6c526b56946f1159ddf58f72542a3020e4610f9e70ea59bb1b30c8630a3faf79

Analysis

max time kernel
530s
max time network
532s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 21:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

avatar.jpg
Size

8KB
MD5

f70b24dfe9e49b0af3513dfbd53cadaa
SHA1

666a52fa433181c74463a4a07fc3b14225a1351e
SHA256

6c526b56946f1159ddf58f72542a3020e4610f9e70ea59bb1b30c8630a3faf79
SHA512

3439302faa2d0d8f7e8584fd630a8816205ea04e9fce0effab1617c71ae7590c08ae69676fc1647c3ce95eb5dafc3ed8ad1e82e607b82fda4d2b9ee65f67c2b4
SSDEEP

192:u7SVdhw9DmrAoPnQ7zads8eTVn24O2yyCfkC4VxzgGOJylq84BMqMOM51vUn1uPM:O9DObPn6Gdszpn2UyxEdkjBMSu8IPM

Score

10^/10

discovery link macro macro_on_action pdf persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.21 1. Both file and folder modification timestamps are restored when unpacking TAR and TAR based archives like tar.gz and tar.bz2. Previously only file modification timestamps were set for these archive formats. 2. Added decompression of .tar.zst archives with dictionary exceeding 128 MB. WinRAR 6.20 allowed such dictionary for .zst, but not for .tar.zst. 3. Switches -ed and -e+d are also supported by ZIP archives. Previously they worked only for RAR archives. 4. Bugs fixed: a) if unencrypted file was stored after encrypted in the same RAR archive and both files had been unpacked in the same extraction command, WinRAR 6.20 failed to unpack the unencrypted file; b) in some cases a wrong detailed reason of file open error could be displayed in the second line of open error message. Version 6.20 1. If "Autodetect passwords" option in "Organizer passwords" dialog is enabled and password matching a processing archive is present among saved passwords, it is applied automatically. This option is applicable only for archives in RAR 5.0 and ZIP formats, which allow to verify the password validity quickly. There is a minor chance of incorrect password detection for ZIP archives if stored passwords do not include a proper one. If encrypted ZIP archive extraction fails, you can try to disable this option, repeat extraction and enter a valid password manually. 2. If extraction command involves only a part of files in RAR archive, the additional archive analysis is performed when starting extraction. It helps to properly unpack file references even if reference source is not selected. It works for most of RAR archives except for volumes on multiple removable media and archives containing a very large number of references. Also in some cases such analysis may help to optimize the amount of processing data when extracting individual files from semi-solid archives created with -s<N> and -se switches. 3. "Save original archive name and time" option on "Options" page of archiving dialog allows to save the original archive name and creation time. If archive includes such saved name and time, they are displayed on "Info" page of "Show information" command and can be restored on "Options" page of same command. Restoring involves renaming an archive to original name and setting the saved time as the archive creation and modification time. Switch -ams or just -am together with archive modification commands can be used to save the archive name and time in the command line mode. These saved parameters are displayed in header of "l" and "v" commands output and can be restored with -amr switch combined with "ch" command, such as "rar ch -amr arc.rar". If -amr is specified, "ch" ignores other archive modification switches. 4. Faster RAR5 compression of poorly compressible data on modern CPUs with 8 or more execution threads. This applies to all methods except "Fastest", which performance remains the same. 5. "Repair" command efficiency is improved for shuffled data blocks in recovery record protected RAR5 archives. 6. If file size has grown after archiving when creating non-solid RAR volumes, such file is stored without compression regardless of volume number, provided that file isn't split between volumes. Previously it worked only for files in the first volume. 7. Added decompression of .zipx archives containing file references, provided that both reference source and target are selected and reference source precedes the target inside of archive. Typically, if .zipx archive includes file references, it is necessary to unpack the entire archive to extract references successfully. 8. Added decompression of .zst long range mode archives with dictionary exceeding 128 MB. Previously it was possible to decompress them only if dictionary was 128 MB or less. 9. If "Turn PC off", "Hibernate", "Sleep" or "Restart PC" archiving options are enabled in WinRAR, a prompt to confirm or cancel such power management action is displayed directly before starting it. If no selection was made by user for 30 seconds, the proposed action is confirmed and started automatically. This prompt is also displayed for -ioff switch in WinRAR command line, but not in console RAR command line. 10. Context menu in WinRAR file list provides "Open in internal viewer" command for archive files. It can be helpful if you wish to view the archive raw data in internal viewer. For example, to read an email archive with UUE attachments included. Usual "View" command always displays the archive contents. If file is recognized as UUE archive, "View" would show UUE attachments. 11. Recovery record size is displayed on "Archive" page of file properties invoked from Explorer context menu for archives in RAR5 format. Previously there was only "Present" instead of exact size for RAR5 archives. 12. When archiving from stdin with -si switch, RAR displays the current amount of read bytes as the progress indicator. 13. If wrong password is specified when adding files to encrypted solid RAR5 archive, a password will be requested again. Previous versions cancelled archiving in this case. 14. If both options "Test archived files" and "Clear attribute "Archive" after compressing" or their command line -t -ac equivalents are enabled when archiving, "Archive" attribute will be cleared only if test was completed successfully. Previously it was cleared even when test reported errors. 15. NoDrives value containing the bit mask to hide drives can be now read from "HKEY_CURRENT_USER\Software\WinRAR\Policy" Registry key, which allows to include it to winrar.ini if necessary. Its "Software\Microsoft\Windows\CurrentVersion\Policies" locations in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are also supported. Previously only "Software\Microsoft\Windows\CurrentVersion\Policies" in HKEY_CURRENT_USER was recognized. 16. Bugs fixed: a) archive modification commands could fail for some ZIP archives with file comments; b) fixed a memory leak when reading contents of .tar.bz2 archives; c) if source and resulting archive format is the same, the archive conversion command didn't set the original archive time to a newly created archive even if "Original archive time" option was selected in archiving parameters; d) if "Merge volumes contents" option in "Settings/File list" was turned on, the folder packed size in WinRAR file list could be less than expected when browsing a multivolume archive contents. It didn't include the packed size of file parts continuing from previous volume into calculation; e) even if "Set file security" extraction option was turned off by default, extraction commands in Explorer context menu still attempted to restore NTFS file security data; f) WinRAR could read data beyond the end of buffer and crash when unpacking files from specially crafted ZIP archive. We are thankful to Bakker working with Trend Micro Zero Day Initiative for letting us know about this bug. Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gr

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

https://technet.microsoft.com/en-us/library/security/ms14-064.aspx

http://rarlab.com/vuln_sfx_html2.htm

https://blake2.net

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.21 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If no switches are specified, 'ch' command just copies the archive data without modification. If used with -amr switch to restore the saved archive name and time, other archive modification switches are ignored. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the

Emails

-n@inclist.txt

-x@exlist.txt

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

256 2816 msiexec.exe
258 2816 msiexec.exe
Downloads MZ/PE file

flow	pid	process
256	2816	msiexec.exe
258	2816	msiexec.exe

Office macro that triggers on suspicious action 2 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Mathcad15WixInstaller.msi	office_macro_on_action
C:\Windows\Installer\e5a55a5.msi	office_macro_on_action

Registers new Print Monitor 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exePrintINF64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Adobe PDF Port Monitor\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Adobe PDF Port Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Adobe PDF Port Monitor\Driver = "AdobePDF.dll"	PrintINF64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Adobe PDF Port Monitor\Ports\Documents\*.pdf	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Adobe PDF Port Monitor	PrintINF64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Adobe PDF Port Monitor\Ports\Desktop\*.pdf	spoolsv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winrar-x64-621.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	winrar-x64-621.exe

Executes dropped EXE 18 IoCs

Processes:

winrar-x64-621.exeuninstall.exeWinRAR.exeWinRAR.exesetup.exeptcsetup.exeMSIAACD.tmpMSIAFBF.tmpMSIB0F9.tmpMSIB290.tmpMSI7CE4.tmpSaveRegTest.exeMCLicense.exePrintINF64.exePrintINF64.exeacrotray.exeAcroDist.exemathcad.exe

pid	process
2316	winrar-x64-621.exe
4884	uninstall.exe
4488	WinRAR.exe
4632	WinRAR.exe
400	setup.exe
4804	ptcsetup.exe
3064	MSIAACD.tmp
4656	MSIAFBF.tmp
4252	MSIB0F9.tmp
4880	MSIB290.tmp
1736	MSI7CE4.tmp
3908	SaveRegTest.exe
2876	MCLicense.exe
1264	PrintINF64.exe
1628	PrintINF64.exe
4416	acrotray.exe
3496	AcroDist.exe
2272	mathcad.exe

Loads dropped DLL 64 IoCs

Processes:

ptcsetup.exeMsiExec.exeMsiExec.exeMsiExec.exespoolsv.exesplwow64.exe

pid	process
1040
4804	ptcsetup.exe
3084	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2560	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2192	MsiExec.exe
2560	spoolsv.exe
2560	spoolsv.exe
988	splwow64.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe
2192	MsiExec.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe

Registers COM server for autorun 1 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

uninstall.exePrintINF64.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}\InprocServer32	PrintINF64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}\InprocServer32\ = "ContextMenu64.dll"	PrintINF64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}\InprocServer32\ThreadingModel = "Apartment"	PrintINF64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}\InprocServer32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat 9.0\\Acrobat\\..\\Acrobat Elements\\ContextMenu64.dll"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exePrintINF64.exePrintINF64.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acrobat Assistant 8.0 = "\"C:\\Program Files (x86)\\Adobe\\Acrobat 9.0\\Acrobat\\Acrotray.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	PrintINF64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	PrintINF64.exe
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ptcsetup.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	ptcsetup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	ptcsetup.exe
File opened (read-only)	\??\S:	ptcsetup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	ptcsetup.exe
File opened (read-only)	\??\P:	ptcsetup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	ptcsetup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	ptcsetup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	ptcsetup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	ptcsetup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	ptcsetup.exe
File opened (read-only)	\??\L:	ptcsetup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	ptcsetup.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	ptcsetup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	ptcsetup.exe
File opened (read-only)	\??\W:	ptcsetup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	ptcsetup.exe
File opened (read-only)	\??\O:	ptcsetup.exe
File opened (read-only)	\??\U:	ptcsetup.exe
File opened (read-only)	\??\X:	ptcsetup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	ptcsetup.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

WinRAR.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\autorun.inf	WinRAR.exe
File opened for modification	C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\autorun.inf	WinRAR.exe

Drops file in System32 directory 64 IoCs

Processes:

MsiExec.exeDrvInst.exespoolsv.exemsiexec.exePrintINF64.exe

description	ioc	process
File created	C:\Windows\SysWOW64\spool\Drivers\color\JapanColor2001Coated.icc	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64Vista\SET37D3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64Vista\AdobePdf.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64	DrvInst.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\ADUIGP.DLL	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\Installer\{AC76D478-1033-0000-3478-000000000004}\_PDFIndex.ico	MsiExec.exe
File created	C:\Windows\SysWOW64\msvcp71.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr71.dll	msiexec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\WebCoatedFOGRA28.icc	MsiExec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\USWebCoatedSWOP.icc	MsiExec.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\SET3C6A.tmp	spoolsv.exe
File created	C:\Windows\SysWOW64\Installer\{AC76D478-1033-0000-3478-000000000004}\_APIFile.ico	MsiExec.exe
File created	C:\Windows\SysWOW64\atl71.dll	msiexec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\WideGamutRGB.icc	MsiExec.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\ADUIGP.DLL	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\Installer\{AC76D478-1033-0000-3478-000000000004}\_PDFFile.ico	MsiExec.exe
File created	C:\Windows\SysWOW64\Installer\{AC76D478-1033-0000-3478-000000000004}\_PDFIndex.ico	MsiExec.exe
File created	C:\Windows\SysWOW64\mfc71u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\CoatedGRACoL2006.icc	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\AdobePDF.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\adobepdf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64Vista\SET37D4.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\AdobePdf.dll	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\ADPDF9.BPD	spoolsv.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\USWebUncoated.icc	MsiExec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\EuroscaleUncoated.icc	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64Vista	DrvInst.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\SET3C57.tmp	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\Installer\{AC76D478-1033-0000-3478-000000000004}\_XMLFormsDocument.ico	MsiExec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\UncoatedFOGRA29.icc	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\adobepdf.inf_amd64_1d3c7bfc55b41152\Amd64\ADUIGP.DLL	DrvInst.exe
File created	C:\Windows\SysWOW64\Installer\{AC76D478-1033-0000-3478-000000000004}\_SequenceFile.ico	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\Installer\{AC76D478-1033-0000-3478-000000000004}\_XDPFileType.ico	MsiExec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\EuroscaleCoated.icc	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\ColorMatchRGB.icc	MsiExec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\AppleRGB.icc	MsiExec.exe
File opened for modification	C:\Windows\system32\SET2459.tmp	PrintINF64.exe
File created	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\SET37F8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\PSCRIPT5.DLL	spoolsv.exe
File created	C:\Windows\SysWOW64\mfc71.dll	msiexec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\PAL_SECAM.icc	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\adobepdf.inf_amd64_1d3c7bfc55b41152\Amd64\ADPDF9.PPD	DrvInst.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\ADGELP.INI	spoolsv.exe
File created	C:\Windows\SysWOW64\MFC71JPN.DLL	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\ADUIGP.DLL	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\Installer\{AC76D478-1033-0000-3478-000000000004}\_APIFile.ico	MsiExec.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\AdobeRGB1998.icc	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\SET37C1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\SET37E5.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\SET3C67.tmp	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}	DrvInst.exe
File created	C:\Windows\SysWOW64\MFC71CHS.DLL	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\adobepdf.inf_amd64_1d3c7bfc55b41152\Amd64Vista\AdobePdf.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\adobepdf.inf_amd64_1d3c7bfc55b41152\AdobePDF.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\SET3C57.tmp	spoolsv.exe
File created	C:\Windows\SysWOW64\spool\Drivers\color\SMPTE-C.icc	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\SET37D2.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\PSCRIPT5.DLL	spoolsv.exe
File created	C:\Windows\system32\spool\DRIVERS\x64\3\New\ADREGP.DLL	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\PSCRPTFE.NTF	DrvInst.exe
File opened for modification	C:\Windows\system32\spool\DRIVERS\x64\{68807228-4CDC-470B-815B-8A9E19DBF7F7}\SET3C69.tmp	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\SET37E6.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exewinrar-x64-621.exe

description	ioc	process
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\units\translation\cs-Translate_de.xml	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\docrw.bat	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\images\wa10.png	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CIDFont\HYGoThic-Medium	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CompatibleFont\LiGothicMed	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\Resource Center\EN\qsheet\references\Science\period.xmcd	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\Handbook\wavelets\best.xmcd	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\mcm\EN\Slider.mcm	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS58a04a822e3e50102bd615109794195ff-7c16.w.html	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\images\A_AttachDyn_Sm_N.png	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CIDFont\Jun501-Bold	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\Resource Center\EN\qsheet\Techniques\world.xmcd	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\MAIN_TOPIC.css	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DevRef\IMAWorksheetOpenedEvent.html	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\images\ed06.png	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CMap\Adobe-CNS1-2	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CMap\78-EUC-H	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\Resource Center\EN\qsheet\Vector_and_Matrix\aw6.xmcd	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\Resource Center\EN\qsheet\tutorial\plasticwall.txt	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS58a04a822e3e50102bd615109794195ff-7f4d.w.html	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\images\A_3DPointPoint_Lg_N.png	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\Graphics\st2_vars.gif	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\tree.css	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DevRef\whgdata\whlstf19.htm	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DevRef\wht_next_g.gif	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\mupad\mathcad\lib\xpatternfsa2.mb	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS58a04a822e3e50102bd615109794195ff-7edd.w.html	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CMap\EUC-V	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\Graphics\gmean.gif	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\Headers_and_footers.html	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\eficorer.dll	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\Handbook\improc\flower.bmp	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DevRef\IMIUnitsXML.html	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\Handbook\datapack\mydata1.xls	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\units\unit-label.xslt	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DevRef\whxdata\whfwdata0.xml	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\Graphics\image6.gif	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\Substitution.html	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CIDFont\TBKomachiM-E	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1255.TXT	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DAEP\whxdata\whfwdata0.xml	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WSFD340055-0EA1-4dd2-BDD8-6E920744E041.html	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\images\AttachSecurePDF.png	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\Dialog_File_Properties.html	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\whdata\whfwdata.js	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whcshdata.htm	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DAEP\whskin_mbars.htm	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\Fonts\COO_____.PFM	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS00E809B7-1119-4416-8731-033B20B684B3.w.html	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS58a04a822e3e50102bd615109794195ff-7e73.w.html	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CIDFont\GothicMB101-Ult	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\complex_results.html	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\Handbook\wavelets\wavelets.dct	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS58a04a822e3e50102bd615109794195ff-7bdd.w.html	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS58a04a822e3e50102bd615109794195ff-7f73.w.html	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DAEP\whihost.js	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS42126311-36B3-41ba-94AB-E257419F7464.html	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\Graphics\adding_fractions2.GIF	msiexec.exe
File created	C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Signal\wht_next_g.gif	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WS58a04a822e3e50102bd615109794195ff-7f1a.w.html	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\WSDD95883E-EB9B-409b-8C7C-33E0DAE68FFE.html	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Acrobat\9.0\images\wa11.png	msiexec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Data\PSDisk\Resource\CMap\UniGB-UTF8-V	msiexec.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-621.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exeMCLicense.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76D478-1033-0000-3478-000000000004}\_XFDFileType.ico	msiexec.exe
File created	C:\Windows\SHELLNEW\JA\Table of Contents.xmct	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214658157.1\mfc80CHS.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE53F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\874D67CA330100004387000000000040\9.0.0\ul_manifest.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	msiexec.exe
File created	C:\Windows\SHELLNEW\IT\Corporate Definitions.xmct	msiexec.exe
File created	C:\Windows\SHELLNEW\ZH-HANT\default.xmcd	msiexec.exe
File created	C:\Windows\SHELLNEW\JA\E-book.xmct	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DA8.tmp	msiexec.exe
File created	C:\Windows\SHELLNEW\US\default.xmcd	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214658157.1\mfc80DEU.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DA9.tmp	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230328214811312.0	msiexec.exe
File created	C:\Windows\SHELLNEW\JA\default.xmcd	msiexec.exe
File created	C:\Windows\SHELLNEW\FR\Normal.xmct	msiexec.exe
File created	C:\Windows\SHELLNEW\EN\Web Page.xmct	msiexec.exe
File opened for modification	C:\Windows\Installer\{E87C64F5-1AC1-4780-8C11-93DD65DCE627}\icon3.exe	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	MCLicense.exe
File opened for modification	C:\Windows\Installer\MSIDD9C.tmp	msiexec.exe
File created	C:\Windows\SHELLNEW\ZH-HANT\Microsoft Word.xmct	msiexec.exe
File created	C:\Windows\SHELLNEW\FR\Report.xmct	msiexec.exe
File created	C:\Windows\SHELLNEW\US\Specification Form.xmct	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214658032.0\8.0.50727.6195.cat	msiexec.exe
File created	C:\Windows\Installer\e5a55a5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEBA.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214811406.0\mfcm80.dll	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\SHELLNEW\KO\default.xmcd	msiexec.exe
File created	C:\Windows\SHELLNEW\JA\madewithmathcad.gif	msiexec.exe
File created	C:\Windows\SHELLNEW\EN\Microsoft Word.xmct	msiexec.exe
File created	C:\Windows\SHELLNEW\US\Table of Contents.xmct	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20230328214811391.0	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F42.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4477.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45B7.tmp	msiexec.exe
File created	C:\Windows\SHELLNEW\IT\Calculation Form.xmct	msiexec.exe
File created	C:\Windows\SHELLNEW\EN\default.xmcd	msiexec.exe
File created	C:\Windows\SHELLNEW\US\HTMLtemplate.mlt	msiexec.exe
File created	C:\Windows\SHELLNEW\JA\mycorp.gif	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F9F.tmp	msiexec.exe
File created	C:\Windows\SHELLNEW\JA\Calculation Form.xmct	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a55a6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\874D67CA330100004387000000000040\9.0.0\ul_ATL80.dll.97F81AF1_0E47_DC99_FF1F_C8B3B9A1E18E	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\874D67CA330100004387000000000040\9.0.0\ul_catalog.97F81AF1_0E47_DC99_FF1F_C8B3B9A1E18E	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214658157.1\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214811547.0\8.0.50727.762.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A22.tmp	msiexec.exe
File created	C:\Windows\SHELLNEW\JA\Microsoft Word.xmct	msiexec.exe
File created	C:\Windows\SHELLNEW\KO\mycorp.gif	msiexec.exe
File created	C:\Windows\SHELLNEW\US\Normal.xmct	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214811547.0\8.0.50727.762.cat	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4508.tmp	msiexec.exe
File created	C:\Windows\SHELLNEW\US\E-book.xmct	msiexec.exe
File created	C:\Windows\SHELLNEW\JA\HTMLtemplate.mlt	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214658142.0\8.0.50727.6195.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214658157.1\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20230328214658204.0\mfcm80.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB981.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD0E.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\874D67CA330100004387000000000040\9.0.0\ul_catalog.9BAE13A2_E7AF_D6C3_FF1F_C8B3B9A1E18E	msiexec.exe
File created	C:\Windows\SHELLNEW\EN\HTMLtemplate.mlt	msiexec.exe
File created	C:\Windows\SHELLNEW\US\mycorp.gif	msiexec.exe
File created	C:\Windows\SHELLNEW\DE\Normal.xmct	msiexec.exe

