DViewerProductDescription-universal.xml	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square150x150Logo.scale-200.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-36_altform-lightunplated.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-unplated.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png	restmaPrograms.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp4.scale-125.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_HotelReservation.png	restmaPrograms.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Studio.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_24x20.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated_contrast-high.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-24.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\8.jpg	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-80_altform-unplated.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-125_contrast-black.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated_contrast-white.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-150.png	restmaPrograms.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\THMBNAIL.PNG	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125_contrast-white.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	restmaPrograms.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-64.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_altform-lightunplated.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-400.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-200.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-white.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.scale-125.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-30_altform-unplated.png	restmaPrograms.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-100.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Hero.jpg	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36_altform-unplated.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\167.png	restmaPrograms.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	restmaPrograms.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\7.jpg	restmaPrograms.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-200.png	restmaPrograms.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-150_contrast-white.png	restmaPrograms.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png	restmaPrograms.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4864 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4864	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

restmaPrograms.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	restmaPrograms.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	restmaPrograms.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3000 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

688 tasklist.exe
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXEipconfig.exe

pid process

2944 ipconfig.exe
4364 NETSTAT.EXE
4544 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3568 systeminfo.exe

pid	process
3000	timeout.exe

pid	process
688	tasklist.exe

pid	process
2944	ipconfig.exe
4364	NETSTAT.EXE
4544	ipconfig.exe

pid	process
3568	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeAnarchy Panel.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\TypedURLs	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 29 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe

Modifies registry class 64 IoCs

Processes:

Anarchy Panel.exeexplorer.exeSearchApp.exeSearchApp.exeexplorer.exeSearchApp.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\2\0\MRUListEx = 020000000100000000000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = 020000000100000000000000ffffffff	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\1\MRUListEx = ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\2\0\0\MRUListEx = ffffffff	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Anarchy Panel.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{AEB66A9E-81CD-4726-93CB-AC2A626996C5}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\2\0\2\NodeSlot = "16"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\SniffedFolderType = "Generic"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4620 NOTEPAD.EXE
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1604 schtasks.exe
1076 schtasks.exe

pid	process
4620	NOTEPAD.EXE

pid	process
1604	schtasks.exe
1076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Anarchy Panel.exeInfected.exerestmaPrograms.exe

pid	process
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
2428	Infected.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Anarchy Panel.exe

pid process

2284 Anarchy Panel.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Anarchy Panel.exeInfected.exerestmaPrograms.exevssvc.exetasklist.exeNETSTAT.EXEexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2284	Anarchy Panel.exe
Token: SeDebugPrivilege	2428	Infected.exe
Token: SeDebugPrivilege	3940	restmaPrograms.exe
Token: SeBackupPrivilege	2664	vssvc.exe
Token: SeRestorePrivilege	2664	vssvc.exe
Token: SeAuditPrivilege	2664	vssvc.exe
Token: SeDebugPrivilege	688	tasklist.exe
Token: SeDebugPrivilege	4364	NETSTAT.EXE
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	4516	explorer.exe
Token: SeCreatePagefilePrivilege	4516	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe
Token: SeShutdownPrivilege	1128	explorer.exe
Token: SeCreatePagefilePrivilege	1128	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Anarchy Panel.exerestmaPrograms.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
3940	restmaPrograms.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Anarchy Panel.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
4516	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
2284	Anarchy Panel.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
1416	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

Anarchy Panel.exeOpenWith.exeOpenWith.exeOfficeClickToRun.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
2240	OpenWith.exe
2240	OpenWith.exe
2240	OpenWith.exe
2284	Anarchy Panel.exe
2284	Anarchy Panel.exe
4136	OpenWith.exe
2080	OfficeClickToRun.exe
3472	StartMenuExperienceHost.exe
5016	StartMenuExperienceHost.exe
4708	StartMenuExperienceHost.exe
3760	SearchApp.exe
3252	StartMenuExperienceHost.exe
2036	SearchApp.exe
1100	StartMenuExperienceHost.exe
5076	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Infected.execmd.execmd.exerestmaPrograms.execmd.execmd.execmd.execmd.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2428 wrote to memory of 1656	2428	Infected.exe	cmd.exe
PID 2428 wrote to memory of 1656	2428	Infected.exe	cmd.exe
PID 2428 wrote to memory of 4044	2428	Infected.exe	cmd.exe
PID 2428 wrote to memory of 4044	2428	Infected.exe	cmd.exe
PID 4044 wrote to memory of 3000	4044	cmd.exe	timeout.exe
PID 4044 wrote to memory of 3000	4044	cmd.exe	timeout.exe
PID 1656 wrote to memory of 1076	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 1076	1656	cmd.exe	schtasks.exe
PID 4044 wrote to memory of 3940	4044	cmd.exe	restmaPrograms.exe
PID 4044 wrote to memory of 3940	4044	cmd.exe	restmaPrograms.exe
PID 3940 wrote to memory of 4828	3940	restmaPrograms.exe	cmd.exe
PID 3940 wrote to memory of 4828	3940	restmaPrograms.exe	cmd.exe
PID 4828 wrote to memory of 428	4828	cmd.exe	chcp.com
PID 4828 wrote to memory of 428	4828	cmd.exe	chcp.com
PID 4828 wrote to memory of 3232	4828	cmd.exe	netsh.exe
PID 4828 wrote to memory of 3232	4828	cmd.exe	netsh.exe
PID 4828 wrote to memory of 336	4828	cmd.exe	findstr.exe
PID 4828 wrote to memory of 336	4828	cmd.exe	findstr.exe
PID 3940 wrote to memory of 3108	3940	restmaPrograms.exe	cmd.exe
PID 3940 wrote to memory of 3108	3940	restmaPrograms.exe	cmd.exe
PID 3108 wrote to memory of 4944	3108	cmd.exe	chcp.com
PID 3108 wrote to memory of 4944	3108	cmd.exe	chcp.com
PID 3108 wrote to memory of 4248	3108	cmd.exe	netsh.exe
PID 3108 wrote to memory of 4248	3108	cmd.exe	netsh.exe
PID 3940 wrote to memory of 1356	3940	restmaPrograms.exe	cmd.exe
PID 3940 wrote to memory of 1356	3940	restmaPrograms.exe	cmd.exe
PID 1356 wrote to memory of 1604	1356	cmd.exe	schtasks.exe
PID 1356 wrote to memory of 1604	1356	cmd.exe	schtasks.exe
PID 3940 wrote to memory of 4756	3940	restmaPrograms.exe	cmd.exe
PID 3940 wrote to memory of 4756	3940	restmaPrograms.exe	cmd.exe
PID 4756 wrote to memory of 3568	4756	cmd.exe	systeminfo.exe
PID 4756 wrote to memory of 3568	4756	cmd.exe	systeminfo.exe
PID 4756 wrote to memory of 3976	4756	cmd.exe	HOSTNAME.EXE
PID 4756 wrote to memory of 3976	4756	cmd.exe	HOSTNAME.EXE
PID 4756 wrote to memory of 4128	4756	cmd.exe	net.exe
PID 4756 wrote to memory of 4128	4756	cmd.exe	net.exe
PID 4128 wrote to memory of 3228	4128	net.exe	net1.exe
PID 4128 wrote to memory of 3228	4128	net.exe	net1.exe
PID 4756 wrote to memory of 2512	4756	cmd.exe	net.exe
PID 4756 wrote to memory of 2512	4756	cmd.exe	net.exe
PID 2512 wrote to memory of 4532	2512	net.exe	net1.exe
PID 2512 wrote to memory of 4532	2512	net.exe	net1.exe
PID 4756 wrote to memory of 4916	4756	cmd.exe	net.exe
PID 4756 wrote to memory of 4916	4756	cmd.exe	net.exe
PID 4916 wrote to memory of 3056	4916	net.exe	net1.exe
PID 4916 wrote to memory of 3056	4916	net.exe	net1.exe
PID 4756 wrote to memory of 220	4756	cmd.exe	net.exe
PID 4756 wrote to memory of 220	4756	cmd.exe	net.exe
PID 220 wrote to memory of 2040	220	net.exe	net1.exe
PID 220 wrote to memory of 2040	220	net.exe	net1.exe
PID 4756 wrote to memory of 4996	4756	cmd.exe	net.exe
PID 4756 wrote to memory of 4996	4756	cmd.exe	net.exe
PID 4996 wrote to memory of 3216	4996	net.exe	net1.exe
PID 4996 wrote to memory of 3216	4996	net.exe	net1.exe
PID 4756 wrote to memory of 688	4756	cmd.exe	tasklist.exe
PID 4756 wrote to memory of 688	4756	cmd.exe	tasklist.exe
PID 4756 wrote to memory of 2944	4756	cmd.exe	ipconfig.exe
PID 4756 wrote to memory of 2944	4756	cmd.exe	ipconfig.exe
PID 4756 wrote to memory of 3140	4756	cmd.exe	ROUTE.EXE
PID 4756 wrote to memory of 3140	4756	cmd.exe	ROUTE.EXE
PID 4756 wrote to memory of 4336	4756	cmd.exe	ARP.EXE
PID 4756 wrote to memory of 4336	4756	cmd.exe	ARP.EXE
PID 4756 wrote to memory of 4364	4756	cmd.exe	NETSTAT.EXE
PID 4756 wrote to memory of 4364	4756	cmd.exe	NETSTAT.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

restmaPrograms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	restmaPrograms.exe

outlook_win_path 1 IoCs

Processes:

restmaPrograms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	restmaPrograms.exe

C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3572

C:\Users\Admin\Desktop\Infected.exe
"C:\Users\Admin\Desktop\Infected.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "restmaPrograms" /tr '"C:\Users\Admin\AppData\Roaming\restmaPrograms.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "restmaPrograms" /tr '"C:\Users\Admin\AppData\Roaming\restmaPrograms.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F7D.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3000

C:\Users\Admin\AppData\Roaming\restmaPrograms.exe
"C:\Users\Admin\AppData\Roaming\restmaPrograms.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3940

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
4⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:428

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3232

C:\Windows\system32\findstr.exe
findstr All
5⤵
PID:336

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
4⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:4944

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
5⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "restmaPrograms" /tr '"C:\Users\Admin\AppData\Local\Temp\restmaPrograms.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "restmaPrograms" /tr '"C:\Users\Admin\AppData\Local\Temp\restmaPrograms.exe"'
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:3568

C:\Windows\system32\HOSTNAME.EXE
hostname
5⤵
PID:3976

C:\Windows\system32\net.exe
net user
5⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
6⤵
PID:3228

C:\Windows\system32\net.exe
net localgroup
5⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:4532

C:\Windows\system32\net.exe
net localgroup administrators
5⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
6⤵
PID:3056

C:\Windows\system32\net.exe
net user guest
5⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
6⤵
PID:2040

C:\Windows\system32\net.exe
net user administrator
5⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
6⤵
PID:3216

C:\Windows\system32\tasklist.exe
tasklist /svc
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:2944

C:\Windows\system32\ROUTE.EXE
route print
5⤵
PID:3140

C:\Windows\system32\ARP.EXE
arp -a
5⤵
PID:4336

C:\Windows\system32\NETSTAT.EXE
netstat -an
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\ipconfig.exe
ipconfig /displaydns
5⤵
- Gathers network information
PID:4544

C:\Windows\system32\sc.exe
sc query type= service state= all
5⤵
- Launches sc.exe
PID:4864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4516

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1416

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:268

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4728

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:552

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4880

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4072

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2424

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3528

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4364

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png
Filesize
50KB

MD5
c7b38fc9fabf1b9e05595ab22c8a1138

SHA1
d5a6257b2d068931cf7f726f57b007e5092e7440

SHA256
1fc1fff89574629d2958cbac19fd76ba45729aa4d6a8d2dd2796b40d4ca7156b

SHA512
7ce3fd3095a53b6bb9fc1ba8e2fce1f2f2fb21332d096fb4afcfd8a2052febe9cfbc4a202c01d16b8bb9c9110c646fc13e224543549ce9111eedbe15fbc27e76

