fantom | ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e

Analysis

max time kernel
1799s
max time network
1795s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

40KB
MD5

a2abffd7525046355e99e8673c3701fe
SHA1

6e1aaff66b5aac7a1c3df969b36da6141a95a4f9
SHA256

ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e
SHA512

96b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22
SSDEEP

768:olc+DXf6pUAbfsW09Uf929NiTnFPw9in6rOphHuUF8M:oW+upUADfnuNYFY9in6rOpxf8M

Score

10^/10

fantom xworm evasion execution persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

amount-acceptance.gl.at.ply.gg:7420

Mutex

k2N8rf6LqCqdtF6c

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

aes.plain

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>E+0CqNtpxIcYW8NKNGHdcl5bZxprw1HI7cStEZ+L3R38aVFA+hTO8dEJuv6WTxyH7cW645/UDBTJBDMnYsVj0c9La8JmWjVptj30kBNnv6EAcEjNkW0rp9DZwHPdAz78ERzsM6bK5q+pVI3tmW/3xt9+oFJ0gotzwCWVDXkcj+Ozk18SJT/NBUoVprqZBZF272WxIP7BXOZnJsjH21tmQnIX9dOPMh8U9P+8Ymzdj2QL9odR9kKvLAllCPcRXxR7y3aT7dnl68QVKFtZSSf37+RwvzIfHZ4OY8+PMNvtKjUZLE0dOngC4NysfF8tyTBNH3sYa6b2mUWPoNqRI1LneA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Detect Xworm Payload 23 IoCs

resource	yara_rule
behavioral1/memory/2740-1-0x00000000001D0000-0x00000000001E0000-memory.dmp	family_xworm
behavioral1/files/0x001000000001214d-34.dat	family_xworm
behavioral1/memory/1976-36-0x00000000001F0000-0x0000000000200000-memory.dmp	family_xworm
behavioral1/memory/560-40-0x00000000000F0000-0x0000000000100000-memory.dmp	family_xworm
behavioral1/memory/2588-43-0x0000000000F10000-0x0000000000F20000-memory.dmp	family_xworm
behavioral1/memory/2680-45-0x0000000000F20000-0x0000000000F30000-memory.dmp	family_xworm
behavioral1/memory/1072-48-0x0000000000F60000-0x0000000000F70000-memory.dmp	family_xworm
behavioral1/memory/1368-50-0x0000000001360000-0x0000000001370000-memory.dmp	family_xworm
behavioral1/memory/3004-52-0x00000000002B0000-0x00000000002C0000-memory.dmp	family_xworm
behavioral1/memory/2544-54-0x0000000001340000-0x0000000001350000-memory.dmp	family_xworm
behavioral1/memory/2560-552-0x0000000000290000-0x00000000002A0000-memory.dmp	family_xworm
behavioral1/memory/2900-1034-0x0000000000AF0000-0x0000000000B00000-memory.dmp	family_xworm
behavioral1/memory/1896-1036-0x0000000000F70000-0x0000000000F80000-memory.dmp	family_xworm
behavioral1/memory/2912-1040-0x0000000000F90000-0x0000000000FA0000-memory.dmp	family_xworm
behavioral1/memory/2228-1042-0x0000000001070000-0x0000000001080000-memory.dmp	family_xworm
behavioral1/memory/2492-1045-0x0000000001350000-0x0000000001360000-memory.dmp	family_xworm
behavioral1/memory/2800-1047-0x0000000000380000-0x0000000000390000-memory.dmp	family_xworm
behavioral1/memory/760-1049-0x0000000000110000-0x0000000000120000-memory.dmp	family_xworm
behavioral1/memory/1724-1052-0x0000000000A60000-0x0000000000A70000-memory.dmp	family_xworm
behavioral1/memory/1424-1342-0x0000000001330000-0x0000000001340000-memory.dmp	family_xworm
behavioral1/memory/2340-1344-0x0000000000170000-0x0000000000180000-memory.dmp	family_xworm
behavioral1/memory/1884-8870-0x0000000000990000-0x00000000009A0000-memory.dmp	family_xworm
behavioral1/memory/2268-15223-0x0000000001170000-0x0000000001180000-memory.dmp	family_xworm

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Renames multiple (3043) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe
2680	powershell.exe
2720	powershell.exe
2520	powershell.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\es-ES\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\en-US\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\de-DE\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\en-US\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\drivers\UMDF\it-IT\DECRYPT_YOUR_FILES.HTML	prpsan.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe

Executes dropped EXE 34 IoCs

pid	Process
1976	svhost.exe
836	svhost.exe
560	svhost.exe
2588	svhost.exe
2680	svhost.exe
2872	svhost.exe
1072	svhost.exe
1368	svhost.exe
3004	svhost.exe
2544	svhost.exe
2228	svhost.exe
2292	svhost.exe
2060	svhost.exe
2560	svhost.exe
2900	svhost.exe
1896	svhost.exe
1032	svhost.exe
2652	svhost.exe
2912	svhost.exe
2228	svhost.exe
2492	svhost.exe
2800	svhost.exe
760	svhost.exe
1724	svhost.exe
1304	svhost.exe
1096	lwrkuz.exe
1424	svhost.exe
2340	svhost.exe
1724	prpsan.exe
2336	svhost.exe
2620	WindowsUpdate.exe
1884	svhost.exe
2848	fatalerror.exe
2268	svhost.exe

Loads dropped DLL 16 IoCs

pid	Process
1096	lwrkuz.exe
1096	lwrkuz.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2848	MsiExec.exe
2828	MsiExec.exe
2848	MsiExec.exe
1096	lwrkuz.exe
2848	MsiExec.exe
1724	prpsan.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	XClient.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
27	2848	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	lwrkuz.exe
File opened (read-only)	\??\O:	lwrkuz.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	lwrkuz.exe
File opened (read-only)	\??\R:	lwrkuz.exe
File opened (read-only)	\??\U:	lwrkuz.exe
File opened (read-only)	\??\Z:	lwrkuz.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	lwrkuz.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	lwrkuz.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	lwrkuz.exe
File opened (read-only)	\??\T:	lwrkuz.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	lwrkuz.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	lwrkuz.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	lwrkuz.exe
File opened (read-only)	\??\J:	lwrkuz.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	lwrkuz.exe
File opened (read-only)	\??\K:	lwrkuz.exe
File opened (read-only)	\??\M:	lwrkuz.exe
File opened (read-only)	\??\Q:	lwrkuz.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	lwrkuz.exe
File opened (read-only)	\??\W:	lwrkuz.exe
File opened (read-only)	\??\X:	lwrkuz.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	lwrkuz.exe
File opened (read-only)	\??\V:	lwrkuz.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc7.inf_amd64_neutral_348f512722c79525\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-ISAPIFilter-Deployment-DL.man	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\IME\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Enterprise\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\NetworkLoadBalancingFullServer-DL.man	prpsan.exe
File created	C:\Windows\SysWOW64\com\de-DE\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\xnacc.inf_amd64_neutral_13c4e272a96185a1\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc309at.xml	prpsan.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Enterprise\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Enterprise\license.rtf	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\srm-ui-repl.man	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Ultimate\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseN\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\WindowsSearchEngine\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\restore\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_For.help.txt	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmelsa.inf_amd64_neutral_374f9d31af832d6b\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsupr3.inf_amd64_neutral_8416bd6e64a8e858\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf4200t.xml	prpsan.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Ultimate\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_escape_characters.help.txt	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdlsbuscbs.inf_amd64_neutral_351e56205fd4c200\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\System32\catroot2\edb006C2.log	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_methods.help.txt	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\zh-TW\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdk.inf_amd64_neutral_e567adb271831b5d\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\ProfessionalN\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions.help.txt	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pipelines.help.txt	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock3.inf_amd64_neutral_9fdc5d710dd63e80\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\BITSExtensions-Server-Console-DL.man	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Time-Service-DL.man	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-SecureStartup-FilterDriver-Replacement.man	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_wildcards.help.txt	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pipelines.help.txt	prpsan.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasic\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremium\license.rtf	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\Microsoft.Wsman.Management.dll-Help.xml	prpsan.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\StarterE\license.rtf	prpsan.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\ProfessionalN\license.rtf	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1500t.xml	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00v.inf_amd64_neutral_86ff307c66080d00\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumN\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\license.rtf	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-ISAPIExtensions-Deployment-DL.man	prpsan.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_FAQ.help.txt	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\ja-JP\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-iis-rm\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc5100t.xml	prpsan.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseE\license.rtf	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_troubleshooting.help.txt	prpsan.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Starter\license.rtf	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Break.help.txt	prpsan.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_format.ps1xml.help.txt	prpsan.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-international-core\DECRYPT_YOUR_FILES.HTML	prpsan.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	prpsan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif	prpsan.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_dot.png	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar	prpsan.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml	prpsan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	prpsan.exe
File created	C:\Program Files\Microsoft Games\Chess\ChessMCE.png	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_dot.png	prpsan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip	prpsan.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml	prpsan.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\picturePuzzle.css	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	prpsan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	prpsan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar	prpsan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	prpsan.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	prpsan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	prpsan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css	prpsan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar	prpsan.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js	prpsan.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	prpsan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	prpsan.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar	prpsan.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\eula.rtf	prpsan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	prpsan.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png	prpsan.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	prpsan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\utilityfunctions.js	prpsan.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-fsutil.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f3eefb2ca5d031e1\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msidntld.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4257f65d45f39d17\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\it\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ac2f25e3d4ed4318\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..s-service.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_96324fb8194ee294\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artui2.resources_31bf3856ad364e35_6.1.7600.16385_en-us_93988f0c5e484caf\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\Panther\setupact.log	prpsan.exe
File created	C:\Windows\winsxs\amd64_mdmmts.inf_31bf3856ad364e35_6.1.7600.16385_none_bee826439264ce7c\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_5a1a617d021715d4\iis-powershellprovider-rm.man	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-scripting.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e6ecef9a714b9ee8\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_server-help-h1s.itprobasic.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9cf81ba928743616\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_099d2ebabfe3f476\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_zh-cn_7fa235f41a25ecb3\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_mdmhayes.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8f77064e151b8495\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..-ehepgres.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b8498013f00d5df1\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp1.jpg	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..component.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a164febaa701b3c2\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-thumbnailcache_31bf3856ad364e35_6.1.7601.17514_none_9d408bcc2fc6b125\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-12.htm	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-wmpshell.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5eeca2c456245c7e\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wininit-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4c7f193b2fe1c446\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..aincompat.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dca2400be0e2e840\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..evicehost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_69b43efa2bb9b6c6\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\Media\Savanna\Windows User Account Control.wav	prpsan.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..atson-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2196550de55e4a84\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_eee4e052cd1adbab\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Transactions.resources\2.0.0.0_ja_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1ce65a8a5424fac2\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_43dd555017315455\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tapi2xclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_73d3b62bcc75c85f\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_prnsv004.inf_31bf3856ad364e35_6.1.7600.16385_none_622bdff1f27c66b3\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9614391514d4c938\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msieftp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_10345ad37a849405\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasifmon_31bf3856ad364e35_6.1.7600.16385_none_26c4bb7a06df867e\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Startup.wav	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft.mediacenter.interop_31bf3856ad364e35_6.1.7601.17514_none_3e47e8989128e5a8\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-ratings_31bf3856ad364e35_11.2.9600.16428_none_a9e9516271c96c6d\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-1.htm	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_014b3f8dad362904\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\trad_h.png	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shmig_31bf3856ad364e35_6.1.7601.17514_none_bdc47f0a8dbe8711\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_wpdcomp.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5b7998dd0243004c\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_disk.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_04ee672bf05cd1a8\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_de-de_80c70232a6123b2e\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..mostfiles.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_2fd80ab5f18f4a32\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_hpoa1sd.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_37e76787847804ec\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..monnoia64.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3db03ae7a794afc3\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..lprinting.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6e640f5c7b3f0b5f\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_lrg.gif	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-smbhelperclasses_31bf3856ad364e35_6.1.7600.16385_none_46321726efd38801\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..lorer-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1f5dd695bc9d404a\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-jsprofilerui_31bf3856ad364e35_11.2.9600.16428_none_d5560cb5e3412933\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.2.9600.16428_none_e8cd1f348648ebd1\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ents-mdac-ado15-dll_31bf3856ad364e35_6.1.7601.17514_none_6a56e7f587463b17\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_prnlx008.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_471887f8845ff342\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..container.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7b17b7504ce5ab9c\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-shell-professional_31bf3856ad364e35_6.1.7600.16385_none_02f2d0326102c1bf\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_11b07c1bb446e787\Rules.System.Performance.xml	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..lsettings.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9be399f36d1b1ff8\DECRYPT_YOUR_FILES.HTML	prpsan.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..tservices.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d22414862150cbf\DECRYPT_YOUR_FILES.HTML	prpsan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425989520"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	fatalerror.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DEFF7F81-378F-11EF-A7A3-7A58A1FDD547} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000006d6b9a2b9cda2c650ff867bdcae7405eaf156aad3096d4d5ddb4ab1457c09264000000000e80000000020000200000004680de584d1e80601a33b976a96da2d7f26499667d0de19b389e2c5686854e94900000003949671932ae30fa59e6958739ebe4bee803ba0b0b6c87e93d2ecb7225d55685f9d9bcf5149238cd18ba2ae03d0f53c9d5a817cb3a726e087a2ce74cdac7715721b17b9c83ecc2a5cb55fe9359716714f9229f063cced2743f9a96e302f45bcc95f454649ebaf94408e9fca6ddaa3e9fc6ee3318e4f6ddaf07a4296dc69fbb6dc77664f08779d525d79d57f00436710d400000007c21a5cf9c01a56512824b84357b558c5b4c47be6f1215dbb146e34b7934d9c9a2f5b9b7699f4ccebb7f9c81c9eadc58a0d46df74c3114972a0ab31931bf1e52	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	fatalerror.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c044b7b39ccbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000003d9d7c98b6bd34ee3a508cf37b77898bba251eee58d0b4f8403b23b6d1953acd000000000e800000000200002000000098228aa011b3d3832af94cf69216b12083a8b34f8469a8f20f57c3ac59beb18520000000e18838f83d678ad64a38d6a51dd0a48bffb8082f33c3ccac6bee8d946712b3d740000000bb27ca5f0f49fab47552a73ba20f21e00f12d5779b0420672e560c92b70e69215e407e21525b3f21a48636a74083fed4b03b52031d286b8b4d9d8a1039a4790f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\Total = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	fatalerror.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DOMStorage\exmple.com\NumberOfSubdomains = "1"	IEXPLORE.EXE

