Malware Analysis Report

2024-08-06 12:39

Sample ID 240705-vhqbpavbka
Target Anarxiya.rar
SHA256 8074d6085f0629dc715fbf492933cf91ae573051c84aa749d56f88936e8f0ea1
Tags
asyncrat stormkitty stealerium default collection persistence privilege_escalation ransomware rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8074d6085f0629dc715fbf492933cf91ae573051c84aa749d56f88936e8f0ea1

Threat Level: Known bad

The file Anarxiya.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty stealerium default collection persistence privilege_escalation ransomware rat spyware stealer

StormKitty payload

Stormkitty family

Asyncrat family

Stealerium

Stealerium family

AsyncRat

StormKitty

Renames multiple (3112) files with added filename extension

Grants admin privileges

Async RAT payload

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

.NET Reactor proctector

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Enumerates connected drives

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Gathers network information

Suspicious use of SendNotifyMessage

outlook_office_path

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Gathers system information

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Opens file in notepad (likely ransom note)

outlook_win_path

Checks SCSI registry key(s)

Runs net.exe

Enumerates processes with tasklist

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Account Manipulation
T1098
Boot or Logon Autostart Execution
T1547
Active Setup
T1547.014
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Active Setup
T1547.014
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Process Discovery
T1057
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Email Collection
T1114
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-05 16:59

Signatures

Asyncrat family

asyncrat

Stealerium family

stealerium

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 16:59

Reported

2024-07-05 17:15

Platform

win10v2004-20240508-en

Max time kernel

895s

Max time network

923s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe"

Signatures

AsyncRat

rat asyncrat

Stealerium

stealer stealerium

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Grants admin privileges

Renames multiple (3112) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\Infected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\users\admin\desktop\desktop.ini C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured_lg.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-125.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\theme-dark\Settings.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-100.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookPromoTile.scale-200.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square150x150Logo.scale-200.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-36_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp4.scale-125.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_HotelReservation.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Studio.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_24x20.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-24.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\8.jpg C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-125_contrast-black.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-150.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\THMBNAIL.PNG C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-64.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Skull.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-400.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-200.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.scale-125.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-150.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Hero.jpg C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\167.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\7.jpg C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-150_contrast-white.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\2\0\MRUListEx = 020000000100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = 020000000100000000000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\1\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\2\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{AEB66A9E-81CD-4726-93CB-AC2A626996C5} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\2\0\2\NodeSlot = "16" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\Desktop\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\Infected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\NETSTAT.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\cmd.exe
PID 2428 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\System32\cmd.exe
PID 2428 wrote to memory of 4044 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 4044 N/A C:\Users\Admin\Desktop\Infected.exe C:\Windows\system32\cmd.exe
PID 4044 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4044 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1656 wrote to memory of 1076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1656 wrote to memory of 1076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4044 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\restmaPrograms.exe
PID 4044 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\restmaPrograms.exe
PID 3940 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe C:\Windows\SYSTEM32\cmd.exe
PID 3940 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe C:\Windows\SYSTEM32\cmd.exe
PID 4828 wrote to memory of 428 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4828 wrote to memory of 428 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4828 wrote to memory of 3232 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4828 wrote to memory of 3232 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4828 wrote to memory of 336 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4828 wrote to memory of 336 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 3940 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe C:\Windows\SYSTEM32\cmd.exe
PID 3940 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe C:\Windows\SYSTEM32\cmd.exe
PID 3108 wrote to memory of 4944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 3108 wrote to memory of 4944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 3108 wrote to memory of 4248 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3108 wrote to memory of 4248 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 3940 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe C:\Windows\System32\cmd.exe
PID 3940 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe C:\Windows\System32\cmd.exe
PID 1356 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1356 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3940 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe C:\Windows\SYSTEM32\cmd.exe
PID 3940 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Roaming\restmaPrograms.exe C:\Windows\SYSTEM32\cmd.exe
PID 4756 wrote to memory of 3568 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4756 wrote to memory of 3568 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4756 wrote to memory of 3976 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 4756 wrote to memory of 3976 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 4756 wrote to memory of 4128 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4756 wrote to memory of 4128 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4128 wrote to memory of 3228 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4128 wrote to memory of 3228 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4756 wrote to memory of 2512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4756 wrote to memory of 2512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2512 wrote to memory of 4532 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2512 wrote to memory of 4532 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4756 wrote to memory of 4916 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4756 wrote to memory of 4916 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4916 wrote to memory of 3056 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4916 wrote to memory of 3056 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4756 wrote to memory of 220 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4756 wrote to memory of 220 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 220 wrote to memory of 2040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 220 wrote to memory of 2040 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4756 wrote to memory of 4996 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4756 wrote to memory of 4996 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4996 wrote to memory of 3216 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4996 wrote to memory of 3216 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4756 wrote to memory of 688 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4756 wrote to memory of 688 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4756 wrote to memory of 2944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4756 wrote to memory of 2944 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4756 wrote to memory of 3140 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 4756 wrote to memory of 3140 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 4756 wrote to memory of 4336 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 4756 wrote to memory of 4336 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ARP.EXE
PID 4756 wrote to memory of 4364 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE
PID 4756 wrote to memory of 4364 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\NETSTAT.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\restmaPrograms.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe

"C:\Users\Admin\AppData\Local\Temp\Anarxiya\Anarchy Panel.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\Infected.exe

"C:\Users\Admin\Desktop\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "restmaPrograms" /tr '"C:\Users\Admin\AppData\Roaming\restmaPrograms.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F7D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "restmaPrograms" /tr '"C:\Users\Admin\AppData\Roaming\restmaPrograms.exe"'

C:\Users\Admin\AppData\Roaming\restmaPrograms.exe

"C:\Users\Admin\AppData\Roaming\restmaPrograms.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "restmaPrograms" /tr '"C:\Users\Admin\AppData\Local\Temp\restmaPrograms.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "restmaPrograms" /tr '"C:\Users\Admin\AppData\Local\Temp\restmaPrograms.exe"'

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -an

C:\Windows\system32\ipconfig.exe

ipconfig /displaydns

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\explorer.exe

explorer.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
US 8.8.8.8:53 icanhazip.com udp
US 8.8.8.8:53 ip-api.com udp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
US 8.8.8.8:53 i.imgur.com udp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp

Files

memory/2284-0-0x00007FF982973000-0x00007FF982975000-memory.dmp

memory/2284-1-0x0000000000940000-0x0000000003FDE000-memory.dmp

memory/2284-2-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-3-0x00007FF982970000-0x00007FF983431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

MD5 56a504a34d2cfbfc7eaa2b68e34af8ad
SHA1 426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA256 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

memory/2284-8-0x000000001EA90000-0x000000001EAA2000-memory.dmp

memory/2284-9-0x000000001F1C0000-0x000000001F7A8000-memory.dmp

memory/2284-10-0x000000001F7B0000-0x000000001FB70000-memory.dmp

memory/2284-11-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-12-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-13-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-14-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-15-0x00000000236D0000-0x0000000023922000-memory.dmp

memory/2284-16-0x0000000023DA0000-0x0000000023EEE000-memory.dmp

memory/2284-17-0x0000000023F30000-0x0000000023F44000-memory.dmp

memory/2284-18-0x00007FF982973000-0x00007FF982975000-memory.dmp

memory/2284-19-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-20-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-21-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-22-0x00000000241D0000-0x00000000241E2000-memory.dmp

memory/2284-23-0x0000000025A90000-0x0000000025D08000-memory.dmp

memory/2284-29-0x0000000023D70000-0x0000000023D7A000-memory.dmp

memory/2284-32-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-33-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-34-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-35-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-38-0x00007FF982970000-0x00007FF983431000-memory.dmp

memory/2284-40-0x0000000025220000-0x000000002533E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Anarxiya\Usrs.p12

MD5 77be5865f0a2515e94555f730120b9ea
SHA1 e36c2aa6d911a7bb04c39093548c3c13aaab6411
SHA256 3777018b3c3c76926bd3e41957fdd81aa4304ad5f2ebf07d4c35909fd1bcc716
SHA512 a411c026cfa710f69ceef89447b72ed2a3bb759805d1e0d05f3a714ea16076884a41349f2b228a1574348e49b8d6314368ca596d4be9db283e374cc7cc1df53b

C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_2xmj5pvpj41jarvrlcfnrvtix1def2yf\4.7.0.0\user.config

MD5 9025b70a7f167dbef4e464ecd25ed0b8
SHA1 a00c686102da3b3fb02c03a84c0fcfd5ee4b2d38
SHA256 42b2c48a0eee8cdcb33bcf897222096e5f9add383da8e64b9302ed4314629070
SHA512 146da32877dbf966014a7d3a40b1f01dd4dd6a5263b51538123ecfc4ffa49e1c2cb43d643fe801c9d095483a09a7b67410432599f3d88c67774549da03e67e03

C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_2xmj5pvpj41jarvrlcfnrvtix1def2yf\4.7.0.0\user.config

MD5 b50d838d6e732817391fcffdba9dcbc6
SHA1 31fad1744ca7eda3c79e1d6960e423580cc831b1
SHA256 4436cd1487d042f7bc907491f2cacd09712f9d80edd627d9d5b4bfbfb14ea0f3
SHA512 9c033fd2402a2c91a44c29594dfea445cbac9854f01677aaabb8e91ed908b89b8d8cee2e32bfb9fb0ea4e3a99e591a13c050fdeab0648dfd6954fe2c90b40af9

C:\Users\Admin\Desktop\Infected.exe

MD5 eefdc7ed5acfdfbdad5594d2ffc3abe3
SHA1 33a59ef8c4643db169b65632c1a86bf0e90672c8
SHA256 a3c756b36dbf95502081e9ff60c809693dcbb8039e7aebf5e8b20a5e8c98fec8
SHA512 46d280fa1e0ead09d571ac9ab4f3a2f3bc799cacb2677d4d9d120591242dda21e2150933dbe2059793a2cfd43c295c48a530d2ffc5d4f1436186b1ff5c2c32c0

memory/2428-77-0x00000000005A0000-0x00000000005B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9F7D.tmp.bat

MD5 14198999271a99ebc15a0d34f3b30ef2
SHA1 1c2143b361ed464cee1a47a1dc15f38a006953bf
SHA256 7d9f448a162bdf5d71fd1da6f6e2d7b64d4ced6fe5d53079c2571f83f5c73a30
SHA512 58b93a32f25983cc03aa111b24f1265666ef4c33aa69e65b1bbc5d7a0b1e40e0da301a5b0cad1457e2c2c3d9190c6d728cd41c176edc6183c6953b17bcdc0c30

memory/3940-88-0x000000001C420000-0x000000001C496000-memory.dmp

memory/3940-89-0x0000000002480000-0x00000000024A4000-memory.dmp

memory/3940-90-0x000000001C5C0000-0x000000001C5DE000-memory.dmp

memory/3940-92-0x000000001CFA0000-0x000000001D128000-memory.dmp

memory/3940-207-0x000000001C780000-0x000000001C78A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce3ed400-d1e84918ad678b08d2a369a3-Latest.log

