Malware Analysis Report

2025-03-15 08:22

Sample ID 241020-1vtgrssdng
Target Infected.exe
SHA256 efc1995469709c3c47b68816853480833240b5d455b975cd5dc1e13545ab3ea2
Tags
asyncrat default ransomware rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

efc1995469709c3c47b68816853480833240b5d455b975cd5dc1e13545ab3ea2

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default ransomware rat

Asyncrat family

Async RAT payload

AsyncRat

Renames multiple (1279) files with added filename extension

Executes dropped EXE

Checks computer location settings

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 21:58

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 21:58

Reported

2024-10-20 22:01

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (1279) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ppasshole.exe N/A

Drops file in Program Files directory


Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ppasshole.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ppasshole.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ppasshole" /tr '"C:\Users\Admin\AppData\Roaming\ppasshole.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF85.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "ppasshole" /tr '"C:\Users\Admin\AppData\Roaming\ppasshole.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\ppasshole.exe

"C:\Users\Admin\AppData\Roaming\ppasshole.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 options-printing.gl.at.ply.gg udp
US 147.185.221.23:29154 options-printing.gl.at.ply.gg tcp
US 8.8.8.8:53 23.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 147.185.221.23:29154 options-printing.gl.at.ply.gg tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.23:29154 options-printing.gl.at.ply.gg tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 147.185.221.23:29154 options-printing.gl.at.ply.gg tcp

Files

memory/1704-0-0x00007FFA71B93000-0x00007FFA71B95000-memory.dmp

memory/1704-1-0x00000000006D0000-0x00000000006E6000-memory.dmp

memory/1704-2-0x00007FFA71B90000-0x00007FFA72651000-memory.dmp

memory/1704-8-0x00007FFA71B90000-0x00007FFA72651000-memory.dmp

memory/1704-7-0x00007FFA71B90000-0x00007FFA72651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCF85.tmp.bat

MD5 7f5dca5efd1e7e989630a067ce9ac5c6
SHA1 846496ef43f7f70ff9ab4b7c6dbc18f94e971beb
SHA256 13878b6977e18684b729b1765014b552acd7c2a0e5caded56ef679db7e46d40d
SHA512 3afea4c40cf230888183fbe8fd9d7002d46f74b529038b707f51fcacace6114a26638de2413cfca43a877228fd38e0d9308fcb44670327792196fe65440aaa6f

C:\Users\Admin\AppData\Roaming\ppasshole.exe

MD5 e986330d6cfb70291985b064bcef56be
SHA1 1daa9abaf721a997df355d091faadea3642bb671
SHA256 efc1995469709c3c47b68816853480833240b5d455b975cd5dc1e13545ab3ea2
SHA512 889556c410f3d8cdc9412e777d36f1feecc857fcfac4a5d7fee9eda2de3507e7cfeb4393d7e1ff70bb040b74b8eeb11fb07ffafd915ce0e6a711b986c98272a1

memory/1704-15-0x00007FFA71B90000-0x00007FFA72651000-memory.dmp

memory/3652-16-0x000000001D660000-0x000000001D6D6000-memory.dmp

memory/3652-17-0x00000000030B0000-0x00000000030E4000-memory.dmp

memory/3652-18-0x000000001BB70000-0x000000001BB8E000-memory.dmp

memory/3652-19-0x000000001D7E0000-0x000000001DCAC000-memory.dmp

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 7ae0bdfe5d3f44bc73484dd530a23feb
SHA1 f976e79a8a949601845714d4eca6080283fc983e
SHA256 6ac7ef2fc734f986bdb14aeccf410a6ff0e21a9f7fd735d466286443012092fa
SHA512 c71734ce1f732b59ad984058cbbd788ed3b4529c1be8b08d56cd1dd66db927493675dd35911db62192e5cd1e4427ba78d61cdb620e08897b0f9d25215e48f996

C:\Program Files\Java\jre-1.8\COPYRIGHT

MD5 588861f81ec211295fd1e7f6a1d009fd
SHA1 7f9c84b6c6bdf40d80a33c8df5edf3b13ed4ce8d
SHA256 37173148343c048168057c84ef9a94d4979f89d7cafcb81580cd518052f851a0
SHA512 2f189e7319623322881a0337da0aef156b3c23257bcb82c0b022f533529a9d1d1960407cb8b88468c3359f09da09346a19fb2b2378bed95651a2a34d106bbe68