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2832	powershell.exe
2680	powershell.exe
2720	powershell.exe
2520	powershell.exe
2976	msiexec.exe
2976	msiexec.exe
1724	prpsan.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	XClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	XClient.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2740	XClient.exe
Token: SeDebugPrivilege	1976	svhost.exe
Token: SeDebugPrivilege	836	svhost.exe
Token: SeDebugPrivilege	560	svhost.exe
Token: SeDebugPrivilege	2588	svhost.exe
Token: SeDebugPrivilege	2680	svhost.exe
Token: SeDebugPrivilege	2872	svhost.exe
Token: SeDebugPrivilege	1072	svhost.exe
Token: SeDebugPrivilege	1368	svhost.exe
Token: SeDebugPrivilege	3004	svhost.exe
Token: SeDebugPrivilege	2544	svhost.exe
Token: SeDebugPrivilege	2228	svhost.exe
Token: SeDebugPrivilege	2292	svhost.exe
Token: SeDebugPrivilege	2060	svhost.exe
Token: SeDebugPrivilege	2560	svhost.exe
Token: SeDebugPrivilege	2900	svhost.exe
Token: SeDebugPrivilege	1896	svhost.exe
Token: SeDebugPrivilege	1032	svhost.exe
Token: SeDebugPrivilege	2652	svhost.exe
Token: SeDebugPrivilege	2912	svhost.exe
Token: SeDebugPrivilege	2228	svhost.exe
Token: SeDebugPrivilege	2492	svhost.exe
Token: SeDebugPrivilege	2800	svhost.exe
Token: SeDebugPrivilege	760	svhost.exe
Token: SeDebugPrivilege	1724	svhost.exe
Token: SeRestorePrivilege	2976	msiexec.exe
Token: SeTakeOwnershipPrivilege	2976	msiexec.exe
Token: SeSecurityPrivilege	2976	msiexec.exe
Token: SeCreateTokenPrivilege	1096	lwrkuz.exe
Token: SeAssignPrimaryTokenPrivilege	1096	lwrkuz.exe
Token: SeLockMemoryPrivilege	1096	lwrkuz.exe
Token: SeIncreaseQuotaPrivilege	1096	lwrkuz.exe
Token: SeMachineAccountPrivilege	1096	lwrkuz.exe
Token: SeTcbPrivilege	1096	lwrkuz.exe
Token: SeSecurityPrivilege	1096	lwrkuz.exe
Token: SeTakeOwnershipPrivilege	1096	lwrkuz.exe
Token: SeLoadDriverPrivilege	1096	lwrkuz.exe
Token: SeSystemProfilePrivilege	1096	lwrkuz.exe
Token: SeSystemtimePrivilege	1096	lwrkuz.exe
Token: SeProfSingleProcessPrivilege	1096	lwrkuz.exe
Token: SeIncBasePriorityPrivilege	1096	lwrkuz.exe
Token: SeCreatePagefilePrivilege	1096	lwrkuz.exe
Token: SeCreatePermanentPrivilege	1096	lwrkuz.exe
Token: SeBackupPrivilege	1096	lwrkuz.exe
Token: SeRestorePrivilege	1096	lwrkuz.exe
Token: SeShutdownPrivilege	1096	lwrkuz.exe
Token: SeDebugPrivilege	1096	lwrkuz.exe
Token: SeAuditPrivilege	1096	lwrkuz.exe
Token: SeSystemEnvironmentPrivilege	1096	lwrkuz.exe
Token: SeChangeNotifyPrivilege	1096	lwrkuz.exe
Token: SeRemoteShutdownPrivilege	1096	lwrkuz.exe
Token: SeUndockPrivilege	1096	lwrkuz.exe
Token: SeSyncAgentPrivilege	1096	lwrkuz.exe
Token: SeEnableDelegationPrivilege	1096	lwrkuz.exe
Token: SeManageVolumePrivilege	1096	lwrkuz.exe
Token: SeImpersonatePrivilege	1096	lwrkuz.exe
Token: SeCreateGlobalPrivilege	1096	lwrkuz.exe
Token: SeShutdownPrivilege	1532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1532	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2904	iexplore.exe
1532	msiexec.exe
1532	msiexec.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2904	iexplore.exe
2904	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2848	fatalerror.exe
2848	fatalerror.exe
2848	fatalerror.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2832	2740	XClient.exe	28
PID 2740 wrote to memory of 2832	2740	XClient.exe	28
PID 2740 wrote to memory of 2832	2740	XClient.exe	28
PID 2740 wrote to memory of 2680	2740	XClient.exe	30
PID 2740 wrote to memory of 2680	2740	XClient.exe	30
PID 2740 wrote to memory of 2680	2740	XClient.exe	30
PID 2740 wrote to memory of 2720	2740	XClient.exe	32
PID 2740 wrote to memory of 2720	2740	XClient.exe	32
PID 2740 wrote to memory of 2720	2740	XClient.exe	32
PID 2740 wrote to memory of 2520	2740	XClient.exe	34
PID 2740 wrote to memory of 2520	2740	XClient.exe	34
PID 2740 wrote to memory of 2520	2740	XClient.exe	34
PID 2740 wrote to memory of 2924	2740	XClient.exe	36
PID 2740 wrote to memory of 2924	2740	XClient.exe	36
PID 2740 wrote to memory of 2924	2740	XClient.exe	36
PID 1668 wrote to memory of 1976	1668	taskeng.exe	40
PID 1668 wrote to memory of 1976	1668	taskeng.exe	40
PID 1668 wrote to memory of 1976	1668	taskeng.exe	40
PID 1668 wrote to memory of 836	1668	taskeng.exe	43
PID 1668 wrote to memory of 836	1668	taskeng.exe	43
PID 1668 wrote to memory of 836	1668	taskeng.exe	43
PID 1668 wrote to memory of 560	1668	taskeng.exe	44
PID 1668 wrote to memory of 560	1668	taskeng.exe	44
PID 1668 wrote to memory of 560	1668	taskeng.exe	44
PID 1668 wrote to memory of 2588	1668	taskeng.exe	45
PID 1668 wrote to memory of 2588	1668	taskeng.exe	45
PID 1668 wrote to memory of 2588	1668	taskeng.exe	45
PID 1668 wrote to memory of 2680	1668	taskeng.exe	46
PID 1668 wrote to memory of 2680	1668	taskeng.exe	46
PID 1668 wrote to memory of 2680	1668	taskeng.exe	46
PID 1668 wrote to memory of 2872	1668	taskeng.exe	47
PID 1668 wrote to memory of 2872	1668	taskeng.exe	47
PID 1668 wrote to memory of 2872	1668	taskeng.exe	47
PID 1668 wrote to memory of 1072	1668	taskeng.exe	48
PID 1668 wrote to memory of 1072	1668	taskeng.exe	48
PID 1668 wrote to memory of 1072	1668	taskeng.exe	48
PID 1668 wrote to memory of 1368	1668	taskeng.exe	49
PID 1668 wrote to memory of 1368	1668	taskeng.exe	49
PID 1668 wrote to memory of 1368	1668	taskeng.exe	49
PID 1668 wrote to memory of 3004	1668	taskeng.exe	50
PID 1668 wrote to memory of 3004	1668	taskeng.exe	50
PID 1668 wrote to memory of 3004	1668	taskeng.exe	50
PID 1668 wrote to memory of 2544	1668	taskeng.exe	51
PID 1668 wrote to memory of 2544	1668	taskeng.exe	51
PID 1668 wrote to memory of 2544	1668	taskeng.exe	51
PID 1668 wrote to memory of 2228	1668	taskeng.exe	52
PID 1668 wrote to memory of 2228	1668	taskeng.exe	52
PID 1668 wrote to memory of 2228	1668	taskeng.exe	52
PID 1668 wrote to memory of 2292	1668	taskeng.exe	53
PID 1668 wrote to memory of 2292	1668	taskeng.exe	53
PID 1668 wrote to memory of 2292	1668	taskeng.exe	53
PID 1668 wrote to memory of 2060	1668	taskeng.exe	54
PID 1668 wrote to memory of 2060	1668	taskeng.exe	54
PID 1668 wrote to memory of 2060	1668	taskeng.exe	54
PID 2740 wrote to memory of 2904	2740	XClient.exe	55
PID 2740 wrote to memory of 2904	2740	XClient.exe	55
PID 2740 wrote to memory of 2904	2740	XClient.exe	55
PID 2904 wrote to memory of 2572	2904	iexplore.exe	57
PID 2904 wrote to memory of 2572	2904	iexplore.exe	57
PID 2904 wrote to memory of 2572	2904	iexplore.exe	57
PID 2904 wrote to memory of 2572	2904	iexplore.exe	57
PID 1668 wrote to memory of 2560	1668	taskeng.exe	59
PID 1668 wrote to memory of 2560	1668	taskeng.exe	59
PID 1668 wrote to memory of 2560	1668	taskeng.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2924
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://exmple.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2572
- C:\Users\Admin\AppData\Local\Temp\lwrkuz.exe
  "C:\Users\Admin\AppData\Local\Temp\lwrkuz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lwrkuz.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1532
- C:\Users\Admin\AppData\Local\Temp\prpsan.exe
  "C:\Users\Admin\AppData\Local\Temp\prpsan.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:2620

C:\Windows\system32\taskeng.exe
taskeng.exe {90576933-B71C-48E5-BD67-E730087A804E} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
  "C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2848
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:2268

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2E315F71D9A4591B3781A5812489A333
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  PID:2848
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F86C0E4357B6B746968C34FC8624B22E M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f8c6ae8.rbs

Filesize
99KB

MD5
148291d164c22937e024e569f6c5affd

SHA1
1b580eca414f41ffbbb509c7e8e47c8b152106f1

SHA256
59ea5aa3295a84d7891ff58cb75f3aa8d2c2fbfd22570b238e0761febab936e0

SHA512
ed02bcb0360da6d1bf4528fab52eeeeda09016c2a6c003584aefeb5518ac212c611e1971304332472f46f52797f2552ba72fec1034db3e63a78c7052a73766ca

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
31afaaf421415b222220d8890c3864bb

SHA1
03f76cca7a678a460a5305e5f325d01b3a893153

SHA256
152ff789f8bb2b64b2586aa33b5647582747ea85a3b115eedd6021af57760904

SHA512
b6e0e6aebbf65fb3b18bf0d3cccd23701a3204f415a1f4e1486c3bac4d5128901f03635fd7fbd9cf56c83e1fde9fa6a55d5d02e07695f9d2a072c8ab9765b8ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
352B

MD5
91c35119362819fb5d5d2b9ce1458881

SHA1
346ddc01cb667908db5c47e2d1aef32705e2e1e6

SHA256
31971746a87544ed2826fcbee085d074e53e258e81adb6800d3392ec901f4a38

SHA512
1547bf84b62eb31f55c82c0ecf4625a3ab208b725adc15101f4222a70b479b390a097d9452f39753e9e6f70009c8ff5879de4b0314e3f49b840486ac3992e6b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
224B

MD5
1279ff92a1c826754af8bd76f52d680b

SHA1
57f6b14636b1a17785f9b2f2b5db30e1fd8dcf7d

SHA256
f69e089da4783a19d0da23db9838682b7cfa931ad73233e82dfc3ba720a6fcb5

SHA512
927a262edcd0a220ca1596201cc394cc5c2f6f8cb936b21690188a192c861f9eefb015a2619cd470fc12ffe4278bd70f14cca28791e14f1dfc09cb037d172bf9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
a2dd5a3cfbe362eae15850210aa954c0