MD5 de0dac8b16fcffa2b79b71bf3e164a7e
SHA1 d4497d05f396b53b699ddb5d6df5755e3ce6ed34
SHA256 497f39062c469628c8866de472f61f6c2bffada30679a946e10e7dab000dc5ad
SHA512 6b4bc8f2bd04d633a7728e3b90c0d446152acaecaac74773cf38f11b554168caef776467232a6db42b7f80ebe11bb891a34d3c4475d0aa44f0636ad97776257b

C:\Users\Admin\AppData\Local\38159454fdb13b87134fba9d95f9ff72\Admin@GSAGMHCQ_en-US\System\Process.txt

MD5 cf3d7e7116895886a02bbc14613f4d5b
SHA1 f0c61acde33dda302023947597644d0dcfd89e55
SHA256 d1c0601fdff3f1199d9d9ed5d950174236b182f1f5356d61f1dfb0d63b58fc20
SHA512 5482a5934e3fe486333e66b3f234851c04cf8d6fc44f9530bdcdb82ea2c563cb72db791c1f0e1d61c359656549b6f116b18d34e11abe10f3649008773c47f97d

C:\Users\Admin\AppData\Local\38159454fdb13b87134fba9d95f9ff72\Admin@GSAGMHCQ_en-US\System\Process.txt

MD5 d6e17c67b217f7606659bd3b1b4a3173
SHA1 82537370034a5d7af17bc889975186b4d79fe968
SHA256 4367838d80db1c07546811ebe8499a1922addc145fa6e864643aa78fde4cd092
SHA512 1480a062547a69d1dc89c20110203dce0024d4df95c99fb64d65f02453d203e0c5a8e926f8355f22bf02eb4b75446d07f7eb116abd0ede3250d30943497ce5f2

memory/3940-387-0x000000001E3E0000-0x000000001E502000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3EBE.tmp.dat

MD5 c857059cab72ba95d6996aa1b2b92e2a
SHA1 ae64ff2cfe5bbaabd607f39b94f1b0ee1fb50aa9
SHA256 ccda1f7632b23805a220d406cece931c4a8624d87eb7724e9783e192999fb2cd
SHA512 2b047d52d4192625778d7589a5de32c6d9d3ad9a8524aa408a0c806f1934c584d46a5d67e34eb6ab47d00d1ac1dd784066e6ecc74861bdbb1c6fbd6fbb7e6878

C:\Users\Admin\AppData\Local\Temp\tmp3ED1.tmp.dat

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

memory/3940-412-0x000000001D930000-0x000000001D952000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 45fd33d32709909fa4037810fe722a37
SHA1 47f0e7c4c908f826718ccad23a2c8e3659069a69
SHA256 e07b61a213d562677938e647e4631daf89affdf25f9114df8286866bc39777f0
SHA512 dad4ac7ec1466c3fc75a76b78bf45f6fcd488b67270128b6eb7885b118acec6fcebc49318b53b65fc457ef4994f67abff13b65a150e9235c5ff5f2e302b06ed7

C:\Users\Admin\AppData\Local\Temp\tmp41D3.tmp.dat

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\tmp41F7.tmp.dat

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp420A.tmp.dat

MD5 42c395b8db48b6ce3d34c301d1eba9d5
SHA1 b7cfa3de344814bec105391663c0df4a74310996
SHA256 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA512 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

memory/2284-531-0x0000000024040000-0x00000000240F2000-memory.dmp

memory/3940-658-0x000000001BFA0000-0x000000001C01A000-memory.dmp

memory/3940-932-0x000000001D330000-0x000000001D3E2000-memory.dmp

memory/3940-1168-0x000000001E500000-0x000000001E9CC000-memory.dmp

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 2b99c2a7791bee7a0a6d035ea395ac39
SHA1 a911820205ff7cdc59963dc9e607cbf6a7f058c4
SHA256 a2769ba6e634246944de0a1dbf36502a2a2ba6c190b49dbdb4bee59c7e7e4353
SHA512 92c77d7367ce437582301cb6b0453d0116d1d0a09b9e861571d68e7cdef9774502a80e098bd5ed51e7367958cbf4277aa35fc42fd8173bebca5b9dc48432c977

C:\Program Files\Java\jre-1.8\LICENSE

MD5 ae49cf623125b2baafb2b739bd6307a2
SHA1 361f81d775bf6f1327596d423d55d2c37244e382
SHA256 f73c7ab886ddb15935ebabf4884276459e332446371e659bb2b7d2b490ba360b
SHA512 11c69eb05a21bd73e44d75e27080a0879a08e40aea5d962dc642cce2f11c362da0a5a8e1d1ad5956ecca645c890c98418b5cf9b7ff32e3451863f2d7b38d455f

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 5e582efd8e6ea172f4b62aa2f460a212
SHA1 d059621773988c255ee6f998ba61990049cb9051
SHA256 c98083fa907b2db810859c0bbcce7753fa1466a6e07f3546d46b9357176d7ba2
SHA512 ff55a0ae27381c9e16c3db2c1ac7f222fc05bb81072b5f850b19fdc77f159c4445163e09cb5219f076744efc59b31d506afb248037c78ebe4daeb86d7c51e120

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 ac1f347cf9d35de489a14267750375e1
SHA1 a39a15968846de7fdc27c6304d3c3abb38993ad0
SHA256 3a92ed23821847033b7ef7520e6dc7e325148b2ed8dfe2ebb354b3937ef6afa5
SHA512 6b8a2de68699ed9ad7eeee4e34eeb6138395506a4fc6d294e64faf460042b8d2b1dc65716dfcfad1928dc80af9220c64610fdea676113384b96d5bcd9191183f

C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

MD5 210b94af174e524b281b22d929bd084d
SHA1 45ff0c793c9d8cec3664dc4ac55a386eb26116a5
SHA256 6cf81b2fb5573aee66119526834bbce7970830c60b9c07429284e130ff067071
SHA512 bb0a1976f0973ef5c4d11ae62d6d9acce6b676e065ce73007f8e5d91b01cb8a3e4b68917b9229273e8a45d6f04526a5f672c2189cd4ffcb96015d15274aa4b75

C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

MD5 c6316879246aadfc17bfcecf9d44d745
SHA1 e17a1f15866758936d00853805beb31335c68aac
SHA256 e70e3d1d7c24b7574580dd04f50c2662556ecbfd8e08b83297ed8255e0b6ceec
SHA512 ba0b3cc04dddac0016db6779eb00c59cfc5eb945b34c455f5657deb7070bfae2a0289dc14b75e65b21679dcb07a7e93f4e7f5fb31bfe683d43cd961fbe76ffca

C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

MD5 85ecea67bdd7250268471144087d4e06
SHA1 98ebd4293fe509a195f7d735391d6642582cdb4c
SHA256 858b5ba147b824eba429de88c282f6c0a2e53fbbd7f30e15c8d1a15aab794fe6
SHA512 a8a89b873f2893b9e6687a3106eb1307f36ba653829c10e0adfec19cdaf8f70984f0f194c660589b9a943efa7a590e73a4536f8ec5ddf570e165d73b690894c1

C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

MD5 544eef7488fd981e69a77bac979e40ba
SHA1 e1235b24068575338397a971f13aeab36068a56b
SHA256 b58f04bc2c37cf020ad44316d32a7308c7fcaaa099fe0340fb6d938659f20371
SHA512 81fa89a86801b3cb6113f3b832542cc4321d928b5150f6b8937914f68d39dcc4296893838955c679b753ab84f226d5c79b9e437bb5e1f9b78b8802cf49c1509c

C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

MD5 6abf8cc35546aac1745eef860d65b502
SHA1 36b2900091800ec5181ac4aa700e56b70c412cf5
SHA256 c71a6dc14e508a2fab218409ef983c9c4b0fa39918cedb54b8a07c179d246166
SHA512 b67800e739cc5bd92d481670aa6ab3d7178247a8f4bb5f8ec6f8eec8cfd9d92d3896449bbfddbf3763bd618c4d0b5ae54cf85613a5e8f8943a3c4cfb6761432f

C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

MD5 4fedfb6733f15632a8b61903ace35dd1
SHA1 cdaa46224554401ea418d6001eed407faf2ee1f1
SHA256 6a0227ffaefaec56024c26ed1e19c9a13d2a6c835a0b42d5723eda4d57a7078e
SHA512 3a28d91a815a89e3c6672da6437664fcab4cc0bda27615e1e12655a818228e6e3399c492863f1df6f9ae85e6722d8622fb1ba1a4e71266dfb2dca8080cf29837

C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

MD5 068c09ef1a8570326e435065b0f7aced
SHA1 2a5a9241bd103f0231ca5a8d2bb5620bbeecf1dd
SHA256 81a9f12d339469d3ce8d8e450e0f372c1d552175f2412509bb9168013b2eaf35
SHA512 766cee408145e1335f871bacffbad60caa4823659bc158f076ca5e39a17eb78bdeef81ea090cd0f53cf9c14f7aabe278404e1b2e3bab861516847f11523ccf7b

C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

MD5 d2ca6695c76ee046922a91d98c9382ec
SHA1 773cd49dadbf997357f2f1f5ae5d19e6907fa842
SHA256 812aded26b054a868fe32d04fca22331f5c594afee6418fb7c27a441ffe512d6
SHA512 54405341ec79b7f3a8c40e2293b4f719527948da0c8b6a2f2c67b91b7a04f3da60ce35bee403444c863e4f6ab74e008e83c024902dc27778ebc249b9514dbfa7

C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

MD5 5dafcc2617b9b10e13448f78b7891343
SHA1 4bf1e80d5f38ce9b04f3fe81648fec2dfefbcdde
SHA256 267ac51a5688083348c76006aa78aaa0115120db5e5e77bf5020afdded3365ad
SHA512 a846b6b50c6ec69f869a16ee8c5503889bb88e0c477f63253c6cc8743731db21415f088a856e73527b40b4bcea337c5d901b2d92c1e1d9dc8d5a862deb9b61c9

C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

MD5 9cde5cb3b25d0b1ffdbb53eebd0ea3dc
SHA1 b205d2302ba2ebc2c549ead724d82fbdb5a6701e
SHA256 f82f80eddf9dd26030bad2a1aa6c528be966e4dc57a718a7893d46a2ebb41616
SHA512 4b1c17298e6b2b5a3f915cab2cf38e9466726a3f160f15d5d1217511f24e015100c82edf0b316744a22714e7d1c788f7a1dc6f36471f3a16427490dfc4a87010

C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

MD5 55270cf911965b84d8b85c75ea492ed2
SHA1 71a37998a11aaa52aed1e03fabd3a7a1b3dc745f
SHA256 55280ac089dc5fbd8a88ea47a1d4f20feed93907f5cbbbca9d28b81777cf509f
SHA512 10a9a49fdccfaf535697be4bb6c8f09aeaaeac8de1a43aa311a84aa566691b44902d291f960114c2fc2ca65cb47c9542cab5b1d8c5a153584930527da0249a24

