Malware Analysis Report

2025-03-15 08:26

Sample ID: 241020-xzktmsxdqj
Target: Infected.exe
SHA256: 1865d9a284b83545fb8b06802f90948b65598e6a7ceebe4b19e49430c02aee74
Tags: asyncrat, default, ransomware, rat
Score: 10/10

Analysis Overview

score
10/10

SHA256

1865d9a284b83545fb8b06802f90948b65598e6a7ceebe4b19e49430c02aee74

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default ransomware rat

Asyncrat family

Async RAT payload

AsyncRat

Renames multiple (1282) files with added filename extension

Executes dropped EXE

Checks computer location settings

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 19:17

Signatures

Async RAT payload

rat

Asyncrat family

asyncrat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 19:17

Reported

2024-10-20 19:20

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Renames multiple (1282) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\cool aids.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\cool aids.exe N/A

Drops file in Program Files directory


Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\cool aids.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\cool aids.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\System32\cmd.exe
PID 1572 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\Infected.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 4452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4636 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4636 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\cool aids.exe
PID 1304 wrote to memory of 5620 N/A C:\Users\Admin\AppData\Roaming\cool aids.exe C:\Windows\SYSTEM32\cmd.exe
PID 1304 wrote to memory of 5644 N/A C:\Users\Admin\AppData\Roaming\cool aids.exe C:\Windows\System32\cmd.exe
PID 5644 wrote to memory of 5708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Infected.exe

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cool aids" /tr '"C:\Users\Admin\AppData\Roaming\cool aids.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CD1.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "cool aids" /tr '"C:\Users\Admin\AppData\Roaming\cool aids.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\cool aids.exe

"C:\Users\Admin\AppData\Roaming\cool aids.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cool aids" /tr '"C:\Users\Admin\AppData\Local\Temp\cool aids.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "cool aids" /tr '"C:\Users\Admin\AppData\Local\Temp\cool aids.exe"'

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 options-printing.gl.at.ply.gg udp
US 147.185.221.23:29154 options-printing.gl.at.ply.gg tcp
US 8.8.8.8:53 23.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 147.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/1572-0-0x00007FFBD2923000-0x00007FFBD2925000-memory.dmp

memory/1572-1-0x00000000005A0000-0x00000000005B6000-memory.dmp

memory/1572-2-0x00007FFBD2920000-0x00007FFBD33E1000-memory.dmp

memory/1572-7-0x00007FFBD2920000-0x00007FFBD33E1000-memory.dmp

memory/1572-8-0x00007FFBD2920000-0x00007FFBD33E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7CD1.tmp.bat

MD5 497b5e50d04897910673bce1a0715e72
SHA1 025f684f1a2d4d487e736183af0131bdf752c389
SHA256 637b9bd84785a2bd183981239fda6dbaa2a489f55c2c5d34bd5df246146446c1
SHA512 f8522750b73197730a9a394476a875f455a14fee170fba6b56127bb53cccb318d740472a2d84c70f0cd8a62f0132459dbd6d02cb1b4f565ea39ff039a15f000c

C:\Users\Admin\AppData\Roaming\cool aids.exe

MD5 36e9d327e924e1c2eb407b010fc0f7ff
SHA1 18c1f755f08c15029164feecc2ca425d4bb0b06c
SHA256 1865d9a284b83545fb8b06802f90948b65598e6a7ceebe4b19e49430c02aee74
SHA512 1d5091aa4e6180a63a6cb7a03fa3b26afa5aab0a2c5748ed6e06a7296719f3b767a74829d67a8930338b24af4f8ded9f0a1939811a8396c8859ce0c15a2744e1

memory/1304-15-0x000000001D0B0000-0x000000001D126000-memory.dmp

memory/1304-16-0x000000001AE00000-0x000000001AE34000-memory.dmp

memory/1304-17-0x000000001D030000-0x000000001D04E000-memory.dmp

memory/1304-18-0x000000001D490000-0x000000001D898000-memory.dmp

memory/1304-19-0x000000001D080000-0x000000001D0B2000-memory.dmp

SHA512 26c0bdcbf7ecfde8d218b5ec13c7e19e792b186de3ce5731efc22e8613d6065f25b6631c7b337bc70352a03db6058db9d30d208dc140c8272f218c3e09d01063