SHA1
587f162a1ab3179a0a1fe8474fe5a818494d5ba2

SHA256
4596d11022f40d077369a50af0c007ad9696cf7eee853212afbe84cb196d5192

SHA512
d24dfe54625220efa5a14a4767cbfe25df5e596e52f0fc572f1ced9e8444b04359c0780016e07ce6c1b327e06be7c78d946a3f50fbb491f3c1d6d72deb89357c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
ae9e2f5f9174e27722f651ca98201eaf

SHA1
811133464e083326e5b41b6de6cbb53cde2c4289

SHA256
3690c9a9e42088cf8ac5fcfe5516d3570828faff9e040a91caf0500a560a93ea

SHA512
a6eb875f335650dcea2226749b09c37f57e700eef91e6a35fd0a192e92cfd4282a1421661fa021851e3f5b23259e071944c4870849312a0540f60c220b7fd213

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
b8427b93c3199f5dde43734d9f29170e

SHA1
4a015caa5956ca2ebe7cc9728fe47c4cb4735857

SHA256
cb9269b80b7a0c5f4bbb43063ea3f923b98cc8583d1ce17d06f276b655ca4310

SHA512
10201ae53b15c395742013c1ff4408dc2bf85bfe3c19d6474f09c4134e9c47e03aef6cdadb58413235757711288569ca796aaebef0364d23af08d4f6102bb112

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
271e9ce39efb6349e5d9974a02c1df74

SHA1
428354d247c81de9beb86367dc94838e2476a92a

SHA256
e894d72456cc131db35dd8864f352941d351580b9281ed2c288d314d569c64c3

SHA512
0144e3ef5a7f95a2eb937c89c56fffd2dbb7e2aff61a83b3b257b6dbe5d4a6e3f8cd08d9f129201ebc8912e47589901c5a12a83f00218531a5e9ddee15d01195

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
112B

MD5
bcd97af836d5bfb972a88b0a36264192

SHA1
7fa28b0250f75adffec67cc6553e09b48ad44a39

SHA256
8ea5ec86458ae93f718d5055273ff8bf3fd0fca5db7378fb6b26cb6516c29dda

SHA512
13fdb39c3a893bba8a3484dea11bb7038030c7d96eff25f1968a6a44aecf1e49954089062e670c1c20f99c5c9a5a725db8684f1aa7d1594e1479f000e94e8084

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
5234f1d2cd33dc91ddf6843151acc99e

SHA1
673a153d19ea9bde7a6b20394257944a12e4d4ed

SHA256
eed30861d4850da969092a2a3298dc42bb369b182c062bb71edced3ca6a879b4

SHA512
b6aeacb3bfab117ecdf10089ceded3583f39de98696b2578fcbe771984b104f0b0c771754265a657bcf3f08f510596c636fc81bd23fbe04a51c22d1b32a33eaf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
53f18be0f3a6a4df18ce4cfbda27cd43

SHA1
2986547754fc1d5675d4021822384218f5d889d9

SHA256
f3293a5f9e6f782bac375d7bb416ca327047e6c05eb9931b1bc7a883d25f71c8

SHA512
ae3da9953e84de9281f7128ddd09bd841958da89ca2c271829d8515b30c4e1c5eca58b482e6c4fbc3d4a38b7e2f09da5ab37f5c1e15bb6379980ad38b2b2d6a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
0347010f9a39d50e8d7bec0287475701

SHA1
04c4858c15c77c98e47b8e401d833fa42114d11b

SHA256
76abbe407fa1b5f0a01d83e5dd4e78d167dfc3be6b41af31b624c1fc2f0dd025

SHA512
106ea9239b2a5e6690a994c97e49f325583f958274ce1996b7da6c45051d6574d7a43d0c80b4737985e620f12a72ce5c1ecd3cbcf7dd4bd7f94c277b69501d23

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
c9f28a36f801a9c59e129047a7d3448e

SHA1
c4f43b9c96e712bd5c5bf1be0c067fee9e4d1175

SHA256
0c58d51be500f1bc0c125657a1609b8ed8c387ea05c5d386fec9cba10601de7d

SHA512
1c5bf0a4cddac7d449f8062c580c8a5c1973dcfc0072d6c90bf4745f9117aae0ea0e8b9ce925714ceebbc14a7119298841b0d7b128ab16b9520c478dc77ea93f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
5dfc350ee3e229d69f1a5a1d72e40040

SHA1
b7e4928046d3bd79d4b9192e96daf9e283d80697

SHA256
fe3ffc68337baf10187321951118055fc70cfb56f58e122e10ad4726e735a2bc

SHA512
dc35b612bd7b79ba94cd693a5fcd747c88290600fc50c265125f4e888dfca6b8549b94acaf82756ea55490c301a32fd354dd8912847c1e9974783f5b3a9d18da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
7caad635acd34d9e6a21abbd033668d6

SHA1
be63a7edda449510bd4d622f90c5c1f2cc5947f2

SHA256
3adb3e4ef910deacc0216933fc49db1ae5f1fec8ca15c41f4c243116f01fb007

SHA512
c0bbefe6a87de3cebeea1ab10418533a1de1123282754fba192a922fcb6bb38dffb70a60a93e738e0132846b9206d0e1411838d1284b7fea8233168a16591ac7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
4ebd2174ebdd3958a757c363f38e6b68

SHA1
954c3d3707402d388ca7c3964e869053fdafc1c5

SHA256
262bf2da8a0cb31c4ad508f54c62010b986dfc86332271aa2f0a3bae1c86ae83

SHA512
a04d7f2812f91222d9b1017203ee8aff49bc0fa8fdd88f5cf48dd3a0d77874627ccafbab49ad0be425c0f275b7dab7c02e19998940ddd8c5dcd45470fc3a9296

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
d21a9470563c0cab1fadc9838b667af1

SHA1
a935371cc77803b6596c2945a7983af9dff35459

SHA256
81168e8bb8a3abcca6d850ed6e9fe515f66ece08028ad2fcaa7e664b11225005

SHA512
ebc3fd990921cc87b461ed59686ab79b7b258dd28c1e3c72f2deb5b20110c7c110619fa425eafc7c31d0fbdb491dbfa94e5e76c6c7d39dcf5b6d00a6c27cf1ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
11437efc6575fc4a36e184fcd8c829be

SHA1
7f810267e09264750ceb490d965e86943525c63e

SHA256
b522ae5cc98cecee3bd83f7c3ce2c6530baa1a51c0081f9af8d00d65db8a4b55

SHA512
14f78f3123aab295b782b074dd4d3dc13281fbae62de141157539ef3daf803daa5e2c114727d504e0a5e538172dc8bd9869292ac35d08a8d1e770c501cd9dc6f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
336B

MD5
736fd2679fae15691773bce094c017f8

SHA1
d9fe5a8d779ff9ab180b53d29837ff83d927c564

SHA256
6a471d0721a589cedc248c2df46a5323d08005b6d3f28c52f283107f5e67f55f

SHA512
ac1e4cf1caad498ea93302b3773b758f55e7c3c046494603e7216bac9e6bd3d022db469098a292bee704ca88c89c2b4bd5f85127604a6c3c576ea3a4c907c995

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
240B

MD5
34c9eaa461cd4f1835bd1526120cc073

SHA1
c3ae2ed596151c07e8ad429ea1f8c52495e691d0

SHA256
15661463c008c92fa4141d16a04087359a46b36a54fa5ef9a9a3b06939d156dd

SHA512
1a7d846f7b21139f0267204829fd431627ea76f6c7ddd37c05eb7fb2ff0883c47e18e764d3997c18c72f7a8ca73305753f7e816ca20ea8c9e71d4f5a234a18da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
616b70bac3e7e31bd0c74f64ce3eacba

SHA1
f7ba36cb79e79f9c822b5a434fd352161a8ffce1

SHA256
0de0e54dc727caf05ac9a2f30128805f1cdb40ab5c868d66c8fe0eac5958395e

SHA512
bda202c180d5b6850afbf2e166b20963fa7088a09ecf9b88fba37fa16ff009936c91530519a3adb5f2151d7b554200fa1d3484bcd2d794c919016d46857baa45

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
816B

MD5
1fb158009497aafc342758557be6a0d9

SHA1
12e712e119e0a03cc3fc3c53460869e948c12846

SHA256
f7d3899145acef299a6b412db83b57b76d616286460a82f5726d07d55fec6000

SHA512
0280d2a7f578c10701c1d5bef1d5d8c18042c696e6d29d52a04e0cb9f6890796be521bf715f248be6093d9526c0cae6179aba5ab7535e1d22ced0fd1520fe0c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
3cc1434275843f24e3824ee559a1f323

SHA1
91cd5fac903c1408439bfd32cfeb1e786a8af19f

SHA256
f6ac4dd615c9412435a532c03a4c2b36e2a7a5038163e24ead2b4b5310d80189

SHA512
a0d4a016f809e2e46fcfe9463603e571fc5401c27fe45082a10d5692031f27e95a0e59d135b5f81c71bf22d7cf7ab745d4d720f37bef17016642b141d52c9bb0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
67900587ff4533fa90cb7947e0ce03e0

SHA1
601529612834b6f2feb92d4377d7ef8afe8e690b

SHA256
f668f670d7227c27f2ecc24fe766cdf13498290c3ce1c712928d7d044229e998

SHA512
ae8344be455c65deedbb6fc4ea2418336cee7d5fee549be42e073e96b44ba7968ce3be5b39aef9bb206549b36befea8dda60ef9a10d8c03d4c36be396237cbba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
aa53f17314a72a9a3b296557dfacbcb2

SHA1
ff826fd54561393dbb303b62f1fc469586ec65d7

SHA256
44ded80bc969801cffb45035617a3a3d4dfbe9b04e9be47293c9445dc3cbfd31

SHA512
5f9371d696c1355d010d092bbc932509b50567851e56225d4655d781f378aaf527cb2a27718aadaefa91bea52e26f4684e8e8b93e521392a2b00165777095f6e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
896B

MD5
b8e2da4eeb5818e75b8fba656cbd2cc4

SHA1
bd083b1df9927af52ab706a1a24bfeb6b8b5c151

SHA256
962dc941a9e56e31ae97fed6b9ce77fad181e9683385c06df7b0e53b1b7f67a4

SHA512
c5775abfe33ab6d4b8541cd97dd83e8d8b39b856c9913de859bb6bc46a0ff6ddac2a575b61332aa7c144f1217eeb233fe805627672f8dc542af9d160fe81816e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
864B

MD5
94589292868f143003eab5e8c5102057

SHA1
856c59856955d216bb865dc8300367d9c15dc91c

SHA256
2db2d3be756476f622e3102466518c3e5c0983a98aa4839892123b5e109074b6

SHA512
cbb7e7834d1c707c47ca75ba206d9d5e9822578c6452f9dbdf74cad6c35e6b81fb2c04500c6309d596f0573995c676e9083019cfb6cc5803d5daec82c3ec34d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
864B

MD5
06dbf05321332891603b7c5130d9d728

SHA1
74d56ecfd0ef2784b2bf7b07cb73caaf2efd97e3

SHA256
430d5abd652773e91884eab082cb320d587a51c7d6be606f0965aa9d3ec75ac0

SHA512
38586af74cafe0c5ee71da44f00cedbb87193350809731774e6d56e86087edc83d9adbe2dfc951c74b1c839463f701bd88e8732816c09e31d2188fc6c41464c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
e948342e6fdddbddb6f32e08ee102af1

SHA1
df8e4b20ca84cd59eb743a07a3020833fd1f4c58

SHA256
fb3e315b6e627200fc7769cc566eabb4cac71c441fc997cc84765feaaf122cee

SHA512
af61dedb88400d8d4a0c1bea164b4b89294908be8645e9329210e912e2f6db41cf65897f713afa2e19a13182e4d4a198dc36fb2a571cf78baa368d83177b62f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
53f1d93ae03e43d4cd21bfdb4b0c0c0a

SHA1
625a658444342ee588c9180dd0ef5244e674ffd3

SHA256
12d276ae8a72d5b1169108f20182607d2c90fc0394aa59b40d98f83517511df2

SHA512
d6149eb0b2609174bf51ea958c2eacf680ebdede8e4fa03d9c93eab73e984839e150954eb94cec2163050499299055146e2ca67bb0dce1cf5511fa180fa21701

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
864B

MD5
e34015d884b1bcab19b76c4224471a28

SHA1
75903d3a614a34028ebcd7a8671f43fe2da36946

SHA256
10857c53f3ca5f4445ceada958a5010bf4d13d870d16d1eede65c9235df4a493

SHA512
7b9b641f18f68d8b6d0db10e0a50f1f1ec799df0ea7eb19a29bf1fc8e388685220b5061b8f3afe32040471ab4c5299c78f103e8b2c8206631b5de41f310d7d70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
848B