C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

MD5 d40f15e1c1be0a4b904549432dc370ae
SHA1 7de2d04182bd38bed95a002eb4056fdc86ebf118
SHA256 7e88b0090d2fb50202b6f6b379ad1c3ea713fa768b3150ca81fe4a92c33b0652
SHA512 a4b808229b3d0c3e08a8829f8597212de9f4f0abfb719bbba39ca856e1471ad9e8559a99cc77d12e258c57d4665ede68837b69201da9384bc8630ae08b5439e0

C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

MD5 69bfe6c0adea002b2d76fa24f1f38b38
SHA1 3303a8a8cd338a150942f83ab40d62a3831fb1aa
SHA256 137a9a3dd9845635398b2005fcd3b3e9c3206698db83a220bcb51d105651bbf9
SHA512 891f46f321519962df68cf01e1c776bd55ce2e04c82dc4fde47d3cc645d16cae6bb08e0addb5ffabe5e69996169ea5bcf020c5d4c34c18f05f0b810351413e9f

C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

MD5 ab31f658997f82419824abb8806f0cfd
SHA1 cc8f9a087eceb5a8283a9db636d0333b566310d8
SHA256 7a57eb6e152bcc1f8a10ba2119555bf9d2a148dde8683a1f2c41e4d6bae3b7b0
SHA512 a8e0d30e37526212ae406d4a9d6588560a87998f45df978ed00c44de7e1e228e5663308697c2804357d432bb2146a2ea0bf9f8f0e8cc7282fc4d4836acd7a7a4

C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

MD5 c4fd8fb0a969990051bb60f5b40bc413
SHA1 2cab4a4f0bc4812962f9a0c8581aaebee6b7a67f
SHA256 d6da7c02e368d1f49ab33aa1870126f72e57cf3b9a497c8b33e9cd9d056a46b2
SHA512 62ad820b2f52e0e37465f9131f5caa9dd3ae8845f18cb7577553642e36c89850801b799de5adf74620a1c0995762a9bfc4c2afaca5dd782d90431247750f2865

C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

MD5 36efdd02fbca6832403df3c91dd23a21
SHA1 585d8cd399e47009d4f704854fd5260202561378
SHA256 2e77672bc316ca644a0fce6b74ed54c42d5ea4abe4a41acc5eb4dbcf935daefb
SHA512 ba3fa3c1e0f04c83a161fbb9346273aeb2a855b3aa7a3b663f74151ed3f5bcfe2452bbefdadc26a333d54b21c32aa1933d18c3b53fd05637b6721ab3f9ec5aa3

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

MD5 83d80376dbca35f4fafe5e311c175027
SHA1 cc4ff8c35574f1f255fddb55735da09d41e534e0
SHA256 067ed072c888df2cad4ca97df30fc878f3a9d7e38a72922fabe0d7ddc2fb378f
SHA512 3d36b9a0d58da4985e69794403b4b0f3ce2e91f4c93acd95f1124c593e5fdb4bb2cdb649798ed243d564e89b0e760c03b33e2fa10e0cc649181c03067c24aaff

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

MD5 c43cfd31cc9e322d022f305932ea55da
SHA1 288005f4be660770fa525eae4f4d477d1c21d66c
SHA256 ea6dc7debfedb9cd0851a636463fe6787bb33535a21f92b97c68003ede31b725
SHA512 d18b547a1b2e333e18a446455ba357bf902d4a016c25cb2e2666d2dd331824527d260aa05d9736df7721dc317ec7057ffee61aabfcdae7e36f597a2ae7e03e5b

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

MD5 d99ca2ef6c3c24d56d35e9ea8415c11d
SHA1 b67986f3ab66a5e72819ddbe47dc9d21a14a7aec
SHA256 1b61b7fcab512839f235ae95718d350b04dfe064fe08fe4d6f065a4024a96c6a
SHA512 585dae704ee60830b01afbaf21d03848a08b47a1a2882b24772ebd915b14b6627f5514a2956f7e30e18f4cff0a2db134ff16fc8670111f0849b3566a548ab1ef

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

MD5 c63ce3ba281058c5c4a1a233a60105fd
SHA1 3b06ebd21399778dc7b7cf6bcf5440ac2490f84e
SHA256 e8a3dd3a2187f7193c7fdee3bb5467dffa34daee665582a1ea98e1da42bb2679
SHA512 b8580c6853dafccbace6785631de5a50059414a6f2874a148b980d6e20207c861ccfa5f1eb90eaa3d9a3b8e2ee5936f481977c068e6908cd7510697424d29e41

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

MD5 a597914a50399372cabdb58d99ffbc8a
SHA1 882286e25551bfe001972e5b724f0f04d555ff29
SHA256 90ac8b362652459d3d7f166d29c48a9cb99c32b4593d0011850b9f5d49f1f819
SHA512 a97cc223245d1932dab60f4d7fa589034f748034e4791f9fe895b8975abfc567c86485174a972ec30ff6c8bbf73904b6359d6565ed2d6646ba5a13b462aabbcd

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

MD5 35fcf7699724d9f7a0054cfbf2143fbb
SHA1 2e14561c13d08d699bb3977a00f05a4d3ff71161
SHA256 1f4a908bf849c096eeb417843a2940bdc0bd728d1599f9acb2f3eaecacde4a8b
SHA512 c11cd2be5a93a067e78ddd1d0e7fdbf0bca621da8d3f954c9db46b1c3e0c4c829c6e3a91d1e9f532d8cb241cbc9a308fe60c479ab26e34d0ea37c1d249164d67

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

MD5 0f5689d6a1c8421188a8e6f8e979c1f3
SHA1 64b8e1e0e77e91bea8f292a10da2c54238d929f3
SHA256 34c4daa20476b8f8c1cbac2f3e7341c9ac396f2ece9b5409d22b4e098136a914
SHA512 cdda6ea471f66e9db266acf1a6b81d4e5bef2dc2472f3a5b4f53f193aa3b5f97dbb5cfbf03f9acc83b6303c72d58e832014d70ed0241de69fc01e95038dd2fb6

C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

MD5 440cef445a0e12981b934ff44a2067af
SHA1 d0a72bd0b910ef9022df7e217e21031819d0efa2
SHA256 c8ec2ad875f897cacd6e86b9adbe0bdeff98d7a419b3d063843f41e0841f1189
SHA512 ec46440fe85aefa8b74a73f669db3be6c7b27a629e59ca2e7177fde68e06c2de7cbe9940c95bb0a95c785686129adcf144ac5736cb56a9943dfc88c7ba637065

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

MD5 8f0435b15b899217f3aa3aabc8561023
SHA1 b4f8d89522f3a37bf2d2139b6be76f78c84fa01d
SHA256 c72446fffdc1ad34fb057c673bd6b609ce7980d4a589d5d2cb1bca92c142285b
SHA512 39db9078801e561b67d001fd999d111824addac0d6be0441daa7fc33e55b65537b2427dbb3b6075db41eb08bc08a5d6238f544173279061d35731c976ce12fb6

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

MD5 444612e7000620431bd4b2816497fbaa
SHA1 06adec4b55a45ef5b3f092ba8312549351389328
SHA256 bfe9ac989372d29ea43be204cd3e8c85e248604986fefb889b20ce5b77d61edc
SHA512 802dc4253a4289f3c1d7304b5a0d301822a61d8974784e2ba5e9397d02ec070605c207b3367e896493c17f4623a89e79e2518c3560a5f52efd472db06d5e68da

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

MD5 1c2c9dd533122239fff7592ccd091493
SHA1 557116167554fd1a534bc1f6681ec515fd287449
SHA256 1a412f4b9b6ce9573d43487620d129d0382052557eadc728cc2f66446d84c9b4
SHA512 bd74544e9982e7bfd414b3529e1c59a9fd68fbb1724e087ccdba6f0d2741bd6728dd6bf8d79128868f06d24b1573bbc0bd58249e73ac5b65968f5d2319f76c16

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

MD5 094612cd16ff32a923ff315e9b37c709
SHA1 74785bf5b72c1b9424fb51a74c39db412b28e333
SHA256 76bade6ea9f0d65e03a7d2f881331df7bef99cb8a583219df8ba0e0634151b2a
SHA512 c913647163fc23d7a4b74e005a7a0a1e349d2b20857e710a89adf162f60aa7cd6e9901eba5a49287e4ff2cc82c9cf56ef2f82add83c5a958ee0da5d53d329e83

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

MD5 f54f2b98834759c645045626d9580947
SHA1 244546194dc06f35b4c1815f5d8a563ff73f1111
SHA256 f92cfabdd2c51333f87b2e0b1963fb594e15ff5b2242e100a2aefa7296616ce2
SHA512 8adc6be48f8ab0016746996a427c6ac77dbc5d01654ffb88e84536a5dbef95594cef348aacbabc73e98c760cd1be7f640ae7acb8bbb3cae0a2b53c388b4d659a

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

MD5 222e3ca391e6e04e8d6a76e3e77e5795
SHA1 3d36468222cf29484884aacb4631f337ce11b19f
SHA256 ee866a24919ead590c701c5a5b886d432730008985038c64990f2b46cda31862
SHA512 da464214b36801d970889c4945e88e686ff5de5732ecca72b166470016edcfb60db4e0d46436159b2da706ae373dbd305b05046bb9ef91a0578bc82ac0619142

C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

MD5 afd082d096a883a7a2837d25116d7c9f
SHA1 046c2ac572d78212ad91aab1486bde63b94ee95d
SHA256 c45a49833bc76b769accab111aaf45979e949fefad1cc9d7c364b00e6f20b91b
SHA512 ac1fc40204dd61cbc4560db8efaa195e7356ea2d39f187b8ba544a2c651230ccfe03d761a337612bc2413b5575631f04d0e5ee35c0ec77eaac9a9bdb629a5215

C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

MD5 8ae494cd0dc76eab3fb5e684333f5b87
SHA1 dd198fbab4db62e6060a17a29b47e410baad1a00
SHA256 40e7d46ad178b48f30b23e1f3a63b8d3758d45a017719503b66cce1e2d631b62
SHA512 2f842e2f5c4ab464c56b6ce90cef440cfe48551f37e1084976963b7a2d03c47e4cbdb5b98e93477d169893d6ec335859bc9c1063c740d2c2a0656de549c87ecf

C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

MD5 87e00769dd94c5b049227fb038a74358
SHA1 df507cddcf705cbe7b51595cb44b0efbfbf0eff6
SHA256 6e7910e881848f84bdb99d02aadda2b9425bc94d4b46b11e97ec29237229dac2
SHA512 971a857423b1c7c7671e3bfb8e66a4050bfb3fe2f5527036fe160caa49c85c366e9e7250b1905ed8db8d5aa2cc8e8d261c15dd925a8b1f76a99dc9145a8eed28

C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

MD5 74c8a66c29530c15e1787239fb23e466
SHA1 99041a5bf5fe8879c4e1fc35cfbf8bdd329e2448
SHA256 5d2d168732a521581a4c33019d18439675f7f99aa3a3d0e183dee96692caac6b
SHA512 4d3e58d63545c8cda4966e02adae14bb7e2c04a4bb31943507c9205c03823e9ae9895044009cb6e3a1494d2f624c75ff2e087d271a8bb0ba50eac0af3f9ac415