HTTP links in PDF interactive object 2 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Mathcad15WixInstaller.msi	pdf_with_link_action
C:\Windows\Installer\e5a55a5.msi	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 47 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeDrvInst.exevssvc.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a8dca56a4fb650f70000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a8dca56a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a8dca56a000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a8dca56a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{f01fac5d-e5f6-485f-a8c6-27446425998c}\0002	spoolsv.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exerunonce.exerunonce.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08E8D305-8D6D-49fe-8603-03A926E46AE0}\AppName = "Adobe_Updater.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08E8D305-8D6D-49fe-8603-03A926E46AE0}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\xmcddiff.exe = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08E8D305-8D6D-49fe-8603-03A926E46AE0}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{08E8D305-8D6D-49fe-8603-03A926E46AE0}\AppPath = "C:\\Program Files (x86)\\Common Files\\Adobe\\Updater6"	msiexec.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exespoolsv.exeMsiExec.exeLogonUI.exemsiexec.exerunonce.exegrpconv.exerunonce.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Printers\DevModePerUser\Adobe PDF = 410064006f0062006500200050004400460000005c00410064006f006200650020005000440046002c004c006f00630061006c004f006e006c0079002c00000001040306dc00d40553ef810101000100ea0a6f08640001000f00b00402000100b004030001004c00650074007400650072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000010000000200000001000000000000000000000000000000000000000000000050524956e23000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180000000000102710271027000010270000000000000000b000a4030000000000000000000000000000000000000000000000000300000000000000300210005c4b0300684304000000000000000000000000000000000000000000000000000000000046469ff20500000004000000ff00ff00010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0000000534d544a000000001000a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030020000454244410000010001000000010000000100000001000000000000005300740061006e0064006100720064000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers\ConvertUserDevModesCount	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Adobe\Adobe Acrobat\9.0	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dac0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Adobe PDF = "winspool,Ne03:"	spoolsv.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Printers\Settings\Wizard\Default Attributes = "512"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Printers\Settings\Wizard	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Adobe PDF = "winspool,Ne03:,15,45"	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices	spoolsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

uninstall.exemsiexec.exeMsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01350052-1122-11db-9380-000d56c6051a}\Version\ = "10.2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e36c1ca0-fc17-4b4c-97d9-317e6403311e}\Inprocserver32\14.0.0.0\Class = "Automation.Wrappers.MatrixValue"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mathcad xmct\Protocol\Stdfileediting\Server	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{01350070-1122-11db-9380-000d56c6051a}\9.5\Flags	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{013500c2-1122-11db-9380-000d56c6051a}\Progid\ = "Mathcad.DataImport.Wizard.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{30efcc84-b738-4baf-8834-8c0d06493283}\Proxystubclsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mathcad.ScriptedObject.Wizard.3\ = "Scriptable Object"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{013500c0-1122-11db-9380-000d56c6051a}\b.6\Helpdir\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ae7c5340-d9bf-11cf-87c7-0000c021af0d}\Verb\0\ = "&Edit,0,2"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Mathcad xmct\Shell\Printto\Ddeexec	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4d2ee1e0-ab3a-4b3b-b76d-64f6e2d43402}\Inprocserver32\14.0.0.0\CodeBase = "file:///C:\\Program Files (x86)\\Mathcad\\Mathcad 15\\automation.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a59dc363-a0e0-48b7-a748-655b49113184}\Inprocserver32\Class = "Mathsoft.Utils.TransformHelper"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{782c3c9d-f187-4b3d-ba7c-a36445725c3f}\Proxystubclsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{d2444625-124d-389f-8bb2-6ad0cbbca9b9}\Proxystubclsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01350071-1122-11db-9380-000d56c6051a}\Inprocserver32\ = "imageviewerr.ocx"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6a0f8760-d8ae-3dc5-9b32-e3fe243ac058}\Proxystubclsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{df755bbb-7734-39bb-b84f-4eaf3a634e37}\Proxystubclsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8922195E-6CF5-4142-9942-810235240D40}\1.0\0\win32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat 9.0\\Acrobat Elements\\ContextMenu.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mathcad.MCM.Slider.3\ = "MCM.Slider.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\PdfDistiller.PdfDistiller6.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5a49e673-7ccf-36e8-9e3f-bb3374c73259}\ = "_Rts"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{82c1ea41-4cd3-34c8-9606-e40c13b62f30}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01350030-1122-11db-9380-000d56c6051a}\1.0\0\Win32\ = "C:\\Program Files (x86)\\Mathcad\\Mathcad 15\\matlabr.ocx"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{a86f3a06-7127-4e0f-bcaf-56d15fa57ac4}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5F46C78E1CA10874C81139DD56CD6E72\SourceList\PackageName = "Mathcad15WixInstaller.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hbk\ = "Handbook.Document"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{93c85542-89da-11d0-883a-3c8b00c10000}\Proxystubclsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b17ddfa6-a569-11d2-907e-00104b69ff23}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mathcad xmct\ = "Mathcad XML Template"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Mathcad.Listbox.Control.3\Insertable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{01350085-1122-11db-9380-000d56c6051a}\Vswizard	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{273e49a3-02de-11d1-9ae9-0000c008720b}\Proxystubclsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F093C491-ED00-11D1-B976-00600802DB86}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroDist\shell\Open\ddeexec\topic\ = "control"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{061371eb-01d1-3278-b6a2-e8a1d9a4300d}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{15ce633c-4fb3-3b24-a9d0-484a5924a3b2}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{51baa495-1b5b-329b-95c5-b144c5af402b}\Proxystubclsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9e9ada0b-bf4c-4d12-9902-f2e1969a92a7}\Proxystubclsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{013500df-1122-11db-9380-000d56c6051a}\Inprocserver32\ = "C:\\Program Files (x86)\\Mathcad\\Mathcad 15\\glr.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{da6160ff-33aa-11d2-97a9-00104b38a38c}\Proxystubclsid\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mathcad.FileRead.Component.3\CLSID\ = "{01350083-1122-11DB-9380-000D56C6051A}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Mathcad.Worksheet.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CD675B1-ECD1-11D1-B976-00600802DB86}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\874D67CA330100004387000000000040\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\\Install\\adobe\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{01350101-1122-11db-9380-000d56c6051a}\Progid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{bd4e383f-cec2-4b54-ac47-3962009468a1}\Versionindependentprogid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{243fb6e1-3fae-30fa-bde8-0ff6a544eae0}\ = "_Constant"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5ee8ded2-62a2-3637-8bc4-a40aec43ff0a}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{013500f2-1122-11db-9380-000d56c6051a}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{ae7c5340-d9bf-11cf-87c7-0000c021af0d}\Auxusertype	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1e0113ce-07e0-11d0-97e0-00a024cf05d1}\Proxystubclsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{a05e25d1-be19-4b19-8189-8e5b48beba50}\ = "ITransformHelper"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{013500d0-1122-11db-9380-000d56c6051a}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PdfDistiller.PdfDistiller\CurVer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3734fbd8-2ecd-4b3c-9701-df7bb42067f3}\TypeLib\ = "{A870C798-2DE0-4383-A8C6-02D3A56BB255}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{d217f217-8903-40f7-86bd-af19787a1242}\TypeLib\ = "{3788D283-7F11-49BC-B117-FB7F0FFF3260}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Mathcad xmcd\Defaulticon	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{435b42cc-139b-42c6-a6b2-18d493d8fbf1}\Proxystubclsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57247b65-fe2b-4206-b9e9-7d78eb1f56d5}\TypeLib\ = "{CAC5EFE1-5EEB-434D-A7D9-14DDBE66C2C1}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Mathcad xmcd\Shell\Open\Command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFC0D08-D1EC-451B-B83B-8734BB0B8691}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23938be2-690f-4747-bba1-ce554b70c259}\Inprocserver32\14.0.0.0\RuntimeVersion = "v2.0.50727"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

chrome.exemsiexec.exeMCLicense.exeMsiExec.exe

pid	process
2292	chrome.exe
2292	chrome.exe
2816	msiexec.exe
2816	msiexec.exe
2876	MCLicense.exe
2876	MCLicense.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe
416	MsiExec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeWinRAR.exe

pid	process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
4488	WinRAR.exe
4488	WinRAR.exe
4488	WinRAR.exe
4488	WinRAR.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

winrar-x64-621.exeptcsetup.exemathcad.exeLogonUI.exe

pid process

2316 winrar-x64-621.exe
2316 winrar-x64-621.exe
4804 ptcsetup.exe
2272 mathcad.exe
2272 mathcad.exe
2272 mathcad.exe
5056 LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2292 wrote to memory of 3204	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 3204	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 988	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 3420	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 3420	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe
PID 2292 wrote to memory of 2744	2292	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\avatar.jpg
1⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff9a3b79758,0x7ff9a3b79768,0x7ff9a3b79778
2⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:2
2⤵
PID:988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3232 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3360 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4740 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5028 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5180 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:1176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4980 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5456 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3476 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4600 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5916 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4764 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5632 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:1
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2856 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4704 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5368 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5628 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5996 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3236 --field-trial-handle=1820,i,11215724768918694280,3865510983813582419,131072 /prefetch:8
2⤵
PID:2328

C:\Users\Admin\Downloads\winrar-x64-621.exe
"C:\Users\Admin\Downloads\winrar-x64-621.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2316

C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
3⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:4884

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3108

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy].rar" C:\Users\Admin\Downloads\
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4488

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 "-an=C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install.rar" -- "C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Crack.rar" "C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\"
1⤵
- Executes dropped EXE
- Drops autorun.inf file
PID:4632

C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\setup.exe
"C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\setup.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:400

C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\x86e_win64\obj\ptcsetup.exe
"C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\x86e_win64\obj\ptcsetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\SYSTEM32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Mathcad15WixInstaller.msi" INSTALLLOCATION="C:\Program Files (x86)\Mathcad\Mathcad 15"
3⤵
- Enumerates connected drives
PID:2504

C:\Users\Admin\AppData\Local\Temp\MSIAACD.tmp
"C:\Users\Admin\AppData\Local\Temp\MSIAACD.tmp" "HandBooks"
4⤵
- Executes dropped EXE
PID:3064

C:\Users\Admin\AppData\Local\Temp\MSIAFBF.tmp
"C:\Users\Admin\AppData\Local\Temp\MSIAFBF.tmp" "userDlls"
4⤵
- Executes dropped EXE
PID:4656

C:\Users\Admin\AppData\Local\Temp\MSIB0F9.tmp
"C:\Users\Admin\AppData\Local\Temp\MSIB0F9.tmp" "templates"
4⤵
- Executes dropped EXE
PID:4252

C:\Users\Admin\AppData\Local\Temp\MSIB290.tmp
"C:\Users\Admin\AppData\Local\Temp\MSIB290.tmp" "export" "SOFTWARE\Mathsoft"
4⤵
- Executes dropped EXE
PID:4880

C:\Program Files (x86)\Mathcad\Mathcad 15\MCLicense\MCLicense.exe
"C:\Program Files (x86)\Mathcad\Mathcad 15\MCLicense\MCLicense.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2876

C:\Windows\SYSTEM32\msiexec.exe
msiexec.exe /qb /I "C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\adobe\Distillr.msi" ISX_SERIALNUMBER="1071-1006-8094-6401-2690-6767" TRANSFORMS="C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\adobe\MathCAD.mst"
3⤵
PID:2784

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Crack\readme.txt
1⤵
PID:1620

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4260

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9928B1738D51783C4ECCDFFBC7039D1F
2⤵
- Loads dropped DLL
PID:3084

C:\Windows\Installer\MSI7CE4.tmp
"C:\Windows\Installer\MSI7CE4.tmp" "import"
2⤵
- Executes dropped EXE
PID:1736

C:\Program Files (x86)\Mathcad\Mathcad 15\SaveRegTest.exe
"C:\Program Files (x86)\Mathcad\Mathcad 15\SaveRegTest.exe" setkitnum
2⤵
- Executes dropped EXE
PID:3908

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1792CEEE869BDA357FA08CB4142B81C1
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DD500C54D8ECAD902D45C06E382B2A38 E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2192

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Xtras\AdobePDF\PrintINF64.exe
"C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Xtras\AdobePDF\PrintINF64.exe" "Install64" "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Xtras\AdobePDF\AdobePDF.inf"
3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Adds Run key to start application
PID:1264

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:2156

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
- Modifies data under HKEY_USERS
PID:4628

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Xtras\AdobePDF\PrintINF64.exe
"C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Xtras\AdobePDF\PrintINF64.exe" "AdobePDFPortMonitor64Bit" "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Xtras\AdobePDF\AdobePDF.inf"
3⤵
- Registers new Print Monitor
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1628

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4528

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:4332

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 16384
3⤵
- Loads dropped DLL
PID:988

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A513350F81D0E496AB119E233049453F M Global\MSI0000
2⤵
- Modifies registry class
PID:4820

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
"C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe" /Q
2⤵
- Executes dropped EXE
PID:4416

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\AcroDist.exe
/N /P --UseSystemFonts /Q:15
3⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Registers new Print Monitor
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
PID:1292

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "9" "c:\program files (x86)\adobe\acrobat 9.0\acrobat\xtras\adobepdf\adobepdf.inf" "9" "42fa8b7d7" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\adobe\acrobat 9.0\acrobat\xtras\adobepdf"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3840

C:\Program Files (x86)\Mathcad\Mathcad 15\mathcad.exe
"C:\Program Files (x86)\Mathcad\Mathcad 15\mathcad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2088

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39be855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a55a4.rbs
Filesize
828KB

MD5
606bc833d7ed0432618832f70c9613d2

SHA1
daf4670c49b80fd7d62714bb647b6706742bada4

SHA256
054c4e186639932ae3af461ebc86edc26e02393a6cfaf96da70772c54b60c99c

SHA512
d4153985105a3f8df5fa4cca6e701f90a8eb990e4dd14b5accf88f154760455c4e36a106d6cb6807f4393abc7ed63808cd649f0b7dd6863756bbeaf2f5661b88

Download Submit
C:\Config.Msi\e5a55a9.rbs
Filesize
469KB

MD5
2622a7f80c7eaeae5e4e93e539aa426e

SHA1
fa88a29f307c6fd72d2b36e0ec497a1a9a975bb3

SHA256
85818d16d038958b5ea1de90d66963192d81941401d5d97eee51d560fc73614f

SHA512
68acc002c78b371e131da842bdcfecb9ef2dc005ec4581def8d68367a896bd19fc87b9df730cacba73942025645176287aebed1c2fe0200cb9879d0d68bf5d16

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\Handbook\datapack\outlier.xmcd
Filesize
141KB

MD5
eaba4a9ad2415a1bc6b020fab4b64f6b

SHA1
668f30e616f9ccacd833aea9d708771722819747

SHA256
9612144443615ab464b65afcb7180c00d29d8b22f8147e618df03eff7df1727c

SHA512
0cfac88513857b9b45fe8b0ffe250d6fcfcba1c1a1229396916ea2da4086b492b4cd892be19514a013a9d616c81a1e9114b6ee99d1247b2a8f9f1c6c5d62b997

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Author\MAIN_TOPIC.css
Filesize
2KB

MD5
29266cdb102df30b4bf804cf2bedc579

SHA1
271454d00a3cb9bd917fedeae9bf33878f621324

SHA256
32e49ba7bbef28909cc33ecde3b551c81aa0852917e108da4ebe3abde27f97fb

SHA512
4c43ecca7c2b5087c1e79bdfca0cbfc2a51ba68ba81d69728821289d42cb665a099a91829ac4ea47b1a9125a2188a91e77544d9db0f50fe39600233863493898

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DevRef\whdata\whglo.js
Filesize
689B

MD5
93b6a954c7ee4c0da718b3424e49084a

SHA1
ce74082d44df3449d06776b3f2c8d853b1bb7c0f

SHA256
1290e86df540d4da82d3d3e7c8b00c981ef1f84e5229452da5a63c524f6c3d8c

SHA512
6af737e55e6ec11fc520809be826e5a409d23916a4d826c7da56cc3ce063bee29fb75e4b5306ec1f49c26e032dbffa14d45451fd1f9ef283db596b4b01e27440

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DevRef\whgdata\whlstt32.htm
Filesize
8KB

MD5
7a7df36a1515bdcc01582cd31149d583

SHA1
45fb616d1d08036e12a7bd6f1b4c33f89e934469

SHA256
46287130499b4d6c8445a1628f1800c8831c0fabe4c1df071e1c90f4322606be

SHA512
38ba1675631f349fcd2a50640eaeb2631ff53115d901511956a844fa64b3a8d1ad019ddcdd287637f704aa7a0b5b2471008f01bc1f1385a17e54ce40fba497d6

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\DevRef\whgdata\whlstt36.htm
Filesize
6KB

MD5
89556d9d4c83cd01a5f3577c35f6272c

SHA1
05bcbe37ae5b8c3b35d1f3e48fab34aa9b35374f

SHA256
58c4d635d9b138e7af384abf7887cf690a31e087744295ef800268cff60ac5ff

SHA512
56c2f124ae218e26f27f986ff760ebf747bb7e329fdc731799b7c94f311697e94657b16fe62777f006b261c1da3bd70bb39ed7f7f716313e30315b77eff1c5c1

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\whgdata\whlstt34.htm
Filesize
8KB

MD5
38d3c019e86f0a3044f1970736047ab2

SHA1
42a528da16f1d17d0fa250eae33b42a7ca948710

SHA256
693d656d818a37e6071a9b5381fe664cef33f186cccec4a6846b2a089e97765b

SHA512
fd43e27dd5f457388ae899e371608a5f1bc0b006b0a26e861d4c7a64864e0ce4d4e9c227a74f86cc9862f2c0bae0e724f2bb61da2bdfee4ad74010892527714c

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Help\whgdata\whlstt54.htm
Filesize
7KB