C:\Program Files\Java\jre-1.8\LICENSE

MD5 3c3a18e24f06c416f9d4dde326e55aef
SHA1 403705a1d0f145e19d4eca52a73519422eab7f1d
SHA256 e23c8f3ca12f11037e4424d0087325aa2d3c87ed9ada979f24de8b76bbd3c0d6
SHA512 7624c9e4bcc1661b9897051a2d0d77937a153290c7683360c0b4843910efed13db8bcd478094f4ca7fff8d49f778f025ed13e92a7e914b39dcefa442ca8cba6d

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 d47f26e5ede773dd0d1fc7844dbb7f45
SHA1 5d82b3c13edb859414b3a27f2838962970f1487e
SHA256 79cdc2dfd96afd0b5ed1fdaedd4b87df07f7fba5d5f92239b96a6b0e6df1413b
SHA512 b296fd701c4e4aa88dbe1af7e7e9dda42e7d2ebdf65a51de8585c7ab23852ef209273d34dc796dc2617d5a5943e92d65d55b6f3564d493f54184e968726ce817

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

MD5 b4aeb0831b9f3451e9fa779600691179
SHA1 e3c6f8e9dc17ec4aa1cbb08d636d421ec9460482
SHA256 b5d1bc760e746524ea5280a6b6c3ece36bb8c9ecabd58460010faf578e0f2688
SHA512 e5d23ccc1e6cd17bcbed276bc66c7e9060329f2503e6c4183dde81dba6d58b5b2deaf0cbe33436d6cdd652ecbe88793a0ae65fc38cf4a5ab23a7dd6374f4953b

C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

MD5 262f7264e6ef3a648b159d229419bbf5
SHA1 a9670152a3b92102872898b1bf613c77ff7c9f12
SHA256 e8e8cb355069f35c3ba6a95ae86b73f85783099579f5611aa850cc9f4b01a8e2
SHA512 642ab69e291a8db78d950e21ae5cfa10ab29f9e6fbea022a7f223c2be5def5c1062c59b8eeac9d7e0c467a4ede7c6f99c32643eb6121087ff5628f065deaa49e

C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

MD5 315c21338f1e9180778e16a6ffd0a4ae
SHA1 128d1b411559b66caec12b282d362c496febc8aa
SHA256 63aa89e10cee9433374b0e11f0356a1379ec0626ca427e469d53d6e24232675d
SHA512 a6ccbd6556c68c9afce2ba0c8cf2f07a6c2311f69900a3969e35f883a1295e61877d39281923cab40d987e972bbf37ddd024f31bb5343450ea46715a953036c9

C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

MD5 312a0723e6688525ae166995e2b87420
SHA1 610926fc2cd17d190b848f5629e328ce0e44b1e5
SHA256 be47291d2791da378c91593b4e97cf8cea42f629eda3cf9d70fea604d2619ab7
SHA512 bf50c611822019f029c6d6bf74e51792513aca9a521764651959c0f19228a28dae9492cf55aeb69b5f28624eea15a270e389ef3816d9217c4657121049afcc0b

C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

MD5 8b7b567c5139ded47061e102a2755c61
SHA1 01d33a3a44e2259d21ed1e0d35563ec84c4f3682
SHA256 1edf930677b52c08343c1fa879c627db105b335936f65fb7f8e0a838f9f72846
SHA512 96d6cab7f6cf0e8a5fb5dcffae015ade61506ad9a6c6d8d62c9e4e8a731d84877588a1a9eef9282297b85ba0a18dc442cca87d50dfcb562f3c22a8460f3a215b

C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

MD5 7956e2e193610592c937acf15b5adf7f
SHA1 ba0df23fdc9cbea5254275f7ed6a9e2bb4dcf73f
SHA256 026deb470a057fbd03c1e14600db96ca9a27431dfa6cb5b93f5d3c4f2c6b6a11
SHA512 2fc4dea2b5a142a4fd5c0317c3d03839ff67e815884289e0e5d7015f776ec1f7cce6a0d2dff5e8972f60fc27aee8cb0528fe4cc882e4fad523a8c5ceda9e377b