C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

MD5 5a3098b267a7a778de81b926dbcceca0
SHA1 1d51df177307cf2fac96889cd42f8c3388fc3bcd
SHA256 0400c81280199378c24dc9aa5c5bf313fbd6a1e53d7e53b97cb822217583c1a9
SHA512 4a0c03fb77917000e05e5ca1ffd1c77b7b1fbc3a7bc91f3866e4ab1519af82d6782a9fafbb01ac14cc7c8d04a928bf9d9d6b70ca0581b2f41576a6dc12987d84

C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

MD5 fc51c65eee657c4bd5c236620510a47a
SHA1 92020e29933e9d4e8b1cee83009613c5f66dcad3
SHA256 224df0f33f1dbb5d9cfb8e4320b53393fa706910cec1c72dffb40cec97dd2dfc
SHA512 25ed70b4f5eb9b2001fb86b3a6d8b2e02a38cbc4ec71eab9ff9d2fcf0c3d048e5b080d9016caa41beff43d3f06115fcddb75224314ec0f9c8d6435cb13d321e9

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 547d46d4ae5660de4840428e3e2bac1d
SHA1 15c28ac7a4ae1faaa9e92a14a4baeb2709dda2b1
SHA256 6cc99d4abaadfb4aa2df78079ae2513d48c23b083ae0feb8b6b4d468748053a7
SHA512 8c6c21ef600adfc12d967dca7b5b8ee18569749123df00179d1760b059aa13294c663c148747dca050f77bb6ef79509de7295499fc968d0aaae1dd68e978ef61

C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

MD5 61b303f97389228b0c4f15bb8a74a9da
SHA1 9e0320d912f72b57bb688ee005b574c267aa7d5f
SHA256 ec2247bf059a6ff5f7e33f7528badbfc9455581d47542b8b5c923b381d8b53db
SHA512 5b07f46e3b3bf10ea8f089431f135686af8d658f6d2221543e318b34e03de67fed8a72b72ee26a5509fce4ddeea4a010824c2431428aaf60b62143b6daa155c7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

MD5 c7b38fc9fabf1b9e05595ab22c8a1138
SHA1 d5a6257b2d068931cf7f726f57b007e5092e7440
SHA256 1fc1fff89574629d2958cbac19fd76ba45729aa4d6a8d2dd2796b40d4ca7156b
SHA512 7ce3fd3095a53b6bb9fc1ba8e2fce1f2f2fb21332d096fb4afcfd8a2052febe9cfbc4a202c01d16b8bb9c9110c646fc13e224543549ce9111eedbe15fbc27e76

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png

MD5 d0c4afc5d0e7bd7bd6e0aede8e5c7655
SHA1 a95b1eef621ed4b3c16d04bfe50f760325bc4b37
SHA256 6bca18142733e9a032bdbc77a5da3c2bf1fa4429372d0db221a52552bfea1d70
SHA512 05359007432945ec3c6bbf78a7a1e419b4e25efb47bd32cf0bae8cf21f71a26a82ea8d9dfffe12ce28628ba703369b88eb3c5fc8d81bd6afcd70ce721523b3f3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png

MD5 aec9af6f8903f2803dc1d560f9646a34
SHA1 79db5c25444784e32b55810f6130577a6cc91627
SHA256 3e5398933862071666912678272e3ab2506f94cb1c0d2a340ea09e8f3948faab
SHA512 edd0aee2b47c3d83747997c4afeda298c6ef02278ee61270e9dbcafeb8caf6701255e4bbb39f879616c2194dda8847241b927719cc186f320ca0a52522eb48d6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

MD5 4ab735d3646da8af64007cb0629c8e64
SHA1 902b22d9b875e0555bde23c297a807cec79df244
SHA256 2abb1360800daf58b69a91e87e8e03b577873b227ceb2a935aea4ecac1c37a6c
SHA512 917c017ce96b155be60666614ffd766699e033c5f64c650f3cb92bc8a3b5f2cf58c419e43a3f96e49631e57d022a8a6de8e4429582873b17443ba9be16592864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

MD5 8d184a7f4b6d23474a4effadbe462b53
SHA1 eedb794404731973fbdc2e03f921ae9f4a947008
SHA256 46182cc4c23d404d2432f4e90f4a17041a90a9a9c4cb6fffc847a5f56b08d205
SHA512 739d88fa3a51c3c1c0ef1a51ffa08e28e2f1b223246eb54dab0a2b6bfd8e16b0e953c75ecc177657935b84c0f43e1cee45b0a24eb1059d9f0328f3ddb3161437

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png

MD5 a79392b000347de511975b96ced826a5
SHA1 2eb9fb27926eedeeb5a4c5c21acd0c4775e22e58
SHA256 b15d8ef9dc6aacfc7692dae0edfd0bdb5ccb5d5a8c01c17cf8be94f4b6db31c2
SHA512 8b089bfeaab4a614a5c65d9759f84a08df03ffadd453306f75bf22df14b1939b4a95090445280cc8f5caa50a805d264eed68e9fef84a8e3c40f6cdcaab4c9c7d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png

MD5 383aac362d2e3ddd1ec23ae2c78bd9e8
SHA1 5ad6e0cd3636f11182ef9bb41a9dc187dcea10bd
SHA256 9bf1856a8c5630b906805aa475ead48f1219630147a23c5322b84706a5e0bb5a
SHA512 b50035301334840921f4bc78f4cfe5552313b2896127e2365482468bdf9b7d9dbc125c928ab638669a65ce45c30bfebe239b7b6901ace9986ae85f9e1feba10a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png

MD5 87349f8afb30e15d265ffb82df94fb41
SHA1 ca40459e9864b1df033abf0f9d3aaf877f6e7d99
SHA256 8e5e3792a4c545faa210bb0e98d42e6344450c5696028900b884503ec1461ec2
SHA512 9463cd03a8e09b5a010d1069113547c966da86fdc65f69566d3d4bc3291aff72f0a5fe91acf28ee399ba887cdc1e424e9dddc88a2d8c8181e635bf566e242d3e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

MD5 1664ab9b04d49ed2b5753cf7ea654f71
SHA1 7b7efc1ad0dc30e4478ce08bd95f3b59def28bcd
SHA256 ba6693991bf1d10c67d48841a952936b3ad60a9ff9cc7d28a1b65ae8f74e4185
SHA512 07f3ce8bf950a73585090f68cefacdf46615c8ab468304d012ae183d4a6975f0b6ef4a495fe9ff6281b3ee187c313dc95291cf5b070957f7a4a03a6cf9c482b2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png

MD5 23d663e317be4becaff6f67ce4ece83b
SHA1 7ec6fd3939fc993595982600a85fc4d7432e82d3
SHA256 36e2f05eeac0305919c6106032c4b2ec7f62b36c2fb29c458c56158840025340
SHA512 0ea32b6d101137c59ec5b352e89d40f0b1e73362a624fced457eca69ff96c50fe534e6f3b82e2190f88efdbb2ff572f83fda500f865bd724c179ec7a6ac4e273

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png

MD5 f671911a9e3ee9a1f94f1e162a05c293
SHA1 a863b0dc3fbb0914c5a66b2cde877e9a0bea1e15
SHA256 c8c31379426cc32ea035d361dee3347685f8de8ec1d6b3060b6ae57481e9d024
SHA512 04b6d9e631ec32e841c15c0081ec8997cb4598174a60e097ab3cca4b2829b1b7563a69d3824476cb6be43cc418da941e2e4488e0bd57454e07f759be6fea831a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png

MD5 f85b51bf950bd3d9b7e62689c87d0cf8
SHA1 24ae6d3bec2ca5c2185a600ea12abf17c1107c40
SHA256 0150ae86e07dbd3fb03b4c8e2bfc1f83bf03092599ddcd7d57d4c652e39cc5a0
SHA512 ab47f4827c09543a889ec49b76379a9ae565864959e9933684e33f2852457a1a6d4e537e4a0b71366e6dabc93954ebaf77e865b4ad054618ac18b9aee02e7354

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png

MD5 8f360ee726883dc9ce0fb850414a6f1c
SHA1 dcd726e6769991fa094265491cce9a2e5938c7bc
SHA256 2cf8975945427da426ebae59f7df36d7f4aca271c04d25273429323dbedc429d
SHA512 7e2fa2fe7a32da8459a05c8f5db9350ce2bc212411b23a208128c84ae1fd7b456dd9d7f3f4d79816273161890ce43b77c1d5ec5f94524d7f9ea8b8751576fdf0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png

MD5 0a779ca586b93ec7a2cac384e1f1d1b6
SHA1 a4047dcccc88ea3cd622f5e81452d040ba0a7077
SHA256 5a1f9eaf11371b07f2f5687e01f5a99c81e2910e69538dd62169f0784dd9e469
SHA512 b26d284be07a83ff28119e2e5820881e4f44c32402da5ed63e21c6bbc2111342aab4b9ac59d7d9c9a65f3feee177b9de59f854bb0bec63d62f5636dd4fc05ec1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif

MD5 fa0c0cc1c4ad80242895ec984af9ff7b
SHA1 2d6cf3a3fb7914a1a70fc6ddcdbaef0466880877
SHA256 a6379299f096b4c02c1ccb5ed2e805d6cc1f36e82aa2efd7797ed33898d7d2d6
SHA512 120e2bee6e5415a3a035aed1194f4462d5fe69166a588340b696cbcf70a3e9b809368f1a07638ed2f20faa7665ff495652ab912cff7fdcef14f57ea34c4de3b4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png

MD5 c84becc4c19b19c3a274fb4241a575cf
SHA1 b04a871905fc6acd9a668b76ddedce4c4a0366fe
SHA256 e65bed5ba5fcc0095e3a0f30e89caade42540034669c5d683477b5f22897da6a
SHA512 49ef441d5ddc70eb483e3187555a6b4d99c5f45059ed17617ad934cb98ccb3d397270ae1adb90125055923c6f9eea5baaa7e73034af50d28502f2c457d940f0f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png

MD5 25ef0bda55f85f81fcfbddd7b2940ea3
SHA1 b21a8105370684905bec52a7677c493a66bec8e4
SHA256 9ba50b9dc53d462cfd91398314ff9706d03edf5087cca509b862ccf9d0e5b3c2
SHA512 ac95dd521afc4c5516829433474616bf9b4eb9a4db1bec53fe29fb506b201ab122edd939bef9efa217ecabb620c74d8cb29e5725ba67e267ba31e3d679845f7a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png

MD5 04abf97464cd2b5facc14595ae09d62b
SHA1 4f900cb0091f2373799b5a29e75b245876fe2a47
SHA256 725849ce64237858ab5bba9054cb7f3e0c38e3bbf223a3f1dee5dfd51542e69e
SHA512 0f0e858aeaf58cd47e1082288a7bb0f80984f815529dbb62f4fac6e90c7d70f000a6010c224229c656da8f42b7ac96af0003cd26817f5bec6ecc1f5a2429d6f6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png