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png
Filesize
1KB

MD5
d0c4afc5d0e7bd7bd6e0aede8e5c7655

SHA1
a95b1eef621ed4b3c16d04bfe50f760325bc4b37

SHA256
6bca18142733e9a032bdbc77a5da3c2bf1fa4429372d0db221a52552bfea1d70

SHA512
05359007432945ec3c6bbf78a7a1e419b4e25efb47bd32cf0bae8cf21f71a26a82ea8d9dfffe12ce28628ba703369b88eb3c5fc8d81bd6afcd70ce721523b3f3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png
Filesize
3KB

MD5
aec9af6f8903f2803dc1d560f9646a34

SHA1
79db5c25444784e32b55810f6130577a6cc91627

SHA256
3e5398933862071666912678272e3ab2506f94cb1c0d2a340ea09e8f3948faab

SHA512
edd0aee2b47c3d83747997c4afeda298c6ef02278ee61270e9dbcafeb8caf6701255e4bbb39f879616c2194dda8847241b927719cc186f320ca0a52522eb48d6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png
Filesize
688B

MD5
4ab735d3646da8af64007cb0629c8e64

SHA1
902b22d9b875e0555bde23c297a807cec79df244

SHA256
2abb1360800daf58b69a91e87e8e03b577873b227ceb2a935aea4ecac1c37a6c

SHA512
917c017ce96b155be60666614ffd766699e033c5f64c650f3cb92bc8a3b5f2cf58c419e43a3f96e49631e57d022a8a6de8e4429582873b17443ba9be16592864

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png
Filesize
1KB

MD5
8d184a7f4b6d23474a4effadbe462b53

SHA1
eedb794404731973fbdc2e03f921ae9f4a947008

SHA256
46182cc4c23d404d2432f4e90f4a17041a90a9a9c4cb6fffc847a5f56b08d205

SHA512
739d88fa3a51c3c1c0ef1a51ffa08e28e2f1b223246eb54dab0a2b6bfd8e16b0e953c75ecc177657935b84c0f43e1cee45b0a24eb1059d9f0328f3ddb3161437

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png
Filesize
448B

MD5
a79392b000347de511975b96ced826a5

SHA1
2eb9fb27926eedeeb5a4c5c21acd0c4775e22e58

SHA256
b15d8ef9dc6aacfc7692dae0edfd0bdb5ccb5d5a8c01c17cf8be94f4b6db31c2

SHA512
8b089bfeaab4a614a5c65d9759f84a08df03ffadd453306f75bf22df14b1939b4a95090445280cc8f5caa50a805d264eed68e9fef84a8e3c40f6cdcaab4c9c7d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png
Filesize
624B

MD5
383aac362d2e3ddd1ec23ae2c78bd9e8

SHA1
5ad6e0cd3636f11182ef9bb41a9dc187dcea10bd

SHA256
9bf1856a8c5630b906805aa475ead48f1219630147a23c5322b84706a5e0bb5a

SHA512
b50035301334840921f4bc78f4cfe5552313b2896127e2365482468bdf9b7d9dbc125c928ab638669a65ce45c30bfebe239b7b6901ace9986ae85f9e1feba10a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png
Filesize
400B

MD5
87349f8afb30e15d265ffb82df94fb41

SHA1
ca40459e9864b1df033abf0f9d3aaf877f6e7d99

SHA256
8e5e3792a4c545faa210bb0e98d42e6344450c5696028900b884503ec1461ec2

SHA512
9463cd03a8e09b5a010d1069113547c966da86fdc65f69566d3d4bc3291aff72f0a5fe91acf28ee399ba887cdc1e424e9dddc88a2d8c8181e635bf566e242d3e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png
Filesize
560B

MD5
1664ab9b04d49ed2b5753cf7ea654f71

SHA1
7b7efc1ad0dc30e4478ce08bd95f3b59def28bcd

SHA256
ba6693991bf1d10c67d48841a952936b3ad60a9ff9cc7d28a1b65ae8f74e4185

SHA512
07f3ce8bf950a73585090f68cefacdf46615c8ab468304d012ae183d4a6975f0b6ef4a495fe9ff6281b3ee187c313dc95291cf5b070957f7a4a03a6cf9c482b2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png
Filesize
400B

MD5
23d663e317be4becaff6f67ce4ece83b

SHA1
7ec6fd3939fc993595982600a85fc4d7432e82d3

SHA256
36e2f05eeac0305919c6106032c4b2ec7f62b36c2fb29c458c56158840025340

SHA512
0ea32b6d101137c59ec5b352e89d40f0b1e73362a624fced457eca69ff96c50fe534e6f3b82e2190f88efdbb2ff572f83fda500f865bd724c179ec7a6ac4e273

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png
Filesize
560B

MD5
f671911a9e3ee9a1f94f1e162a05c293

SHA1
a863b0dc3fbb0914c5a66b2cde877e9a0bea1e15

SHA256
c8c31379426cc32ea035d361dee3347685f8de8ec1d6b3060b6ae57481e9d024

SHA512
04b6d9e631ec32e841c15c0081ec8997cb4598174a60e097ab3cca4b2829b1b7563a69d3824476cb6be43cc418da941e2e4488e0bd57454e07f759be6fea831a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png
Filesize
400B

MD5
f85b51bf950bd3d9b7e62689c87d0cf8

SHA1
24ae6d3bec2ca5c2185a600ea12abf17c1107c40

SHA256
0150ae86e07dbd3fb03b4c8e2bfc1f83bf03092599ddcd7d57d4c652e39cc5a0

SHA512
ab47f4827c09543a889ec49b76379a9ae565864959e9933684e33f2852457a1a6d4e537e4a0b71366e6dabc93954ebaf77e865b4ad054618ac18b9aee02e7354

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png
Filesize
560B

MD5
8f360ee726883dc9ce0fb850414a6f1c

SHA1
dcd726e6769991fa094265491cce9a2e5938c7bc

SHA256
2cf8975945427da426ebae59f7df36d7f4aca271c04d25273429323dbedc429d

SHA512
7e2fa2fe7a32da8459a05c8f5db9350ce2bc212411b23a208128c84ae1fd7b456dd9d7f3f4d79816273161890ce43b77c1d5ec5f94524d7f9ea8b8751576fdf0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png
Filesize
7KB

MD5
0a779ca586b93ec7a2cac384e1f1d1b6

SHA1
a4047dcccc88ea3cd622f5e81452d040ba0a7077

SHA256
5a1f9eaf11371b07f2f5687e01f5a99c81e2910e69538dd62169f0784dd9e469

SHA512
b26d284be07a83ff28119e2e5820881e4f44c32402da5ed63e21c6bbc2111342aab4b9ac59d7d9c9a65f3feee177b9de59f854bb0bec63d62f5636dd4fc05ec1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif
Filesize
7KB

MD5
fa0c0cc1c4ad80242895ec984af9ff7b

SHA1
2d6cf3a3fb7914a1a70fc6ddcdbaef0466880877

SHA256
a6379299f096b4c02c1ccb5ed2e805d6cc1f36e82aa2efd7797ed33898d7d2d6

SHA512
120e2bee6e5415a3a035aed1194f4462d5fe69166a588340b696cbcf70a3e9b809368f1a07638ed2f20faa7665ff495652ab912cff7fdcef14f57ea34c4de3b4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png
Filesize
15KB

MD5
25ef0bda55f85f81fcfbddd7b2940ea3

SHA1
b21a8105370684905bec52a7677c493a66bec8e4

SHA256
9ba50b9dc53d462cfd91398314ff9706d03edf5087cca509b862ccf9d0e5b3c2

SHA512
ac95dd521afc4c5516829433474616bf9b4eb9a4db1bec53fe29fb506b201ab122edd939bef9efa217ecabb620c74d8cb29e5725ba67e267ba31e3d679845f7a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png
Filesize
8KB

MD5
c84becc4c19b19c3a274fb4241a575cf

SHA1
b04a871905fc6acd9a668b76ddedce4c4a0366fe

SHA256
e65bed5ba5fcc0095e3a0f30e89caade42540034669c5d683477b5f22897da6a

SHA512
49ef441d5ddc70eb483e3187555a6b4d99c5f45059ed17617ad934cb98ccb3d397270ae1adb90125055923c6f9eea5baaa7e73034af50d28502f2c457d940f0f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png
Filesize
17KB

MD5
04abf97464cd2b5facc14595ae09d62b

SHA1
4f900cb0091f2373799b5a29e75b245876fe2a47

SHA256
725849ce64237858ab5bba9054cb7f3e0c38e3bbf223a3f1dee5dfd51542e69e

SHA512
0f0e858aeaf58cd47e1082288a7bb0f80984f815529dbb62f4fac6e90c7d70f000a6010c224229c656da8f42b7ac96af0003cd26817f5bec6ecc1f5a2429d6f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png
Filesize
192B

MD5
6067b80231914c04db3764410a027a3e

SHA1
28dba1b9526685f1ee08d9966cacff7be1b2f738

SHA256
fba2844ff727daeb8a76c0c28e7b58b615aa93a85f890629da5bd477894b84e8

SHA512
078368635c2c82fb791e1a7e9dc20d75005a370dccbf4fe5dcf66413c48e8efb7f63496c2c2d07819b0db45c4a98d06ee8d6eb586b435cafd8cff3b4e666fb34

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png
Filesize
704B

MD5
472d3ca1daf6dbabc5dc3284c2acf1fc

SHA1
0147535dec824a19f0652528956aceccd20c3f52

SHA256
3024de11a764f7dfb8e5f4ac26e6d84db5da5055707b54c3bf1355f9e9358f34

SHA512
cecf2c3a3f0862f070d0ee474e0d8075d4c9c229279f1946bcc1b9ed5be0e008b24342fa30c22265a342a278d7229be5ec688647bd078a4601736e95cedfe02d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png
Filesize
8KB

MD5
0f6793b56719df9e762a6d80d019cbfc

SHA1
3314f250f0d1908786280eed708c2701253a7462

SHA256
4d11f99c8ce4435d63da967ff0cd88fd2de0a2ba6e214e7286a22aed7d955497

SHA512
41ccd29e184f08713bf0cc1136043e873d0083179c5043085b7e1ab9c26eed28d3727a404405f0d42a56e45d4170a4df456218cd08343337cf1419ff4a254fe0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png
Filesize
19KB

MD5
15421b97e0ea6a99fdccfcae0e7a71c5

SHA1
85eb911088be23814ff568653bd96bc8adb5a568

SHA256
19833f564cfcd1b6e273c034fc81ab061911c4c5a813759b709e4750887e4056

SHA512
ecbbfa20ddc20afd9c9b6bb37789097da0d23dce4792e9b2d238cb8057e2067a4bf599354da4e6f8412058fb30666de15427b228388518766e448505a144b1c7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif
Filesize
19KB

MD5
942d73a80a4f6ffb0f5b1dab7be057a7

SHA1
1acd97e25742a8e003433f0f5d1a2b5e2a18e519

SHA256
0d7cf423e4395589b422aa84531a8522136a8df79156deaeb2a82b16d0c6ded5

SHA512
ba2dfdf0aa094986d3c3dec7373fa92032a150d9d804895f7e61949ed61eeb02fb8a79899199a13be9f227c9125237e8cb0359538f1f67cf6be19d0503df6969

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png
Filesize
6KB

MD5
8fc25886edf24d99524dad2d1bd835da

SHA1
4a56fdf711682ca69414980e3a478e565f488e78

SHA256
cacc62bcc351c1e05e2af666bfe98ef9046ab2a8001cf1b4383c63951f1d7d33

SHA512
ff6fbb014f52f1e07284c30bda34cd5cc62362221dd48a28d95d8fd8c798e9629ec50839ae30d30baf5c53fe0a54d9a75dde51d3451a8ee042047f5409efb07a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png
Filesize
2KB

MD5
90aba3beb01732df8dc1e7f576f97c0e

SHA1
b8acf0f5fbf29836675ea9470f150ab822a168fb

SHA256
db5abf7577a64f68b88ccca5fbd539345c1cf8b90f6125b5c9ee09dbefb893a3

SHA512
4918a18040b6616bcb5543c37aadbef57227e13cad159e44d45f6f14c8cbb52da80de4d46b94c7bb6e4950c203026e5465f540b46459fe84951baa09b3ab2bfb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png
Filesize
2KB