C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

MD5 325b08bc8f8f8fba12275fac90571305
SHA1 bd734c6fcd52e829947f8acd0c65274f0ead5025
SHA256 e25e667cc179d7475689eb1c3d217caaaedc2cf65aa120267f8fbb8421545522
SHA512 bf92cb3d0cb7f9af489fc89a07ed563576decc26eb9f763cf1ddca59f9be5d9c9e01a46b5bd3ff6a554f873a38ca104d899931eef12b2a814b88346336c4f74c

C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

MD5 7e68abcfd657d5bfc677fb69edb1e35f
SHA1 cbb321741c36e3ad2ca9af780e9c37a77d317180
SHA256 c0dc3504a2e73de475f138a0251eb0552f560df40be44c5bd375f06a7d90514c
SHA512 241f1eab52c16f92c0f94f9d4d65033c2ccb59210a59fed2f442f4c3927b45c853bd3ebaed245c7f01900ad3a569484dc53920fdad0000eacf57704e26dc0086

C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

MD5 4f1b026bd3cf33b7df7d857780d2343a
SHA1 6dfc65978274bc065350389e94b022b88757b8df
SHA256 8f3cb6e059eb3bdb8e9b2defdd148e42afa99c5ce1cf2eec71aa33c8eadfd080
SHA512 bec9ea0a70bd89dea10615fcd0456b56c2fe6169a00607469eee71bf8d018789089e22a885e8a15d1c5b948c3700403881c6f984d175b51c86edf58f59f7f99b

C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

MD5 a959bcf88d82ccdf4298b8404ceebef3
SHA1 ab544c9bb2cfaee54a48de8201d4d43f7d8e6bea
SHA256 2f25fd517343685422553eb1235436d6c497f7d1bdb990c29c612caf00ca8c08
SHA512 3965fb5c00f7c0f0a174a13187794dfef3137ad077ab88f9fdc56f17ad9f5a5d18e4af11feb8903b18c369fb1b50f1036009429401115b4f61919f74130acac5

C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

MD5 7744e82ea19faba341b9d56ce0b2aa48
SHA1 6b177c9b59165303ad47a2af905888f978f5b7b5
SHA256 84cf3d1334c28bc5afd4b8844358997c3e7df17bb5a12ca5e4323601aee14188
SHA512 588b602cc03d04581ad31938b6ae96378f1b8f14115881366a1fecaac71cccf45466335ab7b5a80ff709778608781bfd0834e8d1aa44f53319aa7fa375d64879

C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

MD5 bff8602a96e6ba338ba1a16820fe26e3
SHA1 1f3415c9c42aba85002a6116ff9bea50045ae468
SHA256 9ae9ccf3cec20c81f0f9b474984ef0c9921c9ef9c056afbe22e05a37f0c2c952
SHA512 d4c602de7e54ed1bb2b43a424b6e1923ba12eabcae7769465be3b432f6ea7c87f0ebde381314057ca6f0ff9750a6fd2a53b691611b0fe2ce1cc029c44eb65b52

C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

MD5 13b3bcecc25d20b0a6c1b0f427a3492b
SHA1 559803778ae0e28ff2973b4712e1cb704938cd93
SHA256 a7b20dbe803b9bdb8c26c38c20f2bb04efa85d4cc2bf277ffabbc0a5490da0ed
SHA512 4bcb5c3855c428040712b90fb48a25ab1c0ce02f2ffae6a8eb1578b71b7d847ba4e3ce8043e822ff57429778f003b97a5cebd748ed5d9d2024e91e9d8bb2e102

C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

MD5 457d3fece049f6753b5514eb21012d83
SHA1 31876ca3d4f4cc852987c89daa5d59dd72c79f9a
SHA256 3f2bc0caad901ea74e188bbd7b609f3b3feb98fec1f104acaaf1ab65c58aecf7
SHA512 98ff91eb9c2c66e4d45c172b4cee893e3a67d0f2edf7be7aa3d926f043e7ccf0688dc31536af6aee136630582036319c0418b802ea732fa2af0e8e1af01b33cb