MD5
8ba0eeb686c797d44a06ea60fce86617

SHA1
e0d6e89cf91e15795d77aff25a5dd7744c8f0124

SHA256
ea2aacfbb99df5f066b606c176006ed2f7e5a307589b721609b3a90b24db6f17

SHA512
6f68c5b91dbbf4cebead09a958100c238f64588bd8b23c54d5c3312bb91962a822b1c1d8c7c93ffdd24ff0b04c07d7fe615897a406e445d4c6ae6ffb0fd943a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
880B

MD5
24183168b325de65d59a213082e69dbc

SHA1
12c8ab7c3f62b67852394f0fb28081bcfaafbbf2

SHA256
5bbe0105fa624b471c2eab0e1f74b3b0f9254ffb8e6cc0ebe2f8b4782daf737a

SHA512
b9cdc39d55b969416a792c6a38985a7574ef0db493e01843c75826303a8dd4bbfecc06f7fbda24f48c45b14ffb9e4888dd41e39a69d957f4d53ba565a8056160

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
848B

MD5
cfd093c04545bb2fc31236153e454dad

SHA1
41a49d0f4dfaa6b1a1aa3f295fc0cfd66e2b67b6

SHA256
c6226daa8409994b26c0d9e1839af5fa20b037bd576221c805f1fc822c631446

SHA512
213315cf9d1efeede36dbe95386d5d6e37de3f1cd58b57cce2278229d9d99a229a91fb97ae6d1e9ddba70b7aaa101f36b0fc3391baa407ff9691fd42bee337f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
864B

MD5
e428889b576d9b9fd7653bb611cc7ee8

SHA1
c4a16d939120c535371b7d9b2d9fca2d9e6dccf9

SHA256
945ba1cec76d8d776218ce797937e66b93e9da90825ae877779f9e67565e158d

SHA512
90b65e4dea276b7cf381e4e20d935655f4278013d346c84841dd907b55edb3c2adc3ac89c1fca154fdbd6f38a2f2929f49a8c999fadec36c023310d9e0d9965e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
864B

MD5
3d2065ace69a1aa935ce521f92dd05e6

SHA1
e891fe6cf8148cfe33365e91e9ccb53963d003fe

SHA256
52e4d6265d7f949e0a3ee227fd7107807151f7acfe5ff8c151ce641452905101

SHA512
1cb2789ea606c41a5ec517eff0170241dd4c506a2d44188462e1a8bb67479386e98092f4a62eb7f0712df91e56150833ecab1e9fdbf36f05094a06be9fa16413

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
864B

MD5
96f2ac2556d8881694550ab01b5de31f

SHA1
177eda73f50a3a1d6d08d779f76c263f49d0b8fd

SHA256
62d41d7e0764749b17053aa532fcc6a124ea84e42d99ae3ab36881571520f6e4

SHA512
8adadfd204bce0b317dd26548ab25711a385d99da1bcd3ac6b983b08efdd5d85339c5db6ca02a30e516343e97f2aa35da163b06c1be940dde8b0b98ce23a7377

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
896B

MD5
460d60c489f26e656920173ce88c7a26

SHA1
f88c9746de06f5a5b44ed772708d4fdc0a0185f6

SHA256
259b3cfd425e88cefe93d2ef1c99c29d0b08e04acc3781fc56b9392b0c07874d

SHA512
f8b3cb39603488ea6310174f1eee17f23e90eba496f7c2532ef0ea1a27f724e3b73a7bc5f7698f784b60a5c8ac563ba2bc61ebba4309199932e91e3071ab3861

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
9c77ae00c70d5bfff6b319962faf178e

SHA1
d0c5e3fefb9940ef2c683c05d43809fdaa1a5dc6

SHA256
494e248030dd8a23df3ba37af82a1ca280ffca7c802f3bf4ed8d7dacf4ca9a32

SHA512
f833d03c236c43127371f8c3522600d87fe7f6ec2ae6c8ee3d54a8156e8e555136997d054ad3508b0c4c102d4488ad2c8aed9960569ebd66f35522b2606902d2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
6faf2047fc2752799d624a9d7bd02912

SHA1
7685e700b18e4ae024f5ff94424024409784e933

SHA256
7eb1568c80070e9c9e87ea3625e117086458d13410b9aec57beebe1099a11640

SHA512
dd2d5e27b461feeebbfbd84f03155b8f43bd7f8290efb5df0234a679e65e77aec8e08836990a444c02e15c5e2bfc3a2d2383765ea6607f87abea5a1b671a3617

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
30528923e70fc535b839765bab549936

SHA1
ac2e8becdf9adfd52163369f5c8ee8994dac49b2

SHA256
11abf4619079edbd3b9a8883fe1f331e3f940beafaee62778048e2a64a7f4f54

SHA512
795fe0d9edfe3101e78228cef6921f6af11acc80fedeb162a0ef9ab02a233dea7c5a833a75a5533fb0645577194c7ce1906238e79352d640e90ce60a897c0d2e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7ccfdced6cf75694778e1b1e3e03883e

SHA1
bba65d83483a12ea3f28944f4a7f49ff9a84b8a8

SHA256
e2a03c3953f79d6edf0ce684a5a1f8009eed77781273b060256644551b310c74

SHA512
7294334a28026af8d2671c01d27af610f83491969c4e3af8c9572680ecd6d0185845402f7cc39cae15dde2ea4e543a515cdaef61af6395bb7b37b1e7b3c33559

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
fc1acd36d55026a1a0142cecf7bce8aa

SHA1
7af9ee8d2154ab0ab45508b6780756d022fc3743

SHA256
272054270ec509229d29b267e3cb4d1a55508ec510ec93630128e7442fc88281

SHA512
d0476d3abf4acb48a6fb50917aa9d6e6a98c95b0bf6454ece469eebae37ea892709cc40bef745608ee05e8e9f500152499bbfd8c7917210525262db72bb571aa

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9627537b4ae082954a85a7fcf87d3e3d

SHA1
3d18faf97dfe92ac0756e2b2d3e76edb57fb2a7e

SHA256
8d30c839049b248188cac2bbc6eb4450350859f85fe6a3d3a171ea6d5b56680c

SHA512
81af6c6e0d17917af8fb90e3a8a375af7b3ac5a942f6f240be3444465aaed93bd9e71490c4b14cbe196eecc6fb12b0d65cb1b966aba62ffea7aca13e3083f776

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
368497cb1c39321117388f7c5e1f1583

SHA1
23a90fd1721c67c5f84060dfd8836bed78e42466

SHA256
f6eb065b347f3a32dde242f12d3430990133d7a7a6fb79ab9d0c8d8065fb5ebb

SHA512
108ef4b76d186a210349d2a26987d7ad629eb394dd9e2156993afe29301e95b3c1a6f5e5739f02881880f81eca9d751926033b900d0e89de8d9b80d498c5f69c

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
16B

MD5
3b2453d55425cdcde74eefa4cad8d6f7

SHA1
3593e6ab01252fe05a49ca6a981dc9b33c95b038

SHA256
a5fe0732defe67bc86199e6a9269e2a3d4ab7c4c3a79dcf5a0826585b1c8937b

SHA512
f9f191acb9c0d95e52cf2cc1b1b45d851dab405d213d138efe9f67cde33a833b0d088b1c0d8d6678ed7b1967531b02604ebb7841ea5ed2a10663eab6ae079e82

Download Submit
C:\ProgramData\svhost.exe

Filesize
40KB

MD5
a2abffd7525046355e99e8673c3701fe

SHA1
6e1aaff66b5aac7a1c3df969b36da6141a95a4f9

SHA256
ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e

SHA512
96b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7bfeaca6f13b1f7884e35146dafbc6a3

SHA1
2f883101a628110c22e8eb805d8fa3077078402b

SHA256
1090fb24b6609fc7398708917b6e83a508d79ec59f81b966dbeef7b6144e58e7

SHA512
7ea708a98e4f87f7642da191ee9f4a0a550cc105a31dfcfe0d2e55d7949e3608d618b321e0d3886caab3a33a8d0e1844ae551e2ef224bb38c7428871bffb7576

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dc46e2881d1335062e484800ba6243e9

SHA1
8a5b4a7c26a26fa4f136ebf3b9c24c519c45461c

SHA256
ccc02f69bd640cf56b5a78f620202e63b219e6106c7de9de49d539bcfda31289

SHA512
e8f8789fc0a3340496ae74f8aafec8ceb4776d326d5db3c8ff0cffc75cd74849d2df217ef55d52f0ee5d74229ed96156eff7aa4f5c9b06ec4e6ebcf80d36ccdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
bac2093c5d986a90065b4cb50d59f4da

SHA1
ead08b799abe7becf8458ec0f71533fe725d23e8

SHA256
f61a3320834dc8ea7a4950f2ad9aaabc011b9ac70bee157b1a934ce42620a29a

SHA512
872ee8908627e5844b16bc8171091e5406e9558038eba7a390ea8f3e84c7f4a0f2131f942979d55445e68920de3925358417872b78b38754e1694f5d2662bd9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2122681b6a272f66bdc37b71cbc278ac

SHA1
ae636ec56ebeb4daebe4e3317c2ee51545eda32e

SHA256
637bfd79a3135807080bd7782dc1b6e8569b735e8d45cb77abcfe5d5c4814152

SHA512
6c8f7631d84e70cbfc4c8727e83207d290d196fdfaeaf11c839f6060e12d864efa954272b0bbb1a3403c56a50f1e7089533f00e1396dde6e2a02f5fa9bc46d9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
215ae8da652d9978b6f391f8c04b4b9c

SHA1
c7686ed1849157f49702db4b8ddf4166a7c2523e

SHA256
f85a4662357059d5d1d9ed5c3ae643c7ffc0dfe76ec03f0da29e424bb0b2e6ca

SHA512
85ba56211ce85b88cfaa1eefc7a5b7fef03038d0b3278f0626dce45327bcbcc7d6105ce51eaa4bff678723a27df3a05be9f587b20cab697d29241aaa9b52058b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
415b9fe498ebb79b02bb6cef8e8b84ec

SHA1
15f5fe64726874f197c462628acc7e10baea15a3

SHA256
4f0d546154bc6203f311dbbefed3674127c1e8c01bfa8dff23f1a35d19a99529

SHA512
61a967e348cffc93246ffad2293648ae6ac6f73913291bef43ed635f00c6cd65ac01801a90581120ffa7d82f3297f7c9f3690961288f37f45e0f494074dc3a56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
24e1b354be243365c057143c10a75abc

SHA1
2fe0c3ca90b1905e1b06eb13bc3ad54d65672764

SHA256
3684593802e277e80e8a447763969f9d64ff98fbe24c64cf70c5a73471da8e61

SHA512
d044c9b477f642c4241a5661e6539ad9118d8cb45549d2ca6f135b6bd22bd968e6df802f72e54452542b6268a1ae8951d03cdbdb41c374dab3ad0fb2f29ce9cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
93c9306b829d74926031a176db8c580c

SHA1
d767675646427575a464fb8a68f40c4351f4902e

SHA256
ed8b8c965878a8bc223fd4c2fd858cd110b5518f992640298162f54dcba20bd6

SHA512
b72cd305098aeac7d6492ae15c182afb53dbb1872976ec3fc2fdb5d288ead876192cc2be7c5286402540871d5ca3bcc9ea535ad3093a09d2b1ab206f56e88ac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8281029226ee5b0fc85e2e1648b6e964

SHA1
c1dca6cc92192c273de162505461ec76f8e1da52

SHA256
6571288b0f7b9f00e711637ee5a374a321a84f4eb279b4167e8d89628c5eb483

SHA512
05228efc8563d2988124f97e750de37ed9cacb06d91dab8c1256f6dc872d66d47df366aa6f0f342b0dfb445c8330873c877309ef8dbcd9cad3ec2d5e71a3c830

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e2229fb8849592d1e3d9f42e2a314945

SHA1
7bb707bbea6ad63b2ae047aa7de2485887ef27b9

SHA256
75fc2f1ef8c6d183021a21f881fbabe4cbeb8d12db5e34ea4479adc2124491b5

SHA512
67fbc6819037c821c1247ca980b6132e5ef1e5eaf29fb9baf117fdb532c4ef05f6406ea6954c6d2d3c6762ea57cda106b395ede6a7c858586377d197360a5504

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f77b921a7b4bbad900324902a8066b5d

SHA1
7a854a285a8bec5514e7caa45996b36f92636ec8

SHA256
0ddcaaf3ae6928f8ce57c7ab12f71a28a839e2e4c806813931d606acc4b2fd08

SHA512
d3eb882d37e245a6852a3258ba52f521d825d1bd5fef22840709dc3c663330f04f08c1bdc19f8d03f79944af4f03c5d2ed758166667c00fad612084b305cc21c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b017484e42384ae46b8a93bcb37bd9d0