MD5
5d4da1e4db89e9fc7618d07ebe44015d

SHA1
3e662614b59996a24bfe79d38dd2f9dd543a39d5

SHA256
41ecf7ad25bc82c5dc217e60dc871e56a71df93794055d199e7eba0d28c8de0d

SHA512
e477137ad9c3b3d68e1f85e045cb9cd2b7633d65a80907e93ddd31b0265ca372d5f6195e743341ba124be92ae3020b5a1b45b07ff4fcc9eee9e1d0a405e0d821

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png
Filesize
4KB

MD5
e7cae634a60bd77233ad742f1350d0d2

SHA1
b16946cd3ff338ee8d142212dc3d1c14231c5f6b

SHA256
a6ff428687b6a652a38c59253694564b6559188b51e348f893a8a0ab532cf314

SHA512
cb17081a22201f2643c2b7e0dd52d214aa7f09a829efe31f74b35d25b86ea48d13ab58238ccd36fb9f0dd91ef047da50d6aad658e0620051b07269d72c994f1c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png
Filesize
304B

MD5
f3f31558e744dcc25cb1cc3013785991

SHA1
02c12d37c798aebd21ade2bdefec0c69a333136f

SHA256
490c4d4b26cbae7379a2ed17b468852adb9d2302ecd289831396f6e1838fbf6c

SHA512
f63317ecf2777afe24c12aaf603852bb92864c59674b1fc0d9de59291df1d21a2229095f8ff5f5afc7263a393601e4fd4f1a508f8853b9e936956d8ab2b6315a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png
Filesize
400B

MD5
52ad077430aa1c3a5a54dc8d9cdf007e

SHA1
ff85b489fbeff5d09fe9b262b51501bc5508be8e

SHA256
599169a9a7e9bcb0c4122e422727f16173b150620fcdfa30cbaefd9d892f535e

SHA512
e7c06004778e91aedba7fbf647ac2a88cb22c4a04d03b6fb67a1704647e1dee65bcfe1c2f5c70e6a94696b669874e0f00a2cf0baca9cd43cf84e166fd64495e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png
Filesize
4KB

MD5
a30900fb034dc3cd7f225fcdca4f431e

SHA1
09a9d389f17bf723744a55b5205c0f558e437c42

SHA256
aa5d1d1ac1b42345cd8fcbc42444f1a77709104f4d24fd733665c7c43b3bb772

SHA512
0aed00741b0b5a701f5b9000bf15fa115f7963dff3b4ccee4a55201478514e9285fc10f56d258b54725987be1ebab4b3df61ef17976cea590203ead907305e90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png
Filesize
1008B

MD5
d1196072ac1d99f991d8a3e6ea396094

SHA1
776a0e46c621db254e9783de239b31f721a3467c

SHA256
34a79355264468181036e8dbd361bc7907d90b012376175aa60ce54d89720f3e

SHA512
6ae624c118e38f825695cee6742bab734efc6954669abcdae6141b4df6d489241375239745a67279b528701337ed55ab51650231222ad944e97cd8336b924adc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png
Filesize
1KB

MD5
27675241e71df0923b8d1fef38fb3f7c

SHA1
48480d24ee95c269aa6b5124de98678211afc5d6

SHA256
365a381b4fe8536aee7a9ce9f6768b21a90ab50bfff852c49e66cf560ea3a683

SHA512
ffce717432eb555f4f9bc1bc587432c96df3a33dd020a231a7217c703509bbd2c5b74341ace7834f1ad635f2644ba207215522d6767b84425bb4bf68f5c60d7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png
Filesize
2KB

MD5
03fc2c9562f0e116e0bf710947fbf552

SHA1
2da1e633e2d584b8829ada65cbddd41f3e9982a6

SHA256
206eb684460e532e10eb8dbe67f06295483323e5ace4a71f58576f548f558f5b

SHA512
a04d4c74294bac386bfcc9499aa9338872b790eeaa9a5149c78c27a74af883ea8eac482f4e8e29eb45e7119e6fd8420e9c3756edd7384fc0f8577e23fd0078f1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png
Filesize
3KB

MD5
cf7d7994c07b6a90213ee8bf53c2937f

SHA1
ce277702d6e9f16116a828c580c14a24c6c2444e

SHA256
3aaeff89d8a15bfcd346de4790e451e942ae7d9553ee597db82051e83397304f

SHA512
04a3e5f628b975ec5d08f082e403271b8fe19b787bacd7403a3b60a8a62bad3ac7e94eb21e81fc815b3b872f6ab402647d61c10378d95b575f75ec97570d5719

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif
Filesize
560B

MD5
a9b3f3ebf512ef03858134bceaedf4f9

SHA1
1b52c68d3c7a04315537ee22ac9f64748bce1571

SHA256
936db524a8de4c2a8dd990c9b3851359db02b568c1d60e8b5f276b486351527d

SHA512
fa00aef67493e63b9c4edbe7b7a69965de1ad71da9d5c4288f78a3dbd78f1c0ef4018f14ef80831fe4dbad17e8039ff6b59d1bd2bb6eb215e735873d5aa03a90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png
Filesize
6KB

MD5
4003ed751879d435c34754e7f016c672

SHA1
28528eef63ae6258988b5635b2b3ff87a272b94a

SHA256
3191f8d23b56b9f80a2b2c37f438552e0fe7762be9f7eab8d5696119dadbb85f

SHA512
ad6bdb753b54a32ff17eab752eb7fd149927d1e85a4cc1ce95a7ccf14fa0b7c0fea199f6383217ca8389e015b64f21157181679bfd37594a5802b831eb0492e4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png
Filesize
832B

MD5
19f4fb6266fda1cf232943fe52e0fc08

SHA1
6f53321e967307f7324aa05909af95f338974bd7

SHA256
4d6dee984de296affd6f11a5aa0ba283a7e45e5a85aaf65b1891aabb1704d1a1

SHA512
55d2d71146c7c468f52d15c027834602bca889267fae3ae386b9d89c18ddce933d3d43175fa8172239f0d7aedbdb24f5986f3dcdc799439f9e806e8c9d195aa1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png
Filesize
1KB

MD5
a03f091ce3b38c81ee13c6cd2cfdef2d

SHA1
83e580fd12484f8f4394c210789b3010fe7fa371

SHA256
0a5d676fd3bec5eaa6dd33263eda343a277490d6521b80177d30e3be015aa043

SHA512
cbf37224ba49c7c3cd33f8a07ea44d275f1d6df21c82c839722c64ce5666d7a1f9197ad4aae0a1f079654f191eddb1d565627907bdc172df13c7cb6307a276aa

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt
Filesize
32KB

MD5
ea803ecbe22fdeac3b67b601b384b4ba

SHA1
3ff0931ba92a90a548fee4bd15b4631d14de0cf7

SHA256
53a5642b3fee14a6bc6d3eb033768485d5e896e52f43d50622c1788036614c97

SHA512
35be0b381b8b26831abaedf08b634e14ecd5e4f6665812a79f4f7157b6077e65d1011b125dc2f8858d1e3e1c8c02e1366c801bbb3db56e9cb0364c52ce4321af

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize
160B

MD5
2b99c2a7791bee7a0a6d035ea395ac39

SHA1
a911820205ff7cdc59963dc9e607cbf6a7f058c4

SHA256
a2769ba6e634246944de0a1dbf36502a2a2ba6c190b49dbdb4bee59c7e7e4353

SHA512
92c77d7367ce437582301cb6b0453d0116d1d0a09b9e861571d68e7cdef9774502a80e098bd5ed51e7367958cbf4277aa35fc42fd8173bebca5b9dc48432c977

Download Submit
C:\Program Files\Java\jre-1.8\LICENSE
Filesize
48B

MD5
ae49cf623125b2baafb2b739bd6307a2

SHA1
361f81d775bf6f1327596d423d55d2c37244e382

SHA256
f73c7ab886ddb15935ebabf4884276459e332446371e659bb2b7d2b490ba360b

SHA512
11c69eb05a21bd73e44d75e27080a0879a08e40aea5d962dc642cce2f11c362da0a5a8e1d1ad5956ecca645c890c98418b5cf9b7ff32e3451863f2d7b38d455f

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize
192B

MD5
5e582efd8e6ea172f4b62aa2f460a212

SHA1
d059621773988c255ee6f998ba61990049cb9051

SHA256
c98083fa907b2db810859c0bbcce7753fa1466a6e07f3546d46b9357176d7ba2

SHA512
ff55a0ae27381c9e16c3db2c1ac7f222fc05bb81072b5f850b19fdc77f159c4445163e09cb5219f076744efc59b31d506afb248037c78ebe4daeb86d7c51e120

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
Filesize
192B

MD5
ac1f347cf9d35de489a14267750375e1

SHA1
a39a15968846de7fdc27c6304d3c3abb38993ad0

SHA256
3a92ed23821847033b7ef7520e6dc7e325148b2ed8dfe2ebb354b3937ef6afa5

SHA512
6b8a2de68699ed9ad7eeee4e34eeb6138395506a4fc6d294e64faf460042b8d2b1dc65716dfcfad1928dc80af9220c64610fdea676113384b96d5bcd9191183f

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md
Filesize
1KB

MD5
210b94af174e524b281b22d929bd084d

SHA1
45ff0c793c9d8cec3664dc4ac55a386eb26116a5

SHA256
6cf81b2fb5573aee66119526834bbce7970830c60b9c07429284e130ff067071

SHA512
bb0a1976f0973ef5c4d11ae62d6d9acce6b676e065ce73007f8e5d91b01cb8a3e4b68917b9229273e8a45d6f04526a5f672c2189cd4ffcb96015d15274aa4b75

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md
Filesize
31KB

MD5
c6316879246aadfc17bfcecf9d44d745

SHA1
e17a1f15866758936d00853805beb31335c68aac

SHA256
e70e3d1d7c24b7574580dd04f50c2662556ecbfd8e08b83297ed8255e0b6ceec

SHA512
ba0b3cc04dddac0016db6779eb00c59cfc5eb945b34c455f5657deb7070bfae2a0289dc14b75e65b21679dcb07a7e93f4e7f5fb31bfe683d43cd961fbe76ffca

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md
Filesize
34KB

MD5
85ecea67bdd7250268471144087d4e06

SHA1
98ebd4293fe509a195f7d735391d6642582cdb4c

SHA256
858b5ba147b824eba429de88c282f6c0a2e53fbbd7f30e15c8d1a15aab794fe6

SHA512
a8a89b873f2893b9e6687a3106eb1307f36ba653829c10e0adfec19cdaf8f70984f0f194c660589b9a943efa7a590e73a4536f8ec5ddf570e165d73b690894c1

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md
Filesize
2KB

MD5
544eef7488fd981e69a77bac979e40ba

SHA1
e1235b24068575338397a971f13aeab36068a56b

SHA256
b58f04bc2c37cf020ad44316d32a7308c7fcaaa099fe0340fb6d938659f20371

SHA512
81fa89a86801b3cb6113f3b832542cc4321d928b5150f6b8937914f68d39dcc4296893838955c679b753ab84f226d5c79b9e437bb5e1f9b78b8802cf49c1509c

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md
Filesize
3KB

MD5
6abf8cc35546aac1745eef860d65b502

SHA1
36b2900091800ec5181ac4aa700e56b70c412cf5

SHA256
c71a6dc14e508a2fab218409ef983c9c4b0fa39918cedb54b8a07c179d246166

SHA512
b67800e739cc5bd92d481670aa6ab3d7178247a8f4bb5f8ec6f8eec8cfd9d92d3896449bbfddbf3763bd618c4d0b5ae54cf85613a5e8f8943a3c4cfb6761432f

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md
Filesize
2KB

MD5
4fedfb6733f15632a8b61903ace35dd1

SHA1
cdaa46224554401ea418d6001eed407faf2ee1f1

SHA256
6a0227ffaefaec56024c26ed1e19c9a13d2a6c835a0b42d5723eda4d57a7078e

SHA512
3a28d91a815a89e3c6672da6437664fcab4cc0bda27615e1e12655a818228e6e3399c492863f1df6f9ae85e6722d8622fb1ba1a4e71266dfb2dca8080cf29837