MD5
0e8fcb6d207475de4c0cf5315431518b

SHA1
3b1065a5aee6e3161a1db94b87d47879939425c2

SHA256
23a93220753eb82a92dc04d74fc86f8ef514cad18457e9eb91cd1ae75dcb67fe

SHA512
23f47f62892d3292ac18d5f158d7227368cf1f008c5ceeccd6c7e5603b464bda493507278db33606334803e1ba9f87e3cd981e0022dd948f96a3d463f2b28fcd

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\Graphics\tutor_button.gif
Filesize
1KB

MD5
9c9f9348def6d454b09c671b836ce010

SHA1
50f4354fa12c55f763d73508aa558490590248e1

SHA256
8081787cdf5c3d459afb92f439136bcc0e139e5b552823b05f01a2b09eaf2bad

SHA512
1bb174a836f2e74337cf188e391b265a658cb2bb3b33e85484cea9a27fa12610003f74f44ac414cd7356f4116f50017beb32073ec0864d5c9405fb10ba949a29

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\MAIN_TOPIC_ns.css
Filesize
2KB

MD5
a6e2b888a1a5a78155a0b66b6dacb058

SHA1
d26895f0c5b4499bc87f21592d75d4a194f7ee57

SHA256
e7e6688335a2c8038e571b7730249e06fcf4efce5b77cf23fd6c2e49c98d2205

SHA512
c975f95638cf8f4f737d898d07978d30212b2b72c222f819af9f5951e446d875be0ecc43d278a3da1379194c7dc6938cb02d9e1c463dd944afd841a08f3514a3

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\about_mcad.png
Filesize
15KB

MD5
ddfe25003c98a59a85e325b0a5b82515

SHA1
57fe25f7233725b3e383e62aabceab69805f45cd

SHA256
10aedda051079084e5dff40154d43d6de16af0d815643735707e3ab25b6834a4

SHA512
85a5ace7aa51b45c56737c60676c8c94290e3503c3bedb9fec4ebb8a25dcfb1a0720f258aec92873c5729f6e8a4776d5fe01259bd02396b8dae612ddb51fe28d

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\home.css
Filesize
2KB

MD5
6168a5b24457dc1795892ba9b5c95d60

SHA1
ab4f16ff2ebf535b12c3364b951405dea3c03a5c

SHA256
96e6e6252d07ea83bb85585df9512b1e64a44fda03131db9d7d55fb338e77913

SHA512
ce932424aba2ace2e211dddb461e5fa001357259ca012f86a3300a56e3cf4072075da7e437c39dd31cd13376d544a6d2b3d603d9e82dcc88079fa9d4d82623f9

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\home_ns.css
Filesize
2KB

MD5
11bbfb2386e8471e31195cbae91023a0

SHA1
6bf1f95ad55e5ac5b825328f360f3916a01bc10a

SHA256
e7d90f85fc12a7ad7067d1e2fea50559e531a79a85d8349d2cc024de237c5bbd

SHA512
349d099f666aff7697ba5a78cdb3479341a46ac51868745bc5465206988a65d34b57f890d206afc97aeda667db4dd1388b6147a8918e8e34a44e26e0299137c9

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\mathsoft.skn
Filesize
8KB

MD5
3abf08d098f0a8410ad0e9e14356f026

SHA1
148e7a930f76aca374cee83c99f3442b2ddd87a0

SHA256
8a86c4115140b07d1ce1ec81343be18af1002b7da846414c40942a270c145abc

SHA512
7127ec9ec6f969e72513dade781dcd5053e85605c55d4cc4916ea7e1ec77a6532715d186a2f359fe4cfe12bf56e5f60e289693318e60134a1b85fc8db4ad7a6f

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\small_ptc_logo.png
Filesize
4KB

MD5
52063e3c133cfb28e6b2f512bbc9897d

SHA1
c6b1a0b6dd6b9841bb65dc61e162fa2fb599c449

SHA256
073cdccbf71d80fb21bbd357219cfaacec5e29ca74c230fe13e3171ff03f1eeb

SHA512
1e969ddd5853f3452b70beeb721a79f98e05e65f475ddcd614eb45c359703c0d4495e36a5dd1504b9c151379a42a669e66603493cc673bce8eb2309df7a99c53

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\webhelp.cab
Filesize
87KB

MD5
68e643002c1c9ba0e2b67acdb148bd23

SHA1
99febdeeb122b0c3c04d2bed6f4b42f0df5dd220

SHA256
7765df74081557d1097268b6167337564f796f4cc1695e36ae0cb935bd1703ca

SHA512
0095c27c2a031e7e39d147272be13c70127e4c79003ec35186f401d10d11a7391e23a82cbd3138cd3a4e07217005b68f122c4048131cc6204c26691f14c0af50

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\webhelp.jar
Filesize
131KB

MD5
92e10d8f436c3109351725391a20f306

SHA1
672f46ed17dbd580593939d16cdf907d0190587e

SHA256
a1a599d1956e034acaf227da1a457ba9cd9e74aaebcbeff51e65f1512adc08bb

SHA512
754231b9959ead1cac34fed151e6c789a7a21e0b2f66e77d419bc86b47b0b332dd8c13cd008692ed75d3df79895cfceeb51f66aac5a465c453524fe61dc001a7

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whftdata.js
Filesize
458B

MD5
d37333bd77175ace19330ec606734cbf

SHA1
9cdc581f0a0d921dc46a49db0730c5895b68b4ef

SHA256
3ff3a18817c8de59a39b7b46ab88b23be2c5ad1bc8c869bd8c735e2d3adecf4a

SHA512
fe4dfd30bb313398929b5bb7f9f3793f9f6011e0cc5773c6f54828449c54f87fcdf4e4c222de712e64189b6f604e86ac19534fd2a26a9d1a82248c9c03822dea

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whfts.js
Filesize
911B

MD5
50b49164efe0c3e98e9bc114b79f6e03

SHA1
cf07a1075d6ab1d9f8f87bb60c8e850dc22862fe

SHA256
e577af5b3e2c8065c1509e705e0cb12362fe1d0e4418e511ade23cc57e322ca0

SHA512
5092a2d63c9e68f61996f67e487efefb9a095f38347d9d7c61f49d5a1bf1d9ac2f6f0539feddf9baca89e6d7dc17626666a98b5de67bebf21c24d8edfb6b9432

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whfwdata.js
Filesize
667B

MD5
4bb0fc10713f9bea59892c959f147a97

SHA1
622ed4fde2ecaad1f415b060fa86ad422e4e0437

SHA256
7c64c6d6aae118d33e796d9a7c8cdae800b96e1274d5ca6c2a9d7a82658ccb75

SHA512
f9a403a0a85eca85b84b94311c0d1c42e6dd261a1ecb9f030fadb66ed941e08f3c226ba2d8bb21dab05db7fee37955e3d77346cc79de7aa024a1b1459a170665

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whgdata.js
Filesize
411B

MD5
9d9618570354d0b2d9e5f95c9629ded6

SHA1
090e9d21d845c7666af3bcaec1ce00a2ddaee7e7

SHA256
e0c5415f1a59a181b5bf34a6d5e68628115beca531b2fc4d5a6da57362cc4259

SHA512
1818301689a3f46aa86b215c6d33495d2920c118eb748fecc04b111a2d49c810e97a2ab516e80f70e73cc700978ae6b2fd1a33b4b59b212a5c49a3cc5b4b2e76

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whglo.htm
Filesize
237B

MD5
e4339db9c63c34c7e9da368712e49143

SHA1
4fd04fb2f845e43ab3a32e936baf500c63ea779c

SHA256
fe01d2213c13c3fb5f359c6284f28d70dcdc01760e524047f01aa7861f5ed408

SHA512
8c20a2a98c3cb71606e3a44aa19a0ed1b3170d5f0004813e60bdb70560e206306bdefcc1a657b275f62fd9f8966e46b47ed7250c5f4c5df8dafccee1236a9dde

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whidata.js
Filesize
1KB

MD5
9ebb8894cbdf7b255cab094cd6045755

SHA1
23ffbfea134959d185aab636fc10212b90bb7ec9

SHA256
b33ca99c0fe9b9c5540207225af8c8f423ac0b9082afe9e4d17bc707f3041401

SHA512
a533351f78f73bc3e712978c8afd232bf9b8d874054bf8bd01c29dde505fc390fdd3b52ee56c1dfd080752288c63a09456367ee56873fef5cb8f857c6a8a05da

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whtdata.js
Filesize
1KB

MD5
6da969f9a04ac013d8fe85ede3022644

SHA1
07a3567e1eaec71c3fdb64055d5d0a913c97fa6a

SHA256
c7984e9e8f052779179d771cc74d91a2000018be127c01981290f2993df2cba8

SHA512
3b89d47cf7b57e9ecb15d03c2f7d00fcf3ed06f1ac49bc8dfc447f68dd59ca812f091c8389596913d030bc901bf8b552b910a99cf00d05c0e642b4f43ebe3360

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whtoc.htm
Filesize
265B

MD5
20e9213914991442a7d0dec79521a1e3

SHA1
e13a470d1ab5f529c879b73e9b0415b6ae103dd0

SHA256
0255851a463488ec4c71f398564198641b95a2b6e86e3dfabaa8cb3027569b8a

SHA512
b4198bb9a79aea2193719f974934e8c301aaf1ff6450c89ca6245b6369fb751c5087b55de2a4263ac316f4a89e9f5f659adda311c35a18a569d28cc757506e93

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whdata\whtoc.js
Filesize
586B

MD5
d80138a89a89b86edcb985e7cf8f1e9a

SHA1
483c5e96210b2c21ae1fbd880204230a57c93c9e

SHA256
d999efdcde02d86012bd00eb3cddfeaa4bd688394e809e3ae1506f9af7120d9b

SHA512
d1d7e358756e56bc409025e3bf8e2be887a57dc1f589bb3f1d2e9d19e68da2b91699012a562ff783f0d26a5e6866b04e7394db06c23ef8ac58b46bdb2976f02e

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whestart.ico
Filesize
9KB

MD5
dfffee8293870e4b29a513aa23bf4448

SHA1
39eb8e3e40924741b61165ffb9531b1066cfe707

SHA256
9b2efa1fa35b9adbe957b21d1f3a79c008a086eba299d0135524ca2ca99ec571

SHA512
ec0da3527198f3aa6f6544b2018a986b2308f303cfbf527d89e86c0ebcf2e6cefcfaee77ed92c2c75b4d18fbdb1745f9494a6b8d9957a0fadbfb16c9579ff126

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whfbody.htm
Filesize
1KB

MD5
99b537eb8930de7543933b525d608526

SHA1
088d0562cad2b5b3a45ab224efc1479a2b28df79

SHA256
42e3ff4ed7b2f005c14c2e9bed7d18d43b8b24c84c1eafb5eb8dfcfe17cd96f7

SHA512
d576dafddbe44e0c981acdcef9d165002cebb60df024da436a2c8e330c011b5c437f0d0017ff0c2e2aebb6cae5e9650950e2553207c4eff068e382c354d004e4

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whfdhtml.htm
Filesize
1KB

MD5
7cdf1bf51c35fb02bc27303d9a19cc00

SHA1
57a913e0b00007ce9729e6d4547dd3f81db5d89e

SHA256
bf43a61ca8f1cabf89188d61b8bfac6769a32de2057ee91ea27e05558e4cdb4b

SHA512
1af4d5e43c0b30c32671b91889ea463dc014f99cc3de9ad49d4a870426613cfbe80337d6e24c865f71d9e0544f86e0fd9f629d7c336561ca79f20f01800e12e4

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whfform.htm
Filesize
3KB

MD5
d67fd6bea81dbcec72d67db78d6095fa

SHA1
bc873c4710ae0842b18ff49f7344be7355dfcaf1

SHA256
81d38f9cf61ccd24e7abf0113c2556c9e22ca5d6dc9e97aa9abe250f8aeab554

SHA512
030e5c7a19f216a3c68551802deb824dd22b6d5df320423251f35b7340b37f8449e6cea2030d77b78dfdaa653065e701a8bb213de8c590305b8104e73df8fc36

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whfhost.js
Filesize
18KB

MD5
0caa8b3d4f18c627fc35440c79ca8ed5

SHA1
d73511dd74067412599f91707f91b2c041824c75

SHA256
8444081544732f8bd1f9312a1fc3e7692818afa4ac9017277a7327e958f953a9

SHA512
1e3e7d1a0d504a25bb4e5bcc6f48c90478b1fd380d5d6b28b6eadf7eed83ddd415e2ddbc615c36d3d036dd4ec387b835408467ff4db67fcc5a9491557076a4be

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whform.js
Filesize
5KB

MD5
9742be448bb16ca252490b0840b8c9d9

SHA1
4c03fab30050d3f8e3b4dc6199b284cde117ce9e

SHA256
dff828a76191574be029582c454ded2a3ba41a1428602a0d5c8a63b9fd5e8690

SHA512
90d6f673d4d3c68596b15cefa5632de26b9f53ab53e0ced52f46a9dcda43d547dfb3d91b4685b2f303a284b6c80e5e0fc5716e3ab21b8d02358977dbafe6433a

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whframes.js
Filesize
1KB

MD5
08dcbdad40f3c8a386bf4805c0925a27

SHA1
7ca941b1d1940d1b20b5ea821651d16852b9d01d

SHA256
4fffb263908d1a73f1bdf69838fb2100d60f9e2f21e65c8047094a8330d4e25f

SHA512
9b8383846e04c8b97db1419fe55c492856d519a9092c744d18d20703e45ed8e302926dd940f9241842dbe7777102eb216efb4c07455fc83c207cb492940f6efe

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgbody.htm
Filesize
1KB

MD5
0791671f3f64f40dd519c0d647d85837

SHA1
f9fbbd9bfd7f0ceb6eac64d4077af459b7927dd7

SHA256
feb6ce2c5f655d06b086ca69d99959a9b9f981aaa67871435228ebe8d1b955df

SHA512
88928bcfc4778e0146d8eb838ae402fe50813b680972e819c08185ab5d38589a8cb5a11394c000da3a435aa20c11023027415d076f647e4f351d93b97b7c424f

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whexpbar.gif
Filesize
67B

MD5
816d11a1f84f1bcd43c29ffba49e0b5e

SHA1
c9e22e58b5cef3d5343d7b7a7590aad834549aaf

SHA256
1dc51cc31d23aa72f50d9940c76a7ee0b741732cb3b5628323d54307c6bd27de

SHA512
6cbcf27eee69080db239fd504b8ee896e4e64310cf1242c6c89a47e88617a5501a2e6e55a102ff37925ec24fd568b28705a7d62310258e3a30d2b3ddf1eaa6c2

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whlstg0.htm
Filesize
1KB

MD5
98739969c5a27c32512e0d45b9cc6f22

SHA1
b674d5ecf280d6567de60a0dc7f6cb796c181b5c

SHA256
28bbc0ed57fcbe60aa2d9f7b2a16706525e0139546f4ef4a1360fd1ec419d05a

SHA512
cb73bb5792f3a8df9b8f404046172b288ffc53816ecf7e6b0afd5097c09e711b4328ada0c83fd7787afebd3152b00e890e1bf385eba4bf240aa4b9b67356d7d4

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvf30.htm
Filesize
387B

MD5
3e2c971a4fc8a80c24217b18307ab0b3

SHA1
5ba85320e44543f58336d6ecac13fc5e98ca9b1a

SHA256
35f457d19af65ec57e4d297c3d78a67d105f94cea2a488d64d959d1bedfcf233

SHA512
f7c3d9aa479ae52e5bd0ee0dcdaaf74b0b85ea2137ca7ceb306e27cee0d47a13c8b5e8dd3313f4d8bbd1f078f03cc44c4a87837cb665115b54c4e77a4fc68dc0

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvf31.htm
Filesize
581B

MD5
e347ba82a43a1040fa9a3557805119af

SHA1
f096893a7ed47d8a15aff375d3ad8ae0b6980f8c

SHA256
cd268d5449e0df7b98022e343ae767fd7d8a3e9e067022a7842814e7dd467c42

SHA512
d8562b3207754e46f03b894d60c9c4bfc2e0e794b953be5dc6bfb7567fe706099aaf42bb6a40a7f40ec27bdfd29e5db2a6aeae325170e27b60788a8c152bac82

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvf32.htm
Filesize
583B

MD5
5fdfe66234621e9bf34149fcfd985efc

SHA1
edeb08e28325671f1143786ecc0e5a6553e23c28

SHA256
23a267de8fbd15fba1c27181d921d189c2bc46071c5bebd3dd4f6964ebf062ad

SHA512
a8354ce824e7b5395b75c4bf669f6de97f1a6819c10651e2b451b88eb4d67b9ac461050d641b6ebd380c811f5896f269cce084257991a8ff50bd605800d2b02c

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvf33.htm
Filesize
596B

MD5
081a9b3998b6e23a3c16299c501d9048

SHA1
c682e3c527cfc0ab551e7fbd2bae39c32a9f3fca

SHA256
02f8b24caf190db85c35d88a6ee73b2985a1166927f5a1208a1285d59fa01867

SHA512
da8c6c7285a945a9ef3d341378d19f27b357e8b92660b1b943c606e63f3573492a19fdc128e568f9cf099937d1501f37486d2894f4674de29b62301d3c2b95d8

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvl33.htm
Filesize
1KB

MD5
2d0b25d38d15fa63846d0e908cc2fcfd

SHA1
769701b63a7cc2b33f096c1a61aabbcb83748bbe

SHA256
601aeb934480f34cbb5002ed646f3bcd3a6a14def030efb1c9030e8935b4298c

SHA512
2bc8591b5fcc9e552ca783d38f9e0807542cc292800cecb999e17fcb8d1452577ac1282c4fee2b75c5d536b1d04c9457f182e2fb3be6b394dec7615352cc7cb5

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvp30.htm
Filesize
503B

MD5
769329e0a3053e233f53b07139b25498

SHA1
f30fd22b6c0a2c6f08c0d781a432644fc96a42b8

SHA256
5e88a406601a839e75008c78076d6f71570befee5abfc3bec92ecb2d28ca38eb

SHA512
88904bd030d51dcef8d547e593460606aa95fe46508c7f48051bf3760b7e1ca4a5ff879d0de8223e0cf619f528e21b82408a9750956027f8184413dcd1cef893

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvp31.htm
Filesize
499B

MD5
de38f46930a5c6e687e7b110205140a7

SHA1
4fe1ddf0cba5dcd8ba982f5681aa0c22fbf36550

SHA256
5d92206afbcc0fbdbc183b3004358c1bfca013ec350dde75eebef69a6e8f2a8c

SHA512
b2fd8d496162821cde23548735070abcf457ce1291d2ba1e6b7fe583a9742c529df8f7b9e78b0a94b9c5228c93410db8ab81d18fd66d48cd351d5a0cd8c20118

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvp32.htm
Filesize
575B

MD5
501beebaf6add98c75c64ce42b1d8e1e

SHA1
c2a6ec41d6917da46c185313436f59d74e477577

SHA256
91d6fe92bfc37b1f2ea5a8d4dd913cfbe084d084f48ecb651196c95a95372bc7

SHA512
96e39349091d7317d3bbddf81359ca7758def7d377b4a6d894c205a7bc5e262043f6b801be406d4a66f5423b2c5035a2d3aa8602dc4126af562f1223fadc219a

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvp33.htm
Filesize
505B

MD5
f81502eb254bc2a838213fd11997a7f4

SHA1
6e0995c0c7003408d48197f556ade455131f76dd

SHA256
c8e1014c94361ee67d52cd0ab876d608e61495d0b6ece05437f1541ea698d9c8

SHA512
040df97e5d432fe12818b61f139e40e76d79b3dc9422e71c1a9c2a52029e1577ab42e584558a6e385a2a13e1c4c2f77d8a24cfbbb704284344cfa4c8e53d7a23