MD5 472d3ca1daf6dbabc5dc3284c2acf1fc
SHA1 0147535dec824a19f0652528956aceccd20c3f52
SHA256 3024de11a764f7dfb8e5f4ac26e6d84db5da5055707b54c3bf1355f9e9358f34
SHA512 cecf2c3a3f0862f070d0ee474e0d8075d4c9c229279f1946bcc1b9ed5be0e008b24342fa30c22265a342a278d7229be5ec688647bd078a4601736e95cedfe02d

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png

MD5 6067b80231914c04db3764410a027a3e
SHA1 28dba1b9526685f1ee08d9966cacff7be1b2f738
SHA256 fba2844ff727daeb8a76c0c28e7b58b615aa93a85f890629da5bd477894b84e8
SHA512 078368635c2c82fb791e1a7e9dc20d75005a370dccbf4fe5dcf66413c48e8efb7f63496c2c2d07819b0db45c4a98d06ee8d6eb586b435cafd8cff3b4e666fb34

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png

MD5 0f6793b56719df9e762a6d80d019cbfc
SHA1 3314f250f0d1908786280eed708c2701253a7462
SHA256 4d11f99c8ce4435d63da967ff0cd88fd2de0a2ba6e214e7286a22aed7d955497
SHA512 41ccd29e184f08713bf0cc1136043e873d0083179c5043085b7e1ab9c26eed28d3727a404405f0d42a56e45d4170a4df456218cd08343337cf1419ff4a254fe0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png

MD5 15421b97e0ea6a99fdccfcae0e7a71c5
SHA1 85eb911088be23814ff568653bd96bc8adb5a568
SHA256 19833f564cfcd1b6e273c034fc81ab061911c4c5a813759b709e4750887e4056
SHA512 ecbbfa20ddc20afd9c9b6bb37789097da0d23dce4792e9b2d238cb8057e2067a4bf599354da4e6f8412058fb30666de15427b228388518766e448505a144b1c7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif

MD5 942d73a80a4f6ffb0f5b1dab7be057a7
SHA1 1acd97e25742a8e003433f0f5d1a2b5e2a18e519
SHA256 0d7cf423e4395589b422aa84531a8522136a8df79156deaeb2a82b16d0c6ded5
SHA512 ba2dfdf0aa094986d3c3dec7373fa92032a150d9d804895f7e61949ed61eeb02fb8a79899199a13be9f227c9125237e8cb0359538f1f67cf6be19d0503df6969

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png

MD5 8fc25886edf24d99524dad2d1bd835da
SHA1 4a56fdf711682ca69414980e3a478e565f488e78
SHA256 cacc62bcc351c1e05e2af666bfe98ef9046ab2a8001cf1b4383c63951f1d7d33
SHA512 ff6fbb014f52f1e07284c30bda34cd5cc62362221dd48a28d95d8fd8c798e9629ec50839ae30d30baf5c53fe0a54d9a75dde51d3451a8ee042047f5409efb07a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png

MD5 90aba3beb01732df8dc1e7f576f97c0e
SHA1 b8acf0f5fbf29836675ea9470f150ab822a168fb
SHA256 db5abf7577a64f68b88ccca5fbd539345c1cf8b90f6125b5c9ee09dbefb893a3
SHA512 4918a18040b6616bcb5543c37aadbef57227e13cad159e44d45f6f14c8cbb52da80de4d46b94c7bb6e4950c203026e5465f540b46459fe84951baa09b3ab2bfb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png

MD5 5d4da1e4db89e9fc7618d07ebe44015d
SHA1 3e662614b59996a24bfe79d38dd2f9dd543a39d5
SHA256 41ecf7ad25bc82c5dc217e60dc871e56a71df93794055d199e7eba0d28c8de0d
SHA512 e477137ad9c3b3d68e1f85e045cb9cd2b7633d65a80907e93ddd31b0265ca372d5f6195e743341ba124be92ae3020b5a1b45b07ff4fcc9eee9e1d0a405e0d821

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png

MD5 e7cae634a60bd77233ad742f1350d0d2
SHA1 b16946cd3ff338ee8d142212dc3d1c14231c5f6b
SHA256 a6ff428687b6a652a38c59253694564b6559188b51e348f893a8a0ab532cf314
SHA512 cb17081a22201f2643c2b7e0dd52d214aa7f09a829efe31f74b35d25b86ea48d13ab58238ccd36fb9f0dd91ef047da50d6aad658e0620051b07269d72c994f1c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png

MD5 f3f31558e744dcc25cb1cc3013785991
SHA1 02c12d37c798aebd21ade2bdefec0c69a333136f
SHA256 490c4d4b26cbae7379a2ed17b468852adb9d2302ecd289831396f6e1838fbf6c
SHA512 f63317ecf2777afe24c12aaf603852bb92864c59674b1fc0d9de59291df1d21a2229095f8ff5f5afc7263a393601e4fd4f1a508f8853b9e936956d8ab2b6315a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png

MD5 52ad077430aa1c3a5a54dc8d9cdf007e
SHA1 ff85b489fbeff5d09fe9b262b51501bc5508be8e
SHA256 599169a9a7e9bcb0c4122e422727f16173b150620fcdfa30cbaefd9d892f535e
SHA512 e7c06004778e91aedba7fbf647ac2a88cb22c4a04d03b6fb67a1704647e1dee65bcfe1c2f5c70e6a94696b669874e0f00a2cf0baca9cd43cf84e166fd64495e6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png

MD5 a30900fb034dc3cd7f225fcdca4f431e
SHA1 09a9d389f17bf723744a55b5205c0f558e437c42
SHA256 aa5d1d1ac1b42345cd8fcbc42444f1a77709104f4d24fd733665c7c43b3bb772
SHA512 0aed00741b0b5a701f5b9000bf15fa115f7963dff3b4ccee4a55201478514e9285fc10f56d258b54725987be1ebab4b3df61ef17976cea590203ead907305e90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png

MD5 d1196072ac1d99f991d8a3e6ea396094
SHA1 776a0e46c621db254e9783de239b31f721a3467c
SHA256 34a79355264468181036e8dbd361bc7907d90b012376175aa60ce54d89720f3e
SHA512 6ae624c118e38f825695cee6742bab734efc6954669abcdae6141b4df6d489241375239745a67279b528701337ed55ab51650231222ad944e97cd8336b924adc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png

MD5 27675241e71df0923b8d1fef38fb3f7c
SHA1 48480d24ee95c269aa6b5124de98678211afc5d6
SHA256 365a381b4fe8536aee7a9ce9f6768b21a90ab50bfff852c49e66cf560ea3a683
SHA512 ffce717432eb555f4f9bc1bc587432c96df3a33dd020a231a7217c703509bbd2c5b74341ace7834f1ad635f2644ba207215522d6767b84425bb4bf68f5c60d7e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png

MD5 03fc2c9562f0e116e0bf710947fbf552
SHA1 2da1e633e2d584b8829ada65cbddd41f3e9982a6
SHA256 206eb684460e532e10eb8dbe67f06295483323e5ace4a71f58576f548f558f5b
SHA512 a04d4c74294bac386bfcc9499aa9338872b790eeaa9a5149c78c27a74af883ea8eac482f4e8e29eb45e7119e6fd8420e9c3756edd7384fc0f8577e23fd0078f1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png

MD5 cf7d7994c07b6a90213ee8bf53c2937f
SHA1 ce277702d6e9f16116a828c580c14a24c6c2444e
SHA256 3aaeff89d8a15bfcd346de4790e451e942ae7d9553ee597db82051e83397304f
SHA512 04a3e5f628b975ec5d08f082e403271b8fe19b787bacd7403a3b60a8a62bad3ac7e94eb21e81fc815b3b872f6ab402647d61c10378d95b575f75ec97570d5719

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif

MD5 a9b3f3ebf512ef03858134bceaedf4f9
SHA1 1b52c68d3c7a04315537ee22ac9f64748bce1571
SHA256 936db524a8de4c2a8dd990c9b3851359db02b568c1d60e8b5f276b486351527d
SHA512 fa00aef67493e63b9c4edbe7b7a69965de1ad71da9d5c4288f78a3dbd78f1c0ef4018f14ef80831fe4dbad17e8039ff6b59d1bd2bb6eb215e735873d5aa03a90

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png

MD5 4003ed751879d435c34754e7f016c672
SHA1 28528eef63ae6258988b5635b2b3ff87a272b94a
SHA256 3191f8d23b56b9f80a2b2c37f438552e0fe7762be9f7eab8d5696119dadbb85f
SHA512 ad6bdb753b54a32ff17eab752eb7fd149927d1e85a4cc1ce95a7ccf14fa0b7c0fea199f6383217ca8389e015b64f21157181679bfd37594a5802b831eb0492e4

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png

MD5 19f4fb6266fda1cf232943fe52e0fc08
SHA1 6f53321e967307f7324aa05909af95f338974bd7
SHA256 4d6dee984de296affd6f11a5aa0ba283a7e45e5a85aaf65b1891aabb1704d1a1
SHA512 55d2d71146c7c468f52d15c027834602bca889267fae3ae386b9d89c18ddce933d3d43175fa8172239f0d7aedbdb24f5986f3dcdc799439f9e806e8c9d195aa1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png

MD5 a03f091ce3b38c81ee13c6cd2cfdef2d
SHA1 83e580fd12484f8f4394c210789b3010fe7fa371
SHA256 0a5d676fd3bec5eaa6dd33263eda343a277490d6521b80177d30e3be015aa043
SHA512 cbf37224ba49c7c3cd33f8a07ea44d275f1d6df21c82c839722c64ce5666d7a1f9197ad4aae0a1f079654f191eddb1d565627907bdc172df13c7cb6307a276aa

C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

MD5 ea803ecbe22fdeac3b67b601b384b4ba
SHA1 3ff0931ba92a90a548fee4bd15b4631d14de0cf7
SHA256 53a5642b3fee14a6bc6d3eb033768485d5e896e52f43d50622c1788036614c97
SHA512 35be0b381b8b26831abaedf08b634e14ecd5e4f6665812a79f4f7157b6077e65d1011b125dc2f8858d1e3e1c8c02e1366c801bbb3db56e9cb0364c52ce4321af

C:\ProgramData\Microsoft\Diagnosis\parse.dat

MD5 04b7f35e9d51f3c9e74f47a84aab1ed5
SHA1 25bca554fa9cd3cb487223cd39853df3fccadaa3
SHA256 efc2566459e13d16b2552dd67778e67bd2d5c973590fc20afb9ff5b8ad489e71
SHA512 5dd04bf5f766ed47452201ecd1f419249625a534ac83ec6c9626293e9da483638b078e446e2a413b77108139baa72f9418ae903d78935fac89feffc393eafd71