SHA1
0bd4936a138b6510082c174f2f352f3f825db9eb

SHA256
9f284b6aa0a407a8147d23ed03eff7cd405e04a02834e6af3d1b6f92b87b584a

SHA512
93cdc8ae510503cc8eb29a02b6f44babe533e1cecb13c4528fb27c5e2db208eb0977974e43a65f279a5320b14a2c0c40b2649d9efd6519750aa4eef32de3cd76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
11490e608f09310b47060cc4db9d97e3

SHA1
9c8a346b79efdb0306d9967feb78b5edde746abb

SHA256
6bb858c61c2c592a0ee76f6ed985b5b7d273bb019e07022874aa73fed101a720

SHA512
bc3cb26c9e7e5716520100ed6ca9cc8458fee53df7228ce97bfc8459311b0ee4346304aa468436506c11f823966519c23d928a3afd98044f03e46c0406be6e87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ec4d676d05a47280241074fe2c3e44b0

SHA1
ddaaf420d0eaed2a3955a3e8984af540f58d35de

SHA256
a600c53be64a999fbecf6468f59cb1fa91cfba8e892f2a53981e6a798828f40e

SHA512
e7c3e7c9b7d4efb81c1e422aa0c1e572cb1640a92a2a24d57275637407a21eaf59f25b69e1508e0621cbb51540c61e955c089d97a85aa9e52f6d9dfbfee32c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8c8f7940230683408f63db1438b2d3b2

SHA1
7361fff754c25ef7ad8e5a6bf8b9eaf5425c6cde

SHA256
3975d82fff9aa90a7d704c258dedde98aba44d34bf73af08385ba6e5ce9fe66c

SHA512
59dc583760a784ac0873623b33dbfad57177286b1a5a9d7ce3d9743ff71f5b0df065c7196fc42377dbf39c0dff760dbc6b8a66a6edd9ece32df2d12b26bb1f6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8ae7127ccdd3c80af447d8071e662597

SHA1
15994045f5e4a1be743c88f0ae97aef743064b28

SHA256
798ea70b7f3518d9c4fbfabefa6d92831cfb26ab5e4c35d9430f2074c2c17f0e

SHA512
2729c330b8cbdf6187010c125ea26c0436a77539b229dffd6b2aa3257edd1fdfce96d1747c61def7859edc76db40d388f4b2e801d8e9191a47d8d84d54520faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
75198ad65b051ba194a70ef425e400f7

SHA1
7c8f213cd19aca33873998386711d27b6e968d03

SHA256
4df2325214feb3298cc80781300c54520c5bc29ca4199be80c8fc9d12687ad01

SHA512
bd8c539b3135091036c304fe3cb29a92a001ff3183f26c06c744fb18a4779f26ddab161e7547364dc3aec2a7e6d48b8537a2f1f91b137dff28751bd1e745b290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G17BROQF\favicon[1].htm

Filesize
1KB

MD5
e0dc97debdfae982ba9dabbecfac652a

SHA1
f5dc07e878fb3b4ca3ed0a12e2b6bfd0736a04e4

SHA256
93c9b4deedd8116f7e455d5d87ac74c50cadfde9e198af6607f4ad2250cd3ee2

SHA512
2c792cb18141e0129290ee82e81956398c405b575ca6d8b4d00253435e13351faf79f0dbf4237d3eeb9dba5e9d477f07d1528c479a16d73a48a46539287bbd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
69B

MD5
d163b03b9985d8b9716c1fa64082d599

SHA1
bdc4866b4fd7174e8a53214b28be5ecbde109757

SHA256
19335459ba1ca3c961b80d6a64317dd2afad2b731ceb3f9f0e3411775bbac369

SHA512
e9718b3eaabb2f41ea4356cc9e28368048c77a53d3e98bf5f316e3e4d215a0939585b62a6a962fd9b55408abded191db6a3833ecf4a64de351c3b151374fda77

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
4e817054d9744e6d53ec31758db51c5e

SHA1
247152af0ecdd5fb7537629dbbf3c84f8448137f

SHA256
433427303a1a116e86ae392bb437af2aa0818144ba2b9f07e68f7d831b56c7dc

SHA512
e3bc2b653fc728ac57993e0b1d3511141e319e23845e4e47fa9b54257053c07fdef6defeec11b792e52ad5d4008577fd2de33e2e9d9ea0219ac1c04b27db1222

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
1KB

MD5
4fa12ecda1a2402e86031e194f182109

SHA1
fd21a3b4af22c6255febcff8623e66c6f454f616

SHA256
0124ab76a3bbe346a2fbd1e43f788db7f5a06475c2412e6250de5444e6861903

SHA512
950a36bca125c6d57d14e12485f074b5b60dbe6ca0c9ca08043509f4acf07003d25e2d042ee940af92b4155b52a8b42dabbf69f4f380e5a7cd27f1638dd41093

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
1KB

MD5
cfdb104728ec944909612a06fdbaab23

SHA1
6e9618a54b4988925b15bca540120601a4fa0fa2

SHA256
b89d544124e9248c7a9959d96c761afb56c2db4cf9f32fbca189e9e7ba963a7d

SHA512
8890f1af41325a25612f34f4db3dd38b8be76c4ce55784c02b5f6289b5e0916eca9d1e27f825dbfe989fd640e8141f35145d3853dad30ec5aa19d47ef1746a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
1KB

MD5
3ea5dcd8f4062dcb588fb105e0569ec4

SHA1
324f2f8611de3dd3d1914c6e53580cd5860ea19b

SHA256
20b17fd845c01805797922c6bf8a3fc16ab2b1c914a824e23eb62c15092e3928

SHA512
652d430a1745f5019cbb36a5ec62ad229b71768525ad64bb0c8b3ad5c6ebf18030f6d90f50af08a863f569431f4e093c298ad9dcc2d6abd3a1312acb46ae9505

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
2KB

MD5
ae3ce719dfef3896204eb273e38f168b

SHA1
ceba274afc15d9afdededf9cf8ba3895bdf22b97

SHA256
5831c7bc97c2f80ac607abf4bfb1aa75fc0ea12e608dfc7b44e7f5624f1594a2

SHA512
2d808817aa2911ded5fd4e1510e0997625852ccc3be2ccb5829445a913021c5afdcf42f0d4598a6669db8cce04dbf99f37400efe26a571bc663dffd1ef76434a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
2KB

MD5
c26461de877f1e2f34fa4012d357a53d

SHA1
9d0e1479b4f3ebf9911688cd4f1bfdf62038e26d

SHA256
08903a6b1dba124a2e18b18545f256551349b511cb8b4d5693105681a6486c69

SHA512
45bb926d34b7d56b578c73230b6cd2f713c4b106d9a04747689844756a3ada6d9667e712e96ae591203f4235c41e21e2c11c0f94370790ec2c60ae6d0398337e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
3KB

MD5
3379686e6ee37fc357f339271d19d758

SHA1
4e03c2f6c7ab3d8eada35460bc7b22ebc56968b1

SHA256
af8825643ab4ddd5af85fa6aebd75146af2ebd5d2bfe63a76065256f88caa21b

SHA512
dfa9057c5bcd8d7134cd6651d2c910b3c2d48e945baebcc60e96af42307f67868448c2a116af6140fd6e19898caeda0bd08403fdc661ba2197f37c45c8bc0b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
3KB

MD5
17d5726d55d5d60b2d4a3e5603d21666

SHA1
596233c79e8009832d28515fe49a2ccadbbc4311

SHA256
8b1b3528e8fc8857bf67f24595819bf2901f48117734738789648a88bfe34d8d

SHA512
f1aa90afc8cc810ac23c5c56b30b94cc0173c930d852debc73e68dfd5c18eb39adb82cea6b0d7115fd0d17792aee46076fae78b0061ef3e448051d64dfed8865

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
3KB

MD5
ab30762c35df14eb09ff7f8a44604045

SHA1
55fa32e367afbf29978be34c207d29789adff0ee

SHA256
6c712ff079450a0e50abd666be89952bb501e93b19f8975a4998f8f8fcc54770

SHA512
c4595dc968bedfb101c3f197ccbbe4c6381d6e7a2f49e758fce789c76cb44e244b22135a3879b9f51a49d44c9f23ec3d4ce909631329269d8821aac1e9d51e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{68D05AC2-59F9-40E9-9E43-B545336452D7}.session

Filesize
4KB

MD5
04ea7b66ac03a6dd598f21c4185c1f80

SHA1
d790e00d6611696922e0e25dbabb19343fef77e1

SHA256
1f376676b228275869cdc918cd293bc4eebba0b8e406e51e91eaa6b697ffb3a3

SHA512
a51c399fd10d961dbe80046504fed03800f9e6659b8349421790dd532d1a6cc263b95ed2b0469b487b04f4bf6736944f84f6d9e8abd2df1a06d93ad318e0f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBA0F.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240508_161412409.html

Filesize
1.1MB

MD5
03a03d26be760bca16bed3eea037af02

SHA1
84a327b1cca94733ebc93efb36463832018d6020

SHA256
7265480a7492226e1e0a889cb5890ca07e927fe66880802c5d1edc84aa2b38d8

SHA512
915f96d386844f8ee891de75225bbeb64c7eac2df59097dfd0695fac13b40abe6d5a40b6e6e357d94713606f8203e22494ac48901d7b88146e7609dcb4e458a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBAA2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwrkuz.exe

Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3c9d1795936b5acd555f503c9f33fa9d

SHA1
73a9837fa7d8f949dabd72b8735a273d39ca24e6

SHA256
2a750843ce1fb183ff5c6f4b3c109047f6d45151c4c07c0b3703628e16f3e89e

SHA512
27c5c306b876be51e5ac75dbf42ad5e52f94929866c41539012ea2745873a02ca95007575128a1176eb3ff38801d6cc6b9413cddb09cf2ddeaac7ab8e1aa4575

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

Filesize
1010KB

MD5
27bc9540828c59e1ca1997cf04f6c467

SHA1
bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

SHA256
05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

SHA512
a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav

Filesize
724KB

MD5
bab1293f4cf987216af8051acddaf97f

SHA1
00abe5cfb050b4276c3dd2426e883cd9e1cde683

SHA256
bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344

SHA512
3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe

Filesize
24KB

MD5
e579c5b3c386262e3dd4150eb2b13898

SHA1
5ab7b37956511ea618bf8552abc88f8e652827d3

SHA256
e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2

SHA512
9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
C:\Windows\Installer\MSI6C3D.tmp

Filesize
88KB

MD5
4083cb0f45a747d8e8ab0d3e060616f2

SHA1
dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

SHA256
252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

SHA512
26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

Download Submit
C:\Windows\Installer\MSI6EC3.tmp

Filesize
128KB

MD5
7e6b88f7bb59ec4573711255f60656b5

SHA1
5e7a159825a2d2cb263a161e247e9db93454d4f6

SHA256
59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f

SHA512
294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif

Filesize
64B

MD5
8265133905b3e686dc539700acc81829

SHA1
a76b85121838551b8779574f744b2a4d2a34a11d

SHA256
1623b6cd5ca7ae9fed527946d6d263830cf01956e2857da061bc3ad732277fbb

SHA512
e034b1ad7439a0c695bb9456b0fdb8648aec4c8661c9faac6181cdf461d11b87a32e210f604800045e5117e8725c23c921c875da1275e3795662534405a3162d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
80B

MD5
c95c3a0673da0a57e6088b490af3290a

SHA1
408acfa1be74bb38094d3a9e0df913f4ca27ad51

SHA256
cd130e6e6501a7b8e39f484c0e2f1fe68725e09a8612e94e84d847a7473cbb41

SHA512
ebc24f44324489fa4aed31a7b2a5ffa9d150d14d58d3c918f9af87ccd0c23d796fb3f2d76a1cede9b293bb1f4719ff5bc70d4a5f2ff6250cfe54566e4fc5d875

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
80B

MD5
0b752cb4147b4dcd8111ebf981f90a4c

SHA1
bec5f8568b33355ad78d245e3f228d3a899bf3f3

SHA256
54094ab280788c259fccea3198611146c22f1269f4ec6ac128abdc5d17f31905

SHA512
09e22161b85b3f366ee61dd5a1fa6601b140bbc604e52afc0f8a6594559b8fe1091e4e6da5d5dc14972f9bb26ed8370064a593ae546e212abc6176245f8f3e06

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx

Filesize
6KB

MD5
8906e65ccd20ba4a5bd773d2538f05c2

SHA1
09c48ec81749e160455e1acfd71a3b362e440731

SHA256
8415b152f4d31754a34f146108475ade082c76749b0e77140ac1772fde30f346

SHA512
03e8f3a718f7e3da0e74069d3f4c1c6d7ffcd662231033a207848819847a35396b6e42fd2c809d5ebc2bb7138b6ff9a7c91a73fbfdfee4befffaa80e15f2a0af