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvt30.htm
Filesize
1KB

MD5
7ad52896c37e1d2a8ba2b5b12b7574ce

SHA1
440f9166f0a98016a3c324c677f7bf3afa2da95e

SHA256
2313c72572a7139d25f2c0da3d7854005110b1fa4ae4e9868e15085d6d56c8f7

SHA512
bc5d7fea1696235f4dc97799a93085427b4ace3aa8f38e30c089c14c0dd33f21785f0c1accfe6ff3223cf1fb17cd9f71f964bc1de9ce22a80f5f208821fed2bf

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvt31.htm
Filesize
1KB

MD5
a3e8083d70c8cff3a1978577151a3074

SHA1
d3b3766b2e22f2ccd76c4c5c554f8252e0b4e143

SHA256
a754ae6fe4a890d3d21c8160694e6be0336190f6b87d8a37b54b3ebe2b66f594

SHA512
57a9af4eb17755205ca9a6695674433ce08e15cf870d418c84e971bd540ee1e9584dd7cc4bd111a6e827368e20438ee0aa43e9924b309ddb9da4b2eb3a8f875e

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvt32.htm
Filesize
2KB

MD5
b38f5b310ffa74c91bc436705472b23e

SHA1
53e40be1616eee861277f009b802f134b54b8892

SHA256
716ffe90dd6a6159f00791ae429837958c7a8515fb8d879668de22439325974a

SHA512
a918f0ba4977fbc5d18b6d946202b0ad05165b825506390d397977dff4e85f5a3050bd23dc281dd7b4cbcec075431cdc4c70ac606ba8d10c5013f58431f1f9b8

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdata\whnvt33.htm
Filesize
2KB

MD5
0afeb43bcc8d7269a00b6ae7fc6d5bf9

SHA1
5cf9bb16be4b0ce2d25d93cf9c44d68ffa716dc8

SHA256
a72dcbd88a79d0033c89e45f4432d3039c0601e7e00d62b70e3a3e23113d49e1

SHA512
bddefe5a2df58958e2fecad8c2752449bc9676d815aea7900be3ef91ea67d15197d106491aaf5d6d6dab614874b6aad232bf08450099e1951aa26da23498d905

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdef.htm
Filesize
2KB

MD5
8b1f2b79111e46ec3d95d9b3a59eb180

SHA1
f100a6cff77157e7b5e7f1f489d5869bb2d0204c

SHA256
25a855db12d6d894d156b5367b02a92a70e2d5ef5fd957c50639aa3b6e9196ce

SHA512
ad7c7ce21c2b8c4177c3f3e0bc4ab9e2881e6b274e6768f8f1fcd6da41dbae3ad0a38a92abf2dd8fdfaacc2062d138125b0073a90826c024ee49376a032fe508

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whgdhtml.htm
Filesize
3KB

MD5
9413d748684279065fa55f48824c2186

SHA1
7697826346fe8eda2f7fb13d9a96f90b7099f3ef

SHA256
26d8273feb98b35123e081711c3d3d4285605ea23ea097e8063cbf12adad63f9

SHA512
cc1cc46a5966561fb134f85d2bfe4746e344b32652fb414728d1687daccd8bbd85b75aaae3eaaab3aa0980ada745251e75ea867ccb238243d2c98d4bca29a083

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whghost.js
Filesize
5KB

MD5
4a7262053ce4cb5c876e0b14c41f1b04

SHA1
bc9fb589a94c0c59ecf9f9cd4756144a9f5fe588

SHA256
ca4c90af638d20384c0e025ce01d711f771d2febc4b13b65a7d59bcc52697334

SHA512
da7cf56bef2e71f3cbed366c299d6754138285a385f7aef19e662ff2a0488b944e61880a5ce0a5376a05c76e39ed0b69d846c543173a5bd289b7290605b559d4

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whhost.js
Filesize
24KB

MD5
fa1027c48ce7cd3962b73f923db59b74

SHA1
0fb8d69d583c86490b94ce20cf4f0666cde7b18b

SHA256
60d20355b2ff7ad38d21bd1e313652d1ff028c163e2656f5313b4f16f80df0d1

SHA512
5dee60188a568caf160b9fff96a5c9749b7ac2919fb8053eaa47c4c8b36595a1e57a39a6ee2d60342ad4fd415a51ac2ba95636d6e14b105cbaa062ae47d28c00

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whibody.htm
Filesize
8KB

MD5
a16e8aedadb1e40464085bf4866ebd81

SHA1
b70827e8ee2a1c137b6f9a37762e413901ffd633

SHA256
187cd93a392e99cb317d30203c49b44135444a8b22a707bdf19bed1a9f604673

SHA512
3bccfda967a5faecac7fa16fff29fc66283f4e4a8af83239b4512ac873980bc5332b6ebe5e2cdd58d02f951eb81e4893f9b0b774d25fe9c2d64a2bef7841cd4f

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whidhtml.htm
Filesize
1KB

MD5
9bcfb4fe90614a6875104826162eb054

SHA1
1e439ab03b84e2fe7083dd43ac4f2f00e62a7985

SHA256
8c3463b7c7f64d36b169c85b4b2ab6981b8cf33bec2d677a60f9e1c10253fc99

SHA512
b30853be3465e4ae9e8f4c9e169964bf88028e69b1428e83f7f0d84755d0eed70c4912de10b0b6a5e11c6ce832e1aa5fa6fd44b37f13bb8169e053190d0128d0

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whiform.htm
Filesize
2KB

MD5
93ce8318f2f79185781affe3f5e6c40d

SHA1
8c406d8495bcb573cdb561f1ab6400cb5db5190c

SHA256
902c02f9a17020dc99e76617e5b7861bb72d95faef5df141c4cbd1fd418711a6

SHA512
eae226cca4bba5f416ab34a7a3717c99610258363270e69aa116fa0bad9910c4eaa0391004e4c6b6c73eb55ba047cb95bcd934f8ccd66af6b3b1abdcfbdd3650

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whihost.js
Filesize
10KB

MD5
806e8e4d37fc635d2b7d675e98453af1

SHA1
280b2ae14375d81e762e1746ba83448462c967f3

SHA256
e5de80615f9107777a5e38f1ef87f801dc920e694eb5af14c43028acbd30ac5e

SHA512
10c513edbb5e77e6487ed0e159b677dfd8f925e68360c614262f62afc043af4db3dbe80f74a871c0fc15694fc1764288952507725952cd937c4cd58cedec1be0

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whlang.js
Filesize
10KB

MD5
292cc95f5898d0df9b6cb376639e6234

SHA1
c173f45cb1d637feb75fc9d693bd93e1f2908bc6

SHA256
544351ace3e0e2ec105ab3e2173e68fc3c26a6bfb71ad8f9ac68af7cecfb8006

SHA512
b51db834d61bab1b7c13590a0ed76d14d9026f8969f434192fb65d98464f8e0d29cf2c83820eaa35c61e48c78e891e3e3eec4f77d0723f4d79ae205d128be0d0

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whmsg.js
Filesize
1KB

MD5
ea18bf7f581353d30a6365f3c8bbb6c2

SHA1
174fa8bd46ab9d5d4b27d66d76051d73b5deec19

SHA256
0a6e4968196ec12b6f4ee524e3339f375d4a6e749ebe6a0f467616733007543f

SHA512
76cbbad971210f9048fd83227fa791d7fdaceaebe4aaee9dd59fc7454a6ae9cdd7f080b0c12e025afb6252f5f2a492375d169f9236ee71b6899a9925e3c620da

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whproj.htm
Filesize
650B

MD5
517531845cad8b088c02fd94c775d8e9

SHA1
b162227ca23a68c18c1d30d49818e5e7db7afef5

SHA256
4d65b2c8464e612133c8fd99b4379d3ddfa74aa49b348801bd200ba1868d7fea

SHA512
7e375529c5204f788537533c8f805b203f0913e2bae12c20c2718591ef877d3603ed9c60632fd178e947689713f0568afc101b268cfc6c98487632389e874f4a

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whproj.js
Filesize
1KB

MD5
242d275476902d17d6bb46c7c5b7990f

SHA1
081683137bf633a388d60e02780fc8c602d82135

SHA256
3a71008b82e1a1145ff1a652294759284c3e0f05cd7f8191148be3bac1e09131

SHA512
62871284eaeeb68d2d546fc41f72a3c78fe8b59f9a1b2f36033904e09fbe1672999d205f7869c41e7549c0df7c5fc0ea91c038e4e3f7935f4b2a4dd46dffe360

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whproj.xml
Filesize
153B

MD5
f9e81cd74cf6d00b0eb786d97128339d

SHA1
89fc7cbb1332693a44a6616107c03d1fd3a9ef04

SHA256
ecec62562d2471d047df33d36c54c706aa2d87ff88e2d1f81329f4c9a7a74793

SHA512
22dc331047160b7affd0dc6d48b165cd9909b2e510a133af2dc887f4a01d3cd3a2d2a41c37cea02b380d1361242a96d66dd9ae57dad13d2cd22810a1b240380b

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whproxy.js
Filesize
1KB

MD5
34ea03747542da77b750a80d34e650b9

SHA1
c67e8db728cf6efb6ac64d04d2706fdce347842f

SHA256
1af0f68a4d0a677febffca6ef72eec48713c6b44f6a564c0bb1c0d45732aeb45

SHA512
091661e996ff8bd075a51ec754a7827d5443208a51bce699872e7d7dd3449edb155a67ef6a2e7d4e989c186844e746550f12d7f5ae5cb2e79a1dca4e643e55da

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whrstart.ico
Filesize
9KB

MD5
6e1f3bf8ec8fea0f9cb4ea51c7c1d165

SHA1
911c12d6b5d1cd43085122878eb66d7985700e13

SHA256
ed4401585d4a0611172f829f1f56a82a01ff24cdd89c72f6708a58724ce55c1b

SHA512
cb4f7a35974882cdf05478afc1058d92051bd86f4f8ca5672140ef8dc6e92ff10c8f3818cc7ce66690d028445fd612258debc1d9c9b7254022380a4c9f4877f6

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_banner.htm
Filesize
2KB

MD5
0c6905c91f4cfb2c7e6efe134d90ca59

SHA1
3ebc0a08ddb91801757e201d5f6f50cdfc46d021

SHA256
f45aebe1ac4f045d1b6a0427413a67a39c805190360b39500a22459f36546b79

SHA512
814b25f7cbea23bd88617bc5173dcd35fec4abc1c29b8dc2abb2f862ce547803d68818fbf97b645f8b19b1313d9ecb87e1eba4c1ad09b7b702ac9b4639df4ac4

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_blank.htm
Filesize
283B

MD5
d658ce6c4bd455babcd752878c3acdef

SHA1
92bcd16d20fa99a4630fde701c183e7acc04de16

SHA256
b7e65caf6fcbfe75c681b3dc18750bc4beb34d8bcf28b5f804b901fbef11e26a

SHA512
01d05a71ac7dbb91f952b15d863ab353c3120446dd5d8141a6405538ba995224ec19f09ef7fd8ff671052cd3a95c76c5f117fde923e09a2377b993e51620e689

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_frmset01.htm
Filesize
4KB

MD5
0bc0359cd508a95670c625b1180fae36

SHA1
3255722c3b3aa94bd510d9f09eaadf385c89087d

SHA256
2e0db80d59c5e271a1a3f044d55462738c792aee45fd059397f45c191b7b3300

SHA512
2f48967b684fd758a3548f43bcab4230195cf126a7a5f3614cb23eaee6e144a1736ac21a81fabdc5c1539596d22dfd8f34262c7b1c731f237067231d794fa8c2

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_frmset010.htm
Filesize
1KB

MD5
299c62e5182843a6ce14b232aa4688ab

SHA1
d8f54ebf8e094dea23a96b1b8425011472eab104

SHA256
56544ae7066b1a85bcd0c3bd0ef5a8cb22a5d7110bb9621b6c1cf49362162843

SHA512
1951998f50292c0a4d9490060bf80c63e2b0a6008dba1deb86f1e2bfad14353aabd2acfb8d6a3a1a241be3d0f0bb5ccc4ddc148e3db3fe30a1d15a70616c354e

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_mbars.htm
Filesize
1KB

MD5
da7f5206e813d5ff6a8a2ed21d16c7d2

SHA1
f56fd9a980e24ed4149488132cf345cd1b2d2eb8

SHA256
30fdf1fa3d52beb185da3a187c2b3f11794521e798eb2f2293f8430c46a99e9d

SHA512
8397300f4324281d69b041f581e4e7bc73812998428d0613ade12498126954b438586153f43d10ce748b799a5fea47cb7748b08cd636f00a241dd79471394470

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_papplet.htm
Filesize
9KB

MD5
c134ee0d644cc6db9afaa226a0684f1d

SHA1
6efb6302c4d0e514f0ab65c49b6a140d7992b2a4

SHA256
ba162f95d479025ed5e59933d1a7497d03a9701e523cfdae16099e9b8cdd8965

SHA512
0d5618c67676626bb48c1f1d3651b3e58447d02f90766828f82ab8913fe70dad58f0acfb621282d6643debb799ac9bd0bf57170288ae462ea20cd2af82674b08

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_pdhtml.htm
Filesize
1KB

MD5
0560a95365d7468f2a07bb0809a25b53

SHA1
ce28b13589bb7de6af918b4208c7ecc2a57cf7d3

SHA256
090bd277796e373d9faa0d6b7285c2a2ba8bf8dbd8065bade4ba5fed8a024152

SHA512
137aaaf0e50ffa838d56e6d7e83de9200962652c9ab16c5ef31d242b808b9675851ec9121c02402efd934069ed37654b05eebee08a6829b37a50c6490754a026

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_pickup.htm
Filesize
6KB

MD5
4c7e089981953cfd1b6428709939c7a3

SHA1
2cb4026f6effbd085b4237e3e63a081e6ded1af7

SHA256
95d891b8e0d20ba2b4971490448c6676c7ae72b9a2b5deb135cd1bbe8eca816b

SHA512
08a8e355bf8f6a27221b737483a3f951c17cac5985f7ac63847c4e5e5acc82a2bf70c1dde0ca375b2ec4267f8544b5310482ad62803e7d0b93538f166104ed45

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_plist.htm
Filesize
5KB

MD5
ee7eddeb0fb27141899d32ae6ea18bac

SHA1
8e67ee9c96d839a4b90ae2befd2d7cbe04459edd

SHA256
44461b57ed0a977da6c4fd5657fba6598ff16e31d8bcf446e2234fe392d9f176

SHA512
668bfcd825f65770c7c11c09dbc6206862fdf5dba8d561d59e8d659fd9746448d92f8246b6e0bea22bf2ae2402dde52645d988d4a34a8ad5407d8f34a79db8b7

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whskin_tbars.htm
Filesize
3KB

MD5
0afda53c062de77c5fc2cbad16f10b30

SHA1
eaffae3901ed6075af1f52800b490fdf6c8516c0

SHA256
b08d639a06634e1c41ea16d4b7441b9957249da7a357a578b8dc8e1ac1e9e71f

SHA512
3047143a019b26147402f684e197068eb26bb3743f91526d8c3f6f256112a5b61533d5d2f6122b1aa1a33ce03cb67b913d0ed348c92266b381873ee17436ebf7

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whst_topics.xml
Filesize
2KB

MD5
e45edb7f73656a9277fe104ef80de6a5

SHA1
3c97bc7dbc228b5a6def316f925d10dc8128cc78

SHA256
834b8f8b30c2f6d47808677a23293d9fb4b4091f1034751adab17290d721b222

SHA512
5bb4f272703b87d058b0e0ab22268b9ad6ddff11e70f704e60eb473176ff86c20e04eaa26c3a5560fca5765af3553191b52818fd70f36a56d9e939292a90ac22

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whstart.ico
Filesize
9KB

MD5
1e6458a407de1f20694d147b737b81f9

SHA1
ae563376e133425e65474dd40be9f11cb78155e3

SHA256
edd1ab0dde904564ffd0cb248d10cb7a1c584bdf7ddfd0d162eba784090652c3

SHA512
c952825e43783ec769bb6ba78d8abc459d43342038d0d6c6e48304308c459c598ddb846c9b87360890e6b0f1312ad10c72decc74a331c1294c9f4baa93f062d4

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whstub.js
Filesize
3KB

MD5
fe44d7aaf6ae6c6ef38f7807c44a4bff

SHA1
4e21a3708c5d5e2b1245c73c8e8febfcc653d684

SHA256
81be343405df1d3eea82bbd03c67aff12bbce3cbc9161ab1b09b6143a3ae1135

SHA512
3edf123106aaf63b8e22f8b63575ba0142feb89d4771d34fd0e10e9c64339eeb0663b42e37ae1a1f769eab508b7afd02568a0ebe46024569bf10a3fad5723d41

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_abge.jpg
Filesize
6KB

MD5
586c64fc7cd75d0ea6cbbd424fbcb20e

SHA1
4ba026d8f73b55728e7f0adce5c85a12a053362c

SHA256
0c42e9982855b450e1e31ec9d5b88d25e39caaf71136a2ecac0c2df1a56e156b

SHA512
ba38789b8cb6dcfb744d0c83ed6ac4883680a0aa0fdab49c582e1ac316152f7ff2f3cbccdf77858b2b5eaa16b4433887fd73644538d73cb05550a3ab519e7c71

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_abgi.jpg
Filesize
4KB

MD5
12fd84e1817a2f19cce69e0a474f1af1

SHA1
e607cf49365aebcf037b9c7ae1d84503a1301bf2

SHA256
b5d776fef417cbba2cf4bb29d0e949fd074fb748a5dee70c802544b5b3dd4d69

SHA512
3fe12167e411dbac5c7985e1140787d51b236941168cb0292b83dd3e52aa06d98ce6dcee9b1b408b5c578803df9cff52aea9ec92c337b3671dd55337b9289fab

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_abgw.jpg
Filesize
5KB

MD5
91b858e0afa319b3256f1e6e39bcd31d

SHA1
050f7250984db30d387137ceca32335982d51650

SHA256
a62c6589222865adb6c07482b09aacacf6d53d92110ecd628d1384bcccf2994a

SHA512
fec0e3c5043245dc8a38a3ab5c5b93fb0d3ceb53241d4adb7990bc251278d61056ee4c0cfebb88187f986161fc38cc94f66640419064f095ed913806dbd49aaa

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_abte.jpg
Filesize
4KB

MD5
fa3cf7af426aa72620c9642ea7656e1e

SHA1
f8b1b8d1d439f4a60ab1e5ec372371e645a37075

SHA256
581683ded4a0d38ce57e034c3d73c6b2be4cce301ceea9ba4ed94ff3e7918d2e

SHA512
d720b15ec959e8aea4b54fc6557b2ec650d32510011fdbaaabaa22117e4e7dd0a3c42b2d0d1777123fc1180f7836264756d007b6a54ce116e077a59254f8d903

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_abti.jpg
Filesize
3KB

MD5
5e5520539bedbc77c33bd28712bc56d5

SHA1
da1d64b22889d4b7c2af585c714e98c66f767251

SHA256
19a831a9f6b0845a445987279b7cc408479baedc06735c001bafeabb2c8e1d2b

SHA512
6c5902305d98e67e21d9d9fab42f1e16465db03abe7d41d0080ceae02bb59f09adcd7a1a54da40f023739d2d6b655c26c233eddb2590ae0e706ca5da21f4a858

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_abtw.jpg
Filesize
3KB

MD5
3f439f76d1dd2e01e4640f016917f41f

SHA1
9199104874bd86a64d603fead5747256e93b6211

SHA256
040693296265c7f31cd6bb59c76ba8203735aeea22ff14ecec3580a857863da8

SHA512
a54720ca7c90050cf2f0a40d1d00bf0c650f4cbdff1d53fda96aaee007a10eadab8af3baf5e08a3325d17cc7706a1b781ef282fe26eb0d6766e73cc2662500c7