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

MD5 01c332ceb6cff51972e0180c35e8c867
SHA1 65f13ed238a763e8c4d6f7f848205148124dd4d5
SHA256 558a4666415f042acb75dd7f22764ef1cfdf981633f03af3b3654d8bee075d2f
SHA512 8c7acb381fedaf15885615cdbddb431277cd04def6581526f855f7743207d7a9ab82b9f9a48b431902d5e7e90cdc8cef308226bbd9cd048d82cf842b36956431

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001

MD5 c555495fe7372b9a0e031de297e27b43
SHA1 7ffebedc39a83f723c3f98bce1601b7f70db25fd
SHA256 696de98e9e5ded0939c215506a764fa415b0757f4aa71b943bd79ee80b31655d
SHA512 4dd90c9422e5bda2b68b8478d9c54b468547cce65139019ea7ec6e0de9dfa02416f1cfe83c52d857369ab38bcfb37f045b7b138af9a06bae26383eee9544e376

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

MD5 755eb9e3d4a20b89deb4575c141969bd
SHA1 2459fe82a4bb96167ef918ba47cbe65c6e49e1cc
SHA256 2244d009cb08a8fb77aebdf204b924a0532436d81a3fa33bf2c4cd2fcd7b165a
SHA512 084ef86c7f3bf3ce596e085cf60548dc705d2e3655661ca42fe5d509109f7bec8b150cddaae659ab3ef90a55a29798ec77c4a2b600d40b292f60931d7ee3841e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

MD5 71047d814ec308ed45a24498419c4df8
SHA1 17bb3b9b19f54dee7a2f8ef927b3a101d20f9e1a
SHA256 85fefdc0d1305d63ac62eb427f36a6ccf17c34aeb4a0df9dac7bef905c6dfb3e
SHA512 b401f76bf0a17b413ba69d270fa4324ce21260f9368eaf13655863feacc048f0b9292da1a83e73f2c0b516d9eaad0a4c6d7a3c7bdc620dbea9083cfcf03123cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0

MD5 bfc16d885f4962852ebaaa330b8d5fa6
SHA1 2937013e1ef8b62623a63415cd98502c82961c09
SHA256 6d81a7445065651ba76179e1dde51981d9e79e561eb7eadbbfa593d166923ffa
SHA512 2652e38b110e31a4a5c6b5fac732e4c9a40df3430b6ed0a8418abc34166a9d80e24825234ed86c4789e2cc5a8d0055f0b1bf62ab460f1f17ca55227068def113

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1

MD5 dc4bac609548fd87534fa65ce7738049
SHA1 5f42c001a98ee7de546e2211eec46f5de682f09f
SHA256 305d9831829874aad8ad9e519617a8872ed36c1433de9be501277ac448da9a9d
SHA512 911698e8824d3dbc7fb6b4d86a0c44a59ac260d3ad86cd43ebb5c431b477495064b1e5046b82da1069d3caed3cd65281a59783f01bd3fa7d7f17236355fcd11d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3

MD5 adf2274e4df4222f3fb5da0cf256bc85
SHA1 6c0e9e373b6b9a68a51fc2e4e11c800496b617a9
SHA256 76788441677c83df695c33e9a6253d75f00872063462091b0e92e1b898d3e5fd
SHA512 b050b5060ca63cc6290ed9ce8c0748a72a36873c703d199fd32fde5d9631adf25379af3966afafae0f5d9ca2c72aed4f209b96463aa8269a4b5cd130435bf1fb

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 43acc45912ab8a3339de48a3ad99c70b
SHA1 81f763a99610702ccbcce538738f0baa5e7230a5
SHA256 0539c844cc7f88addd45697d712af7c680f399532e75fd3afaa4500c36454989
SHA512 9324c62082f52d3c1fb1fc68b0d5a14996c20f685ef0b863fc16b4e2ad83ea03d9fe3336992038cfcf88ea6f47e59ffc97adcbd019d2ed1855630aef13ebbc24

C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat

MD5 c41abbf25dd982096f817391ba209857
SHA1 b358f7dfbe4d5ad0a784f3580d82ce7e00e6e329
SHA256 6f2df123ff2a6dd6f49ba82ddedb2b0cfd6fcb8c92078d2d73df51ba498d4938
SHA512 ce469ddc89a253d8bda3b4bfc304b77bf731de5a819277e5c11760888dae1ad7b648b2076cba42f8f0ceeda5e7b0d8059ce35f78b2eeeab7e8baa459ab92a8da

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

MD5 77f6eca917f9717d8b82a11b60a60dc9
SHA1 9bbf3a6cecc2ff7155689f1abf075c23c2d9b9b6
SHA256 875182232bfb95571b3ee71f659c2fd4579bd275352eefd7ea203123e69f42fe
SHA512 c3a8fa6e8422254c830196865a59ec27505d63e2d0703f110cb9da10afe5e65483e9fb749b52f3143f61e09271f46de128772a9bbbbd8624353924d5fe33a22c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

MD5 b26aaa80836211370ae80fa187d5f20b
SHA1 814e0cacf2e0cc141088f9594842e3efe4707ef2
SHA256 2ac266fd3adb3fde3f26055fc7c628ff8a2fb55346c746e30d3ce1e465b7f8f8
SHA512 f348cf9892e39fdfa8b04e5b1e4401f888018a98fb504b80b050354ff6b2f3cb26fbc37203af4b1d5b1c191d46cd5e085dc9a868fe442c87affbc8277931bbff

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_VideoLAN Website_url

MD5 5000eb53127b04fc22948490403c423c
SHA1 c919d7e915ece00970673d47b33ee15645cc67f2
SHA256 5d4e8e8e34cce8edb8e0f579b2e065882073d26d495c54d587de8403f5ee5439
SHA512 83d752ef1c0e1c096f7a7cb3896351569d090b76a1b4d48e2486fb2f91a9acab48283745f0d5a4c7a71adb764299cb78986e9885e50a5c1d4dc209f80ea8a25b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe

MD5 21b1eed5b3e3cce1257c9fe1cb6f8918
SHA1 fee5d30f10f0a8e0d811d0de8377f644c0227e1d
SHA256 2c823dee47bc8e4695a5168996c29b9b7bb6642aeb1fc8ba789bb2779fbcc5e8
SHA512 39975951176a75ed165133e951fe414738773a5458a9082e78aeaf722216a0374bd2464d025c3b318f058f587cdab625909c493d7d74aa58921f18452927df6b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e9f3d0fe-ea9d-4742-856f-61871935c733}\0.1.filtertrie.intermediate.txt

MD5 3ca3011f4e38623b4705600a69aa6dba
SHA1 c1ac2766ffaecb23ba0158c530a2cf78224f7d1e
SHA256 cbf8524646691cfad7aefd26696b3081a22ea1a844aa7e08a4a7704a3bb029da
SHA512 a8429316de88b734dab9dcb6c4cba188ab17285e61cf1273f2f2a6e6f81b474bf7458558d8f1100d47304b23d6e2acea6124df728cb1e16ae8da8ea20055837c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e9f3d0fe-ea9d-4742-856f-61871935c733}\0.2.filtertrie.intermediate.txt

MD5 aa5ae1ce4028ed3da11c54feb6747492
SHA1 96b7ea30ba399d6b9ec7c8476067f5ba4bc57c9c
SHA256 765ea68798b7d4d02ed800c2f6faf6edc2b10e6460b758dcbaa0a27ceb1868c5
SHA512 7fdd096e019d571b8d817ab958d113e7bd8b90b7e09ef4a69a266a7d7a644e574a5e54767de68742489eb7ff783ef22d322bfade02bdd6a9f6d1d27e2a50d5b6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596438836529645.txt

MD5 5456fa864302237f7c0d4e9d649c7e3b
SHA1 349c91edf913f242f6c92edb701fc612197f9400
SHA256 2bd5f9586c39ea78fb2c9c270997d0deb8f2b97afc648a8c8f47b0f8a7801dc2
SHA512 ffa1198f107c595d861ca1c42e2937e7fb46289bb439f75e22201e2d160062f42ff7eee27020895237e13b7d698f1055aaea9f9c36f45a23a15f7f320231b732

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596439381468334.txt

MD5 a9b2c10b2fec6c55f9dcbe092401bd56
SHA1 9184846bb272939133e45dc695afdebc6dc55f14
SHA256 77c5d1d586e96ed4d671b8ab7d1a75a6c79f6b15d7b32921dc13ab05e5809257
SHA512 ee29881740eb9843ee02ad1660ec150cca35d5c1cd80af91e1cc5e4a5576ea470daad496f03ccbc923f6d8aa01b0b1f71dcacccd3db82e0368e5b0ee29f45ad6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596445939746610.txt

MD5 f6a4a6cb8cc03ad15eaa0853c9d61e7e
SHA1 df2e5bc28c5c4b6a6ebcaca10c447a7a854377e2
SHA256 39726c32e55e49f4d65fbf20791a623a65e95b7683ec0f1a51ac7d80aba7ae1c
SHA512 98cbce24c4601c83bf1622b0445e5a390d281867353fa3a82df1a15a83c3b0f47d96272cad72a6fe87dfe686b64f171e2eb280ba8c43df535698e332091cf03b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596449026566195.txt

MD5 a25f1bf6dd29da4f4c1a467cdacd6f97
SHA1 a89c6de1ceaa97a2802c1d3539507382162757a9
SHA256 ec20c4cd667a53efe5572eeabb09620e9b2c7befa329f3d97843f2e9198b78f9
SHA512 da2db6d55a994bbf65c96f8a42484ff8b4b819e902b6c29c77720c38a80f7410194020a08720d1e1cb05d26faa2b918b36bc6979c8630db0d953b3d4ff117eca

C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240508_121623295.html

MD5 f47640346db64e16935728967cb89444
SHA1 18bd66b9877fe0faa4dbc5ae9d050bf49ba7050d
SHA256 d2d26925464707b63f5f52a3d82b28f9ba92028e5b57750a82589edc63554598
SHA512 d0c59506b8d39c27f0b970e958eb1decfbdd6c93fca8bd6ed5bb25b065008f13ab232504837fa5410aa6739a73b376197c9940f3eb0f709c5b89147dc78446be

C:\Users\Admin\AppData\Local\Temp\Anarxiya\BackupCertificate.zip

MD5 c81091a43142cf81fdff9158bb09b0d0
SHA1 4e0603273281f7f15a75eafab3d4fdf837428652
SHA256 e9a7c1f8a7f8c3344e40ab0c57bd7dbbe15481bbbe00ed4468180515b79c03e6
SHA512 8686282809e427167d9d29509205b2d902b23b3cc0636f32863745b50bd5932d998d4d69a6e07ae4ddd4213689475cde825787b7d88411fdcd162bbf3711fb5f

C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Password\Password_07-05-2024 17;07;02.txt

MD5 c4313cb7ce8b07ce11f8db3c409121d1
SHA1 c69a0a3103ddacbfa6a706584784489f6ee93a7f
SHA256 41835d9446130ff27dce1b3710a260adc9806c368640161e8efea833815c25f4
SHA512 ebf21b7e33161a2eec1172066c14ceef6235f85e70884eb97cb06a03915a374963bcc353953e987b659329d771250af13ba433486c39516f19a126fbc061ee29

