asyncrat | bf9aa6957a814d551d3ba7f96690ff76c79ff884718b3a0f16ab17b96c2637ff

Resubmissions

25-09-2024 13:28

240925-qq3jrs1dja 10

24-09-2024 20:51

24-09-2024 19:21

24-09-2024 19:17

24-09-2024 18:11

24-09-2024 17:54

Analysis

max time kernel
600s
max time network
440s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarchy Panel.exe
Size

54.6MB
MD5

94bac1a0cc0dbac256f0d3b4c90648c2
SHA1

4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256

50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA512

30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
SSDEEP

786432:RvcKHU1yll1EcgYwm/7hPo9b9DMs2PTUpRYj:lPU4bZwm/NwEIYj

Score

10^/10

asyncrat default discovery evasion ransomware rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

LOL YOUR INFECTED.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	LOL YOUR INFECTED.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	LOL YOUR INFECTED.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	LOL YOUR INFECTED.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	LOL YOUR INFECTED.exe

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Infected.exe	family_asyncrat
C:\Users\Admin\Documents\Infected.exe	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Renames multiple (1272) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/4696-1-0x00000000009E0000-0x000000000407E000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Infected.exeInfected.exeLOL YOUR INFECTED.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Infected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Infected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	LOL YOUR INFECTED.exe

Executes dropped EXE 6 IoCs

Processes:

Infected.exeInfected.exeInfected.exeInfected.exeLOL YOUR INFECTED.exeInfected.exe

pid process

4340 Infected.exe
4320 Infected.exe
1016 Infected.exe
1276 Infected.exe
4120 LOL YOUR INFECTED.exe
3740 Infected.exe
Loads dropped DLL 1 IoCs

Processes:

Anarchy Panel.exe

pid process

4696 Anarchy Panel.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

LOL YOUR INFECTED.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" LOL YOUR INFECTED.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

98 discord.com
99 discord.com
100 discord.com
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

ARP.EXE

pid process

4312 ARP.EXE
Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3000 tasklist.exe

pid	process
4340	Infected.exe
4320	Infected.exe
1016	Infected.exe
1276	Infected.exe
4120	LOL YOUR INFECTED.exe
3740	Infected.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	LOL YOUR INFECTED.exe

flow	ioc
98	discord.com
99	discord.com
100	discord.com

pid	process
4312	ARP.EXE

pid	process
3000	tasklist.exe

Drops file in Program Files directory 64 IoCs

Processes:

LOL YOUR INFECTED.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\winamp2.xml	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-125.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\195.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\charsets.jar	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\vlc.mo	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreMedTile.scale-100.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-125_contrast-white.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\joni.md	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.scale-125_contrast-black.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\3.jpg	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\32.jpg	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\40.jpg	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-125.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_BadgeLogo.scale-200.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-125_contrast-black.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-125.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\vlc.mo	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-100.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoCanary.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125_contrast-black.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-200.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\SmallTile.scale-125.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-black_scale-200.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-16.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemuiset.msi.16.en-us.vreg.dat	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\WideTile.scale-125.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\199.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\204.png	LOL YOUR INFECTED.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\82.png	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	LOL YOUR INFECTED.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	LOL YOUR INFECTED.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1208 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1592 timeout.exe
3208 timeout.exe

pid	process
1208	sc.exe

pid	process
1592	timeout.exe
3208	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXEipconfig.exe

pid process

744 ipconfig.exe
2716 NETSTAT.EXE
4036 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3668 systeminfo.exe

pid	process
744	ipconfig.exe
2716	NETSTAT.EXE
4036	ipconfig.exe

pid	process
3668	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Anarchy Panel.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\TypedURLs	Anarchy Panel.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716797028201761"	chrome.exe

Modifies registry class 64 IoCs

Processes:

Anarchy Panel.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Documents"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000003859d29a100054656d7000003a0009000400efbe02597b633859e29a2e00000092e101000000010000000000000000000000000000000e5e3d00540065006d007000000014000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000000000000100000002000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "4"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 780031000000000002597b631100557365727300640009000400efbe874f77483859d19a2e000000c70500000000010000000000000000003a0000000000b5f7970055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Pictures"	Anarchy Panel.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4504 schtasks.exe
3656 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

LOL YOUR INFECTED.exe

pid process

4120 LOL YOUR INFECTED.exe

pid	process
4504	schtasks.exe
3656	schtasks.exe

pid	process
4120	LOL YOUR INFECTED.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Anarchy Panel.exeInfected.exeLOL YOUR INFECTED.exe

pid	process
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
1276	Infected.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe
4120	LOL YOUR INFECTED.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Anarchy Panel.exeLOL YOUR INFECTED.exe

pid process

4696 Anarchy Panel.exe
4120 LOL YOUR INFECTED.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe
2428 chrome.exe

pid	process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Anarchy Panel.exeInfected.exeInfected.exeInfected.exeInfected.exeLOL YOUR INFECTED.exeInfected.exechrome.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4696	Anarchy Panel.exe
Token: SeDebugPrivilege	4340	Infected.exe
Token: SeDebugPrivilege	4320	Infected.exe
Token: SeDebugPrivilege	1016	Infected.exe
Token: SeDebugPrivilege	1276	Infected.exe
Token: SeDebugPrivilege	1276	Infected.exe
Token: SeDebugPrivilege	4120	LOL YOUR INFECTED.exe
Token: SeDebugPrivilege	4120	LOL YOUR INFECTED.exe
Token: SeDebugPrivilege	3740	Infected.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: 33	5036	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5036	AUDIODG.EXE
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