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_fts_h.gif
Filesize
188B

MD5
917366edb341f5cd1e26bc94d140c699

SHA1
b5864f56ecb610ca72796f7b56b72b28cce87e56

SHA256
858b2cbba1ace020114ade5a60fd61f531c36913bd0ecf5be25232e1ce094b22

SHA512
470e1639ca171884e1f6320fa2851bc39f50d7c68e28e714d7a4f336496bbb6ca3b96e86c00c78efa1e09329c2c0e544c9e34b05e5257cd0879938dfb8c6abc2

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_fts_n.gif
Filesize
188B

MD5
adadb15438c9715049c526c6eb88cef6

SHA1
6cc31eeac44441a24f9a4de1adbe803d3fd2a245

SHA256
0e7b777ef368a1ccd30cbd26252e884e9f2a82d39632c500d5c29fe2c8f7b80c

SHA512
8db9179990f13ea0ca45d57c57903b1d186213c96319c1acbac3486133e6508475cb6124a222261f266a7470b68e4f00c77bfe9b4cafb6bf276972c7e76f231b

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_glo_h.gif
Filesize
142B

MD5
becef04c921e830655cb9977b332f35d

SHA1
1dadb17f6c53e7f6c3c9e1cec6332a8d8a3a3ffc

SHA256
7fac567d4476e14da40e666a2b0c5b05fbf93c9d8d37f7f8c3d51ac2d9c219eb

SHA512
8256e11f59f4893b3574fd17d7a1bdde64f6f0cf3912d3f142bd5a984bf415e8ec301d39b1c8dd6f7e6adf791aca424cf1f2413a47a8ad5435275ff5bddbb723

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_glo_n.gif
Filesize
142B

MD5
d8c8ceb5c2abf7d88bc9f894da0dda18

SHA1
270fed628ea3ba302d1d8e24b305ea83bf5df2ad

SHA256
f7a1733b49d2937909b854a324aae15a3f11364e78029552a40755ded1043096

SHA512
154b23f308b02177cd2ac5eddffa3bd05da21aa0422e04c78459b38aa0f9c7f2e5d6e5682f6c4f6783594d4810c3c3c08198f92ee78cdb70e3978e6e1d634611

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_go.gif
Filesize
260B

MD5
edf56bbb0fee1f0b448127ae452249ec

SHA1
935b9270e79de934a6ab5228888e69e30eda936d

SHA256
6db28be2dfc94288b83c076a5703d17102f5f46c155f23d4993362d34cf064da

SHA512
922b2abfe3ff99a9e9e925869c5b470839cab26293a78a0e9aba2175b5b8d044961206b015a81094ca1527e5ad046b32a2ccb3490e6f50d7a4173dce297d17a9

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_hide.gif
Filesize
842B

MD5
c095baf1f671b2538e7f8f1e711feaf5

SHA1
c66799228f900aff0d6fb6c3104e7ed0ab958b82

SHA256
7c894c5fd5c8b8a6360c583823ad3db83e2ed5f06f7916fa1f1b0a23246df353

SHA512
ce6a9822962ca49ef9556f4076a15839353d05e4e2e8d187d1cef527fff70d6890e54c430a16d46d766f76daa32e623c753b41969a6a53b6766b11e53591828f

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_idx_h.gif
Filesize
168B

MD5
2e0a50b1ee7aaa80b23c10087cf06fcd

SHA1
433d568f71c2269897a016d2a6f0756e1dc4cc71

SHA256
0afb8a8114c472a9e4e21e8ef89a6380a1ea56b149b82b9e1083a5737c135d6e

SHA512
46f87d28f8a30ef74475a809078346eb944812893a16106ad84637119e31e5832b0802960c3622f9640f6a29014e9056ecfd8b87a60dbc6b766ee9a6b633900f

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_idx_n.gif
Filesize
168B

MD5
5f8b6560f73b8ca9ce129d54555bbc37

SHA1
55613cda0158c106c66369d360fe6df1579e1ab8

SHA256
b79e12c5554e41cf00edd88aba409dbdb13cb432f19169dbeef913ad3446349a

SHA512
5ae3e1c9bbbc32669ad5bfe2ab23ec77dd2d76faf728d10f42a6fabbd985e9264b59ba38e9ed6b667b4b6736d0311a5f628623ffbcefd6b86e7c40a458d4808d

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_logo1.gif
Filesize
1KB

MD5
50cfd996e697f1f3174d7a299084bf28

SHA1
dd818dc1587dc97fc2589fc877556f72a374d721

SHA256
e85a1a4b2df57bd24e18f18cf8a9f0343268b6a7c1fd1f8fb4d87c390cbd3996

SHA512
2e295b83bef21c0745e1161bb28dee8118d3c9a2168bae59591d4373fff615946a431b2c053f6e130b76e5e23e0769c04c359e7245ce4432ba0e0d1cb05ff519

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_logo2.gif
Filesize
1KB

MD5
5c1a2c820d4fed4c074004d90f8c1c99

SHA1
72b237aee0d60e8b09b3b4bcddb9b91be8a1f3da

SHA256
2ea30e663e286db51621f29b9c46792adbfda198eaa1692a78d442fc4e468ac9

SHA512
e2b42c011b28ed1e641e72d6e266e6277d5fc8f96dad6e51ae587d61b049349087a1490a91a2bc9cbb2dcf76d6404cdcdc4bf163e191316fa9021358898e9d13

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_next.gif
Filesize
73B

MD5
608a7da838b43443258e5199566713f3

SHA1
f6c382e7d565dc5ba642ce9d42c619eb30b78ef8

SHA256
cad9d3a7c0610b51bf5a891832f9ae2864429b68197ea1b31fa04d8a4249fd62

SHA512
bde7d7f21f9664b3dae243b651440461b0fb5b9f309f33c73f94b4a05d5539c7782b8afdab65f1da0acc7ed84a7ca0afd65aba5f7baa098e445a95d4cd396b4b

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_next_g.gif
Filesize
73B

MD5
acd2543155c682d5c4b395ec6335c33a

SHA1
0a1e58537401183ce54b53d1b1037d284bd8b32d

SHA256
7406b9d0dbf064773874993c92832ba38fbf795f9f9499e27632061798698887

SHA512
5baecef4bb18cf25188955b62020b4cfccc9232d941681701e802ff73c985a9436bf0cfb08877067a9f2f8bc116451d5149f029fef2d7b1f2fa681f8c370a201

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_prev.gif
Filesize
73B

MD5
a7de8a63a7156eef42f2c5d5ec0d8ca3

SHA1
753ad4f10b85df009b4b4ac0e7d3051db329d896

SHA256
949da45d6905fcf07ef370a212fc42502e0efcfe2e5db979cbdb2413ec6ff15c

SHA512
71cb18f689fb02565e4e8a8df5518b373e24953beb788c36746021fe56369b02efdabb85fa4abe0862ebaf62917eacfd2df6290981d7cda8e42bdf00766f65bb

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_prev_g.gif
Filesize
73B

MD5
394d7f7a354ee81376956c392336fdee

SHA1
2df52ea2f115e045c1a8c3e3d469fd083a0b46ba

SHA256
87a64cbbcb9ba71d5c15eef642874f1574dc3ef23bd8e70498da9182b290731f

SHA512
5669e8b161671bf076e7fb722c5e03a680be6f8fa96c558eeb102903c52916bc4fc9b686c907f7b016731add914278ba4bd1317c3f5fa7f376549412b43c8291

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_spac.gif
Filesize
43B

MD5
221d8352905f2c38b3cb2bd191d630b0

SHA1
d804b495cb9b84b9007a25b5d85f9ae674004cde

SHA256
89fe0ee6020314794fc2cfeacf3d10c31050cfe56f8ebddf1ed0a33fbe941fa7

SHA512
cb3397776f5ca1d15d24786896b2478c6548d0b14dec0832bfb16c4c419135300704f8a7a4dfbf56d625429c1598ee8110958648f25a3cca09e6956c1fd3335f

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_sync.gif
Filesize
846B

MD5
9aa58ed8dbf256459d80066d06877113

SHA1
d8a4ecc593ef674a8872bebf8e77cc72f50ed481

SHA256
3039f099982e7aa10a6ade0eb1026696295d4536755b581f9caa80b09597d635

SHA512
cffb025efcea53d1c9fa4797d7152eba8a5505667f2d18e745ec82995687bb53a5e98b220f582de06b534eca2460a4839759ee8e25ee3cbe300c8811b85a1074

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab0.gif
Filesize
285B

MD5
7b192fd89c97b8f7af95ae178a6dfedb

SHA1
1151e22c5179138d6d8a7349cd38aaa02409687a

SHA256
c403eb07fbe25b966d43e8468eb7e3cac18edfaaca8c4b1e04628e5448e914fd

SHA512
575d191a1a40aa83db5749a2fa7513ab2ff871ca747d50192b784388f6389ca940fc949ae80aeb3e28a9291c6ef92654055f49b072beb248666a44b7310a4cc6

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab1.gif
Filesize
237B

MD5
6a082cb4901285175872f3b76268a597

SHA1
7ee9ece3e1e531b5fe929d7e834931c5afac3567

SHA256
192e945a7099fd87cdac4f99ae8144c20d8047130b7f121e9daec23d13557001

SHA512
fca3af91e676bb3dfccf8d7580da1bc599e80166c1cc7a9c15d9c4d1610aaf9f1a37837c5a65a48adcd73edc183f2fa21aab1f20a35bf58addfdfdc35f77b2ed

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab2.gif
Filesize
226B

MD5
ddab4754b9a4f3212c72879bc8dffb35

SHA1
f5878fae00c14a38f050ccf7e8a7711a4bdcfc41

SHA256
cab2860f8f88f82e80209c126f23fda9104c5de7b27ce0b11148ec7146a81c1c

SHA512
a88c26b9615325ae1eb494d2c27a19403d1f46ef0c8b7702d0a908ec2124a7de8dc79460488b278d128a8c4000e413bf903f6e131bcbf644eadc02af7893ffaa

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab3.gif
Filesize
209B

MD5
c63bef5aa8f0e6dc4fcf62182893d329

SHA1
34ca3e0835989ff93405538cbe68cd6d9d7b169c

SHA256
66aaaba618443f5d52513d38dd4fa00012c9d45892a543c259bce1b1556c1b49

SHA512
171b52fe4df38ac37cd02f0623c8af5647a66e57ab804822cb6b977ba0066cd0fe9123d85496a93624b444dd011e2f319a1e2c190eb8e69695f9d18615f19bac

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab4.gif
Filesize
198B

MD5
385bc1641e9a9ad25426996fbd7ce24d

SHA1
4a8a853ca478c16a97340925387462c51f873584

SHA256
20c1a206d04ac4c5b42f46d6f8408e66b5fa2780ad4575bbfa3509afcf7c0bd3

SHA512
dc53ce2d637a5e37fa9fae1f00f4cda9cdb360cb96e3ca11c6521586e4a282d62c44010cd24cc356c03a265d8457590a8b555a6c527cf5a1b0040a8fd0d6baef

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab5.gif
Filesize
221B

MD5
9bc1c90bf46a0f2be761bc8ccc45abb0

SHA1
026e485c9139d639a289eb55a7c6cc09b3111efc

SHA256
6d3c501fe83967e1a800411d5dc8195ce881918922c5438369ebf65a7dbe6572

SHA512
e960528fcca8323dbc168940759c0947f18240dc7a264eb7f8c9329c9b116ffb272bd780ed108b84d3c1677f8618e27ba922e2eb29390f554f813733a522b72f

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab6.gif
Filesize
212B

MD5
3d31b2f71c1cc97a395d20bda0ffb068

SHA1
5ca9b2f213aceab3174aef3fbf457e83d0db6911

SHA256
875857f593299e344d62df95e4c58b3e951458976083b23e051fa5bee13bf5e2

SHA512
b65977ddf1f781c1ebdd8a851a30b14968adb0405c32c2c657c8629996293e1a83da43666faea3d33756e53fc44517378db88a78742752dda10508e885fdc373

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab7.gif
Filesize
236B

MD5
90fd70fe70058856ac3e63226003acec

SHA1
7e186bcd776931a196336f307e86b659a90f2e92

SHA256
20dda766b4e4700339a23874ff7c7e8c57c9e2c1ca313258f6c137fa52772eb8

SHA512
31cd5e45076c4691ed237b3ae6b96c7dba881ef167dcbb2abf5c1f105be2d85b3f7b078b7aaa3920957bff5fb4e4633d5d51a2d2a8470891b1af809c419c26d5

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_tab8.gif
Filesize
225B

MD5
2fa577b3a945f2c917849dd0ed1a0d56

SHA1
b037f0e7b80120816c7990888d8ff7312f616f55

SHA256
c51cc4f0eddb34fb470bfee5b72d2047af9b0256f564fcca02c4d4dadddeb3dc

SHA512
0f1b9eac52b61ea01dfc6d6f6915111a6482d4f50191283cf64bbc9d420c4ae69c91d10ce0296e1a6d87f0c501b7d6f70fd9a9ce6865928376afba1720c37895

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_toc1.gif
Filesize
124B

MD5
8b0f87ed22abadf506d4677500dd1d0d

SHA1
c83362fea42e25ce67830a89c53340cf11190249

SHA256
705b9d14f68fdc08e4f32528b8a9381abe2db3e8c3329fe0668bed5b153a11e7

SHA512
4d04077dc3220c4a6949f4b4865276cca73413e3ad922c8702a478ee9c6c6709f89ea9087f97210cc8fb77d578100bbd41441949ddc42a7d5148091841e13097

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_toc2.gif
Filesize
922B

MD5
4cbbed93e97d583425fb71fea2470de4

SHA1
b25388b28fe2050f7ba5b761ed7b2060e1355909

SHA256
f2f9f96c588bd51890d70acbe65a212e6d848f09d7f8e27db9b7569692dd9c9d

SHA512
8b3ac2208f394f7c9560ded617a81804519c2e0abb1eafc26560b1ec3874a20c6bafbe24fcdc22096761a5e786812681f8e23c14260d547d1e8928b4b273fac6

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_toc3.gif
Filesize
911B

MD5
e64205919507ed59a897607bdc3d0f3e

SHA1
b5f55b0dddf5a1b4393dac0976e6714411c4720b

SHA256
ae930b3b16ea2781d3b422c2c6d2be78e52310d8ee1336b30a6632d321b6e6b9

SHA512
e5b1b3775eb7bfe5f59f0e641d6ca50ba5e48ac7bedf110c3e71e7685f481df479aa974b3c04c4675089d1ae5c82e7d90c389fb4ada7f6bbcd86e74e239acdf2

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_toc4.gif
Filesize
953B

MD5
92f684111f468f6bb9fc10e56f25e5f1

SHA1
3b2bd230d1ab036dc9386043352e921a445bd729

SHA256
36d445d3de511c8a67a8e5a5eb592ef9f693d9dbb0f19cbd5bffcd7a695825a0

SHA512
f3e521dc3d91e30d7ecaf7b684618ead22ed12d603b08e6bbb7cb3927fa4d7800f94c0daedfab78704d5c8c6c67d89bb41767b0b44ce9655a13f2e3a4e606318

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_toc_h.gif
Filesize
204B

MD5
fba75ec9e7eb2dd53aa6bf2d3dd8616e

SHA1
3ed71d75f631b13052ea59f4ee0bbaab6732984f

SHA256
9deb2413d98beadb35bc8c0d95fc7a3c2c57a5dffbed05471d8f82e913a64752

SHA512
ea3b2783902187b3c1d2df9be186cf5fe0ebfaac124542266ad7f5f9c734f881df7864a79b1605a885287d630ed7957084b81874af3023dede83d02aca0dd96d

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_toc_n.gif
Filesize
195B

MD5
92e601389caf4d027408e021fea59c9a

SHA1
404e1d20bf7ba3de6750b71fdd21bb3963825709

SHA256
85e56bec8f1f28a11952ccdd652b6bf5ea4d6351883ca8a3c9fd58b54d4baf13

SHA512
5d193457b0f42a96fcdc17cc219ce60707c144824e355406b14e8e326ba8b3824c11bac6c87e06e6989138f836791bfaa059fe9f37670807ba4549cce9872a8d

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_ws.gif
Filesize
973B

MD5
89ec9cb7b5ce56eca6bb5cbcf0ce9716

SHA1
2416373c9e69973f0fcf12778efcb67fe2e2cf97

SHA256
2acff445360de401613d6e5926140e450ec2b38a8f5274848075f17a69d74eee

SHA512
ac63336b38ddb596d22fd3d83976c9fdd400d5b6acb22afbe635f6dbaa23ff26db3afe9af7e9201057708fa6b9d2daff8744831d8d0dfb72ba444438046dbb3b

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\wht_ws_g.gif
Filesize
949B

MD5
b31d7c29aa097a1eb85e9bbc09ffb7c7

SHA1
fa09382b292f21f68ad4e500bcea8583d7b33e24

SHA256
3b40857daa14581962f654a3ce52366485709c044a81eb9508e5a195b378a62e

SHA512
44abceb858d218e26ed0ab828fdf3283dd33ef578daecfef2d89f9f3a30e9d08ed2a4f37feae4343e43eb3a0bde3d0dda5772a33693afe66f46f7c28b8270ea1

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whtbar.js
Filesize
44KB

MD5
e3f9871abbb312e5bf32c71138d9fbdb

SHA1
13b4fa0fbf05bf2c7c75e314bc98e6d4a6dfe305

SHA256
99fd09575a75385fffd011cbd2219bf4a3a4925b3cc607127f5d2526fe7fc025

SHA512
b652ae1f04091430a5127fee8de614807da7d3449eb16f24149f56a9db146bfc6d0de009c390ac372b6fbf1bd4abb5a1d2f88b8ef69984f2296a1b73a73d5a7a

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whtdhtml.htm
Filesize
1KB

MD5
ef9c2e316a70cccc73dac0b91d8a7154

SHA1
2dfa02b49ad89ee82d2374f5203185a1f454f589

SHA256
99041c07809e1a9055c958dae82fcff2052231d3a9aac2f1ab77fac8e23cdac4

SHA512
08090a2bc38511d4cea7fedd18879874bbe60e169195b06b3b21d0f34043bc9d00b506e3f41db7bf7a6623d4aa4bff9d87739a30c34f7c3956f36c0641bbd9cc

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whthost.js
Filesize
29KB

MD5
264799745c117e5e39dfcacbd1c4e74d

SHA1
999975d344afa7e44c0c2b09a8254218031add35

SHA256
c855072483ca6b2e25b75d08645c96f2018e10d60bf96d8887472c8e638b942d

SHA512
c794f4d2af3739143cac0724ae9ac7f5a6081786c25e9b679d8364f47664163c9eaf991d9c7f61adaf85ddfc9064d6c17f018a1ecfbe1a01746cd41317b2af0c

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whtopic.js
Filesize
15KB

MD5
4b02959825a6c5da1ad8b9c16c2a7f75

SHA1
63b3e929ca773825ba9e77a99cde12b28b6f24fa

SHA256
9f37bc7409722c3cf09e2d2da2db646a953cbc37bc7df9407e4038512fe01553

SHA512
b975ba59207821fdfc3bb9774d6c32959510c595fb52088d32fa0af8f96a110ee67ded15e133ff25e6c70e9e51740eb2c3283e8c8ab14fe6771ca4d4a411a971

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whutils.js
Filesize
10KB

MD5
18df539d0d989533906c2f7ed14e5add

SHA1
ae338e812cf04386bc5a4ced43c0b9fd4480d993

SHA256
07d4c7a78699530c3f1d8e61830ab9369e969374f4209eec68dae96de0b61ecf

SHA512
41956b3af653fd0fa21a8577ea78e8a907a7747d38f63dc0bff23b4f80d454da241b1c0848328f46e740801fe7f5f46a74b271b88e9518f725df0dfda248ca2b