C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Recovery\AutoFill.txt

MD5 af253b3f98ca2cb6155fddbe1d7ef59a
SHA1 524ab4141c16abaf7408561b77cdf0241269382f
SHA256 0b0fee013adfb00a863956d3c21fd6dfcf5b7ebe5d4c585ac5439381505e13e4
SHA512 41adef9fbbf29c3b46e7ffaf5efffa38c7119c58f306ae8da8f69b6462de1a1069f10ece078354961899efa4d4bf5df5ff2e02c68792a874212ac9eac90a804d

C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Recovery\BookMark.txt

MD5 a2ebe0889b0a985519e9eade02694c6e
SHA1 435ebf82ec544204e4f0f7f343d237c8a42c17c3
SHA256 20aa05ade0f27530dc1ddcf485205af1a9ff9550c43a79804f17686021fe0819
SHA512 daf7aa8dbda5d279e1323bd008488c2b1e6f54661da42111832898555ad940c4be80e6926f38188ae71df993306a6d7ea56bdd2af3eb1e18da51a60b8c42ce6b

C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Recovery\History.txt

MD5 8b86c34ada826314848b1847cb078b3c
SHA1 407a1dc237ebf44035c8ee22bbd3c3dd8e5925b0
SHA256 422d548c18f4c6cc4a4a3b68e383edbcfafc961f7ba1c639bfd55474946d9d38
SHA512 b44b69cd893a9d6bff526509b7b4d0589ec630a352ba5892584dc4fb475dde7586e5afe09fe44d8fcea03cd26b3a14cca1c0e3b14d106912bf2b6cbef5fb9188

C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\Recovery\Password.txt

MD5 61e39cd17c25f8e978e0f2863ae33f48
SHA1 d7d80edd329c240c529da0fd082270f852eb9675
SHA256 5acee54af9a2e16e5ca2278d4a91e7bd65411d67cf035974d10e4ed6c8f47a33
SHA512 d1459a9919b1fd11e5ca995d35d6341f289413e4f96aa26bb599fddc68f12511cd13030583fc806313457e0d1e846b211fb2e73834c1f8cf28d2fb0ca1a01304

C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\StealData\AnarchyData.zip

MD5 58c219eb176a1302258ac63691d75b54
SHA1 994c79235080ae10273d7affcacbc93aa210113e
SHA256 5d533d3f39788a85e8b233b740d0896f559ba5c36c98c507bed11918bf5f2446
SHA512 c2e5854c556647ea24978b31c861bc46af266d36c50f810c70b90c89669cb87e3f083a9a1f0af6fd04a24543a34f1488d4ac062f869f9b096daca9a65229364e

C:\Users\Admin\AppData\Local\Temp\Anarxiya\ClientsFolder\C0E5A63A427B0B660D3B\StealData\Information about the data.txt

MD5 69d9e3df58cb39b6984e6ab8bce48429
SHA1 3864115dd3a60cf1437ad0440774ff448c253af1
SHA256 cbca551cba1198f01ccb1e174eb43a67bfe5acd75a27e7f70b74d4bf6d51ec6e
SHA512 fd60ca9fc1891dca54955d6b9cccc91c6d99db8cc2a84f6020ec98673a9deee725f09df4b5c9b67a1f0f2f0700cbae10725e2805dbccf817e6dcc35a412880d2

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2539840389-1261165778-1087677076-1000\5d8eee303ee05b169c50f2d5467db810_468f6343-c0e6-4931-9703-30c6539573cb

MD5 6397b3e40a5d5d1c42db3e95d04da1f6
SHA1 b34c2f3cd4b70a7c9640c6a81f2e50d5e94af9ea
SHA256 7973bb6502ba0300da6791f5d8adc5c718cb49f75c69953fa51516ac71d60c45
SHA512 437e08888100f6546f545462701aeca1a32f516bb7a2c0471efab2d1c0002cdb001b8c7370701fd103a08fcda62438e80d927410ec5c946635279161c99e0c6a

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk

MD5 0962da26ff0751031338565f788dde09
SHA1 094766805b52674c6bbd13e97682bbde0d396a0f
SHA256 f7b79614ddffbc5049e1f614fe4ffb6743b7af2e5c7ffd9f99a800ba089ec4dd
SHA512 5e28e789c8e1e01a127da132967658eec25523fdc3f3cb05a48bfda5f8c314fe8a89d1c219f2a78bbfcf4811fdb841a9095e203f9ff64665c5f13f14d5565635

C:\Users\Admin\Desktop\README.txt

MD5 af4587c5e11e2fd2292003618983a1de
SHA1 38ef333a8bed57e77badd8e0251104edc2c40d04
SHA256 2692a6708e5622e79d683ae669a051b97a87913ee1582ac4009518f7756fb473
SHA512 73f3a18aef45572f0c080b2c6cea9babcb020389d976af5190398b8c354ed2d7f3e5167d8798aa7a109e9aeb0fc96038fd85544d3f006db7d37cdb91f07cb586

memory/2284-11065-0x000000001EEB0000-0x000000001EEBA000-memory.dmp

memory/3940-11098-0x000000001B830000-0x000000001B862000-memory.dmp

memory/3940-11375-0x000000001C060000-0x000000001C090000-memory.dmp

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3940-11643-0x000000001B730000-0x000000001B762000-memory.dmp

C:\USERS\PUBLIC\DESKTOP\FIREFOX.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 44b609b8bf71e43a79275ed8e0ccfd5f
SHA1 f302b5caa7ffffc8f69f4ead10f46460e065d22d
SHA256 ce045774cc4022f65e6c688918727275ea532f07f7ed789de2c8868021def4dd
SHA512 18ba6cf42765279f862d03556652e0c10697e77fe8ccb50477532ab46a52dbccf7366393fcc52a7377376f29a5a6060af45a60775778e478a243772b9a5bdfbd

C:\USERS\ADMIN\DESKTOP\UNDOSELECT.JPEG.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 643820915e2c285deca36ae4d6e478ae
SHA1 ac6b30be59184b708bbed60aacc3f766cd6a45c3
SHA256 03f2bcecdf3ca695cb2dad3983f74f9a4c2625e24e213432ccadd5e53e488629
SHA512 f6e9a230d0b58f440c853f7cb1fca5890a760eb4b4e59d14a93ee0561a7c4e202ba341f5f87328efcd8b61b47e741bc291ffae0d8b95cab1f782fb31be1c3f49

C:\USERS\ADMIN\DESKTOP\SPLITMEASURE.PPT.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 3e41a5cb5af1e532ffec9f692c35d013
SHA1 2505a9c6ca6539995c6110f1f22ed5d442b7942e
SHA256 eebe77eea9d70e9e08a9048318c17fd44cf46b038896326533481fa489d98e98
SHA512 a8c37f5294e6ebe8babb05c08b01adc3f9dfb5e7cabf5afa9dd9ab42835f148ed315310c1f3742b44cb2627d68547015948ca3083e74191834b430d302240f1c

C:\USERS\ADMIN\DESKTOP\SENDCOMPRESS.CSV.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 d0bd2155f65a678aca3d04b1bbaa0ffe
SHA1 ceffbcaff969654b2e5c94c38d265608012e4335
SHA256 4f2a8fb5e94372b7264b0a0528a40039f4f63c87db9f9be90b0f34e30e8fdfec
SHA512 c5e5b41a35522d4dbbaaa3c8eafebd480be9e91c087be63fbf401b3991b8306ad8d65fd978432acda18d9ce7d9efc2adfb7b8f463a03e367f76d6b1c52d4c9a6

C:\USERS\ADMIN\DESKTOP\REVOKERECEIVE.XLS.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 96d4cf3ed77617948262e52591719736
SHA1 4094ee799cc7b7905bfd292ddea01517872f8c7f
SHA256 edad46f95dfa44307b807c58dc2b98c0d9f1943d7ca12ca3718d6ce1df7531d5
SHA512 fcc0492a06642e8e33c33f48decbb72652ef7191151c0407989bf42df370c68b2fb4e57ce1959519db73c63b34730ee0b6f1af31043b4fb8347b663eda8101f3

C:\USERS\ADMIN\DESKTOP\REPAIRRESUME.JPEG.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 f324f5662be1edaac46a061b607b5036
SHA1 7225f3485be6d27cbd86c70c4110c69b10890ec5
SHA256 2621a2c6181a6f1d9780fdfc2eb376a68ed4cae0acca3d7d433fbe107f5ed4b4
SHA512 9f449b59f5763acbfd55a9b714e9524ff7ee636e14449304990935e286d3b8dfe6db4d6d8e71b20b057b0f620578bc6089fecfce13bd5893df315e7d52e8b547

C:\USERS\ADMIN\DESKTOP\PINGCOMPLETE.001.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 b286a7af67bbda05de5165e2db82f611
SHA1 dc7f0791691b74791904c1c10141433873331600
SHA256 fb6b90079d21cdf4b8cfa29bff5d834ff6b2042f7e945cb9a75bbcc3e798bbde
SHA512 b6214e6542dbe2b97a49bd97a3e286d04d291232bac780377f28abc33c8939445668559ff1d330d49bd7a395e00fa9bb136e7ae3c9277616a0450782eec5d1fb

C:\USERS\ADMIN\DESKTOP\OPENMOVE.ZIP.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 1136202cd4f3e0b99914337f6d440b3e
SHA1 432c2688ee5c62b246b6e3089931f5fec71ceeb6
SHA256 3c636ac2f29b7024e6f02f60984d22411719d2a3bcca60cadca4e4a7c9c1106a
SHA512 bcbf1d9601c54f13368224c98ef92e6fb9eb21d28e6ce0e4a46fc42d400290b1823a93d315e6c83becd4bb9205ed0b8b4261c543e7c11c762e678e80a901bd23

C:\USERS\ADMIN\DESKTOP\MICROSOFT EDGE.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 69ea39c431145a8435ebe0e9c42d7467
SHA1 79d09b73f3ac4ee1ac822df42130c2bcc7657e1e
SHA256 df156ef55cd874e7bbbe3355bbfabd7f2653b999aecf8c7db806085b8f5c90ce
SHA512 04bdb20ed3aa0aca1c9e2f9e2c5737ea23dae97e5a7c2ece3ad5381bbbcaeb1fcb2eb528c04ec78d8e06d93f33edf0631e6a3c579e8500c62465c2fe2927d62f

C:\USERS\ADMIN\DESKTOP\INVOKEREVOKE.BMP.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 0158f47aea82d3780ad91413174a34f5
SHA1 09aadb517ed22fb50b5c5942ce09bc5c4d2c1482
SHA256 df404aec7c2f862da26553a385a9be6691499e3fb183cf7d757fd793487077db
SHA512 02745d90150d3240486654047d202f05e2e773f688b375cc3b5e63cd57771c6f0fd2969da374e03df9bbd591a0acba6901bdfd0a4d0a1826c09dfdf3bb7fd858