C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

MD5 64844c94d5f70118d1f9957b7dd109f7
SHA1 8c5879f3cb0f54bfebfaa3296969904f2ca731e0
SHA256 55f9efa9182ec0b3b7e58015f71d052a06eb69cd92ee37dea4bb2468cbf8ba81
SHA512 bf5f300c292b99ef439fef8c4c647fb5441f1a457d75c6355112fb1ad9e542a2f856a9f71ccd22284ca3361bb9e58d6c153095cf54695dd33be3d4cd14f843d1

C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

MD5 bba0ce7d2303d7e7b07daf96c17691bb
SHA1 6946dac6b19740db2a636a4819749d013c929960
SHA256 3d8c251ee54197ca6f07e057df6999b1ce2cdf218b1caa462c1d61e482449f40
SHA512 9306dd67bb35d6d9a2fe9f1318acb641f9f35966fa523cbdaa7a9a3be61e7c33e2a73ed7df753bdd7b9fc3ccd278b59371ea1f5b4b8f014ccbf5ddb495ca8947

C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

MD5 79cdcaaf35560701113112535764c0d2
SHA1 478bc3b2ee0bcea86d4e19aa2ff60277b6e47f99
SHA256 6a3d94f6dde312c84e82a7328cff952f0d1002104452768f4861f79f87f32da2
SHA512 3df36907afae424175865f2788028658c6b66fc99251a2d4ff67b8433925434347d6bc5938216bc3d6dbaf045457a45a856387fb73a66a99c011a8710d1a3fad

C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

MD5 0e7415fa02315140397eb06b434b3c87
SHA1 aff17ea1a5f2926dde42b2a0c000c323c9b30fc4
SHA256 12959eaf4472265beaed02c448fa4841918dc3b080f99d555e142b4248cd6f9f
SHA512 cf9c2d15223018db2225d03ac1cfcee7b3f72c36e8df328ed711caa512febc49a5ed9321c427815837e1dd0e91c06e6ebe3ff72c39a61579c338152cd81fedfc

C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

MD5 92f0749f8959db49bc0a835c6a4eaf53
SHA1 fbf8902b4e2db98756e66d8dc1aefb98d1a007c1
SHA256 519b1673fb5684fed099c165ae93cc0d8623f7891c27b4c0c3f68eee202b88d2
SHA512 da8d7cc4feb092e3c657e86717e7e9b03ad5b1cf3de884a62ece7d14e5cfaec9c182c1d6a15c0929e438d5ea0bb459b892fc54612cee87cb0e400df0c0599fca

C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

MD5 9891a2eb1509db64285e5f593f522838
SHA1 a2fa133727b8b00dff0a9214d319c5333fd2221d
SHA256 92ee9e964c63c332ad2df92da0d5ca992aed7e1cbb96c6a487d8b29a63304bd2
SHA512 d544403924902ce358e96ea81b3c7051c4897d76820671eaaab810f781ce568305d7ce7696538effee99ef2732f4713cd82ba4b28aa28626940505f3decddfba

C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

MD5 a61e55ba33b5588783decb2c9dea3e90
SHA1 224bc00e35fc3851452be611a9f87245579e6ffd
SHA256 a9210810e12ad128f423447f17f8348b5878878940bba0fb39c550c2bd1f86ea
SHA512 5eff17a2ba1f65915295ae3d9b4af6ef126d347713eb2d80e0d99e47f3dc7dc366f409b01b095612b4a4f861b4c3ce57899e00434feafb6bc09822b19ea5df08

C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

MD5 aa77ecb7b1da53524eb8bf67b32843ee
SHA1 57666acc7c1b5b0cae7598718b0b79df33779a12
SHA256 0c7b231882d4fc6dc3f8f99c9ef4fd4b4dbd8baaef52b95e0e316a612baed96b
SHA512 e21fa879202e4035f2fd8b1cc527d92b78f468cfddc9c0b1375501c16ad548cd1a64262697a8b28e2b8b8b290cd4e85b67a7329d5dc681a2dc2eb6f15e14346c