C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

MD5 13ee6769b71e0facff8146b707ccdf7c
SHA1 0cd6a185a120a31e4f3f25bfb7ac2dab9c208bc0
SHA256 a144ded86e26d978c15b6b4183f12e9b0d75b5dbf4a83fded0e1755b6fb5b8be
SHA512 800baa8f22ac81c6989fe7a34733dc5f2fc44a8946de466d7bc51e9e5071dfcbb36b06833eedcf0123b1d8985a35ce05576b00516c563e11e7423f869c4e3ff6

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

MD5 f639a1a71e998090a7c9c4f1b4c7479c
SHA1 85d6b287f55d92ff4cf917f853a19354f3326c25
SHA256 3ea29cdda9c62e894b0e16dc2e7741029bf30bef521e0c476598d8821b3906b8
SHA512 7acd5a36f8e7a626810b3009c81bbcfc334adc28f4ef91578a7b69a40ea0b3853faf17b53dc794b7d3f8992e7011287d66ea08fbaf5b5867f816adf6cd2b64a5

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

MD5 50e569dd4bf4bf2373fc3d65d9a75297
SHA1 d339408dd9c5a6d89fe24a6b6ef76c7545ca5771
SHA256 ddabbbef5ba68c92d994ca425a1268a21fa7674fe2845132d37a40ff4cb66bfe
SHA512 f6ae2f034fdbfa823e90d46048962be7dba548a60db6d542c198db486ae8cd229fcd7843608009fe7234383d00be58365992215b1a1e2fd504d0260c4a1a7e32

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

MD5 03a7113d9ef3e88ce91842e4d67ec8e2
SHA1 b3faa73af8c6a96709fc4c11613fe19de8f039e6
SHA256 7e18a0ce14a06f37a026209dcc98d96bff271324ced5e991e2b8eb579ad33222
SHA512 9902af56b66b81615e38b62c32a19719edbfcc93b0432dab79a79b82edbd1018e678225b0ce7f493864c3125347c5455af5231502bc8759da8449769848bea12

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

MD5 6cba58f2e90ccf70477d6174ee58e70b
SHA1 c76a63bccd246cf18c30b806266d13e26dbab673
SHA256 1d043ad95f94ebe1512ea7885eb7ff22f2432757ced2796c7fb6d3eb17a574f8
SHA512 a149a83d399286a542e5638a99f9f429b801b59ef4426525236dbcee2f0a78062f55525e29b2865299458947f91346604467e91a12b1b68fd01e5fbcb1459d9c

C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

MD5 78d853fbc50dab3ea5d1f15fa5c922e4
SHA1 a26b47ba6b3a9748c4643a5f682c12661212a700
SHA256 87419b98416d1c0505bd767d48111d95e8364ce97c17c215d6b4e064860f0bfd
SHA512 bec051e87eecbbc77522d9c94525e59ef69dbdf8c103b93d5879600bc11ef758be3942136f23f78de1eeed80685a1bbfbbeff87612db6cc9c6345a4e593a83c7

C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

MD5 f7266ffdfef68db46c744f041b0d27c7
SHA1 c822402ab9277ee14c345d27d84fec64038103d8
SHA256 40297f49a4a2d873ee5155b46bbf0d1fe8b083d3fa617a26bca7e4488bce4a38
SHA512 34d51a5c5075cddb5bd1bebd46d30807a70b4172e968cac702ccdf60bdb489f0b52191e66751a7b0cc10d6b55e75f69d1381db6f27257d6b1f50a9489ca49eff

C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

MD5 f22d70cb087db8f8b0593dc8abfc959b
SHA1 90e4cd79b5f478a649c82e5664a931c697bcd5fe
SHA256 0cc0bd164368445585c6e867d463efd940411ba249e4bdf6e0ddf81659a49575
SHA512 086ba540fba5fa52d3c3519273e3fdd516ae654bd3e945805aa96517658d7f69d3dc06e397bd133186b44232711b1101bc1be40bb0ec76f6f406c78444874a4a