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md
Filesize
5KB

MD5
068c09ef1a8570326e435065b0f7aced

SHA1
2a5a9241bd103f0231ca5a8d2bb5620bbeecf1dd

SHA256
81a9f12d339469d3ce8d8e450e0f372c1d552175f2412509bb9168013b2eaf35

SHA512
766cee408145e1335f871bacffbad60caa4823659bc158f076ca5e39a17eb78bdeef81ea090cd0f53cf9c14f7aabe278404e1b2e3bab861516847f11523ccf7b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md
Filesize
1KB

MD5
d2ca6695c76ee046922a91d98c9382ec

SHA1
773cd49dadbf997357f2f1f5ae5d19e6907fa842

SHA256
812aded26b054a868fe32d04fca22331f5c594afee6418fb7c27a441ffe512d6

SHA512
54405341ec79b7f3a8c40e2293b4f719527948da0c8b6a2f2c67b91b7a04f3da60ce35bee403444c863e4f6ab74e008e83c024902dc27778ebc249b9514dbfa7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md
Filesize
10KB

MD5
5dafcc2617b9b10e13448f78b7891343

SHA1
4bf1e80d5f38ce9b04f3fe81648fec2dfefbcdde

SHA256
267ac51a5688083348c76006aa78aaa0115120db5e5e77bf5020afdded3365ad

SHA512
a846b6b50c6ec69f869a16ee8c5503889bb88e0c477f63253c6cc8743731db21415f088a856e73527b40b4bcea337c5d901b2d92c1e1d9dc8d5a862deb9b61c9

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md
Filesize
3KB

MD5
9cde5cb3b25d0b1ffdbb53eebd0ea3dc

SHA1
b205d2302ba2ebc2c549ead724d82fbdb5a6701e

SHA256
f82f80eddf9dd26030bad2a1aa6c528be966e4dc57a718a7893d46a2ebb41616

SHA512
4b1c17298e6b2b5a3f915cab2cf38e9466726a3f160f15d5d1217511f24e015100c82edf0b316744a22714e7d1c788f7a1dc6f36471f3a16427490dfc4a87010

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md
Filesize
176B

MD5
55270cf911965b84d8b85c75ea492ed2

SHA1
71a37998a11aaa52aed1e03fabd3a7a1b3dc745f

SHA256
55280ac089dc5fbd8a88ea47a1d4f20feed93907f5cbbbca9d28b81777cf509f

SHA512
10a9a49fdccfaf535697be4bb6c8f09aeaaeac8de1a43aa311a84aa566691b44902d291f960114c2fc2ca65cb47c9542cab5b1d8c5a153584930527da0249a24

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md
Filesize
1KB

MD5
d40f15e1c1be0a4b904549432dc370ae

SHA1
7de2d04182bd38bed95a002eb4056fdc86ebf118

SHA256
7e88b0090d2fb50202b6f6b379ad1c3ea713fa768b3150ca81fe4a92c33b0652

SHA512
a4b808229b3d0c3e08a8829f8597212de9f4f0abfb719bbba39ca856e1471ad9e8559a99cc77d12e258c57d4665ede68837b69201da9384bc8630ae08b5439e0

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md
Filesize
3KB

MD5
69bfe6c0adea002b2d76fa24f1f38b38

SHA1
3303a8a8cd338a150942f83ab40d62a3831fb1aa

SHA256
137a9a3dd9845635398b2005fcd3b3e9c3206698db83a220bcb51d105651bbf9

SHA512
891f46f321519962df68cf01e1c776bd55ce2e04c82dc4fde47d3cc645d16cae6bb08e0addb5ffabe5e69996169ea5bcf020c5d4c34c18f05f0b810351413e9f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md
Filesize
1KB

MD5
ab31f658997f82419824abb8806f0cfd

SHA1
cc8f9a087eceb5a8283a9db636d0333b566310d8

SHA256
7a57eb6e152bcc1f8a10ba2119555bf9d2a148dde8683a1f2c41e4d6bae3b7b0

SHA512
a8e0d30e37526212ae406d4a9d6588560a87998f45df978ed00c44de7e1e228e5663308697c2804357d432bb2146a2ea0bf9f8f0e8cc7282fc4d4836acd7a7a4

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md
Filesize
28KB

MD5
c4fd8fb0a969990051bb60f5b40bc413

SHA1
2cab4a4f0bc4812962f9a0c8581aaebee6b7a67f

SHA256
d6da7c02e368d1f49ab33aa1870126f72e57cf3b9a497c8b33e9cd9d056a46b2

SHA512
62ad820b2f52e0e37465f9131f5caa9dd3ae8845f18cb7577553642e36c89850801b799de5adf74620a1c0995762a9bfc4c2afaca5dd782d90431247750f2865

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md
Filesize
2KB

MD5
36efdd02fbca6832403df3c91dd23a21

SHA1
585d8cd399e47009d4f704854fd5260202561378

SHA256
2e77672bc316ca644a0fce6b74ed54c42d5ea4abe4a41acc5eb4dbcf935daefb

SHA512
ba3fa3c1e0f04c83a161fbb9346273aeb2a855b3aa7a3b663f74151ed3f5bcfe2452bbefdadc26a333d54b21c32aa1933d18c3b53fd05637b6721ab3f9ec5aa3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md
Filesize
1KB

MD5
83d80376dbca35f4fafe5e311c175027

SHA1
cc4ff8c35574f1f255fddb55735da09d41e534e0

SHA256
067ed072c888df2cad4ca97df30fc878f3a9d7e38a72922fabe0d7ddc2fb378f

SHA512
3d36b9a0d58da4985e69794403b4b0f3ce2e91f4c93acd95f1124c593e5fdb4bb2cdb649798ed243d564e89b0e760c03b33e2fa10e0cc649181c03067c24aaff

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md
Filesize
2KB

MD5
c43cfd31cc9e322d022f305932ea55da

SHA1
288005f4be660770fa525eae4f4d477d1c21d66c

SHA256
ea6dc7debfedb9cd0851a636463fe6787bb33535a21f92b97c68003ede31b725

SHA512
d18b547a1b2e333e18a446455ba357bf902d4a016c25cb2e2666d2dd331824527d260aa05d9736df7721dc317ec7057ffee61aabfcdae7e36f597a2ae7e03e5b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md
Filesize
1KB

MD5
d99ca2ef6c3c24d56d35e9ea8415c11d

SHA1
b67986f3ab66a5e72819ddbe47dc9d21a14a7aec

SHA256
1b61b7fcab512839f235ae95718d350b04dfe064fe08fe4d6f065a4024a96c6a

SHA512
585dae704ee60830b01afbaf21d03848a08b47a1a2882b24772ebd915b14b6627f5514a2956f7e30e18f4cff0a2db134ff16fc8670111f0849b3566a548ab1ef

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md
Filesize
1KB

MD5
c63ce3ba281058c5c4a1a233a60105fd

SHA1
3b06ebd21399778dc7b7cf6bcf5440ac2490f84e

SHA256
e8a3dd3a2187f7193c7fdee3bb5467dffa34daee665582a1ea98e1da42bb2679

SHA512
b8580c6853dafccbace6785631de5a50059414a6f2874a148b980d6e20207c861ccfa5f1eb90eaa3d9a3b8e2ee5936f481977c068e6908cd7510697424d29e41

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md
Filesize
1KB

MD5
a597914a50399372cabdb58d99ffbc8a

SHA1
882286e25551bfe001972e5b724f0f04d555ff29

SHA256
90ac8b362652459d3d7f166d29c48a9cb99c32b4593d0011850b9f5d49f1f819

SHA512
a97cc223245d1932dab60f4d7fa589034f748034e4791f9fe895b8975abfc567c86485174a972ec30ff6c8bbf73904b6359d6565ed2d6646ba5a13b462aabbcd

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md
Filesize
3KB

MD5
35fcf7699724d9f7a0054cfbf2143fbb

SHA1
2e14561c13d08d699bb3977a00f05a4d3ff71161

SHA256
1f4a908bf849c096eeb417843a2940bdc0bd728d1599f9acb2f3eaecacde4a8b

SHA512
c11cd2be5a93a067e78ddd1d0e7fdbf0bca621da8d3f954c9db46b1c3e0c4c829c6e3a91d1e9f532d8cb241cbc9a308fe60c479ab26e34d0ea37c1d249164d67

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md
Filesize
2KB

MD5
0f5689d6a1c8421188a8e6f8e979c1f3

SHA1
64b8e1e0e77e91bea8f292a10da2c54238d929f3

SHA256
34c4daa20476b8f8c1cbac2f3e7341c9ac396f2ece9b5409d22b4e098136a914

SHA512
cdda6ea471f66e9db266acf1a6b81d4e5bef2dc2472f3a5b4f53f193aa3b5f97dbb5cfbf03f9acc83b6303c72d58e832014d70ed0241de69fc01e95038dd2fb6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md
Filesize
5KB

MD5
440cef445a0e12981b934ff44a2067af

SHA1
d0a72bd0b910ef9022df7e217e21031819d0efa2

SHA256
c8ec2ad875f897cacd6e86b9adbe0bdeff98d7a419b3d063843f41e0841f1189

SHA512
ec46440fe85aefa8b74a73f669db3be6c7b27a629e59ca2e7177fde68e06c2de7cbe9940c95bb0a95c785686129adcf144ac5736cb56a9943dfc88c7ba637065

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md
Filesize
3KB

MD5
8f0435b15b899217f3aa3aabc8561023

SHA1
b4f8d89522f3a37bf2d2139b6be76f78c84fa01d

SHA256
c72446fffdc1ad34fb057c673bd6b609ce7980d4a589d5d2cb1bca92c142285b

SHA512
39db9078801e561b67d001fd999d111824addac0d6be0441daa7fc33e55b65537b2427dbb3b6075db41eb08bc08a5d6238f544173279061d35731c976ce12fb6

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md
Filesize
2KB

MD5
444612e7000620431bd4b2816497fbaa

SHA1
06adec4b55a45ef5b3f092ba8312549351389328

SHA256
bfe9ac989372d29ea43be204cd3e8c85e248604986fefb889b20ce5b77d61edc

SHA512
802dc4253a4289f3c1d7304b5a0d301822a61d8974784e2ba5e9397d02ec070605c207b3367e896493c17f4623a89e79e2518c3560a5f52efd472db06d5e68da

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md
Filesize
2KB

MD5
1c2c9dd533122239fff7592ccd091493

SHA1
557116167554fd1a534bc1f6681ec515fd287449

SHA256
1a412f4b9b6ce9573d43487620d129d0382052557eadc728cc2f66446d84c9b4

SHA512
bd74544e9982e7bfd414b3529e1c59a9fd68fbb1724e087ccdba6f0d2741bd6728dd6bf8d79128868f06d24b1573bbc0bd58249e73ac5b65968f5d2319f76c16

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md
Filesize
1KB

MD5
094612cd16ff32a923ff315e9b37c709

SHA1
74785bf5b72c1b9424fb51a74c39db412b28e333

SHA256
76bade6ea9f0d65e03a7d2f881331df7bef99cb8a583219df8ba0e0634151b2a

SHA512
c913647163fc23d7a4b74e005a7a0a1e349d2b20857e710a89adf162f60aa7cd6e9901eba5a49287e4ff2cc82c9cf56ef2f82add83c5a958ee0da5d53d329e83

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md
Filesize
1KB

MD5
f54f2b98834759c645045626d9580947

SHA1
244546194dc06f35b4c1815f5d8a563ff73f1111

SHA256
f92cfabdd2c51333f87b2e0b1963fb594e15ff5b2242e100a2aefa7296616ce2

SHA512
8adc6be48f8ab0016746996a427c6ac77dbc5d01654ffb88e84536a5dbef95594cef348aacbabc73e98c760cd1be7f640ae7acb8bbb3cae0a2b53c388b4d659a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md
Filesize
11KB

MD5
222e3ca391e6e04e8d6a76e3e77e5795

SHA1
3d36468222cf29484884aacb4631f337ce11b19f

SHA256
ee866a24919ead590c701c5a5b886d432730008985038c64990f2b46cda31862

SHA512
da464214b36801d970889c4945e88e686ff5de5732ecca72b166470016edcfb60db4e0d46436159b2da706ae373dbd305b05046bb9ef91a0578bc82ac0619142