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx

Filesize
13KB

MD5
d801ccfdf0583b1ffa350a897154a4f2

SHA1
29630b94392a7f3954d57c324e945cc4e69948bb

SHA256
59f6aa77901fe0aace38946d814220aa8eb17e251565e534d7e004b923d8581b

SHA512
f578bcfe891033cdeaae97ab4630b46784d3bee27f94015bfc568fe7abb890482fc0d5ab6373ac7c9269cc9d873eda0bda16f56d9aa8c2a639478f4682546c36

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx

Filesize
3KB

MD5
3bbdc60daf6eaabcd136942d7e3ca94a

SHA1
3fa62c5864f8026416a13e530494c66025dc2d48

SHA256
e08b15d61b46d182ec6bdf461f1066507a758206402533beb79bd642d255561d

SHA512
a767aa5cc35cef8007f314ea492e9d2c1ee3ea6ca80ea18d7ef768bbd1c91626b78615dcaa156a064c930c2ec62a213fda14facd6daa0ec329642773e4d7b68e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx

Filesize
6KB

MD5
92ed1e37a590b42bec8c2b0a31067782

SHA1
549948ea0805e88cc8718abb73719ed447d26c84

SHA256
5d7040e632ad9cf854271f64ef13cc87648a46ff9e2f1b0482f71361c14296c5

SHA512
d3f33bb263f391ac97d15ce784bd4a808390e6da1e2ffcc28a8730e7c41ded9f40aca1c24ba1fb38330e396b538fc4bf8df741d5d4f7cdc746dca155c047fa3b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx

Filesize
10KB

MD5
bbd979695ccfd9c3067bd600edc06ef9

SHA1
4fbaee53b2dac0b929b5476037fd32b252af796a

SHA256
0bba06e731b994a60f9ada0fa41343b4f5bfebfad3bc02e94ea94c0d21f92627

SHA512
75a64c4939156171c28e9a628545f18a64c6da68194423eb11304e092ef2a10af0fdff103bb76f71d971b340064a155d138850b88088a8e3d747bbe4d0a41560

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx

Filesize
68KB

MD5
5653d6f2750099493a6118f2ee888cb5

SHA1
81eece96ca8b2b22478dfdaf2dedf69a8bee6480

SHA256
ffdb952cb4a0fb7a03da8deb4d4e8ac85fb7b3e3f4fdf6e5790ca3a55d9f844b

SHA512
c7f49c384ee907763a7080ff8210cadf2a885a73a546c0f9fcc958a504ca240f36c4730202fcb74551fa1129a74aafba8c8ec46e2c23d88e19b70685a52bec96

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql

Filesize
24KB

MD5
6888409d46ddf7cde9e94bab716bba67

SHA1
2c7b9ae9fc98e0d845734056caab8d5fb293d5fb

SHA256
d397f41833147b7b42086098f4c82fda0e105c4f7c3a42d8ba78bd17fc16c20a

SHA512
ed81309c6d1900591bdd30abd38c771533875ecbd92e1a3d6273fae4d9400cea23b1376bd8873c089ece3cb36bcfba272555c6275b8bbedeadbb1bd41e48862f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql

Filesize
54KB

MD5
149b492ba6feca9dc02a385ce75c0e71

SHA1
e6cda89470800e2c4a08959e7c52f9d337b8108e

SHA256
92bbf73778a7ef065f6e1cfa88ec64f492e50727b28fe4e410165137132423e3

SHA512
530619afaaeb605e3f37eb2d1854aca07636ef8a359b0c4233f96dcfe106a771ddd2dcda166336f10eccd2d2e9fef7048bee3f799162a63f9c884be12d590bf2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql

Filesize
51KB

MD5
d507f5d653eb8749c596dc3895b639f4

SHA1
96efba1cce229c706574416595e4fe95779ae9f2

SHA256
e60dd32d0478fa43458b04462c46c5f6503b2b52058a421cd2e49817664618d6

SHA512
fe02defc73a66764bf53cf4c95cfb249a943255db0da705ff2eaaa993f28c68cd68273155a3882be0da6212f5c49c84063504bdde26baf69158250ae6b62a4f1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql

Filesize
34KB

MD5
fd336fadc8571122cfaa0d3359db955e

SHA1
a319d22af8040fc654df6f685732a413b61a3c0e

SHA256
7f90d47ecbe07cd4512e001756e017e25498cb31bf5422232baff2f9d7e707e5

SHA512
60714c44a0fa4ebe04d8261aee70c08e09ac253482c4479ba03aea55e7fec4732853aa8ce01c7692fc49c09dc0d2ec241a2f2d2813e9bf53b2fb2618f5666ba0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql

Filesize
33KB

MD5
c5ab80eb01332f1cba892be253aff8d6

SHA1
b8c9a246160374eb730356d5a23504c588734582

SHA256
3d13c6e63a4ee6ec714dd6311b61ad03018000aa92397eac61e41b9cd90a1136

SHA512
0fe317be8f3a353e84d38f7c811733dbc06e269b6567ee614ad07ec2b75e870c60cbf7557e2992d2f2a6b28c2addc07fd9ea43070ddb4a4e869150f8342f6888

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql

Filesize
50KB

MD5
357ca9fabd0490d401928d242a51147f

SHA1
580730c197271546934a374e319cb51ab4103c56

SHA256
9092903c6fc838a52e8028ac0e09e06437e1ab9f87e2a005d6f652f4933cc9ab

SHA512
9382224e231a015e6479cb4805b80e623d344705b04c711dc68f4cd6d7c5ba16125993f1fb3f49524d66a639bce64f2a2059d3caaa7088a6d88c1bcf3b4f5674

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql

Filesize
52KB

MD5
bfa89952dd429a2abd795c816af2c52e

SHA1
d2a226381a5c4d3953b00256a12e7f3fb2eb0f53

SHA256
d3aec0ca2b7d6bb4b8623d1d11e7e72d030779aa7e4beefa6d8aa3d5a2e7dafa

SHA512
1c9614644513df8e40f1ee482a4d6b39812b2183802b38e9368b8def3da0aea90107e2ccb9e36e1f8d610418b4ddcb2567b6e74ffa320f77912d49821a3a36fe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql

Filesize
6KB

MD5
c300148fa8e7a74945c60f7e15f6e5fa

SHA1
ddbcad8042f0fcd48147fbc188a86eabe5c4c8c1

SHA256
8706245112196744fa13fcdd41b83fc057425b84d461ddb1dfcedb74a9d13b38

SHA512
d34a6870c82872a35ab325c1d75cff510dff4cdedd02cc504e0bfca578b8458e61b1c12e2a341364c555556931c5bb339624a987c5f69c83fcade761a98f7feb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql

Filesize
3KB

MD5
77999154ab31244498cb73e1e33ab1b7

SHA1
4d81d3b1fd94ef04a594c0c74a478fd9ef2eb45b

SHA256
6f0883c86325c2eeb524848c9d6d92922622e0d53170a82d47893e69f0c1f6dd

SHA512
b7300c843ccb2d40602403523c643ea0cf6ee8093e8b4d2cb0f4c923b69a696b055ec67eb4bf0d69b9caaf19d1871852f6729f9f98dd64d79e569bb70d3ebacd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql

Filesize
6KB

MD5
9259b4fb611dd54060b099d907ac60df

SHA1
e6d9a786d95f679b94003bbfcd43eb87f5352cce

SHA256
ea1a6f2fe165c6bc97809eecb9ae8507568b1d890214276546f074ab61ea5532

SHA512
45aec01aec11bf82e1770d913ff291c7ab70a9c10ff1e4285a9b53de76efa153fa78c1caf4ff09708bc7ec7874088fa5d4474c948171a9841a3419e405193a91

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql

Filesize
9KB

MD5
d5a4362ad89e7183261adccdaa7656e4

SHA1
bdf383b3876b04b841d02193b4b3a78f7af92590

SHA256
cce1ed0d345d489705c219ee5630906d95acc0958528d8c7cbd4ed0088aff80f

SHA512
7bbd12016df47103a14671f691de53ad11072024a6270f0a0ec4ba001e370b2c678d077c9a565a257c7a9c557c2d5b6c795919a227b79a7cb9dbf32b1dc0ce6d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql

Filesize
7KB

MD5
5bf54d145a04fd8aa6a58b97dfed6d76

SHA1
cb5a44ac33df9126b3743231bc863ce3bada1c12

SHA256
60d7543adc6ee6bbb26ad5af3277dd3e2b7cf283a0791bacf69c0976fbcf8f2c

SHA512
2f33e5c2c9f90d6d8b2426a79ed46c4c48a7b69dd1082c56db4b4dc8b8ac263430c664e344947b093e697ed5d74f0f5bff4d0566f3efeffe67b2320f9b00850f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql

Filesize
5KB

MD5
4d79a95c9ead4a365e43e07c4ac7b868

SHA1
8aa72714c4b59b406174e88c6a7f7482c7405169

SHA256
a9bc8e4b31c1ce8a687d606332b915b0310fdbfb8ba55b52256ffc3e880c7832

SHA512
18f3edc3a020dd9c9cbd9886acbcfba31584d61ac5f5a492e8e7cc3ad93aba6f49224aa537c0505469f1de98e1da24f30c6ef1cc409d7bb132958322fe270718

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql

Filesize
9KB

MD5
1e5a2561b9e7337f6b744dd24e4e876a

SHA1
ab2a34b47f79ad75f0b8e66a7a27f45478a27e4e

SHA256
4c613394484f9ffda4b4f2f67d868b2702c87a06001c112b2b7e0f1f1a178746

SHA512
56ef1eb890535cad383ee2e1c6c1425a70f0b53c802b30568d3226a18722fc2eedd2086d9958afdedeffa367ae8f5a5ccd09c7c0377a28bf6aaccc2378b491be

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql

Filesize
11KB

MD5
a9a9f673b98149e52ebfa60ec9e3a257

SHA1
c691cf2e114630bd9e9f6e397605f40fac7d47a9

SHA256
342c3b647b7e39ec3090f05c8d8bf8d3b4fff31fa65116be06617b6866dba1a7

SHA512
dbf030f4df465209546e47f4c0b4654d4840fbd7d9ef5ca81560bf74237f06a3b233709e5eb128ec41fbe916d1d9e3b3c3baaa83ded2b0bc0574a5ed6889ab85

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql

Filesize
2KB

MD5
d63c9ecc2ab90e7d475b07f0a3ce20c6

SHA1
77460f9b650bb45225835afc1453dd9981e18d50

SHA256
e1bcf9699c6803c46cab9b53dbb5e9f8fb989fccfdf585620ca3da3436372a08

SHA512
ced1f50b46efa64dfa10314316146202d3812c731ad8b902dfed388ffa19a0da9f912d56fd4a326337cb845541ae35ea205bca72f6d1ee6bee5288027d7aa152

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx

Filesize
3KB

MD5
f2f761bd26cee8411f206ba58cc42655

SHA1
07dad67291a6d52376a84a15a06d90e3fd86d28a

SHA256
2fc3509874a280f5b4ccc81c3233c48c62d6470a1e81fbec72c1e8c4ed91bd9d

SHA512
0ed07557b036be741f00d7c5e0bdb0e80577026a79a669ac5fbac21c74111ae213fc62af23a914961f7670d91f9de7c507387861708816122ab0f2c08fcd9e5a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx

Filesize
2KB

MD5
cddc618efe58e24bdf3d8293a1719f4d

SHA1
f5685aff5e63fa94faabae305b1c24e6e105ff11

SHA256
ad9cbe0829c18b746995491b80f1ba3bc47dbd58c9cf2101cbdc9b24d433cb41

SHA512
388b20af24e22bd9d2c8775e7ec90d1cb3e517fcd33bbad709d540261471e6aa6e29af061f611a2b9f345fbd79e97eced5a181d25deecc4f08ff992fbcb8aac6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx

Filesize
14KB

MD5
945d83d84655fbe3915d7e93ef85ed93

SHA1
40d871f51b31586b4fd15a839965739e7c7885f4

SHA256
6a219406283c687187eb1b9406a479626a604f5327cee0a5c444d573dd9d671b

SHA512
31f508d0fc273b236d446f3dc091d364eb875f339abbebd2f7f70dba945d9e51252aa097619cff64e2082096cdc3cf099db94772b6f8cb1b88b4c81d4f776383

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

Filesize
320B

MD5
e23aa8bb13bf9053fdc3efd99fd8fa2c

SHA1
9708e0d2eedfe1693759bcc67543cbbfad3493b7

SHA256
759ffd3d37a180058255eac13f0a359e81d0ea9c3d1e45c967f1e00c755e2596

SHA512
6a5f42c77a0807549582580e1d61b0b6ff61cddc14dced04940c5e97a81d1a89d0a926bdf49d8099f65a248479176373f5a25c9d35eef9ca4297a2fd5159d1ee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
d0937c19443ae995fbd4290660d06d96