C:\USERS\ADMIN\DESKTOP\GHH.ANARH

MD5 697b2e9f1ef833a0fbc8437dadda8740
SHA1 a925adf3d888426e9907dee16b3385e61edbbe4e
SHA256 0c21ec086fda5a0677a4d1bfcedb1c1d8d5e9c4e6f719346fcfe1504cd86ab0c
SHA512 b74ec946bd56e4640652889eac43b8796edcab6c5d470d8fcdffb3ff8fedc1bee33212877e06da1351db26275c94027b277954b8d0534f405713a96000e86fd4

C:\USERS\ADMIN\DESKTOP\DISABLEFIND.DOC.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 e043d9c517800a6be4bc672d0562f5c8
SHA1 22eff370d81c4a9b37de07fd95e6213b61efb550
SHA256 ac0be2544070ef8caf2a5579b7ad1c011af797bcf33a2acd9ee9cf37573c40a5
SHA512 43aaa3e97e9344015bd86da44afa5085cdef5307cddd61a1f667e6a21d32375b818b633c1aa907b23b648f89e9905541e592837cb45144a0854909043a00d798

C:\USERS\PUBLIC\DESKTOP\VLC MEDIA PLAYER.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 e90b966217a171add02eb4afa40b4eb9
SHA1 52740fb0e245f41a02dbfa49a01f352f14248459
SHA256 8265ca2d35d00466bf5007d56cf424c5ff435e55cd055e14d6003be600df98f5
SHA512 a1e11784b62ef0a337defbb5cf632c03b1354d236992d31ffd61857384cd1bed8a6e76002769ea87e81b2ac8a65e9fb6cb8ec6d7f8d4d809dd9302be928f123c

C:\USERS\PUBLIC\DESKTOP\GOOGLE CHROME.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 1a5379909f623c9617142cfc4ef9ab12
SHA1 9f865f50202961c05afbd6175e6d05bd5569b76f
SHA256 7c62135a40a2f65e5e3994a426fc220d439c703abcdb8c9582b70f1786a29824
SHA512 7e49f921edeb44c1487918a91027a1ebdcdc19527128f40a8270f3a290491fdda31b731e9899a0272973f6f42cb9991ff8aed3084c24c076a5f72798cf92c8e0

C:\USERS\PUBLIC\DESKTOP\ACROBAT READER DC.LNK.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-AJ219SJ1UAIN

MD5 b15371abd354858168bc525f94ad71b2
SHA1 2054b12102608087abb64ea9fe42fe0417fa6a8e
SHA256 ccd4dc794e35d8b565fd087c37ce9fbee572b912d99bb721f2f04c1ebf9b6812
SHA512 423fc10f11f8036b9e862e259cf8730252c0b714fdff1e12854cbec4b83f2b5fc4f1bbf50500e268d663ef7ced99b4774040d9f279ed6f975383a8098d8b975b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

MD5 519d186c8acde613ab7595b802c1fa3d
SHA1 0749365b64a012cde44f1c48c75e7c9eabfc7500
SHA256 19acc06d189ab9a6ab0c8a93aca5da61ffcbf83ad9501d30deb480e3a785b2f7
SHA512 ada4df1ac69f7c90ed0de8eed927524bd9512687a61749566d3da01c2506f02eba153138bebe2a3aac182f8c972770b0ed794a2b1aa4c25d0bcc8db1a00b80c2

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 f23530a9f6702d8e4b9c6740957e7d45
SHA1 790dc16f97b5a77479baa6a20c88d43dc142f112
SHA256 aad9e5c6ec61ea7ef68c260b107d89db9044e3ebac6d084eea32396a94aae378
SHA512 17b2ca978db52fb4e1c57836b7a1bcff86a7dbc96baefbcd0e743b4f04d223c60df66902bec36ee442982550daf5116a2a31880988a80d1695fc0855a4645908

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133646732950585214.txt

MD5 503966cb90f716e708a3248f2ee3ae76
SHA1 bfc9bf92765a8d7877c701cc4c402bcf9635394d
SHA256 8021745edeffd2f162ecae21e401a9f41160ada9c433b341d4bef640cda6f383
SHA512 e56a5caa46fb2a2ba095048f31e0ae33efa46021ae4c2c419024e2a7e389aec887e774ede2d022d4d6683dd06f778ddbe1723f0856bb22eda15b49c8ec44c4ca

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 70f122cde93d0642213d4cfb84776b0a
SHA1 2f2d7bd76741cb8e29fc7675079c93cb8599cf44
SHA256 d42a6bf1d010c44f4ecc26262787b80c61d36fb0f10131af502f9b64000282a3
SHA512 b51b9c3a604cd986adbffb471878d5295beacedf414fbf88b66e1af30075fb9b6ba07f07baaccec48e05fa3656cd76ba3ef4d9e745e473d53063162c36c2241a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

MD5 2257fa8cef64a74c33655bd5f74ef5e5
SHA1 b9f8baf96166f99cb1983563e632e6e69984ad5c
SHA256 ead48b70e048de6ccca219a229ca90b49a9d1b9c14bf3a7c5eaad544294fcfd3
SHA512 7792be9b935a46a923e97bb76b76957070e116dcc4cb6fcd8b883c2d6f142285ebc9fd26cdf29bd19c8bdff412487f586abaa1724332b613e71afa45d7f3e4f9

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

MD5 1f0751a2a9db639807d78d44290daf46
SHA1 e083277da3cce9ef51b31ef2e00ea4680214480b
SHA256 31aaa95279e1fe963a4e03599fb95b585930cfe1b3351084d255ac7b80b7b69b
SHA512 36fdab9b99d9b6c845d932ad2388b0909313bca4cd588c6e28ff1fd276c43519b79bd714e954035e82cb6b615ec1f5112bb21ed5fa12bdcca0c47b816b4ffd6c

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

MD5 abcd9c93b093521efb9f2afc0664d848
SHA1 7df66a2c5331d61fe0126a6402e6d27c9ad27fc7
SHA256 5482090c41ac37afc1bfaa9b143b0b9e5d5f2430d4c1c06cffdc7677aef839fb
SHA512 f3e479d90846d46e9f461bd0d3fd245e0195857767ce81186bae47e61304b609719b9f8633d6a0a45bdfc1dbf37d148cefd80ea8e8dc545de52bdb8aa8f659b1

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

MD5 f4dfd7b9c5e87be75287a5ef5b45633e
SHA1 475c8214d3f218cf707fffe8d653e50ca9f356aa
SHA256 23556f6bb76403b3522bdd4ec33d06e6dc3a86bd7523675e9955d88ecf45428c
SHA512 729eab06860f8f2e2b707d6928264e6e8f972df17171cca50348b9de538b9a899c78a794aa31fbcfb42a5c753fa70286d503e143a3bd4e6ec60c97297ee0eb64

memory/1416-11930-0x0000000003230000-0x0000000003231000-memory.dmp

memory/3760-11937-0x000001C354E70000-0x000001C354E90000-memory.dmp

memory/3760-11932-0x000001C353C50000-0x000001C353D50000-memory.dmp

memory/3760-11968-0x000001C3551C0000-0x000001C3551E0000-memory.dmp

memory/3760-11956-0x000001C354E30000-0x000001C354E50000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9WOT0LPI\microsoft.windows[1].xml

MD5 6f6303f616adb545f2155b3864f9041e
SHA1 25b80380c0534a38d293856f055535b091bb22b8
SHA256 9061389e723e0018e689ffa46151fffe48dd5531a5bd578e1178a3ee38adc5aa
SHA512 579b859a86f38c6e9edac9151e6631ef85c98183285ad2ed69671ddc1cf4d013a7d5c4ac944e8e1ba3e7b6a34f4c8ad84a3d65549e5fa4d909685664eea35d0c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 aa3df8e64a2dfd6374144933d331ced3
SHA1 31aa7e9ce30bcf353e9db93c72ce860e3e2039c2
SHA256 5e1fbd6aab0f653d456c44d165002d4c56420188c46ec53683de054dc1728ec7
SHA512 9fd049bcdd515e05c44a686c203f0fdec18e37bb951baeabcedc30475a5078fd252953a4c544027f470dc74325e935ff79e0dec7dd655624f4f71c201a0fb205

memory/268-12149-0x0000000003E80000-0x0000000003E81000-memory.dmp

memory/2036-12153-0x0000023F67C00000-0x0000023F67D00000-memory.dmp

memory/2036-12158-0x0000023F68BA0000-0x0000023F68BC0000-memory.dmp

memory/2036-12155-0x0000023F67C00000-0x0000023F67D00000-memory.dmp

memory/2036-12154-0x0000023F67C00000-0x0000023F67D00000-memory.dmp

memory/2036-12191-0x0000023F68F70000-0x0000023F68F90000-memory.dmp

memory/2036-12180-0x0000023F68B60000-0x0000023F68B80000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 0f79b00fd6fbe393ce75c764fa2b1ea7
SHA1 ad1c6f199d15356ae943fc5321367f7bd4d0857a
SHA256 ff6585afac91fd0108888271fefc166db3cc677f21516b4a2e06ece6837c9860
SHA512 b71c6060e5c6e06aed58fbcab46a0c0e185ce585a39854e8bdec089c705553ac145c43509319f6efff9a1b61deebf8465cb4df3c75e0056f6ebecefe8ef40b47

memory/4728-12345-0x0000000004F30000-0x0000000004F31000-memory.dmp

memory/5076-12348-0x000001ABF8020000-0x000001ABF8120000-memory.dmp

memory/5076-12352-0x000001ABF9040000-0x000001ABF9060000-memory.dmp

memory/5076-12347-0x000001ABF8020000-0x000001ABF8120000-memory.dmp

memory/5076-12365-0x000001ABF9000000-0x000001ABF9020000-memory.dmp

memory/5076-12376-0x000001ABF9410000-0x000001ABF9430000-memory.dmp

memory/552-12536-0x0000000004350000-0x0000000004351000-memory.dmp

memory/4880-12538-0x000002216E100000-0x000002216E200000-memory.dmp

memory/4880-12543-0x000002216F0A0000-0x000002216F0C0000-memory.dmp

memory/4880-12540-0x000002216E100000-0x000002216E200000-memory.dmp

memory/4880-12553-0x000002216F060000-0x000002216F080000-memory.dmp

memory/4880-12565-0x000002216F470000-0x000002216F490000-memory.dmp

memory/4880-12539-0x000002216E100000-0x000002216E200000-memory.dmp

memory/4072-12750-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

memory/180-12780-0x000002F3790D0000-0x000002F3790F0000-memory.dmp

memory/180-12759-0x000002F378D00000-0x000002F378D20000-memory.dmp

memory/180-12767-0x000002F3789C0000-0x000002F3789E0000-memory.dmp

memory/3540-12899-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/4280-12901-0x0000023185100000-0x0000023185200000-memory.dmp

memory/4280-12902-0x0000023185100000-0x0000023185200000-memory.dmp

memory/4280-12907-0x0000023185DF0000-0x0000023185E10000-memory.dmp

memory/4280-12928-0x00000231863C0000-0x00000231863E0000-memory.dmp

memory/4280-12918-0x0000023185DB0000-0x0000023185DD0000-memory.dmp