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md
Filesize
1KB

MD5
afd082d096a883a7a2837d25116d7c9f

SHA1
046c2ac572d78212ad91aab1486bde63b94ee95d

SHA256
c45a49833bc76b769accab111aaf45979e949fefad1cc9d7c364b00e6f20b91b

SHA512
ac1fc40204dd61cbc4560db8efaa195e7356ea2d39f187b8ba544a2c651230ccfe03d761a337612bc2413b5575631f04d0e5ee35c0ec77eaac9a9bdb629a5215

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md
Filesize
2KB

MD5
8ae494cd0dc76eab3fb5e684333f5b87

SHA1
dd198fbab4db62e6060a17a29b47e410baad1a00

SHA256
40e7d46ad178b48f30b23e1f3a63b8d3758d45a017719503b66cce1e2d631b62

SHA512
2f842e2f5c4ab464c56b6ce90cef440cfe48551f37e1084976963b7a2d03c47e4cbdb5b98e93477d169893d6ec335859bc9c1063c740d2c2a0656de549c87ecf

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md
Filesize
11KB

MD5
87e00769dd94c5b049227fb038a74358

SHA1
df507cddcf705cbe7b51595cb44b0efbfbf0eff6

SHA256
6e7910e881848f84bdb99d02aadda2b9425bc94d4b46b11e97ec29237229dac2

SHA512
971a857423b1c7c7671e3bfb8e66a4050bfb3fe2f5527036fe160caa49c85c366e9e7250b1905ed8db8d5aa2cc8e8d261c15dd925a8b1f76a99dc9145a8eed28

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md
Filesize
11KB

MD5
74c8a66c29530c15e1787239fb23e466

SHA1
99041a5bf5fe8879c4e1fc35cfbf8bdd329e2448

SHA256
5d2d168732a521581a4c33019d18439675f7f99aa3a3d0e183dee96692caac6b

SHA512
4d3e58d63545c8cda4966e02adae14bb7e2c04a4bb31943507c9205c03823e9ae9895044009cb6e3a1494d2f624c75ff2e087d271a8bb0ba50eac0af3f9ac415

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md
Filesize
11KB

MD5
5a3098b267a7a778de81b926dbcceca0

SHA1
1d51df177307cf2fac96889cd42f8c3388fc3bcd

SHA256
0400c81280199378c24dc9aa5c5bf313fbd6a1e53d7e53b97cb822217583c1a9

SHA512
4a0c03fb77917000e05e5ca1ffd1c77b7b1fbc3a7bc91f3866e4ab1519af82d6782a9fafbb01ac14cc7c8d04a928bf9d9d6b70ca0581b2f41576a6dc12987d84

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md
Filesize
1024B

MD5
fc51c65eee657c4bd5c236620510a47a

SHA1
92020e29933e9d4e8b1cee83009613c5f66dcad3

SHA256
224df0f33f1dbb5d9cfb8e4320b53393fa706910cec1c72dffb40cec97dd2dfc

SHA512
25ed70b4f5eb9b2001fb86b3a6d8b2e02a38cbc4ec71eab9ff9d2fcf0c3d048e5b080d9016caa41beff43d3f06115fcddb75224314ec0f9c8d6435cb13d321e9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
Filesize
48B

MD5
547d46d4ae5660de4840428e3e2bac1d

SHA1
15c28ac7a4ae1faaa9e92a14a4baeb2709dda2b1

SHA256
6cc99d4abaadfb4aa2df78079ae2513d48c23b083ae0feb8b6b4d468748053a7

SHA512
8c6c21ef600adfc12d967dca7b5b8ee18569749123df00179d1760b059aa13294c663c148747dca050f77bb6ef79509de7295499fc968d0aaae1dd68e978ef61

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo
Filesize
584KB

MD5
61b303f97389228b0c4f15bb8a74a9da

SHA1
9e0320d912f72b57bb688ee005b574c267aa7d5f

SHA256
ec2247bf059a6ff5f7e33f7528badbfc9455581d47542b8b5c923b381d8b53db

SHA512
5b07f46e3b3bf10ea8f089431f135686af8d658f6d2221543e318b34e03de67fed8a72b72ee26a5509fce4ddeea4a010824c2431428aaf60b62143b6daa155c7

Download Submit
C:\ProgramData\Microsoft\Diagnosis\parse.dat
Filesize
16B

MD5
04b7f35e9d51f3c9e74f47a84aab1ed5

SHA1
25bca554fa9cd3cb487223cd39853df3fccadaa3

SHA256
efc2566459e13d16b2552dd67778e67bd2d5c973590fc20afb9ff5b8ad489e71

SHA512
5dd04bf5f766ed47452201ecd1f419249625a534ac83ec6c9626293e9da483638b078e446e2a413b77108139baa72f9418ae903d78935fac89feffc393eafd71

Download Submit
C:\USERS\ADMIN\DESKTOP\DISABLEFIND.DOC.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
302KB

MD5
e043d9c517800a6be4bc672d0562f5c8

SHA1
22eff370d81c4a9b37de07fd95e6213b61efb550

SHA256
ac0be2544070ef8caf2a5579b7ad1c011af797bcf33a2acd9ee9cf37573c40a5

SHA512
43aaa3e97e9344015bd86da44afa5085cdef5307cddd61a1f667e6a21d32375b818b633c1aa907b23b648f89e9905541e592837cb45144a0854909043a00d798

Download Submit
C:\USERS\ADMIN\DESKTOP\GHH.ANARH
Filesize
1005B

MD5
697b2e9f1ef833a0fbc8437dadda8740

SHA1
a925adf3d888426e9907dee16b3385e61edbbe4e

SHA256
0c21ec086fda5a0677a4d1bfcedb1c1d8d5e9c4e6f719346fcfe1504cd86ab0c

SHA512
b74ec946bd56e4640652889eac43b8796edcab6c5d470d8fcdffb3ff8fedc1bee33212877e06da1351db26275c94027b277954b8d0534f405713a96000e86fd4

Download Submit
C:\USERS\ADMIN\DESKTOP\INVOKEREVOKE.BMP.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
526KB

MD5
0158f47aea82d3780ad91413174a34f5

SHA1
09aadb517ed22fb50b5c5942ce09bc5c4d2c1482

SHA256
df404aec7c2f862da26553a385a9be6691499e3fb183cf7d757fd793487077db

SHA512
02745d90150d3240486654047d202f05e2e773f688b375cc3b5e63cd57771c6f0fd2969da374e03df9bbd591a0acba6901bdfd0a4d0a1826c09dfdf3bb7fd858

Download Submit
C:\USERS\ADMIN\DESKTOP\MICROSOFT EDGE.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
2KB

MD5
69ea39c431145a8435ebe0e9c42d7467

SHA1
79d09b73f3ac4ee1ac822df42130c2bcc7657e1e

SHA256
df156ef55cd874e7bbbe3355bbfabd7f2653b999aecf8c7db806085b8f5c90ce

SHA512
04bdb20ed3aa0aca1c9e2f9e2c5737ea23dae97e5a7c2ece3ad5381bbbcaeb1fcb2eb528c04ec78d8e06d93f33edf0631e6a3c579e8500c62465c2fe2927d62f

Download Submit
C:\USERS\ADMIN\DESKTOP\OPENMOVE.ZIP.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
512KB

MD5
1136202cd4f3e0b99914337f6d440b3e

SHA1
432c2688ee5c62b246b6e3089931f5fec71ceeb6

SHA256
3c636ac2f29b7024e6f02f60984d22411719d2a3bcca60cadca4e4a7c9c1106a

SHA512
bcbf1d9601c54f13368224c98ef92e6fb9eb21d28e6ce0e4a46fc42d400290b1823a93d315e6c83becd4bb9205ed0b8b4261c543e7c11c762e678e80a901bd23

Download Submit
C:\USERS\ADMIN\DESKTOP\PINGCOMPLETE.001.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
386KB

MD5
b286a7af67bbda05de5165e2db82f611

SHA1
dc7f0791691b74791904c1c10141433873331600

SHA256
fb6b90079d21cdf4b8cfa29bff5d834ff6b2042f7e945cb9a75bbcc3e798bbde

SHA512
b6214e6542dbe2b97a49bd97a3e286d04d291232bac780377f28abc33c8939445668559ff1d330d49bd7a395e00fa9bb136e7ae3c9277616a0450782eec5d1fb

Download Submit
C:\USERS\ADMIN\DESKTOP\REPAIRRESUME.JPEG.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
470KB

MD5
f324f5662be1edaac46a061b607b5036

SHA1
7225f3485be6d27cbd86c70c4110c69b10890ec5

SHA256
2621a2c6181a6f1d9780fdfc2eb376a68ed4cae0acca3d7d433fbe107f5ed4b4

SHA512
9f449b59f5763acbfd55a9b714e9524ff7ee636e14449304990935e286d3b8dfe6db4d6d8e71b20b057b0f620578bc6089fecfce13bd5893df315e7d52e8b547

Download Submit
C:\USERS\ADMIN\DESKTOP\REVOKERECEIVE.XLS.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
442KB

MD5
96d4cf3ed77617948262e52591719736

SHA1
4094ee799cc7b7905bfd292ddea01517872f8c7f

SHA256
edad46f95dfa44307b807c58dc2b98c0d9f1943d7ca12ca3718d6ce1df7531d5

SHA512
fcc0492a06642e8e33c33f48decbb72652ef7191151c0407989bf42df370c68b2fb4e57ce1959519db73c63b34730ee0b6f1af31043b4fb8347b663eda8101f3

Download Submit
C:\USERS\ADMIN\DESKTOP\SENDCOMPRESS.CSV.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
498KB

MD5
d0bd2155f65a678aca3d04b1bbaa0ffe

SHA1
ceffbcaff969654b2e5c94c38d265608012e4335

SHA256
4f2a8fb5e94372b7264b0a0528a40039f4f63c87db9f9be90b0f34e30e8fdfec

SHA512
c5e5b41a35522d4dbbaaa3c8eafebd480be9e91c087be63fbf401b3991b8306ad8d65fd978432acda18d9ce7d9efc2adfb7b8f463a03e367f76d6b1c52d4c9a6

Download Submit
C:\USERS\ADMIN\DESKTOP\SPLITMEASURE.PPT.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
316KB

MD5
3e41a5cb5af1e532ffec9f692c35d013

SHA1
2505a9c6ca6539995c6110f1f22ed5d442b7942e

SHA256
eebe77eea9d70e9e08a9048318c17fd44cf46b038896326533481fa489d98e98

SHA512
a8c37f5294e6ebe8babb05c08b01adc3f9dfb5e7cabf5afa9dd9ab42835f148ed315310c1f3742b44cb2627d68547015948ca3083e74191834b430d302240f1c

Download Submit
C:\USERS\ADMIN\DESKTOP\UNDOSELECT.JPEG.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
540KB

MD5
643820915e2c285deca36ae4d6e478ae

SHA1
ac6b30be59184b708bbed60aacc3f766cd6a45c3

SHA256
03f2bcecdf3ca695cb2dad3983f74f9a4c2625e24e213432ccadd5e53e488629

SHA512
f6e9a230d0b58f440c853f7cb1fca5890a760eb4b4e59d14a93ee0561a7c4e202ba341f5f87328efcd8b61b47e741bc291ffae0d8b95cab1f782fb31be1c3f49

Download Submit
C:\USERS\PUBLIC\DESKTOP\ACROBAT READER DC.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
2KB

MD5
b15371abd354858168bc525f94ad71b2

SHA1
2054b12102608087abb64ea9fe42fe0417fa6a8e

SHA256
ccd4dc794e35d8b565fd087c37ce9fbee572b912d99bb721f2f04c1ebf9b6812

SHA512
423fc10f11f8036b9e862e259cf8730252c0b714fdff1e12854cbec4b83f2b5fc4f1bbf50500e268d663ef7ced99b4774040d9f279ed6f975383a8098d8b975b

Download Submit
C:\USERS\PUBLIC\DESKTOP\FIREFOX.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
1008B