Anarchy Panel.exechrome.exe

pid	process
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

Anarchy Panel.exechrome.exe

pid	process
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
4696	Anarchy Panel.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Anarchy Panel.exeLOL YOUR INFECTED.exe

pid process

4696 Anarchy Panel.exe
4696 Anarchy Panel.exe
4696 Anarchy Panel.exe
4120 LOL YOUR INFECTED.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Infected.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 1276 wrote to memory of 3576	1276	Infected.exe	cmd.exe
PID 1276 wrote to memory of 3576	1276	Infected.exe	cmd.exe
PID 1276 wrote to memory of 4172	1276	Infected.exe	cmd.exe
PID 1276 wrote to memory of 4172	1276	Infected.exe	cmd.exe
PID 4172 wrote to memory of 1592	4172	cmd.exe	timeout.exe
PID 4172 wrote to memory of 1592	4172	cmd.exe	timeout.exe
PID 3576 wrote to memory of 4504	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 4504	3576	cmd.exe	schtasks.exe
PID 4172 wrote to memory of 4120	4172	cmd.exe	LOL YOUR INFECTED.exe
PID 4172 wrote to memory of 4120	4172	cmd.exe	LOL YOUR INFECTED.exe
PID 2428 wrote to memory of 1936	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 1936	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 2996	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 1264	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 1264	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe
PID 2428 wrote to memory of 4436	2428	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2436

C:\Users\Admin\Downloads\Infected.exe
"C:\Users\Admin\Downloads\Infected.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Infected" /tr '"C:\Users\Admin\AppData\Roaming\Infected.exe"' & exit
  2⤵
  PID:8
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Infected" /tr '"C:\Users\Admin\AppData\Roaming\Infected.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B25.tmp.bat""
  2⤵
  PID:3692
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3208

C:\Users\Admin\Downloads\Infected.exe
"C:\Users\Admin\Downloads\Infected.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Users\Admin\Downloads\Infected.exe
"C:\Users\Admin\Downloads\Infected.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Users\Admin\Documents\Infected.exe
"C:\Users\Admin\Documents\Infected.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "LOL YOUR INFECTED" /tr '"C:\Users\Admin\AppData\Roaming\LOL YOUR INFECTED.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "LOL YOUR INFECTED" /tr '"C:\Users\Admin\AppData\Roaming\LOL YOUR INFECTED.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp76A3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1592
- - C:\Users\Admin\AppData\Roaming\LOL YOUR INFECTED.exe
    "C:\Users\Admin\AppData\Roaming\LOL YOUR INFECTED.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Drops file in Program Files directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4120
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe"
      4⤵
      PID:512
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3668
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:4320
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:3720
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:2368
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:2528
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:1044
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:4788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:4588
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:2376
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4500
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:960
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:2296
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:3000
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:744
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:312
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:4312
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -an
        5⤵
        Gathers network information
        
        PID:2716
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /displaydns
        5⤵
        Gathers network information
        
        PID:4036
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:1208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      PID:4728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
      4⤵
      PID:3688

C:\Users\Admin\Documents\Infected.exe
"C:\Users\Admin\Documents\Infected.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbb4a6cc40,0x7ffbb4a6cc4c,0x7ffbb4a6cc58
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1808,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2308 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3396,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4828,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4476,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5152,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4568,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4480,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5496,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5324,i,2271753146420473682,5669553271935919358,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:364

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4388

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
537928ea8ffec8a7dc567b575d0dfe0d

SHA1
f2c9025583cdadc6ef07701028559ddb68e7581e

SHA256
25a0ea5a88c384c44b5f03e990c88b5ed13ed4fa480ff126ef9203870fdf48df

SHA512
8ced00e6012dd3a3b9f4d65943542f5aa5af23d801a0e528ba320b56cb177d6ee882aad3f0eccc9ac224d3331a3146be6b7dbbfce6c218a3f3439618d36fc445

Download Submit
C:\Program Files\Java\jre-1.8\COPYRIGHT

Filesize
3KB

MD5
99a4730a3f57f994df28698f9754b99f

SHA1
713e9e39b2fd2c81aeae7221a3d13a7dd1ba7d9c

SHA256
10d3417803c39adea947b4d76c0ae55c94a8af96cc95f24888f16c63f698f077

SHA512
6b0f7209efe45d8c019c844e6ef0ec3ecbda89edc68273498e7b3411f09e78842581fad4d2d8e0321c00ad3267e1f7b9fdb1ac8479916c8dc920d1917b002a49

Download Submit
C:\Program Files\Java\jre-1.8\LICENSE

Filesize
48B

MD5
d436e7ceb515a94f2d059fd9ebc7fcf7

SHA1
d58d22e7f566700fde472d04ea1761854a0a269b

SHA256
b7e6edc7d52b44c9538f057bbbcfc36f579ff3018fd8b2016c647abcc0dbca60

SHA512
206f9c51cf6709208aa322bc78aee4fba125c552da9009c6fba6f579e73fb3d73d85eeffebecefbce67d7c6876bd4785222870ec933e61867f86ac9e70d82003

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
192B

MD5
bbc31d33141ee806b829b700c5c3bea4

SHA1
7f27a895b9319f1ec9fabd05359601ebc9efce0a

SHA256
b9a63f3b8770c111a4b7e39d19ebcdef14a2c272ae3d7bcb434c557a1c4772a6

SHA512
40409e8e49b21738d2a7a45ebd7ad05713351805883e3133666c9f0dcee422cf27e825f038c7d5b3a9751ca543f0f804ac1979b8d6babbf14cc217bf4afed9a0

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
c0eb87a92446765d3686e96437d287fb

SHA1
93558a9fef4dc85f903317815d3c640441a68cf0

SHA256
55a9dae0cf82efde58c0d381fe75003cd4c67adadfed11026199dd2421aa2c63

SHA512
b86b7f8c43bbe363ac9880ff14c7bf446c7fd480cdb27a0119e592bf54a3f03a217f3e21db0be6ddf8a3629e6d0831e5139ca8ea239b0ba1b5dcd183d60a7ae8