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whver.js
Filesize
1KB

MD5
ba774cae5d7edb2bfc15d3fcef92737d

SHA1
d2560cb107910774ff8e86524a3ac50755248eb2

SHA256
060c6bff9e03f625ee8119edda4374211946ecd9bbf931dd2bc1e3083baf6d84

SHA512
be800b25480d9813353ca29f5f6ab21d73fbfdfc027c98c832cbeee67a07ac3f1edb327e4048317636d0c0d0232ea1a74819944b28cee6e93962fb0158d31050

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whxdata\whglo.xml
Filesize
71B

MD5
5e3fd7b7616dfeedee26da2a32d5f6f6

SHA1
0722917b95953285365d7c25b7059aa4bf3678a6

SHA256
2bf13d6bfbe22a91409de2b99c3ce59461a1ebd2c319d3f6d57c7ca48829589d

SHA512
1a4acdf11bc4cc457a128363979c00efea105d44f0fd2dc73a359160f81590b5c0748a3d34e306d1e0ccb799761bea865329d362c95283d9c61d8b935e5df64c

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Improc\whxdata\whtoc.xml
Filesize
83B

MD5
d06ba9af1415206ad87672f37afa75f7

SHA1
7bc3a385a78e25f57008a009a3661cd54411e13a

SHA256
2a1366359349a38e4ebe70e000ee46c160bb189c4f2de6364171746f4542ad9f

SHA512
9ea1f8696211c3b059e7089dc19427f1b55647ebdb7bc31315152ae91b8477b9096a081d1bbefa714440db435779f1f945eaa832180ee1b6772b42f8b5805d35

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Signal\Graphics\H5.gif
Filesize
78B

MD5
bf41230ac97b4176bef1de3c6f246cda

SHA1
83e527dbc18b894cd8d53c432e248b775f1a92f9

SHA256
31a265f0c4788453b2db1f30c6c93ead7eb63387a0206cbd237d8e5cbf2181a7

SHA512
29a076ff77b5caee19e119937adc53507914a81f13cf9f15cb152c0e650d6c2382f8bfa1edd9dd4b5b11af8b2dd74e2ff21cc92a74e63f4585b82a275883ad20

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Signal\ehlpdhtm.js
Filesize
119KB

MD5
233550d317745f2e19d1b4ed1500352c

SHA1
26e190ea96aa12c301be78f5b20c204a6590727a

SHA256
1191964ebe828588808ab4d114e21f1494386ced9c5a22d4179a9d47f9157ba2

SHA512
fc5f75bd09b015d506e684f7c00c7090f78c3c45d54de013a43407c50218e0de1339a6e23745cbb2f71bbc575f49e216a7f20a593d59195121f6b010b36280fa

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Signal\whmozemu.js
Filesize
1KB

MD5
22b846bf4d416129b45f63f2fa06bb51

SHA1
26155b51bb48ef104589b879d7a5233f57917705

SHA256
4087f21a9cdd86d0e249da648db6361e654965d8c28e14380e0dd61907ded999

SHA512
677b2670e6bebd06b5e8b2d26757fac91cbc3d5f8321b8b0a2271c872494f687fc32925c85580c54ec73e695f616568c4bfe46cbd8b81f0f93f557a7270b9e31

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Signal\whphost.js
Filesize
12KB

MD5
8d8bfe85030e99040eda5a9c70d10b0d

SHA1
e4a9e9b96d132c7d6c26ce3deb1eacc8ed98c869

SHA256
9b12c71e6e2e0c1a83096505af1af6445d4432756a2c4b45758843ba70f1cbf1

SHA512
2af0f0ed646a65e83abc28cce7379276394f541b54b1de011182b8a3229f233780709b9a9c8fa7c0eda0ed2bd394d3a22d5a08df13c30db73be5fa85ab83d38b

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\doc\HELP_EN\Signal\whres.xml
Filesize
10KB

MD5
9caee4590e86e826e9d22a006c17552d

SHA1
9cbaaa17a823fb1cd23c99d068c270a2d864c3cb

SHA256
eff7f9f3e880d534594ec597251c655f8e00fb2a410131618e4b2aaaeb567324

SHA512
2e25ed8f13fcb087bdbd49193116a5ef41115e1a19626d17e8f9f739852276ea895b22309607ed4adea1e4f97774bd110615bc5406d7223a6cd2b5502aa469ab

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\mcm\FR\ListBox.mcm
Filesize
3KB

MD5
689e41bf5e1e73ec20cc5da6a687d886

SHA1
8f2114164cf44185bf69f9278688384df12af233

SHA256
127d546158a5477257e0750b3cc25558880a7a3cae4000094c8d7d8dd291269f

SHA512
aee265e88970a24add5f72cddce6cde98f73b09e44cec38b0099897069cf9d9487a0575763d6a96863801109e62bca9e024ac180bb4942d94ef4946238e6c397

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\mcm\FR\McadDAQ.mcm
Filesize
4KB

MD5
ed5a7e8a30f765cf4708c55b6e427865

SHA1
ffd6a0ce2cea1ba5767a7f8792b3235702d9c4b6

SHA256
dd3b5d3d2e8f5b38a20b7546d54113471ac0d7d9fd130a377b7c7bab576b0af5

SHA512
93ad5167412a0096d1700fcb0340b3c69df2f71c7f9a89e5812fe5917b0744d1200e7c37410ed270f7728a5a7e5a3f6d886a37d7f54c0c78303487f969da557a

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\mcm\FR\Slider.mcm
Filesize
3KB

MD5
f16587b5b59c1b41bf4b83bed1beffcf

SHA1
b498a49e6838573aaf8448d44f4068187b92cd2b

SHA256
a27027e52a05de9c22e336b971a72b3579e76596f1a2bfe3d07cfcddc0e1f37c

SHA512
54b14e68ab07f4db977a7882a453cded564cdf56599c19bb444b3e0e3d17c52aaa8fcdc72c539a8e69e729f50b1f2a9c33b359296e1a52b61f0e1ee62df58ecf

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\mcm\FR\TextBox.mcm
Filesize
2KB

MD5
831d5ba8de46600c74b4524112af489f

SHA1
15980097d346535b64c439ae731befd50a8e0fe4

SHA256
3a924cc8cbe401a71b9a7f4c580438e479d74d3abc344d655d4d572bb74e1150

SHA512
d43b09acf7e352bb7022ba8d03c6e3f5466b98daf0a3a0e73f1a40584f4bbd1474334fef822480e5ef365219e4a4f37f2fd48d408484750400796fb9e32eddc6

Download Submit
C:\Program Files (x86)\Mathcad\Mathcad 15\uninstall\instlog.txt
Filesize
755B

MD5
abbc946d1eea5a6827f07bfb3b18cabd

SHA1
0987f30ef24e474aadc26a1e52c05784ba3ce056

SHA256
17a3cc410b1a66eb8ba6b37907bcdd29421a0d1f1b83a4f9b5ab7cbccdb0980d

SHA512
119f9e8dc1dc522fa734204b28b8a1be1fb11993cb92036091ed772ec26ec89650378e3271fb2f6abde421b73cc24ddf63af26c0519949bf6636078c97c3c454

Download Submit
C:\Program Files\WinRAR\Rar.txt
Filesize
109KB

MD5
e51d9ff73c65b76ccd7cd09aeea99c3c

SHA1
d4789310e9b7a4628154f21af9803e88e89e9b1b

SHA256
7456f489100ec876062d68d152081167ac00d45194b17af4a8dd53680acfc9bd

SHA512
57ab82d4a95d3b5d181c0ec1a1a1de56a4d6c83af5644032ff3af71e9bd8e13051ae274609bda8b336d70a99f2fba17331773694d7e98d4a7635f7b59651b77c

Download Submit
C:\Program Files\WinRAR\RarExt.dll
Filesize
659KB

MD5
4f190f63e84c68d504ae198d25bf2b09

SHA1
56a26791df3d241ce96e1bb7dd527f6fecc6e231

SHA256
3a5d6267a16c3cf5a20c556a7ddbfc80c64fcd2700a8bfd901e328b3945d6a1a

SHA512
521ada80acc35d41ac82ce41bcb84496a3c95cb4db34830787c13cdcb369c59830c2f7ff291f21b7f204d764f3812b68e77fd3ab52dfe0d148c01580db564291

Download Submit
C:\Program Files\WinRAR\Uninstall.exe
Filesize
437KB

MD5
cac9723066062383778f37e9d64fd94e

SHA1
1cd78fc041d733f7eacdd447371c9dec25c7ef2c

SHA256
e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad

SHA512
2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

Download Submit
C:\Program Files\WinRAR\Uninstall.exe
Filesize
437KB

MD5
cac9723066062383778f37e9d64fd94e

SHA1
1cd78fc041d733f7eacdd447371c9dec25c7ef2c

SHA256
e187e1119350caa3aec9d531989f60452d0198368f19cf65ffd2194a8a4003ad

SHA512
2b3dc50fb5006f1f3beec1774d0927a0533b49d20122e49a0b4b41840f83c494376c8e61da735aa58d27453c44450203d5c2bb4f03fdd37b648ee0f51f925c59

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt
Filesize
103KB

MD5
4c88a040b31c4d144b44b0dc68fb2cc8

SHA1
bf473f5a5d3d8be6e5870a398212450580f8b37b

SHA256
6f1a005a0e5c765fcc68fe15f7ccd18667a6e583980e001ba7181aaaeed442b8

SHA512
e7f224a21d7c111b83775c778e6d9fa447e53809e0efd4f3ba99c7d6206036aa3dde9484248b244fb26789467559a40516c8e163d379e84dcf31ac84b4c5d2a8

Download Submit
C:\Program Files\WinRAR\WinRAR.chm
Filesize
317KB

MD5
381eae01a2241b8a4738b3c64649fbc0

SHA1
cc5944fde68ed622ebee2da9412534e5a44a7c9a

SHA256
ad58f39f5d429b5a3726c4a8ee5ccada86d24273eebf2f6072ad1fb61ea82d6e

SHA512
f7a8903ea38f2b62d6fa2cc755e0d972a14d00a2e1047e6e983902eff1d3a6bca98327c2b8ed47e46435d1156816e4b0d494726fce87b6cbe7722f5249889b88

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
Filesize
2.4MB

MD5
46d15a70619d5e68415c8f22d5c81555

SHA1
12ec96e89b0fd38c469546042e30452b070e337f

SHA256
2e503ad5a9c800f2dac2fed2b3e8698d96d25b219ed86ed1a54896232cbe4781

SHA512
09446dc9d0c768844213f7f71ba65ee4e86b61d7a61610b63892d1b142952bdd346d14d27d878c026362e012e22fcb49c6746912d5e02db6b40223cafa6d01fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
a446ec6199ecde753a971653cb696f79

SHA1
4378c05109c9aee9abf3a3f9ef98073e762dc115

SHA256
68221769990f6883d00ced252cddf8d1cd9ad7d1ef627e93ae0c627d219822a9

SHA512
53e0a9ab8b91145c8ff493dcf46044634611a69b5eb2b68d17bf001c470a5b5276ef1d0544d032e2d1e3f76030dab4daf332b3198a71c8ce07b863945ecd9c7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
ca1d04a8803bd151c2b45d58b1a811d4

SHA1
28aeea96ac3dcdee7f68448dffeb09856a3a80cc

SHA256
bf72a2f4eb54391fd22b739e1df455fd43e8d7176e58bc0b38ec88488e2901d2

SHA512
bd9f1f705d11e303d82361b8ecdc0b1302be766b8f1904428161e1b530e7f882aa9614e3cf412afd2ff1deb3a58d3db626d94053361a47298e5144ced43cc20e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
ea3571e58c8bcb0e1aa16db50d96317d

SHA1
033f83a1cdb38ac4600fb6c4bc42c9bee8cd9167

SHA256
7d5fa01cd654ed8caa21923261cc715d001f753775089f70be1763eb02726eae

SHA512
389a224ff892a62d7faa64e0544025b7e723eb02a68a0935601800f3d748224be989bbb5d2a0c62e6698a5dbd75bcb6ecc75037c5adb0fba950880a029a31214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
24b3340e0b04aba8ec2a1d73df280e8c

SHA1
f7e1fa10b5a0518a355c8cb24b2774d7c6ac6921

SHA256
d075759ad781630d85bae027f06aa80ca5ba218d0321e1535d4cf772039c0d90

SHA512
67bf21480b0fe911627d84cee075f644880038badf0b0f019c9e57620b0a6b3dca9f52351ff728321fb6bfa078503659e51c08cac48431197d82d83361f8e6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
d1fa52b61eaa6200045bd37f83fcc94f

SHA1
9f44a0f2f3af93d1bba1ffc95dc17adfef9ced81

SHA256
e3f91cc9b34364f956c39f19783aac7d0584b3414ecadebf94cbc0264d8ede9f

SHA512
3ab45a158c1f579a715740a125e717f65121911ec7f8745c08ce93cbec1072e8774dd4749e3a9a55cd51ee3b1ffc9140802709a25a0c668659a75cc9e1bcf99c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
3c3d75dbbe4cdc0b3a87c72862eb4fb1

SHA1
3ea27a2fc814009a85ae0c8619f465ed231aa2d0

SHA256
18341c8707adff544cebd596710d72d2902cbeae24bce5e40748059a11b206a8

SHA512
81936bcc8081f1f0b5a0ad62fdd498bae51828682a8b2d978dab5ca1aee3132a1957084442634fd35d990b9640017df6a287f5d8bda123a2c85b1312c6848dd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
83be3d33d4fd69fc6e2443c121688c8d

SHA1
304925a6d41e13535af8c7b6b037f106cce370f4

SHA256
c77e262cc93606a96ee894092958462d3a2b4034d1030fec2e109646c082c9ba

SHA512
9eae50148ea45b40b5459538d8e93768c5ca9ff756e3f947f4a3ea3774dd783c686df407e29309fbfa1691f8454cea02c8c535df2d087d541f892fa259033bcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
bc1de7225b6567f1254de494f95e23d1

SHA1
18b742b9bf886d3b567b63d8579e4d7d4b6b4156

SHA256
fae28f474a607cc0dcc53503ea9de87095d9d69a7c4080c12005e5b838d2d110

SHA512
e1a7be916ba7e5aa8dd8f30dd56e65d0110bc7d68abe4e434d5a88ca5c938fb32627aa6a2353f901e528d6dfc0304e8f4f97cdf6856fcbb8f812ea338de34214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
64b36e336eaf3b39b9e69a53b56c26d1

SHA1
927235a2756257acb60bcded5a7e69f63be8099a

SHA256
32a56ad6616723323af7cc58baef11630aab990c4c3c57a9d573a8cd5d431c99

SHA512
9e2a98d5e4651330637e5ec8edb9053eb952e148228ac9fc30805dd34f91b575a7cfd3cd6e6aa9250076d935c5db839cfb137e0e5637dd52713cf1ce6d55d71a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
451edf066de1c801011772cf2a915dfe

SHA1
fb78b56c1f165082de4d54e883f59032573ebf97

SHA256
54fef48dd5ac17be3d707ef95255871989369ca382a9e0d0800ba125217c9932

SHA512
02016f598041dfbb895d9ded94aa69a44a79175ad32524bdb5556fc2661a7e1c214216148fefa08d7f94ea1bfb7cbcfc86a5cefd273f62fef9fb771fc5475572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
6e1156150d39438feedbf26a24b542a5

SHA1
2b752e5a040b9f5349e41407fe292d252c4aa65d

SHA256
1f288b2a4bad3f9c8aab8953eb02aa7e6b165a377ede4e417f886a4aefbb6a1a

SHA512
46177a671badb32e1f8249497059795f91f5078796fd5dcf121b2f77c4bc23e0df73f2608074e6f4891dddd79b36ead9ad43e1500d29821da9f168e70d5666a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
08e76c50cb709dd58f3c9ed0b56aafa9

SHA1
22d1902679a9b877196867f85adafdec11777b3b

SHA256
d8ccc7fc19e8b0fe0e6d4c67b736ab703b9a77dac217226fb0c2432294d1ae4e

SHA512
ff18575ae2d5939ab2493d8a5f3a315c9f01e9f1afeeadb86b2a703c1090c9c3c5d1106db473ef541d4dd89d5bbac4e5c688331070fb34cdf93fe2ec649f3e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
773df5405fc05ecf6eed1fb4a9f7a2ae

SHA1
d0c195d4fd719a2a9bb6ac0c9a7b179b1f772b53

SHA256
671b3c9df471a0fad6f6aa280126ca472fea8ef7227fa78f31177fe1f47fa835

SHA512
5364030d65c0e6d62de3424cbcf5cd12d0d4bd46b7fde614f3863a993f20d8ad8d0fb81da8537f10675d17efd83823b0fc2f698c06bfe0c03cc65abc526e50ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
7fd9a10e4d9f20b03bf35a853578ebed

SHA1
b2db88ba96247184938fe09af076ccf0a9117a01

SHA256
372f287f57c7c93ade00561878aa8e7476ee90fdd02e983f8eda15ca8d6336e0

SHA512
9c5ca99ba716e3948a994ade1d295a48bbeb787a8b6a4e94452f8c4880f7f13b777c7752cacf6bdf7e26c2657a5504a3dd3598f088bd30bb40076ad9d9c59ad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
b5d64acf84f0a3c67ba9af2a12f19c32

SHA1
9978c85f0a50f9ec2364d2fce8e89576e7c99ea6

SHA256
edd74579efeb47360b65c88f53937eaa166ad5a4aaea7b486fe0351e3a6394d4

SHA512
0a4fcf6cf7bfab5d90c2c91c70231ef6ee87804e176c02fbc9be7e2809d06351db09924e8608b7185e5450e4f16f612f1d88fbe09770eab06c9d0c84dbda8330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
108KB

MD5
fc936d17fb4b2d77f5d16ec99cd0dc79

SHA1
c7085b168479c17626952173b0a21a8b210ee3a8

SHA256
c7a5d147e67d2606b0fcd744b02a424e30c71715da5fa3ab8dc1edb31881672f

SHA512
dea8915636d005f9f09b613dfbfc1f8085cdd43a848c4b1b7903566003e14170187b8ed116f01eaa4d9572dde4618d9f695b3b83700d9919d1728b8262271ccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe577d4e.TMP
Filesize
96KB

MD5
d7a1c16193152346bdd76af66d95c0c0

SHA1
fd0b4f143a66f5eaac60bef46c77662315845aa0

SHA256
39ce8c327c7dd92b3aaff3b35fe0ae4127863eb91e39ba82bec4ee1f80ab3bdd

SHA512
91b110a3131d6aa0a31fcc9ded03d1351233a6f31a7e3fee762c40dc4a94186c7dd5765819cebb57aa720c48945de7fbdac6a9f56ae515366b61760db907e343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSI7CE4.tmp.log
Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB0F9.tmp
Filesize
24KB

MD5
78db15381b8a83badaf5f63bd04e57d0

SHA1
32af32cea5b668ef2f4e7d6193480c3f41f221cb

SHA256
9219299af82d407efa05c68c7bb79d57dcf90358c37ba40cec27100c9c53c83d

SHA512
6a83ec8e6b5b5c9a112b0c10386c5f379e8dc276bfe1c79607d4d62eb2d36c22b0c58c13ca232fb4e3b489ab00026b45a6a84bd4cacffb9a9ad910ba56599f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mathcad15WixInstaller.msi
Filesize
290.6MB