MD5
44b609b8bf71e43a79275ed8e0ccfd5f

SHA1
f302b5caa7ffffc8f69f4ead10f46460e065d22d

SHA256
ce045774cc4022f65e6c688918727275ea532f07f7ed789de2c8868021def4dd

SHA512
18ba6cf42765279f862d03556652e0c10697e77fe8ccb50477532ab46a52dbccf7366393fcc52a7377376f29a5a6060af45a60775778e478a243772b9a5bdfbd

Download Submit
C:\USERS\PUBLIC\DESKTOP\GOOGLE CHROME.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
2KB

MD5
1a5379909f623c9617142cfc4ef9ab12

SHA1
9f865f50202961c05afbd6175e6d05bd5569b76f

SHA256
7c62135a40a2f65e5e3994a426fc220d439c703abcdb8c9582b70f1786a29824

SHA512
7e49f921edeb44c1487918a91027a1ebdcdc19527128f40a8270f3a290491fdda31b731e9899a0272973f6f42cb9991ff8aed3084c24c076a5f72798cf92c8e0

Download Submit
C:\USERS\PUBLIC\DESKTOP\VLC MEDIA PLAYER.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN
Filesize
928B

MD5
e90b966217a171add02eb4afa40b4eb9

SHA1
52740fb0e245f41a02dbfa49a01f352f14248459

SHA256
8265ca2d35d00466bf5007d56cf424c5ff435e55cd055e14d6003be600df98f5

SHA512
a1e11784b62ef0a337defbb5cf632c03b1354d236992d31ffd61857384cd1bed8a6e76002769ea87e81b2ac8a65e9fb6cb8ec6d7f8d4d809dd9302be928f123c

Download Submit
C:\Users\Admin\AppData\Local\38159454fdb13b87134fba9d95f9ff72\Admin@GSAGMHCQ_en-US\System\Process.txt
Filesize
1KB

MD5
cf3d7e7116895886a02bbc14613f4d5b

SHA1
f0c61acde33dda302023947597644d0dcfd89e55

SHA256
d1c0601fdff3f1199d9d9ed5d950174236b182f1f5356d61f1dfb0d63b58fc20

SHA512
5482a5934e3fe486333e66b3f234851c04cf8d6fc44f9530bdcdb82ea2c563cb72db791c1f0e1d61c359656549b6f116b18d34e11abe10f3649008773c47f97d

Download Submit
C:\Users\Admin\AppData\Local\38159454fdb13b87134fba9d95f9ff72\Admin@GSAGMHCQ_en-US\System\Process.txt
Filesize
4KB

MD5
d6e17c67b217f7606659bd3b1b4a3173

SHA1
82537370034a5d7af17bc889975186b4d79fe968

SHA256
4367838d80db1c07546811ebe8499a1922addc145fa6e864643aa78fde4cd092

SHA512
1480a062547a69d1dc89c20110203dce0024d4df95c99fb64d65f02453d203e0c5a8e926f8355f22bf02eb4b75446d07f7eb116abd0ede3250d30943497ce5f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT
Filesize
32B

MD5
01c332ceb6cff51972e0180c35e8c867

SHA1
65f13ed238a763e8c4d6f7f848205148124dd4d5

SHA256
558a4666415f042acb75dd7f22764ef1cfdf981633f03af3b3654d8bee075d2f

SHA512
8c7acb381fedaf15885615cdbddb431277cd04def6581526f855f7743207d7a9ab82b9f9a48b431902d5e7e90cdc8cef308226bbd9cd048d82cf842b36956431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001
Filesize
48B

MD5
c555495fe7372b9a0e031de297e27b43

SHA1
7ffebedc39a83f723c3f98bce1601b7f70db25fd

SHA256
696de98e9e5ded0939c215506a764fa415b0757f4aa71b943bd79ee80b31655d

SHA512
4dd90c9422e5bda2b68b8478d9c54b468547cce65139019ea7ec6e0de9dfa02416f1cfe83c52d857369ab38bcfb37f045b7b138af9a06bae26383eee9544e376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2
Filesize
8KB

MD5
755eb9e3d4a20b89deb4575c141969bd

SHA1
2459fe82a4bb96167ef918ba47cbe65c6e49e1cc

SHA256
2244d009cb08a8fb77aebdf204b924a0532436d81a3fa33bf2c4cd2fcd7b165a

SHA512
084ef86c7f3bf3ce596e085cf60548dc705d2e3655661ca42fe5d509109f7bec8b150cddaae659ab3ef90a55a29798ec77c4a2b600d40b292f60931d7ee3841e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index
Filesize
32B

MD5
71047d814ec308ed45a24498419c4df8

SHA1
17bb3b9b19f54dee7a2f8ef927b3a101d20f9e1a

SHA256
85fefdc0d1305d63ac62eb427f36a6ccf17c34aeb4a0df9dac7bef905c6dfb3e

SHA512
b401f76bf0a17b413ba69d270fa4324ce21260f9368eaf13655863feacc048f0b9292da1a83e73f2c0b516d9eaad0a4c6d7a3c7bdc620dbea9083cfcf03123cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0
Filesize
8KB

MD5
bfc16d885f4962852ebaaa330b8d5fa6

SHA1
2937013e1ef8b62623a63415cd98502c82961c09

SHA256
6d81a7445065651ba76179e1dde51981d9e79e561eb7eadbbfa593d166923ffa

SHA512
2652e38b110e31a4a5c6b5fac732e4c9a40df3430b6ed0a8418abc34166a9d80e24825234ed86c4789e2cc5a8d0055f0b1bf62ab460f1f17ca55227068def113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1
Filesize
264KB

MD5
dc4bac609548fd87534fa65ce7738049

SHA1
5f42c001a98ee7de546e2211eec46f5de682f09f

SHA256
305d9831829874aad8ad9e519617a8872ed36c1433de9be501277ac448da9a9d

SHA512
911698e8824d3dbc7fb6b4d86a0c44a59ac260d3ad86cd43ebb5c431b477495064b1e5046b82da1069d3caed3cd65281a59783f01bd3fa7d7f17236355fcd11d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3
Filesize
8KB

MD5
adf2274e4df4222f3fb5da0cf256bc85

SHA1
6c0e9e373b6b9a68a51fc2e4e11c800496b617a9

SHA256
76788441677c83df695c33e9a6253d75f00872063462091b0e92e1b898d3e5fd

SHA512
b050b5060ca63cc6290ed9ce8c0748a72a36873c703d199fd32fde5d9631adf25379af3966afafae0f5d9ca2c72aed4f209b96463aa8269a4b5cd130435bf1fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize
333KB

MD5
43acc45912ab8a3339de48a3ad99c70b

SHA1
81f763a99610702ccbcce538738f0baa5e7230a5

SHA256
0539c844cc7f88addd45697d712af7c680f399532e75fd3afaa4500c36454989

SHA512
9324c62082f52d3c1fb1fc68b0d5a14996c20f685ef0b863fc16b4e2ad83ea03d9fe3336992038cfcf88ea6f47e59ffc97adcbd019d2ed1855630aef13ebbc24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain
Filesize
413KB

MD5
519d186c8acde613ab7595b802c1fa3d

SHA1
0749365b64a012cde44f1c48c75e7c9eabfc7500

SHA256
19acc06d189ab9a6ab0c8a93aca5da61ffcbf83ad9501d30deb480e3a785b2f7

SHA512
ada4df1ac69f7c90ed0de8eed927524bd9512687a61749566d3da01c2506f02eba153138bebe2a3aac182f8c972770b0ed794a2b1aa4c25d0bcc8db1a00b80c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat
Filesize
8KB

MD5
c41abbf25dd982096f817391ba209857

SHA1
b358f7dfbe4d5ad0a784f3580d82ce7e00e6e329

SHA256
6f2df123ff2a6dd6f49ba82ddedb2b0cfd6fcb8c92078d2d73df51ba498d4938

SHA512
ce469ddc89a253d8bda3b4bfc304b77bf731de5a819277e5c11760888dae1ad7b648b2076cba42f8f0ceeda5e7b0d8059ce35f78b2eeeab7e8baa459ab92a8da

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9WOT0LPI\microsoft.windows[1].xml
Filesize
97B

MD5
6f6303f616adb545f2155b3864f9041e

SHA1
25b80380c0534a38d293856f055535b091bb22b8

SHA256
9061389e723e0018e689ffa46151fffe48dd5531a5bd578e1178a3ee38adc5aa

SHA512
579b859a86f38c6e9edac9151e6631ef85c98183285ad2ed69671ddc1cf4d013a7d5c4ac944e8e1ba3e7b6a34f4c8ad84a3d65549e5fa4d909685664eea35d0c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
0f79b00fd6fbe393ce75c764fa2b1ea7

SHA1
ad1c6f199d15356ae943fc5321367f7bd4d0857a

SHA256
ff6585afac91fd0108888271fefc166db3cc677f21516b4a2e06ece6837c9860

SHA512
b71c6060e5c6e06aed58fbcab46a0c0e185ce585a39854e8bdec089c705553ac145c43509319f6efff9a1b61deebf8465cb4df3c75e0056f6ebecefe8ef40b47

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help
Filesize
36KB

MD5
77f6eca917f9717d8b82a11b60a60dc9

SHA1
9bbf3a6cecc2ff7155689f1abf075c23c2d9b9b6

SHA256
875182232bfb95571b3ee71f659c2fd4579bd275352eefd7ea203123e69f42fe

SHA512
c3a8fa6e8422254c830196865a59ec27505d63e2d0703f110cb9da10afe5e65483e9fb749b52f3143f61e09271f46de128772a9bbbbd8624353924d5fe33a22c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
Filesize
36KB

MD5
b26aaa80836211370ae80fa187d5f20b

SHA1
814e0cacf2e0cc141088f9594842e3efe4707ef2

SHA256
2ac266fd3adb3fde3f26055fc7c628ff8a2fb55346c746e30d3ce1e465b7f8f8

SHA512
f348cf9892e39fdfa8b04e5b1e4401f888018a98fb504b80b050354ff6b2f3cb26fbc37203af4b1d5b1c191d46cd5e085dc9a868fe442c87affbc8277931bbff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_VideoLAN Website_url
Filesize
36KB

MD5
5000eb53127b04fc22948490403c423c

SHA1
c919d7e915ece00970673d47b33ee15645cc67f2

SHA256
5d4e8e8e34cce8edb8e0f579b2e065882073d26d495c54d587de8403f5ee5439

SHA512
83d752ef1c0e1c096f7a7cb3896351569d090b76a1b4d48e2486fb2f91a9acab48283745f0d5a4c7a71adb764299cb78986e9885e50a5c1d4dc209f80ea8a25b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe
Filesize
36KB

MD5
21b1eed5b3e3cce1257c9fe1cb6f8918

SHA1
fee5d30f10f0a8e0d811d0de8377f644c0227e1d

SHA256
2c823dee47bc8e4695a5168996c29b9b7bb6642aeb1fc8ba789bb2779fbcc5e8

SHA512
39975951176a75ed165133e951fe414738773a5458a9082e78aeaf722216a0374bd2464d025c3b318f058f587cdab625909c493d7d74aa58921f18452927df6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e9f3d0fe-ea9d-4742-856f-61871935c733}\0.1.filtertrie.intermediate.txt
Filesize
16B

MD5
3ca3011f4e38623b4705600a69aa6dba

SHA1
c1ac2766ffaecb23ba0158c530a2cf78224f7d1e

SHA256
cbf8524646691cfad7aefd26696b3081a22ea1a844aa7e08a4a7704a3bb029da

SHA512
a8429316de88b734dab9dcb6c4cba188ab17285e61cf1273f2f2a6e6f81b474bf7458558d8f1100d47304b23d6e2acea6124df728cb1e16ae8da8ea20055837c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e9f3d0fe-ea9d-4742-856f-61871935c733}\0.2.filtertrie.intermediate.txt
Filesize
16B

MD5
aa5ae1ce4028ed3da11c54feb6747492

SHA1
96b7ea30ba399d6b9ec7c8476067f5ba4bc57c9c

SHA256
765ea68798b7d4d02ed800c2f6faf6edc2b10e6460b758dcbaa0a27ceb1868c5

SHA512
7fdd096e019d571b8d817ab958d113e7bd8b90b7e09ef4a69a266a7d7a644e574a5e54767de68742489eb7ff783ef22d322bfade02bdd6a9f6d1d27e2a50d5b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596438836529645.txt
Filesize
77KB