SHA1
51eaaa184e9365cf3f22adcf9fdc6a8ddc0aa7d6

SHA256
8ed06f0b04f24b0eb9c7ea547099fa232df996c0cd9bc3ba105c8fc053e20659

SHA512
8762c9d42073c9614f3496d7d87a0c6883737efb4b2c80f662b96554804dfde6e87ae57595354d32ce9132e64994bbf90e4a0ebe50385ceaf9133df61593e927

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
b18fdda1009678c362135bfd9ea10d19

SHA1
9b364eee7d83d401808ace2e0e564eeb00cb35c6

SHA256
6a9d9400c7981168239fe5fedbbbff22d686a4f09940c839e21abcc917275e7f

SHA512
d1f88724af6fe99d3a9ace4a573ebafd112e9d13c2dc69c2825476feeea9233d0a1ce47c71cd1ddd99b03012986a39cb3bb97547785b19db4a4edfdf47d2a971

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
960B

MD5
f8a9a08feffead4751cc8e321df09843

SHA1
d5787de96b611e02764ec03c948e5f7ba8a2514f

SHA256
36e763d3c3bc3db149aaf6554eb736e7d2226d26fff22fb1615f962f20c88ea2

SHA512
329755af1c65a4603e112cfe6ab8cbe19d86a9da453a121bf4d54673df799bba5180479535b8d10f0227d3224825399aa6cda05ab9f978081d8caacd6f69e757

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
128B

MD5
f654b375fefc7a41dbed1fc30989740e

SHA1
700cc415ce98e54bf93023e5cd8aa2f0572c5b05

SHA256
7b443c5510e9cea305c3259207f3239baa54ec2c90f904733cf30bac3ad7ba8b

SHA512
0af74fd4270c999e9da10c5f7279082b0071cfec5296535da8c0ccdb484ee4bb51a3516585a32e1d720f0786daa17f2441b0b4a9344275e0dc2cf5569cdd3429

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
4530cd40c04cdf911b5c967534e03e07

SHA1
7158196cbbc72d56e3f92fe41f7dc1cfd58e4e7d

SHA256
9101769e4926dfb899ce36dc3461c50c6091e23822153195c25480bd3a4fafcd

SHA512
86571cf9bc1a7ab4d2f09fc00839808781eeafd9970252e84c3a7aa33dd9c071ae9ae0fb41bab16edbfdb857c1d538420c8bd6af8c00a8b663fed52cefa24bb0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
c6c8ff320dcd630c615832e1303f85b9

SHA1
1aef04aba333910013f7448138795b19ae6281c1

SHA256
ed07b0ca8741f820bc31b3bd065cd307879eca2b9bdc842c8911fe92b3a4c2cc

SHA512
bda8d9716d47beb99adf25c166e5850e00a0956454e43331352eb89dde2db6c955a400c5161c699f50acd429e5c6b77123756dcda0c01242ac8b729a3acf0e29

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
64B

MD5
23c2191b2acda305a6ed4cd7f3668d5a

SHA1
fe5851a10f76a8a37eaecd4c19cfebe487dde385

SHA256
3c58a7f14fdb3a99fa52809b2899362f02a2eb1e03b47cbd3f21215fc136af2d

SHA512
e0e63bde9f05309fee6e40d6b467b159678755e90b471472b2462e62bcc89b8e7b98b2e8cb6672106fbe7cd5609adc0782687b9d0eb0fbb1b646120d4c46aad4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
928B

MD5
0ad2f82c5c433b5bd9c066704d08db2f

SHA1
fd5da574422df4df9b644088c7ef65d50c28d77b

SHA256
31adb40fa44bd1e298577463a3aa1a4cdcd3692e9a5bad19688b652c7bb378fc

SHA512
10b4e72d019e144920ca617f4342e4e1353a2683d68441aca313a759d8a33fea49e92025aa0640e7f5c5f3cd2efc54172f8c0e2a4d2bda78aa083962ba3b3c1a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
96B

MD5
da869bf5575e5a87f22e8a01a854de93

SHA1
31e24b0a7507ed472aee68b2f07286ef05d8f508

SHA256
3298989e4e1501a835e67a0431e85e3c01c790e1bb45e92b00609557d26ef029

SHA512
e5ef09cdbc2d375faeb85a1ac3c32f862a5ea9f5ad60a2f10dc910b3a937c5ff317554babd8b01874f876b54a037e64a3f22e6deb84574d916c37fd969df16e1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
96B

MD5
5191a7bd7fb4721daea39848d8c3cb68

SHA1
d1f3b4ca10a2d3c21e3441004f74f0729f156f85

SHA256
b18a25fa4ab3036df86e516985eee1f1b3d00ebe143c114ca020845ad85ee714

SHA512
cebfd90d10702cc9daa7d75eb7edcd15391fdc378a058a648c1cd65c26319e78b3b6ac0ccec76214d11443aba8fb4719d305e30a527ab4a5c243682ba97c006c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
336B

MD5
6f2241a38ea78ba6b8a1e25d6270b329

SHA1
331bcfa60ff4422ac103e66a97fa1be972e7ecd8

SHA256
8c277e7fd9110f2e716973a0f7f5b87067be273c1823e06f118f36a12868eb6b

SHA512
c2195f57ff4ae1e7d4936c0249a8b3677edba658d79f269e13376520153b21aaca84b276b36c416152a4765d0f018575865c3dcc892423d5ca4aca32b0aae108

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
5aea95aaf4ff7b8cd11157d4eff3bda7

SHA1
7524b1d347ffb7e52a02196115c7567a01ecd479

SHA256
9c173bddc5dd6169df70ba58699e2d448a5d0ff462028416ea4e08f7cbce4e51

SHA512
688670dcf38b178c9d09353c5d1e44fb46119c88a8691940169842c9692758ebcb87d4ec73bcda8c729097841101db49524fe34a307d245eed0f02eb1422e3ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
176B

MD5
ec29f6c8fa9bc0812fccb60e0c89970d

SHA1
7074058788f36b89e77059de20c71c93c0d4852f

SHA256
68ce7396af53c186e1aa8d4bfdd1e048b765f2f7d4e3fa3e6ff4183687daad5a

SHA512
4ac125d2014c7fa889605d34c3c9cb74517f5f6a2d8a21a968ac1d9daba73e898f2429f3c0a5b83365fe3947742c5299f106fef0c8275ff03af38357dc42f354

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
592B

MD5
737379c86eba8eb3a1b9dd751d9e554e

SHA1
715ca2e998ee5eb35a27f6e111f8ccf4acfcab8a

SHA256
b690ac52d772a7f80e147b5f0408fd9df7210c6dad0f62320f72c845779040f5

SHA512
cc4ad26a8bad5c09bde1e8e4c08d144d8ff9a8dde7887ecb6af56af6195f457a550139a37ae8fc2c98e5c56981a9c3c4f611f1d20e0a9ffb1f19fe6369acca16

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
128B

MD5
4cac3beb25a36f2905523992bdd1ff1a

SHA1
a0602fa5cdfb86119809d4fccca90dee42827777

SHA256
185c50740d06080615dde69b335dc52fd7dcd826d1d4f09061dd89f5590d2aee

SHA512
ef16f8e9d03a11e059a07b24afecb9cf1c76290918c3df3bce5f5435876057d2f5e66215f022aa5ce318d217d9514fb8160191fd0f742e4725d632c91ac69d3b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
a3d1ad7b31e3f6b7d996fd019861029f

SHA1
64955b85e0e666bc56ac11d7055176f9cffe4f32

SHA256
f41ebcacbf862fa7112fc96da3e54281d7915d9866a64bd9064f351d86fe14e5

SHA512
10594bd799cb8fe3d43cb671e1aee647cadaaea49d96a534bdce41a4b76a20931102b1af92432caff04da47c2df7080c3ebaeb6bf7164b35d04642a2ce06c27b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
896B

MD5
edc615c4692c43ddb664b0ad0f69a117

SHA1
e83e1eb7a40d7072c10dc6b9249ccaf7eb5639f2

SHA256
1c7ca37984321d0218b831cd243729c93361a9f8909f73ab26048eb9edd48fa0

SHA512
012257c0a08b8de2164834325847e9d31dbbb146ef600ab95311f95daaa305dd847f1659b3ebe5392b54f3b8a2920335e0e1e8b37c8debfe6adeef347d0d4e56

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx

Filesize
12KB

MD5
39eb87eef149104e0f2320ef8cb842c6

SHA1
8a66ee850614998c7ada65cf80b5841afe378bbd

SHA256
0acac8dc1bcc95193a282fb32d6c5a7100d8b68ba7637e05e349b87527a99f7e

SHA512
fde542cc21323691bb06aff66b41ff593270f57052bbc7efda7af18d289f193457afc87e194e243700c1f2b1d29b6cd6b63c4af2b1bcf9b7d9be14ad675910fe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx

Filesize
9KB

MD5
9d8c661eca4f2ef29a890ec6444b0c60

SHA1
ec363be90aee3a9a6e8795173f9c7ebd6dbc0c50

SHA256
0a8b2d589226effd18233c3c9c703a0219eac95c75119e95c9a9a5c8a3b4e95f

SHA512
251a7ac1fcc78b1039d3ccaaa2df3040f45ec53d153edeb7e80f9ea85e7abce0cb717868d1c72672188f1f86687df00c994a4424de665ee77b69c7aa09b5d5dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ProviderList.ascx

Filesize
9KB

MD5
bb923ed31db87e41afca55dc4104f047

SHA1
f59e7b13ce9ba2fe4750840b821078bf2b058975

SHA256
9675aca777b0db50320e5c54186767a377958c75f9e7c32b92c2cedc6456e453

SHA512
a07dcd2d55e4145beb109fcfea469a9cea4297dae5648daedaca66b4424bd6b429a06afb34e39b845fbac0b01257629c06db85e0734dd3c38d4230d42f4fa68e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx

Filesize
2KB

MD5
c3706f6a0a940f4845cfe1a790ca58cb

SHA1
f33ffc96b4d3ca79645d628322dd4f43ef65724b

SHA256
86144c6acb90afaa4a378a0d6a111e813ed4af65ba8e7d64acfae5550b4e998e

SHA512
5635ae660360e782d921f407879cf4213533a3f1e9ff191c84696a2bad98d32fc87a2ce556f541140e16a78267208592bf621ecd16a69b82213993680f9bd611

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx

Filesize
10KB

MD5
61f43e61838cc78e9a31cf2d5e4c3320

SHA1
22038348de040f4048baa2bcad66ac0d71c2fe35

SHA256
8e0d2385f4991d50f88e6fe7b48c278145cbe370d63e34293100c55d5747924e

SHA512
55138d9b570f138e06eb80c83acf8d351dbde6aa4c58c7755297093d0df7fd497f580ff6cb38837b2e72f990515ec5b962b36d8f76fe2db92c65454c17eed87c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx

Filesize
21KB

MD5
eb728a387e59606d43f3a593131b90b0

SHA1
26814c025e293891af1aaddc7c433ee76a85440a

SHA256
ce6185b4e9add318d400edfc5ca595c7e71ff95bf281f2920d7bc76eb6d7f4bb

SHA512
7fea39fdff73a3c30c5dd0f7fecab50ba043a7e95de56417c5f887a4971e7614a96913a04b23310e4d9900750750c28746e133d0f2b77b2e328ee18e33bbb7c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx

Filesize
11KB

MD5
665d28e86c8bf702043b1aa7075517af

SHA1
faffa40d247e8142e537ba34d573f17a82dd4e70

SHA256
35fe4acfd29854a4dc5c19ed9428812a91c88d1b2b9ff0737025fec0f360445d

SHA512
5ea81951ae30bb9cb8971d6ec2a8d7b18be798ea4ffe745c2d2fec42865861d94af3473cc7c4ed7bc4a1cd4460d90c944ad5b83c9ab26fee173856170b6a6fc5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx

Filesize
10KB

MD5
03ccf29e7768e8b4f94749cba5173a6e

SHA1
37bf1dafa00a02c9b93dcb64feecc2b6ee57a3d5

SHA256
4599f8a141026d7064683ad585ad491b41cd3a8eab99df5bee6fa633a652e9f3

SHA512
8c6ffb1101f66db24653ddf5d7580c61f3a4ec644258229206c693228b5d67f495a81b7c00b554873303de61dbd185356d0e50a54ccf45f8ae001a7e9990f93c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardAuthentication.ascx

Filesize
2KB

MD5
db9c23d9a88f3d364490f223cc5814c1

SHA1
01700cfeb68e1d288e0e1462a544b685d6cdd29d

SHA256
839a1a3a44b65a47f92668863a9ff15fb943e486c6719d15d1bb2c3adc65f178

SHA512
96adc326c12b34b8b7067c13dbc03bcb63ba7a7d5f493ca73d287e32c9522340041323c96c2b414bc60378f1b87a076a6702feb9d607dd30241c1af146324ac8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardCreateRoles.ascx