C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

MD5 4bc2d8f21478b8ad67b9bceec90d035f
SHA1 3fae93dcc8e2b4d20214a9a8680643f4b91a6592
SHA256 6515e4d5b2ef77e1a8d8f0c8b923025de4e95451f5739c3c92a07bf64d4ffe22
SHA512 90fa84889ece6dc39fa9681bdcab8ed27e134cfd65ef45bbf28b7066dc984f200b5db5f29917ede817236ed600c818f3d9bbe8d0374d3d8fcc390cba5f0185ca

C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

MD5 6d3bf2d48d8152111c4684ac9bce2d3c
SHA1 a5165c6607d5e5090a4afedd586f42ffe0798c7d
SHA256 28fb79b212255842b284c3fa50aa8184edcc1e5a8003d231c45d128da8212a21
SHA512 15dbd8e9f631848be9a9c7b2c62aef8583830d6bc86b9b8b6c2516ca79fc09c9aa12896ed7e33bffae419e74e6db6a012ff7039970965b038da0f7b1ce349ca2

C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

MD5 613e0355f32dab0eafb6ff85aadba380
SHA1 353c86ed2c1a4fa8aa028f2fdee03e70ff491399
SHA256 8a1537c5366f847d8c136d5edec737c49076c929aec28748af6588f60ba41c7e
SHA512 3a5b67032c043c8c882c7326a830da29eb737f5b06ede8248e55dbb130479722c0ccff350ff8bf1ca06c38c1de966d45563bb8d987948e8d1c755c2810178445

C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

MD5 db1403428dcd5fe4cca7337264f01b6a
SHA1 372f8e18d06c0364532ac930753408317155372f
SHA256 1231f6c75d6034f3c9440f5b6d14e566d339430be3f478b6cc1c6e617a571b15
SHA512 d7f236a3c5d44ff9b045a43389bfa8411d25cdd3c4276d5a19cbb95cf0771d3b9d7695c98de6186649cb270c57e2da2c080cc1105e3a29b3d7b0b955ed523c90

C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

MD5 ca2b90f06dad8d1ca484d7bcc6949f4f
SHA1 3ce07a129d254afd76cb82cd6fec18ec383fd807
SHA256 ff796b53a7bafc304977f001a8b43db0531b4ef30f3ecbac7c0c8de6e54c6892
SHA512 7662dcf00d092e5c6460ca49257a2a1e2d87c27a029c562e8c57972dda7455b2bd1ffde611ad031816905f8fb3863c92185d5791f0e5c7f673b25f39bc5529db

C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

MD5 1c1840605577238780fa426df92b2249
SHA1 be4a34011cddc7a3b2401b52f1caa8d0fa7cb0c9
SHA256 233953daf43951afaa9c13daf57d7d4025dd6ce4685f37d06dd1b024e20fe632
SHA512 d52ef3252a280127b4114675173fe1c4fc91a51524def3063585382e323bbc0be55fb5343e5a6b41d5eb0e50d3d6db958706608890916f3bf9434698a1dcf4cc

C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

MD5 686bf8c5fddbc4f7b891316a7e77617a
SHA1 616112b16990ace0ec70a17a21443b8afc75c5c0
SHA256 1c6c5f84d4a0999f600efae61bda53a4d800d4ec76d9aba5d9d7a80d82b7f5e5
SHA512 c0709948f57c102e1e0cf43a5bc08e35fac259024fe132930930799caaf5b0d6b611f9e3d443c821f3dd465cd8d50575dcc407b55f0a4a508853e33297ff6237

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

MD5 03ee76d94555f52021c1ba7c06e9baff
SHA1 7c21b15474b66efa87d32b280a992d9c0da6dc09
SHA256 1d660cfa5ae9d9601f29dc2c65f4f073715aefe4c3d3e85d3ce77c38d5c5c17f
SHA512 b06b15669ebc4d08d6488b4559e12b7a79e43081a4aadb634338297bbf2f24938a20335ee88a02cad93d0c5a0c5686eab051c0d355f59ce17cc8de59a632bec8

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

memory/3652-2578-0x000000001B440000-0x000000001B474000-memory.dmp