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

Filesize
1KB

MD5
14d121337131b4a98844b98251a89162

SHA1
b0868c3651e9963165be0308197ffc5c169ce4cf

SHA256
618b27f2597bca921589aca25d107ffcfee9cb2cea6ba0fadfbac821d6ea2977

SHA512
c8525b6b58e105868715214b311e802676a81630d392906c655310ffa94867489f6d684b6dfab33135e13634f5bc28b18a42c266bb1ccb3117914e354a13cc38

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

Filesize
31KB

MD5
3e7ae760e6c59ac67db4ff1df6a7f0fa

SHA1
978f8305761d76f0318da626feee88858f7b8e04

SHA256
e2f8d0bbb45dca172de2345a4c5f81acbea3e1f8d658bbdd98fbe3f16bac45f6

SHA512
399f48d8291f5dc1da13456782a357c41d81d97b87cdda61476fb2faafd21b2205d3744ba27b3a273ea085d14e06f50b403381135cfe7fad773eda26c86e4dae

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
f823959bd5906a59f44b5982dede27df

SHA1
31a0e72de4f470987ec1f239e93279107dde6125

SHA256
2c8d9346e6ff1b0239bc51ebddb9bff9ee8eb52437a864f27a37e6abbb52506a

SHA512
1aa24ed4da0ae0ff7f8d0bdd31013d7de6bd463cebee999e14d383b99ff9a81a9d4a84b2a21547db6439aa46e194479f9445cf2eb3f41e4dacf894e0d02e9fa2

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

Filesize
23KB

MD5
8bcab05d8c2fe2d8354d4ae5f5b84257

SHA1
0fa12c9f25d0ae650d794e3038076f6098ea9f7c

SHA256
7c1d230dbc207fe2e34471d8e0cc39e30a362eb2515a9e6915f56eb5abe62ebb

SHA512
c7df3f71369394c28458932a1df0bf67eb2bbc19276fddad6d2f537522ae7ddb3195df73f8d71f5646600d86177151e60f50647151ee818d5975edf39b2432af

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
29dad1df23661366b5841bf56cb256c0

SHA1
4aa82e9490a051693da62321dc38253f2787dfb1

SHA256
cdb4d760e39bc157ddcee71fa5fa8692a64328688c2764e8f137fa23ba3fdb36

SHA512
a4da217939540181802ae88874294215eca3a1695fb99f29668d265dc20800f7e6c9cdb3f2758ebafc12ddffabb41188b4a360b16b9b2e84ddb1bbf29dc1ef82

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
78470e98cf1cffdec98e707c47401318

SHA1
b5274c7648876445e62d8054b43e98f8c4c9a42f

SHA256
cdc9dac58757b8f0ff3ace25cea15748b5b5fd2267f2884f240e082d16ab6ff9

SHA512
f4158f65d27f5b6b1e17bca7f4bc788e0dbedc0297ae5406366f190a5fb4832fa0686dcadc8de210fcb2b8f2f2f34df4caecd40bafc5ff57a8d7d82909766e27

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
9677fe62253f27159c9fccec39016dbb

SHA1
aa8b2ac08107a4b7dbacada728c3fcbc73aa3c23

SHA256
21fc6b733d77c994dabe6f6c64ae5cd845a6b5e16b9690d91bf3e5b1a57af6a2

SHA512
ec804b881c173d3bd41f68f68729f447d8bd080575803fdc3a1a64ba40211f0687423ad7321a44542cf6f871fea9de6c4c32b6f023449508390a3fed5121bde7

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
9fbe9f603ac1427cacb7507e0cc1b2be

SHA1
6b9f222b42efaba11c100e94de94771214e714cf

SHA256
e6fb3a9955c9b5e86d3d9fb38648a2d49bbcb74a2e82e2296250be67dd6e40f5

SHA512
0f85237d3e709f52328a1fae2b418ba1965e217e483c7f5e2caab66e22d832d0f5fcccf1eef0cb6e74f5324dd4797886d92aca538694ae350301c3b26bc0bde0

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
5KB

MD5
5c408a8a2a68b20f6710772c8198583e

SHA1
1126870f579beac84387af02a572b3b11b792820

SHA256
7ebdea77dd2f8b1123eb4c1608ec001c5159cccae90c9d71182fecaec87a59a5

SHA512
bf62f975802c24885194c0c45d6e037379605df2d308881b68601db2dcf2c2ca4786f51975b6de97ea06ce307bc368332e9bade10d0024334619499fa11f7b8f

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
5129283d1b6ff6f2db367522412c78fb

SHA1
a8b145def92ac8342855f6ef91befc9533b1adcb

SHA256
130adf1dbe904c1ec9454e64255f1d79407a824a1212e83c5952d943878e7f66

SHA512
21a211dd1dfcda191e0b6f4d1becbcca1317964e28ebdcfc5a4427fa6985f77a6f322980d196286d90fd3103745bd02aa85a206ef439238ae600ef8ae133316c

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
9deea673d1aade8609c10392466691d9

SHA1
142d2ca13afa1f9433053d7b05d889ed4d41e856

SHA256
2f779bad118050f8f4a7bf3799d88ee6dacc35405bfd8390d361a944a4222614

SHA512
9d813c80bc560a987024915e73e67e23cc4f3f1e9d22b25196aed2bbb8510f3c87623ca86157b7b4525c15af6de6eaaf5fcd2e96b682b8cb64c72657a0f1c063

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
b81ac5717b6b945a6cbe71e42e5386d3

SHA1
69e10a03d2799b5103a9f4ac090fd70ff34a1f3f

SHA256
f83be2323aa94d44b376aeb0c0c4b18c6d112899d75b9cfedd54cf6f0cf9720d

SHA512
834978792550ce56f2b2b10f6fe82f9d6f148e0956f1643220018b82d7f6621a7156fe60bde1cfb4224eafd5d78b9007d3067d704c09a53cb344f0ff70ecb87d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
094f814f31cd5c9aa9a8a92a8d0edd26