C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

MD5 da32035a511c4962e1bd4b1b9ae7ae70
SHA1 67f9127ede90782b617300c62b0944a58203f0ff
SHA256 9eb5f60eec96c0b65ac30e7bb5894249c93f8065584e361ce1d48bd3acd858ae
SHA512 853fb83e7cca0efecb696d9a9d163f0ff61906f14cfce05b300f06ebd9e808edb6ecee87aa76a75d14ca42508410df599a36919ab688b0a995694b0dc734cb65

C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

MD5 1ce1c19a40695dbe0b25a55453394ace
SHA1 b74ce05a315bbf8228c8a67bfb55e6c324893a83
SHA256 85b683c110d375e59a9fd227baf34f4f39220f8a19fbc7e4a25b6f77e8d6a835
SHA512 d20870b7a299777d211f437b9500e7d8bc9c513ddcbdaeda3827d70b670c1bc6f7bd8bc99c9b39a5f7cd62d9c7097be87e94eb27d7716d28bd2743069bfb4b6c

C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

MD5 0bc71b948f10b453901b8816ab250131
SHA1 cf2338e5b9e2153e31c57cb02209acd6ecd9bcad
SHA256 63c51ee8f82668e7e7fd080b310f5deeb7d8710010cfb0768b57de6370bb8b70
SHA512 94b7576f312f58694024ac8d79b349143401064709980fbe68755f7cd039ce6368079aa381788a57911938ccb3b3c513a9849d898fab55d3544426ff0577e3fd

C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

MD5 7d99b86533c33f4b42a40308f08a6d90
SHA1 d329eb1c69c1f9b04cf26f56fef51ba9fdfb8216
SHA256 d35e1de4aee8938926524e13919dab36827189512b6ce4befce05541a8e9d890
SHA512 3621e5d68387303f08c0f406d918735fa30359ca89bd078b3675b23904544e4c943e484d14c5abef4ea79d8cdb919054df67728138d78ab90d3e7ee67f6193ab

C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

MD5 7f968d733c9db45862c5718a3c5c33c4
SHA1 cff90e3079c3c06f774345ebbfc5ac39dda4d71e
SHA256 8aab0045296880610ea315fc94b21e5f23e91a23c293f01e88a3deabf671463d
SHA512 f05306a0f167884463232bd5eca07d71902a95118db9e1f57d3d7511145cf09eb601e33a4de14061982a989f11a05305609edcfc7d765f1f8f52e346031bd7da

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 b823af82237298c0dce2f1910658e9e8
SHA1 6a4d39edd88b58ebd352b105c7de551e57be30d3
SHA256 d600cf5a22aa997bac8cf0ecf7153a09536be3a403314789facf7a148e2e8396
SHA512 86340e8e2e4b3fbfffc075121c5dd3e2ffc17b3b696c2e467a4423273e84338799edcb0e471ca443634db666d002daecf4b4e5adca175637dc6081cf2122c0fc

memory/1304-1681-0x000000001DEF0000-0x000000001E3BC000-memory.dmp

memory/1304-2239-0x000000001CE30000-0x000000001CEE2000-memory.dmp

memory/1304-2240-0x000000001CFE0000-0x000000001CFFA000-memory.dmp

C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

MD5 68a1957ed14f8aafb225b90cce7e3fc5
SHA1 e79ce7bd611590cb8e4f522be56cf9213f39ce76
SHA256 4abcbb7c74d25b2ef1015f2711d4c2bb40bfed9f96cc8e82903dd3e765212cd2
SHA512 b2dafab231bdca2ff8911dc5aa8a7a9acdf510c234f047fe94ca35ff112c90ebc3ff2b9703c043c063d67e52811ccfcea4a85c553b7b6d303a5b8b5941bb900c

C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

MD5 df16f5611806aff7edf78ee17033f54b
SHA1 0ddd3a6fb02fd7f2b84e0cd846baab63db8e214e
SHA256 f34aac41ce3bef6af2f3f91a74d5e9af61c8aed25d0c87eb3c62e35858c126fd
SHA512 e754a96a4252f9edac8ac0b6c89d545fc8e3e22eb43e3c368f93c6b1aa4f6a9aba80f77b2da88fb0125802cc86ee420501f3dce899e1e9e6413699688f8c4927