MD5
5456fa864302237f7c0d4e9d649c7e3b

SHA1
349c91edf913f242f6c92edb701fc612197f9400

SHA256
2bd5f9586c39ea78fb2c9c270997d0deb8f2b97afc648a8c8f47b0f8a7801dc2

SHA512
ffa1198f107c595d861ca1c42e2937e7fb46289bb439f75e22201e2d160062f42ff7eee27020895237e13b7d698f1055aaea9f9c36f45a23a15f7f320231b732

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596439381468334.txt
Filesize
47KB

MD5
a9b2c10b2fec6c55f9dcbe092401bd56

SHA1
9184846bb272939133e45dc695afdebc6dc55f14

SHA256
77c5d1d586e96ed4d671b8ab7d1a75a6c79f6b15d7b32921dc13ab05e5809257

SHA512
ee29881740eb9843ee02ad1660ec150cca35d5c1cd80af91e1cc5e4a5576ea470daad496f03ccbc923f6d8aa01b0b1f71dcacccd3db82e0368e5b0ee29f45ad6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596445939746610.txt
Filesize
63KB

MD5
f6a4a6cb8cc03ad15eaa0853c9d61e7e

SHA1
df2e5bc28c5c4b6a6ebcaca10c447a7a854377e2

SHA256
39726c32e55e49f4d65fbf20791a623a65e95b7683ec0f1a51ac7d80aba7ae1c

SHA512
98cbce24c4601c83bf1622b0445e5a390d281867353fa3a82df1a15a83c3b0f47d96272cad72a6fe87dfe686b64f171e2eb280ba8c43df535698e332091cf03b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449026566195.txt
Filesize
75KB

MD5
a25f1bf6dd29da4f4c1a467cdacd6f97

SHA1
a89c6de1ceaa97a2802c1d3539507382162757a9

SHA256
ec20c4cd667a53efe5572eeabb09620e9b2c7befa329f3d97843f2e9198b78f9

SHA512
da2db6d55a994bbf65c96f8a42484ff8b4b819e902b6c29c77720c38a80f7410194020a08720d1e1cb05d26faa2b918b36bc6979c8630db0d953b3d4ff117eca

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133646732950585214.txt
Filesize
4KB

MD5
503966cb90f716e708a3248f2ee3ae76

SHA1
bfc9bf92765a8d7877c701cc4c402bcf9635394d

SHA256
8021745edeffd2f162ecae21e401a9f41160ada9c433b341d4bef640cda6f383

SHA512
e56a5caa46fb2a2ba095048f31e0ae33efa46021ae4c2c419024e2a7e389aec887e774ede2d022d4d6683dd06f778ddbe1723f0856bb22eda15b49c8ec44c4ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize
1KB

MD5
aa3df8e64a2dfd6374144933d331ced3

SHA1
31aa7e9ce30bcf353e9db93c72ce860e3e2039c2

SHA256
5e1fbd6aab0f653d456c44d165002d4c56420188c46ec53683de054dc1728ec7

SHA512
9fd049bcdd515e05c44a686c203f0fdec18e37bb951baeabcedc30475a5078fd252953a4c544027f470dc74325e935ff79e0dec7dd655624f4f71c201a0fb205

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
Filesize
1KB

MD5
f23530a9f6702d8e4b9c6740957e7d45

SHA1
790dc16f97b5a77479baa6a20c88d43dc142f112

SHA256
aad9e5c6ec61ea7ef68c260b107d89db9044e3ebac6d084eea32396a94aae378

SHA512
17b2ca978db52fb4e1c57836b7a1bcff86a7dbc96baefbcd0e743b4f04d223c60df66902bec36ee442982550daf5116a2a31880988a80d1695fc0855a4645908

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize
5KB

MD5
70f122cde93d0642213d4cfb84776b0a

SHA1
2f2d7bd76741cb8e29fc7675079c93cb8599cf44

SHA256
d42a6bf1d010c44f4ecc26262787b80c61d36fb0f10131af502f9b64000282a3

SHA512
b51b9c3a604cd986adbffb471878d5295beacedf414fbf88b66e1af30075fb9b6ba07f07baaccec48e05fa3656cd76ba3ef4d9e745e473d53063162c36c2241a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\BackupCertificate.zip
Filesize
1KB

MD5
c81091a43142cf81fdff9158bb09b0d0

SHA1
4e0603273281f7f15a75eafab3d4fdf837428652

SHA256
e9a7c1f8a7f8c3344e40ab0c57bd7dbbe15481bbbe00ed4468180515b79c03e6

SHA512
8686282809e427167d9d29509205b2d902b23b3cc0636f32863745b50bd5932d998d4d69a6e07ae4ddd4213689475cde825787b7d88411fdcd162bbf3711fb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Password\Password_07-05-2024 17;07;02.txt
Filesize
15B

MD5
c4313cb7ce8b07ce11f8db3c409121d1

SHA1
c69a0a3103ddacbfa6a706584784489f6ee93a7f

SHA256
41835d9446130ff27dce1b3710a260adc9806c368640161e8efea833815c25f4

SHA512
ebf21b7e33161a2eec1172066c14ceef6235f85e70884eb97cb06a03915a374963bcc353953e987b659329d771250af13ba433486c39516f19a126fbc061ee29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Recovery\AutoFill.txt
Filesize
213B

MD5
af253b3f98ca2cb6155fddbe1d7ef59a

SHA1
524ab4141c16abaf7408561b77cdf0241269382f

SHA256
0b0fee013adfb00a863956d3c21fd6dfcf5b7ebe5d4c585ac5439381505e13e4

SHA512
41adef9fbbf29c3b46e7ffaf5efffa38c7119c58f306ae8da8f69b6462de1a1069f10ece078354961899efa4d4bf5df5ff2e02c68792a874212ac9eac90a804d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Recovery\BookMark.txt
Filesize
323B

MD5
a2ebe0889b0a985519e9eade02694c6e

SHA1
435ebf82ec544204e4f0f7f343d237c8a42c17c3

SHA256
20aa05ade0f27530dc1ddcf485205af1a9ff9550c43a79804f17686021fe0819

SHA512
daf7aa8dbda5d279e1323bd008488c2b1e6f54661da42111832898555ad940c4be80e6926f38188ae71df993306a6d7ea56bdd2af3eb1e18da51a60b8c42ce6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Recovery\History.txt
Filesize
213B

MD5
8b86c34ada826314848b1847cb078b3c

SHA1
407a1dc237ebf44035c8ee22bbd3c3dd8e5925b0

SHA256
422d548c18f4c6cc4a4a3b68e383edbcfafc961f7ba1c639bfd55474946d9d38

SHA512
b44b69cd893a9d6bff526509b7b4d0589ec630a352ba5892584dc4fb475dde7586e5afe09fe44d8fcea03cd26b3a14cca1c0e3b14d106912bf2b6cbef5fb9188

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Recovery\Password.txt
Filesize
659B

MD5
61e39cd17c25f8e978e0f2863ae33f48

SHA1
d7d80edd329c240c529da0fd082270f852eb9675

SHA256
5acee54af9a2e16e5ca2278d4a91e7bd65411d67cf035974d10e4ed6c8f47a33

SHA512
d1459a9919b1fd11e5ca995d35d6341f289413e4f96aa26bb599fddc68f12511cd13030583fc806313457e0d1e846b211fb2e73834c1f8cf28d2fb0ca1a01304

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\StealData\AnarchyData.zip
Filesize
72KB

MD5
58c219eb176a1302258ac63691d75b54

SHA1
994c79235080ae10273d7affcacbc93aa210113e

SHA256
5d533d3f39788a85e8b233b740d0896f559ba5c36c98c507bed11918bf5f2446

SHA512
c2e5854c556647ea24978b31c861bc46af266d36c50f810c70b90c89669cb87e3f083a9a1f0af6fd04a24543a34f1488d4ac062f869f9b096daca9a65229364e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\StealData\Information about the data.txt
Filesize
1KB

MD5
69d9e3df58cb39b6984e6ab8bce48429

SHA1
3864115dd3a60cf1437ad0440774ff448c253af1

SHA256
cbca551cba1198f01ccb1e174eb43a67bfe5acd75a27e7f70b74d4bf6d51ec6e

SHA512
fd60ca9fc1891dca54955d6b9cccc91c6d99db8cc2a84f6020ec98673a9deee725f09df4b5c9b67a1f0f2f0700cbae10725e2805dbccf817e6dcc35a412880d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarxiya\Usrs.p12
Filesize
1KB

MD5
77be5865f0a2515e94555f730120b9ea

SHA1
e36c2aa6d911a7bb04c39093548c3c13aaab6411

SHA256
3777018b3c3c76926bd3e41957fdd81aa4304ad5f2ebf07d4c35909fd1bcc716

SHA512
a411c026cfa710f69ceef89447b72ed2a3bb759805d1e0d05f3a714ea16076884a41349f2b228a1574348e49b8d6314368ca596d4be9db283e374cc7cc1df53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll
Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240508_121623295.html
Filesize
93KB

MD5
f47640346db64e16935728967cb89444

SHA1
18bd66b9877fe0faa4dbc5ae9d050bf49ba7050d

SHA256
d2d26925464707b63f5f52a3d82b28f9ba92028e5b57750a82589edc63554598

SHA512
d0c59506b8d39c27f0b970e958eb1decfbdd6c93fca8bd6ed5bb25b065008f13ab232504837fa5410aa6739a73b376197c9940f3eb0f709c5b89147dc78446be

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3ed400-d1e84918ad678b08d2a369a3-Latest.log
Filesize
4KB

MD5
de0dac8b16fcffa2b79b71bf3e164a7e

SHA1
d4497d05f396b53b699ddb5d6df5755e3ce6ed34

SHA256
497f39062c469628c8866de472f61f6c2bffada30679a946e10e7dab000dc5ad

SHA512
6b4bc8f2bd04d633a7728e3b90c0d446152acaecaac74773cf38f11b554168caef776467232a6db42b7f80ebe11bb891a34d3c4475d0aa44f0636ad97776257b

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw
Filesize
5.0MB

MD5
45fd33d32709909fa4037810fe722a37

SHA1
47f0e7c4c908f826718ccad23a2c8e3659069a69

SHA256
e07b61a213d562677938e647e4631daf89affdf25f9114df8286866bc39777f0

SHA512
dad4ac7ec1466c3fc75a76b78bf45f6fcd488b67270128b6eb7885b118acec6fcebc49318b53b65fc457ef4994f67abff13b65a150e9235c5ff5f2e302b06ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EBE.tmp.dat
Filesize
100KB

MD5
c857059cab72ba95d6996aa1b2b92e2a

SHA1
ae64ff2cfe5bbaabd607f39b94f1b0ee1fb50aa9

SHA256
ccda1f7632b23805a220d406cece931c4a8624d87eb7724e9783e192999fb2cd

SHA512
2b047d52d4192625778d7589a5de32c6d9d3ad9a8524aa408a0c806f1934c584d46a5d67e34eb6ab47d00d1ac1dd784066e6ecc74861bdbb1c6fbd6fbb7e6878

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3ED1.tmp.dat
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41D3.tmp.dat
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41F7.tmp.dat
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp420A.tmp.dat
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F7D.tmp.bat
Filesize
158B

MD5
14198999271a99ebc15a0d34f3b30ef2

SHA1
1c2143b361ed464cee1a47a1dc15f38a006953bf

SHA256
7d9f448a162bdf5d71fd1da6f6e2d7b64d4ced6fe5d53079c2571f83f5c73a30

SHA512
58b93a32f25983cc03aa111b24f1265666ef4c33aa69e65b1bbc5d7a0b1e40e0da301a5b0cad1457e2c2c3d9190c6d728cd41c176edc6183c6953b17bcdc0c30

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_2xmj5pvpj41jarvrlcfnrvtix1def2yf\4.7.0.0\user.config
Filesize
1KB

MD5
9025b70a7f167dbef4e464ecd25ed0b8

SHA1
a00c686102da3b3fb02c03a84c0fcfd5ee4b2d38

SHA256
42b2c48a0eee8cdcb33bcf897222096e5f9add383da8e64b9302ed4314629070

SHA512
146da32877dbf966014a7d3a40b1f01dd4dd6a5263b51538123ecfc4ffa49e1c2cb43d643fe801c9d095483a09a7b67410432599f3d88c67774549da03e67e03