Filesize
7KB

MD5
eef836afff622a62ff1521e9e4a04831

SHA1
8af7fa4e7d4af93fd2447915bfe25cbd88e0bf3e

SHA256
995d7614c17d7651055cc2bd194724710beaaf89dfa98c819afbba34ae98bbd9

SHA512
5df155011ab51c65cd03bdbadb16bd726dba1915d8dbeb11d4ef50b47180c6c42e34a3de8d19588db00edc73200a4432bd832a002081406db5d5929cc444b31c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardFinish.ascx

Filesize
272B

MD5
31e6012a5172dad094ee151e2b8366ca

SHA1
d2db241c70e3600aa675312929fd93ea316453e9

SHA256
921788a7cf8df0bff75870027668c9737ba51e0436f8a81a9a40574454a0ce30

SHA512
fc5ec42d630a2fa9e393d2e09b5baded178a5a8fdaf7e514d15f828779b543a3ff8686538c39748f742103f4b0b7326ff5f0cb491e35cc8a7ca333e369c377c3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardInit.ascx

Filesize
496B

MD5
90b17a8f92695ec3448a7fd65e2b3d3d

SHA1
8a4f2f0eadf4611f146260477af31e7321c22bf0

SHA256
7845f57cb14943ace05235352b421931ce6281a9a0737678df2b2504cf5db7aa

SHA512
d4be2ce1d06464d486326090e6fdb37e57ebfd5ac5e0c8329c14cdf35d3b72aac6a134a189a543adac5a624e94eb7ea854402dbb757452aee0016319be476510

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardPermission.ascx

Filesize
24KB

MD5
6157e65ce0c03cc1d1ca4ec0398f9e79

SHA1
e25b5772603e2edecceab9b58ade6e544097db32

SHA256
f07ffe761c8314b8f9d18ce5931021f47e468f5301797679014c8a66847380c4

SHA512
6bc779ab30efa4bc77e56e98085a2005ab609ab785cc93e56ac7a86b5c39e0c11d0054d17ae3f573d740f8eaafc7614209098ce9b03d1d2ddc2718da73439e62

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardProviderInfo.ascx

Filesize
1KB

MD5
e65dce2bf3e9df48e8505eccd198df7f

SHA1
4c3424688ed06cd087e5818d558ece48f09ea06b

SHA256
20d4410a2913dea4e0746b230e683fbdba9cb2660d8b9b7a5fdd5eef4564d081

SHA512
444e6d0933895e27607d0bfdda4016289c1aac9aece862c189d15f4516bdadea035cda12a3996b6a759ae593dec54747456bc74986528493241652a996aa6e5e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx

Filesize
9KB

MD5
d69f9fe3a371e6930b627bf9e43df1ad

SHA1
c910aea5def57f08b1f5dbd80964b01cfcc9298a

SHA256
efb12e213f21a0ffd5bef62eabb5454616dc279b5fe84c6e3fe80d93fd3aa0a9

SHA512
d10a3d57ba560cfe6d0cef5bd02981c3ea6cb94d594f44a8a4f8ca1ead207b6b38d420e0456b30da7747d185d716d68f6ae3cb95a15bbad137a606e258eeae7c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx

Filesize
1KB

MD5
0c3cc1b5fd1a7e2adb6c0eab43aadfe6

SHA1
b5139b1822b00a41c58764d8173b68bb008e7663

SHA256
ec16652c2257aa86cbf5172e0837dabc8e876e48992db48c2e52eeea4ba087a4

SHA512
e42070e6cfd159b9347dedc68c66b820fdcbfda3e525712588f291b81b6a2e28984735fd6c71b1f16725816734f4f1fd8d3ac7d084a9e7cfeb3c2d052cacfe3e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx

Filesize
2KB

MD5
886e351459909efba22077438445139b

SHA1
e3430504f71bcb7a78962c09c3f89bec32eab493

SHA256
8e9de3b7b26034b28981bcc93d9311526fc21a0dd64753bcd1462e21f9aa3b66

SHA512
762301ccf5fb2c1ea5c40d1f12c5dc36e61a1fdbd27650ab1e1a454fed0640ab7253d2209ab29626fcd6e15752ab4fa2d3e0021a83365d0080ca81c91a31a6e2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\default.aspx

Filesize
4KB

MD5
8e98527d8124f1ef6b03c07ff72f3c3b

SHA1
1e30a27eafcc60c1fb20c555ce25277fa12d814c

SHA256
830f603d2ec86d551704eed978a77abe67154dcccc666d987599b9ca8b24c8d3

SHA512
345fbf20355f26790a9c373087539f924cf9630d37ee4d6a5fc1d391cf55cd65e9e8c7b5a707c74ced68bebb24cceef1735f1860412354f3dc0b0b496e9cfdcf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\error.aspx

Filesize
6KB

MD5
332e870bfc7a2a5b29d9aaba227e78e1

SHA1
1a996c96f4d8750eadeed7039a79a697e4f65094

SHA256
3d4cabe0a1a2c595764cef87b1c61b1ad4b90160f2ff84b2623c45183e612c31

SHA512
e7af61f15f4b5886ea668f64eb7332f97c035165186fe7a9dbaa00a87e7505fe7c01a4f1419216181c51f57fcdf800dde6971c8f80da643636794204aef93f1a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx

Filesize
1KB

MD5
11aba17607a54cca8f580802e9d5f8fe

SHA1
2e4351d0e62947c85eddbcdc57dede214a8e5229

SHA256
b528778cbecc1d9b71314473599b9ef5c0ed25db8c269a5bd3237275a5067af4

SHA512
ef3469d2c723b5c9f0e9a35c88bbf365332074c74d792581f67d3dcdd95a02519f143be6a8023e9a02c77cb4bd74f9b66bd467a367e9230e967bd0a19a546683

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx

Filesize
752B

MD5
7155c112438522021ae73d4d72e25cc8

SHA1
82fe0448447b077080d2814aa45c9d01671b0222

SHA256
5619183169e8b493045577190eeff4208c3ddc6dc94eb230535e92b9aa14288b

SHA512
d59d6546ac19c9fb69d890ef3e0b036959bbb569e2a2485235367260864defda05c52079acb58522ea606ca27c1caff578ef20aca7299e2f7609e0f0c6d75f8a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx

Filesize
1KB

MD5
d6bcacffaad1bdd028e7bf8317f06a3d

SHA1
7bacb66858019d9c4a02bb333e234c959f73e349

SHA256
d9c2bcd3536134b5d82f0a62ef5222cb76054a7dcaac5ec751a59f5e9573dcc8

SHA512
d6efc8e93b80bddd2968f4ad99579ba79b7f236949fc1a99a64794c5914acc66878533ac50439cbc935ad2ba6aadf9ebb8bea710a8f6f34293f8a16ec26956e4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\navigationBar.ascx

Filesize
8KB

MD5
daf24860f7c6c68812a2052645c09f0e

SHA1
63877c7afffb226f6884e776c53a82068807a9fc

SHA256
31df988331cf91e88ec1bb5f914ab0fd46128d9d720526980b2dbb8b86288c9d

SHA512
7470f914f716395feaf306d633ec0730a96ffb60ec1b84c1b6a914e57f9bfa94db97586c66f664b84ed6f55ef3eb452d446aaeffe6ba163e6db7da953d820c9c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql

Filesize
23KB

MD5
d8e0e6b3a8af948df0f178f08fb787ad

SHA1
293b2f8c24d9f3c36de667e8dad31da3f78ac777

SHA256
401a519ede48f2c824711a29902c99d8a987cb678b30c8fee69d7556ffbecd6c

SHA512
c71f786b8dd000a766508f9d4df40ef10dcb706e344c9db81b10d3b637ede8f8963c6d543f5527cf5f274199967f699b4059034e34680aa2d228a24f5fae41ed

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql

Filesize
4KB

MD5
7cd636d48d9bc87bc8fbd1d23d62eb71

SHA1
434deb03c14a2335a03e15456343ace38b183dbe

SHA256
fd1e22250d6ee308448759dcc04e8d41f435ea64a4adb13c830cb8811fdddc57

SHA512
504439e0810a47def1c8c23c5014c5b91f353b52cdc5324cd1c1564115ee3ec7e9c120762a845bee7b8c705c16c358d130df927a619c3310f2d1103ac16d5632

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql

Filesize
372KB

MD5
7dab941226848ee50712017a3083f5d7

SHA1
02cbc7a6e6ae1974183debf1fadfbb71c5443b30

SHA256
c7f27a5766a90b6650a201ccb33b72f40d392c3ac6696f01b3650d0fa3a78ab4

SHA512
0e09944ebf445f737166b2b935885fa1deca058b198a042f2c6fb9fcbdb2e1c6009b1e832af3e3726ec3158b6841ba3e5c6ae826a1193059baa37731e8878c5a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql

Filesize
49KB

MD5
948145eeeb3aa16e02c75bc959a88465

SHA1
9bef992286fb61ff100c1ae490a5bd2d898083a3

SHA256
163013306bfadc5efa1ac0aa500df5e89dc2694cfca2418d1013b4ecf08d3839

SHA512
e0721be8b7d66913c4200d8c0ea7bd5adabc75899e0aaaa76927700c888ec9509220c2151eb3b4606fb2aadfb9da6e7b30042288f87c1b5b9bc3cee465340d31

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql

Filesize
2KB

MD5
6d4d2c93ef4105e259131f6f978257b7

SHA1
e950d6119e5846b4432846ab3ec31a88bcc43850

SHA256
631dd33ae9f75befd9e9bac7a7638e3df5996d34d50864513041e3410e7fad9e

SHA512
17e10e417dcf61985ead0a462f6487fc50d0bf490615f5720e3b7b9e4f6a9ac4628672db6662623c29bb4d4003145314ceda304746d8c340d57a080008a35ed8

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

Filesize
13KB

MD5
7754c00614c2eac0629ae5156f31ed7c

SHA1
0185504fec4e69b8dafdc622c13106e5f6d7fc64

SHA256
0843a9fa8101607b57045ab9f3c35ced942b0661cc299386f41f5b4d6b6ddf14

SHA512
4127da84529e37334f89fd4554c9ed11f4db8082c92a1f27c2e109a2e634ac60eafd432f8b1d13b3d22a6ee54ca6c0332669e1ff223baca3a99433207ba43802

Download Submit
\Windows\Installer\MSI6B13.tmp

Filesize
180KB

MD5
d552dd4108b5665d306b4a8bd6083dde

SHA1
dae55ccba7adb6690b27fa9623eeeed7a57f8da1

SHA256
a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

SHA512
e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

Download Submit
\Windows\Installer\MSI6E45.tmp

Filesize
96KB

MD5
3cab78d0dc84883be2335788d387601e

SHA1
14745df9595f190008c7e5c190660361f998d824

SHA256
604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd

SHA512
df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

Download Submit
\Windows\Installer\MSI6F31.tmp

Filesize
312KB

MD5
aa82345a8f360804ea1d8d935f0377aa

SHA1
c09cf3b1666d9192fa524c801bb2e3542c0840e2

SHA256
9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437

SHA512
c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

Download Submit
memory/560-40-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/760-1049-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1072-48-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/1368-50-0x0000000001360000-0x0000000001370000-memory.dmp

Filesize
64KB

Download
memory/1424-1342-0x0000000001330000-0x0000000001340000-memory.dmp

Filesize
64KB

Download
memory/1724-1396-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1404-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1392-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1394-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1388-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1398-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1400-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1402-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1406-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1408-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1410-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1412-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1414-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1366-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1364-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1386-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1382-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1380-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1378-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1376-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1374-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1350-0x0000000002100000-0x0000000002132000-memory.dmp

Filesize
200KB

Download
memory/1724-1349-0x0000000001DB0000-0x0000000001DE2000-memory.dmp

Filesize
200KB

Download
memory/1724-1475-0x0000000002520000-0x000000000252E000-memory.dmp

Filesize
56KB

Download
memory/1724-1372-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1370-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1368-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1362-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1351-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1360-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1352-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1354-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1384-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1052-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/1724-1358-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1390-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1724-1356-0x0000000002100000-0x000000000212B000-memory.dmp

Filesize
172KB

Download
memory/1884-8870-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/1896-1036-0x0000000000F70000-0x0000000000F80000-memory.dmp

Filesize
64KB

Download
memory/1976-36-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2228-1042-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/2268-15223-0x0000000001170000-0x0000000001180000-memory.dmp

Filesize
64KB

Download
memory/2340-1344-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/2492-1045-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/2544-54-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download
memory/2560-552-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2588-43-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/2620-1479-0x0000000000E80000-0x0000000000E8C000-memory.dmp

Filesize
48KB

Download
memory/2680-45-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/2680-14-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2680-15-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2740-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/2740-1043-0x000000001D780000-0x000000001DAD0000-memory.dmp

Filesize
3.3MB

Download
memory/2740-1-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2740-31-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/2740-41-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2740-32-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/2800-1047-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2832-8-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2832-6-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2832-7-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2900-1034-0x0000000000AF0000-0x0000000000B00000-memory.dmp

Filesize
64KB

Download
memory/2912-1040-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/3004-52-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download