MD5
8052898a3d755a67cf3a7f1314ae632c

SHA1
417caa4f63abe1bf77fcfee2231bcd83fa596b59

SHA256
ec2bc73bc849e829bcbfe0e7dd933127ff92a1103156560674e5f3369be56522

SHA512
98be3e118c958a7c5b8a38c78bfaa55a2eece69c974005ce5c2dae52887a9b83e64c0256b236f66fc27b1d2e9093838fb4f0467cfd0764dbf9088040db7a2feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AC76D478-1033-0000-3478-000000000004}\asneu.dll
Filesize
124KB

MD5
4b88bd98983a2cd9be90f368b4f59f0a

SHA1
02acf8dc68685a22fa02465cd880f8eb3e244841

SHA256
b1bdd73ffb46b905f12923a4110fda77f1474fe0171204f91df59c939338df40

SHA512
efb5029f4ac2be9287dc6a14ee0be258e5b3f5b881843f7f6cac545c0d91b19c9543a5c0d80141294a2a02df2efc81d3e3ef973ffee4f11ef6962cae07d08df7

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
Filesize
12B

MD5
b0cd19e07f19651f096782a3b69891e2

SHA1
7e70fb8285b7b07953ab5451da600d6dd5406b56

SHA256
5e8bd55ec7cfc9914684ca72d73f38aea7c72afc0c668785b9731953f57b05da

SHA512
ae3d82ab034b8174635d6fbe33a542833a7599faaebe243971fab0063fdb906517afed827c211443dc000c115a827d96dc6d09e949a95cdaaa2c191974e80b8a

Download Submit
C:\Users\Admin\Documents\ptcsetup.log
Filesize
1KB

MD5
b1d538f3246c0b084dbb8e87f746ccf3

SHA1
0277fbd97ba8356519cbf9f25e085b55aba884bc

SHA256
c69dc36365d853baf2188a3440d35e46c3fdf4b899b31d960924db55e4fb8976

SHA512
bdcf60eac82bc8edc367054db67b154c4f6200d4e38486f0e13154035402f20488e69a073637b6160601cedb2e19423236cc1db6fdedf78661ac97de7672583e

Download Submit
C:\Users\Admin\Documents\ptcsetup.log
Filesize
2KB

MD5
45bf5cd3b661e7f234aa6c695f23f7bf

SHA1
c9541926f9850c7d35f82ebce07bc61df59ff0bb

SHA256
818204dfac4d465d19a6029546bd4770fc9deb1e85a27694ea9b5e98a039e422

SHA512
110b470d8d14fa9825682c0080d9ca7c1e58d277240a709a8d05efc9924ee55afd46e55ae969b00910da5c96986f54cc1a2d4c7a47fc05fa9f14479dcc006175

Download Submit
C:\Users\Admin\Documents\ptcsetup.log
Filesize
4KB

MD5
fac4bd0eb98fe1b8f8200443cdf380bd

SHA1
0b899da31a68c2beaca9b950e5ecb93689c80893

SHA256
9c463c917b5d782c835ba804010c025ff04e557d3843eccdc7dbd8737463d64c

SHA512
cb23fbc709f62fae6b9a833bb1264124a6f470dec1cffc70d534ba160f440c5140f73b8811870c8425465877dca36416ff2e2c758b636602189d4b84538e394a

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy].rar
Filesize
223.3MB

MD5
56a77bfb96cc9c0f6e8c9e4ab622fb89

SHA1
71abad10ba3b8df64803e26b31d22e570368dd5b

SHA256
502c46e1fbdb09650358b78c417cb1f8eafaa80281f00a63211bfd5f4e211c2e

SHA512
5d6c40d4f033369d1acb349c0c44a142598841a76196f87c52618f7c196df6869249c49aaaa61070aa90ba2de0917b5df83cc59b8a454422345f1d12220d2bf3

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Crack.rar
Filesize
450KB

MD5
b15eb49694382e15ecda8e958ef67fe7

SHA1
b2ff6e4a812549949139a90e473de6e31e3cfd96

SHA256
34b046077aeb35d7a13ea58527484fa12683ea04b60d525e159f4e3ee2c24f34

SHA512
8b798c123143b1c3d524e1f207b3348312db9e9845b34144774c7d4ab7f740cbf449a969675b6f4b1f0bd9dc8e07d7552321b063d1d4f50ec72cc876817948f1

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Crack\Torrent Downloaded From www.Androgalaxy.in.txt
Filesize
245B

MD5
17be03fe5d37ab8269b5e38c59c43ff2

SHA1
8993fb91c5299d2cff4bfa4a0d575d1723cd8cb1

SHA256
0ba8f263c5469aada675f0e6ffded1d4c52228755c731d74da23214d6f0e65e9

SHA512
b25aa30beccfe9be0882c62b5111aef61a7e1e188440e05aae8e6af756accc164e99f12071de7b44371f73b65ee27906f898d1eb594c55bce2937412a0e52a14

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install.rar
Filesize
222.8MB

MD5
530020ba843f4f09054473a2e87a3f21

SHA1
168e9ab32f60ae26b268aa214d4195c9edfa95c9

SHA256
e8a2b929040d54c6e17dfbec386a4fd292008b4cb40898e197981ee999335d1e

SHA512
dcdefc60bb7ce44c1e6867928cc09b90bf1b7f37f565e4da13164ba57d92660e94a4f25595fa05020df7b70c1e739189e7007f660e8d0dffe96f5e024134ac84

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\proe\uitools\text\resource\feat_cblloc_offset_axis.bif
Filesize
682B

MD5
9729ba30109e266ee3cd2f7a52e03b1f

SHA1
14b70b7f0c472166cee9b0928c914fa4a2663d9f

SHA256
756a199884cb662d4d5798d837ea12b6bd3f1b66d55e7cea4df054daaf960572

SHA512
c15fe9f2485d6e5803c58747f376c737fd1d84b0dcbde60b17be4a55f78abfcf70769b7daa0dc5b17fa931cbc5590a4c1b3aa7f1176407f61efcd0d931273cff

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\proe\uitools\text\resource\modifiedwarn.bif
Filesize
1KB

MD5
739eebb841601ac6bbaf3e8ee6cf2505

SHA1
6dd56b7a89387e2612766825a903cfd7e5827caf

SHA256
87ad3a06a2723cd2ca3a8f3f051e81d8f063f9c8c175afae0f0dddd5ce0e67cc

SHA512
bb9c3087abb2c4d2b2e7318f9bcd3f57bd9c84c371670b738ea58ceae0d21f82307744c3c3c65b8f7f3d0fdb35c79b5642a13de983cab2147ecad1a0050eafcf

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\templates\win32\w_start_readme.tpl
Filesize
32B

MD5
cc850e1164ac780b8a7eacd9c2074f2f

SHA1
f57f9669918298eca629fec594ea4a1c7353245c

SHA256
50fa5e9bddfe878d28d4c3fb0dc6721f020159247f22516f18d82fe7d1e66b1a

SHA512
f5910f61e7e0e5b2a2b2915cd55b49e00e7a252c958b05695b5ade5c14e08dc16a52f2c94bf442af0a009e7c873a4455c505d5aba09015ca64fd904ec1aab64e

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\compiled_resource\ps_default_resources.dll
Filesize
752KB

MD5
0692d7837dda636aecb098422f4b0769

SHA1
bf8ce98a1129c82d8295a1d61ed43198e59692ca

SHA256
0e5e10126aeefaed209c2409380b0050ee09b1b7698cafb829174d434d039b3f

SHA512
ba2eb832cba7ea8a3b5c22ce39720aa8a215225d96f82e55b5b006131b39af373c9cc61473a45e3e02df468dc280e9a6f94bbb80007695e076bd3b7faa5b9e75

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\compiled_resource\ps_default_resources.dll
Filesize
752KB

MD5
0692d7837dda636aecb098422f4b0769

SHA1
bf8ce98a1129c82d8295a1d61ed43198e59692ca

SHA256
0e5e10126aeefaed209c2409380b0050ee09b1b7698cafb829174d434d039b3f

SHA512
ba2eb832cba7ea8a3b5c22ce39720aa8a215225d96f82e55b5b006131b39af373c9cc61473a45e3e02df468dc280e9a6f94bbb80007695e076bd3b7faa5b9e75

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\compiled_resource\setup.sdf
Filesize
132KB

MD5
60d5470ef02474db5ddafee0259b3476

SHA1
edbb558917b08a13a4bf991aca3e93a6abfab3bd

SHA256
74ecac84a0354cfe928279038ef6cc6c44a275d39004066a125e70eeab8577b8

SHA512
427778eaa0204468e06e3fa02801fe54f5f5c1b6a95f93b6139f64f94e77fd3ce51785ef60fe51ed03b7385f57c88e248922a6b0971df49fa308a419f6dfd952

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\french\msgtxt.ndx
Filesize
101B

MD5
620b55e08c6e275ac74fcaacf0c39ba4

SHA1
59697278f5203270b63d113bc74acabf7da1b1ff

SHA256
f08ca7b411cb3e7cec3e0a1c34d074d418ea401bcb9f2d60223bfda0c41378ec

SHA512
7b7307b4095d19234cd61fb7c71640f62508df12bdfdc2795ad1d02b0d8aeda142726feb5d26ede45ce8cdc7d9e45dadc60930fd2aac844aa15c31db4944a9b5

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\license.res
Filesize
38KB

MD5
440120e0aa2885f7a36036c42e3b7068

SHA1
05b9546c81ec71e04c296e31765fa3bc5e25d185

SHA256
10b69e4d362745046227e11711e2491dfb35df4ec992b79a6621e64a20acee41

SHA512
a979ebd5d0370e7674e883fc21470c725839644123d8442ad77eca9f16ed2a8a072d1336f0b310029cd838af63b75adaec28266dd344f1efd5543a57d72d88c1

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\pro_i18n.res
Filesize
13KB

MD5
355d841b2e8cb10a6ebe220b6519636f

SHA1
721410be9a478a7b773b76d6efeb0176fc8daa6a

SHA256
b48943506cece6b89a9dc06452a8979df063d35115fc323c766da99f38a54cee

SHA512
ac714908c61644c91ebb5f0713213e8ef4bb0b43c56aa6ed3039c3de4d1815bf74ca21710664203ff7ce347734ae518afc07ae2d2ef5de1556885dbffc278ef9

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\coreutils.cmp
Filesize
2KB

MD5
4e87baf525f23e09a59f7ca91de89002

SHA1
96b88c64f4990437890809697d7e3f96b5b9f8cf

SHA256
f097390fafbbf76c6c2607e74c25d60861042dbfe9d7f3549632121eee930812

SHA512
ef497b53dc931f8324cc0de518843279314fde21422892afc2637e4cb2568acb261b953557352b266d158f03c900507f12a603b5eeec92abc6b20de14313d883

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\featwiz.cmp
Filesize
2KB

MD5
d04f5d2ae86fbf7ed112a49ec2a2bfe7

SHA1
da01cedb762e8e34b44b49a232952ae94979857b

SHA256
d2645e2ce6bbd45ec44a0e4f84f4ec14d229b7d0f7da78d61e6821ad4defe438

SHA512
2086f33b5518039132339a134a1185a18110e222d884f1683fe163c825a6918b9388861d5412d61cf9355d29b600b48e136608b15c089fbfe81f8876dd7188ce

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\msgtxt.ndx
Filesize
101B

MD5
620b55e08c6e275ac74fcaacf0c39ba4

SHA1
59697278f5203270b63d113bc74acabf7da1b1ff

SHA256
f08ca7b411cb3e7cec3e0a1c34d074d418ea401bcb9f2d60223bfda0c41378ec

SHA512
7b7307b4095d19234cd61fb7c71640f62508df12bdfdc2795ad1d02b0d8aeda142726feb5d26ede45ce8cdc7d9e45dadc60930fd2aac844aa15c31db4944a9b5

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\msgtxt_g03.txt
Filesize
59KB

MD5
08617aa1fc50d878317edfcead0d858e

SHA1
6d93b126803db8a58368da2894d3ce5ff55ebb88

SHA256
b0b1cc2cb172f0f2ad7db501d2433aeae1913fdf366c8b3964aa6e888be6fd28

SHA512
51bc02392b416e113d86597cfc56fe363fd8ac567948d1ec1263167ddff7424739adac06ee99fd7a7c101703517298d2efe831ef026c284aaad594b412c49481

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\psgen.cmp
Filesize
15KB

MD5
820ce14d1b38ba6900e52c1ba2df49ad

SHA1
ecd2a3cf75794fcaff2d13281cc621e64bed2dad

SHA256
c52e6ee82563160beb25357003659ab547b166fbd19e99dac55641e18bc871c4

SHA512
36e3a8ecd21edac24b0c6e73bd059c9dfb273e24d41fed5e09acd81b545dac9b7a011af389909c151d4b170883c8e55229b10bf45d4f55f8693fd7ef872bf64b

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\psra.cmp
Filesize
27KB

MD5
73be0de0ee428d6bd6959b7ecdd522eb

SHA1
3081f8dc305921b8ef808cfc4e9cc7fc8f34ff8b

SHA256
9644267673c8e516c8acfa39db34dc19d61ac3ef0134049fd8e8827daa8da13b

SHA512
9447ac6eb10f79d49fc5b4487ba79b26026df6cd4353ecbbdffc8143a20214fdf3767a3922c63e6769c19cd6e8ad4cfc282448b5dfea27f95eb5bb217a78eb08

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\ui.cmp
Filesize
1KB

MD5
c00a9bb9274f3419db5df579dd2c6aad

SHA1
0d3af5604e2f84b116bdd4a9fa76c757c5cb677b

SHA256
93400c14bc05f1b3ca853e6f6bdc06ef67ff223e76907f58ae9014c27d8846d7

SHA512
93e71dcbe84b50230c6a6ea6e73d983a14acde386087d2535f7939d696ef83499aeda6b7869cd8dff3f987be8dd98eb9ae162e78a7dd2e41ce6d066606d39f47

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\ui_comdlg.cmp
Filesize
3KB

MD5
870ac506567c7181c0de28eebac63ee8

SHA1
1a01aa68e8132cb5f12804272f41b35387cc75f0

SHA256
b72ffeac4fe3a2010683afdf41a259153f2502280367ef29e855a6d463877e0c

SHA512
4153c1b3459f1f15212c5b06a0ae140c716a505f5b758723f1d77c6e8a59adaf06a197d609ea528d71127342bca5d3b202f073246dce9cc6df2e313c73a48509

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\uitools.cmp
Filesize
8KB

MD5
df1a82f2267e70862124b90998aaa2e7

SHA1
8af60009f5b836bbfaf1c8e0e848c6cedbd1e76f

SHA256
310ba745406c71000dda32dda5863b864562110b3d10fcbeec1cc93b8eeb297b

SHA512
2de5aeb525c15a6d49f0a68ccf7165a8cd9b9c3edffabcf1ac34c1da441470fb841fe4c38c7a00e8f82a93cd8a9768065a8a68b9888677c35ce9258d3e571971

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\text\usascii\ups.cmp
Filesize
48KB

MD5
92905209cf8f721dd8f7f4d3b1816d65

SHA1
cbdb37dbbc8affd95a3b0bc69575e36a6734410a

SHA256
93c8fbd5d2f276f44d5475c503a21d29e1d860653866d9d069aa8c3ac83d2096

SHA512
fd8d01c3eaebe25bcf30d526a90130b94c6df9153ebc1874c973f73148961249628d3f76e9c15d838d7177a3b97e836d3864c5778035f36814ba3c6734e5d5df

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\x86e_win64\obj\ptcsetup.exe
Filesize
24.1MB

MD5
3edbdabb0a8a354811f0401c4d5db59d

SHA1
e8737b3a0affae7cbc1c2a88da352207c7344850

SHA256
fe1fdb4b7099594b86fa389c1f2e0fa1282ce1a795ea7b1bfbc0cca982d2de39

SHA512
26c41e5e4f1da1420dc31effc07ae286d3db8319859385d22eb96b8cfe9da29b5e56539970b55e68cbc933519f596eb0940ba988bb545deaf00d39e0aeb2579a

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\dsrc\x86e_win64\obj\ptcsetup.exe
Filesize
24.1MB

MD5
3edbdabb0a8a354811f0401c4d5db59d

SHA1
e8737b3a0affae7cbc1c2a88da352207c7344850

SHA256
fe1fdb4b7099594b86fa389c1f2e0fa1282ce1a795ea7b1bfbc0cca982d2de39

SHA512
26c41e5e4f1da1420dc31effc07ae286d3db8319859385d22eb96b8cfe9da29b5e56539970b55e68cbc933519f596eb0940ba988bb545deaf00d39e0aeb2579a

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\html\french\images\new_logo.gif
Filesize
2KB

MD5
89e1be5339ec337f236e72c4ca73a507

SHA1
f859d1d88121d36bab3a3b0138944c5564588bf2

SHA256
4fa227812248a6aaf2294eaba7b0d0fe20eb25ff0017b32751cbd967b1434d77

SHA512
62751730af0142fa7c5267135e1c69d539e99e42c698bd6e049151587b149f388f3af40c87f1db8bacb6b1e32a53072090d6987aae7ddb4587e0038ee31b8e07

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\html\french\images\ptc.gif
Filesize
1KB

MD5
4c9b5430cacb3ed6ba5ec796e26bf5fd

SHA1
3c212d1c3c10817bd3122ca23475404df0d198fa

SHA256
ede2c0a767f14c37ffa9a45ab6b4deb45ad93ccc6ac337508a5284d2a35c9814

SHA512
fa34ae29f7dd1dcec291f8eeece04ebeb8304333a5f34dcada6ec306a7e188541074aa1f89869e3ba363212120c90b01b533f846f7d502bfd49a8e6a052d022d

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\html\french\proe\helpSysTop\siteset\flex.pdf
Filesize
1.2MB

MD5
135bb721a2f0c2d9788278d15bc6cad5

SHA1
edec41a292359a9bb45a1f2140087edda3d5b0c7

SHA256
bff0310799976fcbaaf7b18b6c89795076c397adb44c0e261efd8fd8040fe385

SHA512
bd9407be1c55fcdff61c71fabba9a45a8363dc1280b5c42ebef85555c10d46fe2ad504734ce03025675b672990180fadc8a7cccd0c33b7535494a09d944e534f

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\ptc_inst\arch.db
Filesize
4KB

MD5
658b03888e184162cb63dfeda9fc8e7c

SHA1
30b6768b840f52a6e57f027bbe0a665ac8faaab7

SHA256
2b439f426db1ea42afd52f55bb440d317f0b630a3bee915e224aab81620a6193

SHA512
63e5bf21e2ebfc282a02c535dab6c57f3e4e3b9cdd259d396e2a3d1b72074241948c0312131e22b85d2c93c835ca7550c1a61f55363e2e9bde7b53bd1645d9d6

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\ptc_inst\cdmaster.ptc
Filesize
14KB

MD5
499a24663bba8f635c027acf66b76375

SHA1
513cb1c2455e865cc11e9bb9ce115d3539e3b250

SHA256
1217a0e065f9b8ffd763f7fe399d2c2b640b72a16f09df270142fedd72fca0c9

SHA512
125789576210235dcebad4ec182a89fe86838dea5c150afe301a6bf50f98b9a9847c68b30c68b772d7362d4cb17175997ad29ee5cf768595e7edd2ba4ea4b351

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\ptc_inst\mathcad.ptc
Filesize
7KB

MD5
176bf7ccdf511b45d92f9094babe19c4

SHA1
dc6b4dcb2195d41216ac41c1eade3bead3a885e8

SHA256
994877ba9a35c2fe2fb3b910fb78758a3e041a40656c64c47e83ec5853e40667

SHA512
43c4c0d1ed27dbf24292d6cad5dc79207a6aaa89ce700edcec4ae35900055b2d0fb7a98f87ff4a5eb51c2225a36ab6468467b07c595eb182ca040371c26cc98a