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_2xmj5pvpj41jarvrlcfnrvtix1def2yf\4.7.0.0\user.config
Filesize
1KB

MD5
b50d838d6e732817391fcffdba9dcbc6

SHA1
31fad1744ca7eda3c79e1d6960e423580cc831b1

SHA256
4436cd1487d042f7bc907491f2cacd09712f9d80edd627d9d5b4bfbfb14ea0f3

SHA512
9c033fd2402a2c91a44c29594dfea445cbac9854f01677aaabb8e91ed908b89b8d8cee2e32bfb9fb0ea4e3a99e591a13c050fdeab0648dfd6954fe2c90b40af9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2539840389-1261165778-1087677076-1000\5d8eee303ee05b169c50f2d5467db810_468f6343-c0e6-4931-9703-30c6539573cb
Filesize
1KB

MD5
6397b3e40a5d5d1c42db3e95d04da1f6

SHA1
b34c2f3cd4b70a7c9640c6a81f2e50d5e94af9ea

SHA256
7973bb6502ba0300da6791f5d8adc5c718cb49f75c69953fa51516ac71d60c45

SHA512
437e08888100f6546f545462701aeca1a32f516bb7a2c0471efab2d1c0002cdb001b8c7370701fd103a08fcda62438e80d927410ec5c946635279161c99e0c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain
Filesize
1024B

MD5
f4dfd7b9c5e87be75287a5ef5b45633e

SHA1
475c8214d3f218cf707fffe8d653e50ca9f356aa

SHA256
23556f6bb76403b3522bdd4ec33d06e6dc3a86bd7523675e9955d88ecf45428c

SHA512
729eab06860f8f2e2b707d6928264e6e8f972df17171cca50348b9de538b9a899c78a794aa31fbcfb42a5c753fa70286d503e143a3bd4e6ec60c97297ee0eb64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain
Filesize
2KB

MD5
abcd9c93b093521efb9f2afc0664d848

SHA1
7df66a2c5331d61fe0126a6402e6d27c9ad27fc7

SHA256
5482090c41ac37afc1bfaa9b143b0b9e5d5f2430d4c1c06cffdc7677aef839fb

SHA512
f3e479d90846d46e9f461bd0d3fd245e0195857767ce81186bae47e61304b609719b9f8633d6a0a45bdfc1dbf37d148cefd80ea8e8dc545de52bdb8aa8f659b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain
Filesize
2KB

MD5
1f0751a2a9db639807d78d44290daf46

SHA1
e083277da3cce9ef51b31ef2e00ea4680214480b

SHA256
31aaa95279e1fe963a4e03599fb95b585930cfe1b3351084d255ac7b80b7b69b

SHA512
36fdab9b99d9b6c845d932ad2388b0909313bca4cd588c6e28ff1fd276c43519b79bd714e954035e82cb6b615ec1f5112bb21ed5fa12bdcca0c47b816b4ffd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
Filesize
14KB

MD5
2257fa8cef64a74c33655bd5f74ef5e5

SHA1
b9f8baf96166f99cb1983563e632e6e69984ad5c

SHA256
ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3

SHA512
7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9

Download Submit
C:\Users\Admin\Desktop\Infected.exe
Filesize
63KB

MD5
eefdc7ed5acfdfbdad5594d2ffc3abe3

SHA1
33a59ef8c4643db169b65632c1a86bf0e90672c8

SHA256
a3c756b36dbf95502081e9ff60c809693dcbb8039e7aebf5e8b20a5e8c98fec8

SHA512
46d280fa1e0ead09d571ac9ab4f3a2f3bc799cacb2677d4d9d120591242dda21e2150933dbe2059793a2cfd43c295c48a530d2ffc5d4f1436186b1ff5c2c32c0

Download Submit
C:\Users\Admin\Desktop\README.txt
Filesize
301KB

MD5
af4587c5e11e2fd2292003618983a1de

SHA1
38ef333a8bed57e77badd8e0251104edc2c40d04

SHA256
2692a6708e5622e79d683ae669a051b97a87913ee1582ac4009518f7756fb473

SHA512
73f3a18aef45572f0c080b2c6cea9babcb020389d976af5190398b8c354ed2d7f3e5167d8798aa7a109e9aeb0fc96038fd85544d3f006db7d37cdb91f07cb586

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk
Filesize
416B

MD5
0962da26ff0751031338565f788dde09

SHA1
094766805b52674c6bbd13e97682bbde0d396a0f

SHA256
f7b79614ddffbc5049e1f614fe4ffb6743b7af2e5c7ffd9f99a800ba089ec4dd

SHA512
5e28e789c8e1e01a127da132967658eec25523fdc3f3cb05a48bfda5f8c314fe8a89d1c219f2a78bbfcf4811fdb841a9095e203f9ff64665c5f13f14d5565635

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/180-12767-0x000002F3789C0000-0x000002F3789E0000-memory.dmp

Filesize
128KB

Download
memory/180-12780-0x000002F3790D0000-0x000002F3790F0000-memory.dmp

Filesize
128KB

Download
memory/180-12759-0x000002F378D00000-0x000002F378D20000-memory.dmp

Filesize
128KB

Download
memory/268-12149-0x0000000003E80000-0x0000000003E81000-memory.dmp

Filesize
4KB

Download
memory/552-12536-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/1416-11930-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2036-12158-0x0000023F68BA0000-0x0000023F68BC0000-memory.dmp

Filesize
128KB

Download
memory/2036-12180-0x0000023F68B60000-0x0000023F68B80000-memory.dmp

Filesize
128KB

Download
memory/2036-12191-0x0000023F68F70000-0x0000023F68F90000-memory.dmp

Filesize
128KB

Download
memory/2036-12154-0x0000023F67C00000-0x0000023F67D00000-memory.dmp

Filesize
1024KB

Download
memory/2036-12155-0x0000023F67C00000-0x0000023F67D00000-memory.dmp

Filesize
1024KB

Download
memory/2036-12153-0x0000023F67C00000-0x0000023F67D00000-memory.dmp

Filesize
1024KB

Download
memory/2284-9-0x000000001F1C0000-0x000000001F7A8000-memory.dmp

Filesize
5.9MB

Download
memory/2284-29-0x0000000023D70000-0x0000000023D7A000-memory.dmp

Filesize
40KB

Download
memory/2284-40-0x0000000025220000-0x000000002533E000-memory.dmp

Filesize
1.1MB

Download
memory/2284-11065-0x000000001EEB0000-0x000000001EEBA000-memory.dmp

Filesize
40KB

Download
memory/2284-38-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-0-0x00007FF982973000-0x00007FF982975000-memory.dmp

Filesize
8KB

Download
memory/2284-1-0x0000000000940000-0x0000000003FDE000-memory.dmp

Filesize
54.6MB

Download
memory/2284-35-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-2-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-34-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-33-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-32-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-531-0x0000000024040000-0x00000000240F2000-memory.dmp

Filesize
712KB

Download
memory/2284-3-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-8-0x000000001EA90000-0x000000001EAA2000-memory.dmp

Filesize
72KB

Download
memory/2284-10-0x000000001F7B0000-0x000000001FB70000-memory.dmp

Filesize
3.8MB

Download
memory/2284-11-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-12-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-13-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-23-0x0000000025A90000-0x0000000025D08000-memory.dmp

Filesize
2.5MB

Download
memory/2284-14-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-15-0x00000000236D0000-0x0000000023922000-memory.dmp

Filesize
2.3MB

Download
memory/2284-16-0x0000000023DA0000-0x0000000023EEE000-memory.dmp

Filesize
1.3MB

Download
memory/2284-17-0x0000000023F30000-0x0000000023F44000-memory.dmp

Filesize
80KB

Download
memory/2284-18-0x00007FF982973000-0x00007FF982975000-memory.dmp

Filesize
8KB

Download
memory/2284-19-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-20-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-21-0x00007FF982970000-0x00007FF983431000-memory.dmp

Filesize
10.8MB

Download
memory/2284-22-0x00000000241D0000-0x00000000241E2000-memory.dmp

Filesize
72KB

Download
memory/2428-77-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/3540-12899-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/3760-11932-0x000001C353C50000-0x000001C353D50000-memory.dmp

Filesize
1024KB

Download
memory/3760-11968-0x000001C3551C0000-0x000001C3551E0000-memory.dmp

Filesize
128KB

Download
memory/3760-11956-0x000001C354E30000-0x000001C354E50000-memory.dmp

Filesize
128KB

Download
memory/3760-11937-0x000001C354E70000-0x000001C354E90000-memory.dmp

Filesize
128KB

Download
memory/3940-412-0x000000001D930000-0x000000001D952000-memory.dmp

Filesize
136KB

Download
memory/3940-932-0x000000001D330000-0x000000001D3E2000-memory.dmp

Filesize
712KB

Download
memory/3940-1168-0x000000001E500000-0x000000001E9CC000-memory.dmp

Filesize
4.8MB

Download
memory/3940-387-0x000000001E3E0000-0x000000001E502000-memory.dmp

Filesize
1.1MB

Download
memory/3940-11643-0x000000001B730000-0x000000001B762000-memory.dmp

Filesize
200KB

Download
memory/3940-11375-0x000000001C060000-0x000000001C090000-memory.dmp

Filesize
192KB

Download
memory/3940-658-0x000000001BFA0000-0x000000001C01A000-memory.dmp

Filesize
488KB

Download
memory/3940-88-0x000000001C420000-0x000000001C496000-memory.dmp

Filesize
472KB

Download
memory/3940-11098-0x000000001B830000-0x000000001B862000-memory.dmp

Filesize
200KB

Download
memory/3940-207-0x000000001C780000-0x000000001C78A000-memory.dmp

Filesize
40KB

Download
memory/3940-92-0x000000001CFA0000-0x000000001D128000-memory.dmp

Filesize
1.5MB

Download
memory/3940-90-0x000000001C5C0000-0x000000001C5DE000-memory.dmp

Filesize
120KB

Download
memory/3940-89-0x0000000002480000-0x00000000024A4000-memory.dmp

Filesize
144KB

Download
memory/4072-12750-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/4280-12918-0x0000023185DB0000-0x0000023185DD0000-memory.dmp

Filesize
128KB

Download
memory/4280-12928-0x00000231863C0000-0x00000231863E0000-memory.dmp

Filesize
128KB

Download
memory/4280-12907-0x0000023185DF0000-0x0000023185E10000-memory.dmp

Filesize
128KB

Download
memory/4280-12902-0x0000023185100000-0x0000023185200000-memory.dmp

Filesize
1024KB

Download
memory/4280-12901-0x0000023185100000-0x0000023185200000-memory.dmp

Filesize
1024KB

Download
memory/4728-12345-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/4880-12553-0x000002216F060000-0x000002216F080000-memory.dmp

Filesize
128KB

Download
memory/4880-12539-0x000002216E100000-0x000002216E200000-memory.dmp

Filesize
1024KB

Download
memory/4880-12565-0x000002216F470000-0x000002216F490000-memory.dmp

Filesize
128KB

Download
memory/4880-12540-0x000002216E100000-0x000002216E200000-memory.dmp

Filesize
1024KB

Download
memory/4880-12543-0x000002216F0A0000-0x000002216F0C0000-memory.dmp

Filesize
128KB

Download
memory/4880-12538-0x000002216E100000-0x000002216E200000-memory.dmp

Filesize
1024KB

Download
memory/5076-12365-0x000001ABF9000000-0x000001ABF9020000-memory.dmp

Filesize
128KB

Download
memory/5076-12347-0x000001ABF8020000-0x000001ABF8120000-memory.dmp

Filesize
1024KB

Download
memory/5076-12352-0x000001ABF9040000-0x000001ABF9060000-memory.dmp

Filesize
128KB

Download
memory/5076-12348-0x000001ABF8020000-0x000001ABF8120000-memory.dmp

Filesize
1024KB

Download
memory/5076-12376-0x000001ABF9410000-0x000001ABF9430000-memory.dmp

Filesize
128KB

Download