SHA1
7e3fbd4250132dc8a0781c78727f4d1323d3b3a3

SHA256
3f1fe2ca3833e278634c4f14386840f7555a9a835e3cd19a6ae833f504380948

SHA512
3a62fb2f4fa9b68e449a9c45a02287becf2ff37e85436256590c803935f85f3d7afb63aa2ab2bb79f24aa1d42cfa71d058095ebaaacccc7eab91ede78f13f4ef

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
8a53dcd83a487f780e140e70d5a0fd56

SHA1
8855d8aa861371eec14d786149875d30745b560f

SHA256
424cf24348a647412e6aac5f8c020bbdda3f3217131c01a1ff24ad79386b760d

SHA512
b2d005fe2431b31fe19bc119ac42833ba7b2bcdd8ed421d01e9d36e3bd2cc27915524ab5c2bc6a369756ccad94737c745b2752a819ac8c1e304c67c17ddb40da

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
176B

MD5
0d404cf830c3234e51eb3ab716f57d03

SHA1
5a4722ff2c13f34ddbc6a6b7c94b95b699890384

SHA256
10b46d27c62cf506a77a4c722a20d24ce7ac1cc56b60f10ffc888662996cf121

SHA512
361cec9fcfe09d20d61845bac85cd3611f1971c5defe822eae62d97fa13d58cb24a98dae271d542a195d46082ab846a70a4d481349700d75c7c629fa53dce424

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
e5a57bff8dbc08913f2c554dd08e5fd7

SHA1
6e80b33228943066c7d1929b5928b54d5257b36f

SHA256
5c6ef398e9ca1f1a4d26cc9ec8b2a764593b72f467eee49a51719e1c5e2890af

SHA512
e83facf69166b01d2d621439c7ebf4a6af19b465700658769d051f3ef241689fdcdbb08428294b08ce705ecc43ab38b356d38e33aa3066b99517cfdc6ec98edc

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
b7638a1e5f49973bc4f7cafd29fcb52b

SHA1
2a6564dafbc33978f4d7b04f022d14512eb2a2d4

SHA256
ec618fdc17ccab768b6df2aff8d68291a705e1a95298abfb4e9b0cb67ffd217b

SHA512
744554d4e1891dce686f5c60b1e8a7393f33238db14f992bb574c072dc9835934529cca2949f2ea1f15816e058f18ec6293d926531783925594ca37867591652

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
78dd059d8fb8c67693b4731e2050174a

SHA1
a431b1b6f1b41febe86752925c023bbd7f23a9a9

SHA256
019b5c8d58aa3985fc0bcad422718db99a6fd531b029ecf908f763a9b21e6bf5

SHA512
5652379bd36c6ec0e0338823e1704ddbb3d967f765678c69798da4b51c8c54081213bbdc7df7d073c8d1dd4b9393336913aae6f0f02c5e4f804159e27d8c3f08

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
62267926cb73ba7ba5fce16a5869da45

SHA1
044742341208fe01e055a60386e1656e27423a82

SHA256
6b4da4d9a3befc85cb189b5320ef840c351d4b53b25dd9056e5a04685f8be5c3

SHA512
523e53b36a78a65d0151c54023b100ef8044dedfcc39c1491995f650e01e02c9ca15ffab5ded8e191157873a77b853d56caf73b048ba1bbc882b348b747843e8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
ad4917018e8c31189cffe700e20dcfbf

SHA1
c7497c11449f8cd4908a61cc330caeff773123d2

SHA256
75905f925ab6c88b4217915eb29c448a5813343f7bc6880145cb1bf7f6e7a763

SHA512
3145f4eb208a3e736018f3959b5c799700764319eb253c178796fc4b974a6b28124ef275425c0590f1b2a9bf6a038ebb5c90476fd1ba9256397a857ad1c003c4

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
4f3b8f8dcc1df9a5a6de98f66c49676c

SHA1
89073033ff53edcff5c395538b8223b7eb6b99de

SHA256
493d473b491387d34d7caeb712405c379108a815d6405506f7df734455c4285b

SHA512
ad21b777cac6e75904f82b08afacc67041a8d0ed75c09415f163efe9678a35ea172ef685251d2a09f4c371eef2a6c256d46739b15167498238746577444659f2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
edd393e6e958be14e6b4aa22be988177

SHA1
1378efbebcd0a950ebb1d5fe979ba4ad0db8c748

SHA256
2a33a0b699ff0b975bd63b49c12b0e23c98249cd50213408477299929582616e

SHA512
3a58785802ccb7e5b6e2595c0724857b3855bcbb2b95f9000d911ef97ee320406af58d8ef33bf490aa78d3fb7362f27f2249e793f688033a55d3789badd03946

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
b3c2cd8a70ce1f5eee0d607a6709ed57

SHA1
92d95b72b1ce0cd6c3845fc0690d219cfb360ad8

SHA256
f61eb93c7d8b20337cda1e6357ae904aa9b6ddb4ce706e7de9f22ea2fc46fea1

SHA512
c0ed854a4da9a9efbcde659ae1b44b34ce659ba77623d631fdce9351038dc928133fa5d51dcb1f0fd75a4d9704e7330e72d3b72e8e0f5fbe051b44e502de1288

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
ac713e6b3aa8154d5b80cbc7a5ab8ca0

SHA1
cf7e1ea05e5449b91f27336eb100f2960d5b5a62

SHA256
5249448076b1691af222d480e4a88b29cb4d337ac07f3e5ea8adaa504f963129

SHA512
c1c1fa350fba9b00d33870f2642eead3776c18ae3e0241209483f3a4e1239fc1357854e3605b4a6be2b2c88289fa35105feb6014549933b5af119dc6f43af788

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
162d341c47a5001ef14aee4d75cbeb1c

SHA1
dd0874bea985cf286d1e5fe8e8d1ea37d020972f

SHA256
e8dec62ac42dec2a6285471f77a530029208ccf020a313bfb27122aa2970ddae

SHA512
95ac5b9192edf69de571c4f4c75de55cf2105e4a02dc3dc37a64a941253f325f1a3997abc6999b71244a25e8206b2d1f1b7705458d15c6f1c432284647978817

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
20226e0b061b7b6c394b08421171c970

SHA1
3cce6820b344d7041d8ddc7dc4428a6fb070f4ff

SHA256
1d7a581ceb6e7e810a7a89e704f6d6a1f1384265a42f530702418291ec517ac5

SHA512
a7682aeb08dcf842601e6b9b2bb48e491eded32c2230073ad9c613f7c66741396860b6e97e3cbd0d314d6c9bc94f079b3e554049927b9b2a5b994e97d8e293a7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
cf47a4dc5264b87a7896309a8099c4e6

SHA1
84cea7cc0ba457f4ebbbd7af99de2591d56edc6b

SHA256
0e8aad3772f76dd4c8225435a72efff81cd5fd413bc0eda0092afaad3c3b56ee

SHA512
20f178d4bbde67d6c6342c6f00e93be2913300b76632664c089007e5f363c490bca045d6f0c9d8cbdffd984772db7cf702e091b5afe9761744f046415b05814a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
9638d1093a26856c5813c85392df50c1

SHA1
8f0fac31b5906790d1c02f4904273d7119f25209

SHA256
71eca83a7fb97098e7e4cd320fa959c17d7c024339c0360a31ac81cbc21db46a

SHA512
cfdb903821d2b6f528d27675e3f2db86f7a262ccbb06ad84a410fefbf8141d67ec1fdc55fa0585501d7519149a55c3da5d961deed94dfce75d2eeefa7d4c2c97

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
5KB

MD5
3198208a2a10c065253453ce9c2e1b89

SHA1
3dcf16a02174615a9657f639fde9e763ce31be86

SHA256
45c50dee271756308b802102cf0195e2920cecbb356884fc58a64447ecd2710b

SHA512
393d54c4dc1e0fddaef6e0d20c141b73d9864171e6d4d92873cd73610eb33b9a0086fa0aec6c7f90710470013d37df7e06fbbbcf3678bdd293862eb0634ccf85

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
22eda72e9efeea9daa6269bcbf1277ce

SHA1
b292235e770d6127a6a9d5e49cf6803fa367d25d

SHA256
e1bc53155d3d8bdfa509f82c6ec6cc5c86d8ae2e4c61932dc969c1678247eadd

SHA512
cf07b6e43ec6aeec14cba807f006249fbe8f19d22f2d68c36e9cc52aa1eace28178d35f4265dfa071d42100b6e25bca625bc1036d1ea7560897755700dcf94c9

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
87e5ab42c699bfafb73dee7eb9ae093d

SHA1
e26c8a77b3a57b48585dad1c910c83728e568929

SHA256
ed58c9fbe2a591828f3d1f80de5d232cb042854b26a7b31754550275b61cdc5a

SHA512
43187beaa26e1564b6481ee57295f3474c9befd88ab2552cceeab0f8eb4a2eff82b373f4520dc8656e91fa118cdea95a0f76a528c3ce23be87d5d50e1ba903e1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
55985f63417730593b9594df053fedb3

SHA1
aac867d1280433fb11259e76d4af1bc5ba80aec5

SHA256
3d3ec47b03809a298a287d70eded2c7311fb17d14d8aa14c58e94eb49589b3b6

SHA512
6e97af8c25216851d638a804d8a16278c8bb1504942e0032efeb27d2f1b1e6cddd4c39c2b88c1fe7bff20f38d933aa788e979847c5ae2c811645df5604e05cd3

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
8366ec97f15319f2f32a176a4e13da78

SHA1
7cb177d93021b93dd0c34029fe694f374e16aa2a

SHA256
1752c4e8a2a32ee6b527c24c926705e05e1d5661c97dbb81cfc3a44d284690e4

SHA512
4e65a5a2bc10883c01ea78938bc514db502185b3087dbf3a37644316c6452aebb7523c0e18bf9d6e8ce0c1ce17d0ce2e40c5f3a264957a730795d990ce886fac

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
0b42fd3b416ea4ddbb4bfea0b94f8d57

SHA1
391bce26363261c793c5d8f350fd83a05d1348b1

SHA256
8a036324bd879cc6c7c4d41fa95e2aeb0bf094093d8d5b9c1b788041fdca8f34

SHA512
5913ac6d5e0c84c303d12bf0bca5e0208ec3419fc08e3125b743ff1b8dbedaf28ab2e2e9992088243e387a877b3eb2d6e2c08282570b6541218b8428e8fb8e63

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
0cf86ec2898a1aa0fecbbd84ff001b2d

SHA1
da4cc15d6754610fb6e4683794d2bc6e784233a9

SHA256
7853c24a0cbf4e5a9f89fa448954e776ea594df66f46eeeca371b1f47d2e207d

SHA512
d9e2a299012ff9061ff515d5ded546dbea6618a3e9408c88b5c58befbf882f04de8ef20fc33e32668d82b2c7526505a63ad9a2ed8fe1267570eff377b6376477

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
9479d8d31b5691a46b76753385d2594c

SHA1
0e78ac7e576cc072bce936c56e13d4d85d096c47

SHA256
8cb6117bef8c1b04a5d03fca30d0e5770f6f7ee8bf6c9b1aaa0e7826684a2dca

SHA512
3e52483210f4b11f0c61a3b256cd1d6f58f2612456e6051424875280c6a0e7c71be8162a7c696905ccf7db6288dbfec17c287d9d40b3d65380e5dea0ae35f024

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
e37c7196142c85e6b3d0e939d847932d

SHA1
03081747290fa20de4594eef1d1025ca140fce0a

SHA256
5e2df1fd563b8c65a2218e78b084abce9ecef6f8b08a31b2ce0599bf0a81441b

SHA512
d2d930b01b078dabcb591c093b9f8c116ebbc28355bbe396153d7147f5f6b8ebcbc9258ee5bc82cac0eda780cf9fc9640d0a58e2d7f63488681dd4ad7d4203cc

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
87fbedb470cfe25b44ae52187e051f1e

SHA1
93a98977f7bd4d5ec906b00d9f3cbdae3c829276

SHA256
d5e4fc3ae04fa9005b9674d37f9ea6522635bb0dd894ed0e64aef20a60b6e98d

SHA512
b41f549197028dd96220a1e1cfecde87d41f8e07646df6036ad1c37bba154fcd4af6f719eb10460e06d00bb291b59e9faf1ab31bf8974b49e9de6caca706e1de

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
c6602ec03c6f158056967bce708a25ba

SHA1
2bbdc4ce9e430383398f1ff72b4ce908bde01293

SHA256
fde597aa8ce80e55e5f53c113fa9593ec5af7e333f22daf87a091e4f3929e763

SHA512
07ae69b19d3eacd5c81fbbb897e0ec26feaee6a4c0c8126d9dd8b21a179f3ee1b61ab32b2ccf43b150909262cbed48e9b5755bac78632a581d0e633f745f77d4

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
36c0e193bc48b52af805ac882eaee7dd

SHA1
506a7c458356a62a9ff86acb7a42ec35cdea40c9

SHA256
47d1f77906688d2a59e6fd1148fbfcc1743f9d366ce5ee2d06b6697f540d3116

SHA512
c89a70cc341d433f8dac15b5fbb68cedc6ab66de8583be4093f6e66b481f8cb0cddb69b210bcd3bcae32ea080118cf6200774e09d798fe6d70df56361543a0b5

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
d56b281f958f90e1788b01bd50b7ca3b

SHA1
b33c5bff238e7fb4082826d7e163130a66562db4

SHA256
f4ac78b026e88e0e79e3a2da79adb754c878e14e3ad7bd5e09c7103465b1c273

SHA512
c1399c8ded0c5ee914786a9e752866089ac3efed6d543f29ac0c103e93783a20515e635f662f3e07827789ec1b92978202f994bb812f50ae7f4b79f0229d4e54

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
95f220a14ed3845a84c116605d70c80a

SHA1
0a0356bd86f74e3e53f9443a8acb1d877d7f0587

SHA256
20bcff5ef6472d6b1fbcc1585e813eaf447c4880b3353eb7474a2f510e38b341

SHA512
f2101c8f557bad71c8f4da79a0c0f32131554649aa550c792296dc96665242c1721672a4dd728932a354997bbe622b4064df7fa8dee0cdb2e7f9c79abdfc9253

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
584KB

MD5
d64b452795de4f936ed753f0b5c1c208

SHA1
14937027fe575a3cb3f3850eec3bffc30187ac3e

SHA256
9cec0c86d11357678098934c0f7b9378581a8395205bdb4621c635729eca621c

SHA512
ef04f2697ab8598c8c38630e561a1d5dd45bc59c6f24a133604a90a8b9e225666f3d775475ba3f6e813bd0b737f746e00f46f3de43c1eda9cdd5e41174bc61e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
64b3a6e4613505a7ea91f27c23832e55

SHA1
336917cc536f60aacdfbd8e93ac2e64e8cf362de

SHA256
e42b7d23c179a1648bb9901606b96519be6909daf545238e6127192af6bc8b25

SHA512
708b93eecaf0f158d0dacb586e656f530e6b1445877b64de5ca683637d72f453349e242afa0b81f395500e56d9829b3b0cdd98c1ff556886edf0da6c8c7bb757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
504B

MD5
eeeb0689e77835b39d0db64fce3b7337

SHA1
7a6b1237947fc38a7173682e84cc1495ea32166a

SHA256
36265e8c2327ef20d3f4ab9975f33d8843f1558e6464bdc44e208a7a1cc5e797

SHA512
e7eff0c1bde94ce66e1462c11a87e45bdd1c8a6f5da7332c8e7b29ab56f7f2d1465b35813bd7be2b5a348bf5b386b5c9472c197b4ea47b1c60e7c901b169b88e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a68bd8791673d1598f9812eb4d1b0c08

SHA1
5d27f59af6c5fad3afc2e391bc51d200a6345c8c

SHA256
69f20a9e80ab5ac2b18bdb31db0a7a431dc9b0199880664251c5987dd0d4246c

SHA512
e72bf5f4e6bf2009a2c3cc91f2753c76e429e86c28ac5c8ea19830b9da951ea2d4e4cdf35bf9726cb30e3f5902775de1d446a182808890341dac0530c22b006e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
de36ebf011d4d4814cd5a547df4bdadd

SHA1
eb6511638b78fa0e1354e9c542b4cb23736c07e2

SHA256
677d607591c6843fa59ca96e99c2f191b4bc64659338a4508e9ae34b560d15e7

SHA512
6d5c413286923f43e347985849bdc381ab438e561f77495a87d7465fa13b71c8c59bc04dbdcf7312595741e88708f69f9b306c6703e832851985842a8704f592

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ae3a24ba69c9e9ec36390e2847f70a55

SHA1
cafc7888885c98de4451de05538026ec69ac3fae

SHA256
18b89c16c349755a73499b2b3e77c3207aa1c7d4e53b63a2a06659289007f3ff

SHA512
9a18107a3fc35bb6b7556ab93753d11bbbeefde2987165bd3c279bfee1312d811d4ba94aa018eabf67b4db242c54b4142a5a01c6e3a0758645418c42f165ba5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2943c44b1f7c7264bf35cae0f0b5aa3b

SHA1
6a24e969d62d262ad244999d7f97ed8492eedd3f

SHA256
d80f6f4a969ffebf89f52372cec8174bde8dc7e2dc9b07eee2b0919f6721bac6

SHA512
c131a93563226b37cd7a0a068fd065450a0914c65b95213bfd64ec1bdb1f6595e63d45d8fc7e290e492177db492e0733ad887f618c0bf0ac548ab8e881f3be42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1dcea7cf4d394f024226e4f8f9dfcc9

SHA1
6df231dea0ddaa3d2d353d21f10815e7aef32818

SHA256
003a8beeb31a6f2b8f2205bb641c88eecf4828fb3089c1983eebd0acdb78587b

SHA512
410cb06536996621231b0dd8ce5c316f9aa941ff10668e15d4b3ce5714ec6f3889ecc82d537935a4876deeec2f94257f7a2bfbde3ca484f2410d0e49e3602739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5980ca7cdb7bbaac84830a3cbfebafe9

SHA1
4be82b8b52d587a6e90caef79a33beb6fbb693f1

SHA256
b4e96c3c8e48ad3b44ee4a8380d12174fd0795c391912075e8163ace0174e02e

SHA512
093cd5dbe3cac5bdf4a28c93b14fd51b0ac968cfae371832e375dd5747b394562bbec4da72ca2229e5245d5fe885b273044ce6aca808302cc57739c3af45ab42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dac2a61cbfc8d753b60e4de3dbab7505

SHA1
88c7737658c501ed456e509fe038287eb7a56c61

SHA256
cd28aadc939b8b3033653288b05fedf1e976cc6618863ec39faafce2af8ec55b

SHA512
cd2ffe59481727513693495fae75fc9d7e66ab8dfbb3d4f6d6dedafe1bc941b0fcde27b61df557b60f238512c0850f8b6f258a06654d6b23a17c916005e7975b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
be266b6a510907bb91b90b17079f4c78

SHA1
237dab7bae0d3201e74b0bbf69af3aab414ed9cf

SHA256
1b20dda82f9738467e46b98d75ec262425d6ded9f05ac292457657df53ff1e5e

SHA512
6590ebdcd6a933fc9dc8f649ab00c94a50b496cffe78ee514b47b6e218c4644044c8625d5ec867689ecb861ab009dda15414f2291337a0481e85d330d5aa766f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
9494b5add7d58d7a50843c1d14f2c8b8

SHA1
16437e6e1805eb905ad637dc8af1a8029b5b24e2

SHA256
1be457193d1f30d6a07362d054f03d0b307309534db298b4fcafbc4a1b66abe0

SHA512
b27ef52887fb5bc91503343b681ab4823352d3679eece7ace4cc4706520431ce496beaf05231eeb47a577122ec2aaa1fb86c3f2f21b9dbb3b7b53de517f9ab39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
71c44be1debc6ca0e8e61af21a9029e8

SHA1
23553bd11ffd1c09f21cf564f91f6825f03d8307

SHA256
535c0800d4ced9a2a68a85ebd4ae2f0a46d03a8b0509a9df4ff5313cf13502df

SHA512
af3536e6136fc19b6b6bc598c93e8a075898f25603ed24bd01280f2379f3606124bdd170e142e5650256bd944e02e7f7fcdea30c514cf21e94175410b8260b6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
4a0fd831e01af83f49fe75dda7b61916

SHA1
d2d75182bef5cfd2865a2edab42abcb14e5c9536

SHA256
a8933788413ce743fdb311b257d8a54e80d8685201b3223bd82047afe93193fe

SHA512
cb955c3d31029032d5576c284d0593d100b09e569181d2090aeb5f7dd9d6c7a51fddaa0fba04ade7c21d13ede7c639779cf374892bc91b879f06360772d4cede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
9e03c3bbef04dbc9b3050b9dc67d97d7

SHA1
4a4c922e7e2e3ab51ccc577c54ebb4aa5c28db68

SHA256
70be53d211f961de2580779ba29b903eab58120e0318164199ea429ec62213d1

SHA512
c55a3d142da5f6e120f11699332390dc3cff6b58c8eea84972d877a2cbe1bb3a9220e606f3840e0f049343c2cc1f6ee82009037d104c5c4419dfa2587a844659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Infected.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usrs.p12

Filesize
1KB

MD5
ae7da8a29b94bedf059fbc641a79a532

SHA1
ee388c292e3c26bd7f3e83d8a711d3b7936eb8b1

SHA256
81128a72555e143053403021a0172fc848b1fb087d30262430f9f0030c1e7480

SHA512
56a55441dd129cda45e77ebc69e635e7f3353b388e2dfbe56fa989a0eeffb740b9f652c9caa1865f13ce8b8b8cc05e07b5c491bfea6624c0acc3379a05265a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmsdxe20.nho.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp76A3.tmp.bat

Filesize
161B

MD5
7c618691a4b188620606aa5d79755100

SHA1
60c1bfc09842b5806225d33b76bb0180c75fb6d4

SHA256
81231b093e44dbd6afb235b43a84b8ee040c611454ce75d7b80466ce20251caf

SHA512
18c7c5231812720aef98fd919a0b2320cb0a58055d30e060eead26b1d20e871c65c17c683dcca6065e34f8370d125dd4874173f02047b3a3736fc4dde7904ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B25.tmp.bat

Filesize
151B

MD5
c168d515408fb0c1565a9ee2ec6c6bc6

SHA1
f059ddd7ad842e62225fc4d271b8392397d1d6b4

SHA256
4d8c372de87186139e1afb39134600cf1befbf74ff4abf4f47a26ed31715315c

SHA512
3f7e9d0d6bbbbe9700c68e5eab727a0e896e67c15ba93ec3b84b317ec634109186ebedaf0f76f6d943b28dc73180f6db32a2efdb97eba6044a4d4e8a35670ad8

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_bhennukkrj4ap4ybumzdxwrmvm3shh42\4.7.0.0\user.config

Filesize
1KB

MD5
4b01719ab493b81d429c574dbaca15ef

SHA1
719ef1e4e6616a3d8afce09de7f89ddcf186a3a3

SHA256
33ce546b728989bc9ff5dd4c487a87723e5eb7b3953b7cb56e747747411b6c54

SHA512
4d5293d8b58c793bbbe6dedc061cb4fd3e7302771ee91789240ecf80f2f79d08dffc36d148f755107a3d12de6037ab18c57cb42494de80a40d90b64bb04ef234

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_bhennukkrj4ap4ybumzdxwrmvm3shh42\4.7.0.0\user.config

Filesize
1KB

MD5
495d368baef768dd527dd8b772702c87

SHA1
20ceb83c7076024e0491f169173607aa4a2e3931

SHA256
38f1820a88401c8e117bfeca56a11aa06dc806a175203e86f323dc6fb81fb3cf

SHA512
75770717f4bc7c9bdd13d747fdcd6306c38423b1b5d908b5d7cdf4da1b7bbe722f65bb52e63c61ca6da89981d8f5a99035c1d610a0fdacb706a046520c291d18

Download Submit
C:\Users\Admin\Documents\Infected.exe

Filesize
63KB

MD5
514fd649d36f68058e98d205ace22fba

SHA1
b1774fbba21389292120bc513168e2a74b309188

SHA256
3e973b97756de3845c1655f27d539fce87e24d4cd313b27f698f3b9d2eedc7f5

SHA512
c951a10d3cefab538c643e6c366995c8d54560bbca39f3b97c5ef8e42958db40337cf6afec21ba45b3c42af0a357c426595dc66574918fbc9781669885db84ac

Download Submit
C:\Users\Admin\Downloads\Infected.exe

Filesize
63KB

MD5
e87f337f9a721d3104f15b2c8dd02288

SHA1
b7ab289af84c5815d57787fe024adbe991661a37

SHA256
14cddc5b1baf3b0730270832f54ea7f27d544e1b2723ee864bdb4a3888c3e6f0

SHA512
901566ca4a5fd7bf980c024bacce683c7ca0b895a903926f18e4978889b03f38a9cedc1af486e25102194a9b1b0566ba9d9e97365014c6f43e58be6259e85c34

Download Submit
\??\pipe\crashpad_2428_SIAMYIOACQAHLPRQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1276-125-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/4120-477-0x000000001BC20000-0x000000001BC52000-memory.dmp

Filesize
200KB

Download
memory/4120-471-0x000000001BBF0000-0x000000001BC20000-memory.dmp

Filesize
192KB

Download
memory/4120-137-0x000000001C7F0000-0x000000001C822000-memory.dmp

Filesize
200KB

Download
memory/4120-136-0x000000001C7B0000-0x000000001C7CE000-memory.dmp

Filesize
120KB

Download
memory/4120-135-0x000000001AF00000-0x000000001AF34000-memory.dmp

Filesize
208KB

Download
memory/4120-134-0x000000001C830000-0x000000001C8A6000-memory.dmp

Filesize
472KB

Download
memory/4120-478-0x000000001D120000-0x000000001D154000-memory.dmp

Filesize
208KB

Download
memory/4120-503-0x000000001E4F0000-0x000000001E9BC000-memory.dmp

Filesize
4.8MB

Download
memory/4340-467-0x000000001CC60000-0x000000001CC7C000-memory.dmp

Filesize
112KB

Download
memory/4340-465-0x000000001CE60000-0x000000001CF12000-memory.dmp

Filesize
712KB

Download
memory/4340-75-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

Filesize
88KB

Download
memory/4696-28-0x0000000024C50000-0x0000000024EC8000-memory.dmp

Filesize
2.5MB

Download
memory/4696-14-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-476-0x00000000046D0000-0x00000000046DA000-memory.dmp

Filesize
40KB

Download
memory/4696-0-0x00007FFBA6CE3000-0x00007FFBA6CE5000-memory.dmp

Filesize
8KB

Download
memory/4696-41-0x0000000027D10000-0x0000000027E2E000-memory.dmp

Filesize
1.1MB

Download
memory/4696-40-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-39-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-34-0x000000001ECE0000-0x000000001ECEA000-memory.dmp

Filesize
40KB

Download
memory/4696-1-0x00000000009E0000-0x000000000407E000-memory.dmp

Filesize
54.6MB

Download
memory/4696-27-0x0000000024B10000-0x0000000024B22000-memory.dmp

Filesize
72KB

Download
memory/4696-26-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-25-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-24-0x0000000024A40000-0x0000000024A54000-memory.dmp

Filesize
80KB

Download
memory/4696-23-0x00000000247A0000-0x00000000248EE000-memory.dmp

Filesize
1.3MB

Download
memory/4696-22-0x0000000024070000-0x00000000242C2000-memory.dmp

Filesize
2.3MB

Download
memory/4696-21-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-20-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-19-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-18-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-17-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-16-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-15-0x00007FFBA6CE3000-0x00007FFBA6CE5000-memory.dmp

Filesize
8KB

Download
memory/4696-102-0x0000000004680000-0x000000000469A000-memory.dmp

Filesize
104KB

Download
memory/4696-13-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-12-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-11-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-10-0x000000001FAA0000-0x000000001FE60000-memory.dmp

Filesize
3.8MB

Download
memory/4696-9-0x000000001FF80000-0x0000000020568000-memory.dmp

Filesize
5.9MB

Download
memory/4696-8-0x000000001EB20000-0x000000001EB32000-memory.dmp

Filesize
72KB

Download
memory/4696-2-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-3-0x00007FFBA6CE0000-0x00007FFBA77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4728-488-0x000001C167160000-0x000001C167182000-memory.dmp

Filesize
136KB

Download