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\ptc_inst\ptc.inf
Filesize
310KB

MD5
9159da83bad62b43507e2b30286f8a51

SHA1
e6513c3082900561202d4c6c7b5d9102719c86b7

SHA256
2b4b81af4ddb6f85ed982485b3d83ca97fa134a6800d104b95876890281b66c1

SHA512
c5ddb1e45b0326aeaa33a13c67f361c185d1d9209bceed9fbd25aa728aae0ea8752c09d1c4dda1c3d3f93e5ad9e903ef4c660eed83a0eea5d5cea19e321354bb

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\setup.exe
Filesize
274KB

MD5
b32a5c9c11914d79786e0fae41f738a4

SHA1
e96a21157e224864a33448c9427517d1639a236e

SHA256
bc3feab402335bd66fd9dd23cf9edb8db4fc3a818cb42b1d17e31ae94095d58b

SHA512
a2989cceafa3ce8be3d67f4dda2ef327801b79c9739b7e3191660dfe12800527d703a9796a236ebd374ecc2b5cc9b98d46b597d7d1170c81d0a525ec04898169

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\setup.exe
Filesize
274KB

MD5
b32a5c9c11914d79786e0fae41f738a4

SHA1
e96a21157e224864a33448c9427517d1639a236e

SHA256
bc3feab402335bd66fd9dd23cf9edb8db4fc3a818cb42b1d17e31ae94095d58b

SHA512
a2989cceafa3ce8be3d67f4dda2ef327801b79c9739b7e3191660dfe12800527d703a9796a236ebd374ecc2b5cc9b98d46b597d7d1170c81d0a525ec04898169

Download Submit
C:\Users\Admin\Downloads\PTC Mathcad v15.0 M050 Multilingual [AndroGalaxy]\Install\uninstall\text\french\msgtxt.ndx
Filesize
34B

MD5
0c1922e4afd33c497505d51366b9eded

SHA1
f6a31d77887254204e018869c5e7ce493937f7ca

SHA256
bfbe21b5e2db68ff90b3f04bea48f6f77a628cfdc1202c13fe074b6bd96afca8

SHA512
058d3ed5259f6abe685607f651d16e62d8e05e52774092382085449481d7da4a77aa095fd1ce4246d530110e749eb95063c2438a97dea6a4cbc63968ef99a8ef

Download Submit
C:\Users\Admin\Downloads\winrar-x64-621.exe
Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
C:\Users\Admin\Downloads\winrar-x64-621.exe
Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
C:\Users\Admin\Downloads\winrar-x64-621.exe
Filesize
3.4MB

MD5
766ac70b840c029689d3c065712cf46e

SHA1
e54f4628076d81b36de97b01c098a2e7ba123663

SHA256
06d6ecc5f9d88636b0bac62218c296bfa1b2222f734c9cbed5575bd9f634e219

SHA512
49064dc2c30eecd7320a6431abfee49d250ea7cda5e8ae630d2c55325f5bdf338355ae8d7a3246b4036afce5c100b8b30599baf19ab64d20190392d2d9a28608

Download Submit
C:\Windows\Installer\MSI4477.tmp
Filesize
92KB

MD5
46ac22444f177a495d597ddf6cb857b7

SHA1
2a257d3434f29c0737c12bfd032457ff860ac955

SHA256
87a8c93d651d2186fd7eac141ba96e31055fc4520850203ba3cc6e196a0d9d86

SHA512
f3f58ce2cf8715bc588aeedb4e6daa4b9db2456acd0e0d9fcca1fa75e4f645c31f5fcb824d0c0fb9ce110e41e2da088b8af384a217572b5e6ea4db9d86f0119c

Download Submit
C:\Windows\Installer\MSIB991.tmp
Filesize
156KB

MD5
a44986470c4513447017ebf68fd2903b

SHA1
d5816fd82873fc9b1b35131624daf70fb86c2e72

SHA256
b75408cd4961060f0ebc89340d37fb94c42509c17d7540464f6a13e6a94c57c5

SHA512
1b28e5f30049d8b50e1d4245b988a995a5901a250f8af3fea21a6b9155c7529ba6720784f7da0f63ad2be33b118c5a8f6c734939d8c49711d20486dd89ea0b84

Download Submit
C:\Windows\Installer\MSIBF28.tmp
Filesize
116KB

MD5
415f71ad8a87ab764b765333dd12e2aa

SHA1
08d24c7ba1fdeb7f1e69c27a275f98fd256b647e

SHA256
682d8f20da8b5a6473e19feb022c10ad0aa59b57ebedce8336b43485742babd9

SHA512
2452fad01b0f991cd1593de0a05945a5a659539089abf355597dc5845314570c38baa044404b79b92e6d1b252d5b3138993280304caf074eed17f1639bf31a26

Download Submit
C:\Windows\Installer\MSIC1FB.tmp
Filesize
112KB

MD5
8f680e0f517d35bb14f984a7f197e35c

SHA1
1ad84f7120c2712a32ef5aa82edde5b704eeb27f

SHA256
030d6e3dadf9da76a1f5e15657cb7673265ea545402f181624cbf64a45e53805

SHA512
dda5cec6042f2c255dcc814c5f19e7692beb07de9ab950bf817169d076b368cdfb268aff1b5b5caa12409058e015124206a9b87714133226b84d3eb5b850013a

Download Submit
C:\Windows\Installer\MSIE791.tmp
Filesize
80KB

MD5
f12f1ca3d3d1fc9c9499208cfa3b89fe

SHA1
6d3a88a085964fa1b9718889094096ae8754f711

SHA256
870e8c174b44eb5e95f1d4680b3cb314008b81cb5080dd0658ab10987eb2488f

SHA512
89d1c179497b13fca46226411868ae05448eb0c827419c8990b4522287519d7df1f12c3bc32dad3dea1cccab2a13fe6b09c952f3ea6a29f3c48e3f1533adbc90

Download Submit
C:\Windows\Installer\e5a55a5.msi
Filesize
290.6MB

MD5
be45b5ae15341e81a5d9c9455e098e4a

SHA1
3f1d5b079967ec3c3ec1accb88f3f13b504d931c

SHA256
0821371ec6be74ac28eeb3f800544c84cb7d23322af5198ea045f399fe607ce1

SHA512
3e68bec095974f1fca1fb95c41ffd6a02a2013b5d2cea752942f487188617b9ffda9e3ec83056c1d48f45255057f3423774ba96829548c4199775c95ce61fca6

Download Submit
C:\Windows\Installer\e5a55a6.msi
Filesize
3.4MB

MD5
0fd963f8ff8e75e7832708007a833787

SHA1
1de313473d9ec729ad436abf114876454d60ed7d

SHA256
e74c983fc806c21119dab70f12246bc17d0b541772d0d5829c791952638a1273

SHA512
4c3ec8a878b19aef73d2e0a157773646ec4c9474b2f7114660c38908a31529784957322362a72b7d2f6bfa32bbb997bfd7c8bc4636fb27be9155da09d5c937e2

Download Submit
C:\Windows\Installer\{AC76D478-1033-0000-3478-000000000004}\MathCAD.mst
Filesize
676KB

MD5
207fa3f5832bebb1581ea03f9c5dbf6a

SHA1
0d0d09208f40cfcff6d2c5fb6e9ace1655b0fa13

SHA256
1294ebac3b39f504fd3aac26ba188fd060f632f78eafbaebddf14f79a8b20793

SHA512
bf3b4b5aeed061e0fac5f8e812b43837f61ddcbd95fe98b6e416e114dd583037b157c3b0c98f3ca6ca63323cd6b0e84088a6e3b50274ecfe7ee0b846472a32fc

Download Submit
C:\Windows\Installer\{E87C64F5-1AC1-4780-8C11-93DD65DCE627}\icon3.exe
Filesize
1.4MB

MD5
2bb1e036e65969682326b1ae5d1673ce

SHA1
8ebef99b307d5947ca28aff50413d8febac5f9d4

SHA256
34684983f037c77de57a58bee760f0f1fd730786a1b9d0e5fdef114529c26138

SHA512
5d7cd07d3f9d238c0d4db47217cd11ac40b68d52e6fea53f627273ee55edb52a5b3c83ed58c52b25590dc2520819d7dd4d81a98a455d07780fdb777b54d499da

Download Submit
C:\Windows\SHELLNEW\IT\madewithmathcad.gif
Filesize
920B

MD5
2a0d003fde6ceb4f613f8f9b9feb4042

SHA1
06202913fc88d17b3a3193a5251941ad5469eab9

SHA256
4431c0d6fe472111ed848cd31cf6bd58d75dd09c21f263241048794e59aad913

SHA512
ca9e3718c959c255535b7a3c66cb849bc9d5da615c433f133350662dc7ac6170c03548127cf198c99ef956878b1a49ae76e2e70cfc100fa4b44468981627ce1f

Download Submit
C:\Windows\SHELLNEW\IT\mycorp.gif
Filesize
1KB

MD5
b6976b8783c463039b8f0c2230658f57

SHA1
39308590aaa528b2ca7532ab46ad2ec1fcf3a7d3

SHA256
aa167991240ba77afb2f8241338e8580112ae1da21e7511050fa54f2cb15cdbb

SHA512
2ba6fef15ace06d3729b881a338c75b9fe7916dd0ffcfdd80b6b8a6620bd09c5e1c7b85ac91e1b62c3065bf4ef0f9f0334411d6155f2b67c9f15e366d90c70cc

Download Submit
C:\Windows\SHELLNEW\JA\HTMLtemplate.mlt
Filesize
1KB

MD5
746e02ca7f6003df3b0e2f43c9c4c9a4

SHA1
01dbdd4a344795399bce3b41cbf239780a428e7f

SHA256
be721a548a3fc653f04768075320cac79fefce8558b7a443b97014e141626840

SHA512
682254f824626c47c5f2c0b09f39b5062fcde23db8c79881e2c8d0c674820c7c8ec793b0e4325fe6e26fbce3c558868bfc9f2c19d5c5688117ac7a692144e94d

Download Submit
C:\Windows\SHELLNEW\JA\Normal.xmct
Filesize
9KB

MD5
a8af780f0f9c956f32790e0ace31e7df

SHA1
0ea6e8bf5740b42e9372246132214be1c5601e70

SHA256
d158a8cd6cbb47592bbd093aa38844008b7d5b6d253a79ce230085088eab38f6

SHA512
e4b5caef34ed4f68c7096f450b25fcbb61920fa62b7f30901c1cdaced571b2b1e64743ec55928902c137a9469bc47625d9f756ab2997c0e03e89b267a6a280a3

Download Submit
C:\Windows\SHELLNEW\JA\default.xmcd
Filesize
9KB

MD5
f98686a60a4da2da0a940aa9595d5da7

SHA1
8eb666d7352c8845a817be762af8e28b22cbf2f4

SHA256
35f8659e25997a3e485be0ee9cf9611f870b528522ee6f32efa0325864d7bf0d

SHA512
3b23328ce8e1eb251cf222494b1255e9dc3344dfe022d657182443eab5289bae597de89db17469b03ec5483547daa135abf393b2f0773a1ee6e1464785f60364

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\AdobePDF.cat
Filesize
25KB

MD5
1aae60fbf7c74ca66b87fe4b48bee68a

SHA1
f8f235adb44e1dcaa0640724e42b6060afd7bb28

SHA256
2006a031d163ee8447a60bf47dd0a0c6895ec695a26baca4f736b898e7dd772a

SHA512
3263c788bd3c019fbe87960f2b66d2f8d4d09041f9b83ad59e31b05d1d109e5c09520f296871a65942cd8edf5f7c47171e48311298d8a317f700570758f3cd68

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64Vista\AdobePDFUI.dll
Filesize
23KB

MD5
e49fd56c9c79694a122444131fd0cf66

SHA1
8ad7f442c20e0a4ca63f22ba2d76c9f00b24a531

SHA256
f5e7d36527ba7d08c789f1b07008c8c938b4b3505cc9d337c64f94ed6ee30016

SHA512
dac4bc40e3a4fd75a3cdce77dbb0ab2b2b79c387a66283ffb39f86222fb8d58ad348bcd1e850e7cbd4756f809ceeaa8476eb0cb7a7edc74bcd782ed3f432b398

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64Vista\AdobePdf.dll
Filesize
49KB

MD5
c25ca25a1d440ed3f88aa558017ad4c5

SHA1
957773aa26826545b0b280a7791d5ce49d66e7cb

SHA256
9087c0b710cf0575a2ff4bb8bf314cd0da4f02d52dadf74008bd950a77206c72

SHA512
50b850f7d24d92c41955f08d6409ba1e6920972d40a6b6ce77f45452f2ced60ee0b42bc129913e4d35f7b8bca300c3e245593499067d36d78d26a8c894cd10d6

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\ADGELP.INI
Filesize
66B

MD5
8a341064644235ce9282a13c147d11a3

SHA1
5428ae99259990063dfb2f9950de90d2474a51f9

SHA256
878f48238b7a018fb06c961714474904e400b2487359ca96de2d036eaac46193

SHA512
e7a6ef9e5d9d34cf4f03b0a9198b56f2de00f77d10ad61e2f2e100015e6cc0e6a0b42d8c19e54569feadf642a0143a2cb24d96ff4fb9613d32d58e0666b62917

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\ADPDF9.PPD
Filesize
27KB

MD5
1d416c30d81862fb63acc682ea5df05b

SHA1
ea1883ba145db7bfa690d58b674f440409d96521

SHA256
f036b71881c945bcf4644878009af853d7d39929ed7314195371669f8060c54e

SHA512
f6657881816d84d87b4bece60903dd6cf42db2fa8816f5cee5f4ae4d5a8984ee5bd5f4f88472495bd746323549ea2fbcc06ca7cb9450b31508954e686283bbe6

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\ADREGP.DLL
Filesize
30KB

MD5
90dd1c887a7e8ec5f24b0b024ee4ff48

SHA1
9d67db8081dd3878a48380069310687e93b83b3a

SHA256
7fcf52a71741911ee110f8e9f15c953c30d78646feb95f7fee95c91a0c20f52f

SHA512
f253021f573776a4fdf0944369f3ca7f1d2d406225c2446d86bba2e9196708295947ba18f74ff3cab640942c508cd7a7b3221439872abdf3c1e16fc423b79a07

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\ADUIGP.DLL
Filesize
214KB

MD5
d331a15779ae91efe550924e7ebb4eb1

SHA1
3145dfda049911241e33b3d74ba67dbb927f15a3

SHA256
2af05e6d4ff9359a4902f9fed26945841e1498be5189a03479de9042f73b04b1

SHA512
d061c87edf9e7dc96a4440a9c27b581146cc588003311bd86f53b541aef7948a6931f9645618ab1caf0bf8688d980262423f68f0d58d66510650abff2487cabe

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\Amd64\PSCRPTFE.NTF
Filesize
1.2MB

MD5
69b9d3ea3204c4c1ea0f30f5772a0170

SHA1
ade95061e03bddd156588ab57cdc6fec132e62e5

SHA256
d4c153cfb20ed35664f98653a1a5cac7165b291213971621c89f9784a4199bd9

SHA512
ea5b4b11fb8a108b0410ff93905e66b3226c4e5f0bdf309f322ec5bb361bda106cf89a27733a81ac4fce843918c7cf898b8d142af38a9814d47a3abad3fb3036

Download Submit
C:\Windows\System32\DriverStore\Temp\{bec24f2d-d392-3d49-b555-c0499e4bbbea}\adobepdf.inf
Filesize
4KB

MD5
64dbb24e92cbb9b428acfb55563cc478

SHA1
2b92c40ebb2b6fe89c7f5449b66af1d769d34366

SHA256
66198ecc6bd586b2b21a89a5f630c7d16e4bfab161fe4487d9d29a3b4fdcd6a4

SHA512
f923e61d42f162d59c6e608a78105aa0883351f1d3187fb01fbf204de7b4ce3362dd4e3b7fcc414bdcad47ac46af5093db2b0fdfab69aee9eafcb5db993ef8d2

Download Submit
C:\Windows\System32\spool\drivers\x64\3\ADPDF9.BPD
Filesize
20KB

MD5
f6b39de6ee23d0e070c7abd38b11ee13

SHA1
0d7443ef35c7dd021ebf979148e54701bdcda9a4

SHA256
bd2d62cd53704e66a547957ac81e9f52a29c17878751277c41728ccbd242c9a8

SHA512
3b9f2a6430630cf41ed9d784545db72b42ef5720c83d201549e7861140f7532cb0301f57534931f5adff33c6cfa592fa70e202953fcd8867c5c664389b93e8c4

Download Submit
\??\pipe\crashpad_2292_BGVQXLLPTQWROIJO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/416-12038-0x0000000002A70000-0x0000000002A90000-memory.dmp

Filesize
128KB

Download
memory/2272-14548-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14546-0x000000000FA90000-0x000000000FABC000-memory.dmp

Filesize
176KB

Download
memory/2272-14583-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14582-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14581-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14580-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14522-0x0000000000F90000-0x0000000000FD1000-memory.dmp

Filesize
260KB

Download
memory/2272-14521-0x0000000000F60000-0x0000000000F72000-memory.dmp

Filesize
72KB

Download
memory/2272-14523-0x0000000002610000-0x0000000002A63000-memory.dmp

Filesize
4.3MB

Download
memory/2272-14526-0x0000000000FF0000-0x0000000000FFF000-memory.dmp

Filesize
60KB

Download
memory/2272-14528-0x00000000010A0000-0x0000000001132000-memory.dmp

Filesize
584KB

Download
memory/2272-14527-0x0000000001020000-0x000000000108E000-memory.dmp

Filesize
440KB

Download
memory/2272-14530-0x0000000001170000-0x00000000011B8000-memory.dmp

Filesize
288KB

Download
memory/2272-14533-0x0000000002AC0000-0x0000000002ADE000-memory.dmp

Filesize
120KB

Download
memory/2272-14532-0x0000000002A70000-0x0000000002AB1000-memory.dmp

Filesize
260KB

Download
memory/2272-14536-0x0000000002AE0000-0x0000000002B64000-memory.dmp

Filesize
528KB

Download
memory/2272-14537-0x0000000002B80000-0x0000000002B92000-memory.dmp

Filesize
72KB

Download
memory/2272-14540-0x000000000B6C0000-0x000000000B6D8000-memory.dmp

Filesize
96KB

Download
memory/2272-14541-0x000000000B6E0000-0x000000000B6F4000-memory.dmp

Filesize
80KB

Download
memory/2272-14542-0x000000000F910000-0x000000000F9B1000-memory.dmp

Filesize
644KB

Download
memory/2272-14544-0x000000000F9D0000-0x000000000FA1F000-memory.dmp

Filesize
316KB

Download
memory/2272-14579-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14578-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14549-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14551-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14550-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14552-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14559-0x0000000010A00000-0x0000000010A43000-memory.dmp

Filesize
268KB

Download
memory/2272-14562-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14563-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14564-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14566-0x0000000010E50000-0x0000000010FA8000-memory.dmp

Filesize
1.3MB

Download
memory/2272-14568-0x000000000B3B0000-0x000000000B3C7000-memory.dmp

Filesize
92KB

Download
memory/2272-14570-0x0000000019330000-0x00000000193BE000-memory.dmp

Filesize
568KB

Download
memory/2272-14572-0x0000000014050000-0x000000001407B000-memory.dmp

Filesize
172KB

Download
memory/2272-14574-0x0000000019460000-0x0000000019472000-memory.dmp

Filesize
72KB

Download
memory/2272-14576-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2272-14577-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/2876-11975-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/2876-11972-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/2876-11973-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/2876-11974-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/3496-14418-0x0000000002270000-0x000000000228E000-memory.dmp

Filesize
120KB

Download
memory/4880-7447-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads