phorphiex | d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

Resubmissions

20-09-2024 07:47

240920-jmh8dswane 10

20-09-2024 07:46

240920-jl2ckswdpk 10

20-09-2024 03:56

240920-ehjadaxcqb 10

20-09-2024 03:35

240920-d5fx4awerf 10

Analysis

max time kernel
9s
max time network
32s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCCooker_x64.exe
Size

22.4MB
MD5

317c5fe16b5314d1921930e300d9ea39
SHA1

65eb02c735bbbf1faf212662539fbf88a00a271f
SHA256

d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
SHA512

31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
SSDEEP

49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

Score

10^/10

phorphiex ragnarlocker redline xworm bundle bootkit defense_evasion discovery evasion execution impact infostealer loader persistence ransomware rat trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
x66x54x66x
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

Mutex

VQd9MfbX4V71RInT

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Path

C:\Users\Public\Documents\RGNR_86266DD0.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

redline

Botnet

bundle

185.215.113.67:15206

Signatures

Detect Xworm Payload 48 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\24.exe	family_xworm
behavioral1/memory/1720-127-0x0000000000B90000-0x0000000000BA0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\25.exe	family_xworm
behavioral1/memory/2656-129-0x0000000000800000-0x0000000000810000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\23.exe	family_xworm
behavioral1/memory/2344-140-0x0000000000210000-0x0000000000220000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\19.exe	family_xworm
behavioral1/memory/2196-162-0x0000000001220000-0x0000000001230000-memory.dmp	family_xworm
behavioral1/memory/1512-164-0x00000000010D0000-0x00000000010E0000-memory.dmp	family_xworm
behavioral1/memory/2840-177-0x0000000000C90000-0x0000000000CA0000-memory.dmp	family_xworm
behavioral1/memory/2184-176-0x0000000001350000-0x0000000001360000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\16.exe	family_xworm
behavioral1/memory/2040-170-0x0000000001160000-0x0000000001170000-memory.dmp	family_xworm
behavioral1/memory/712-169-0x0000000000330000-0x0000000000340000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\17.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\21.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\18.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\20.exe	family_xworm
behavioral1/memory/988-144-0x0000000000D50000-0x0000000000D60000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\22.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\14.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\12.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\10.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\13.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\15.exe	family_xworm
behavioral1/memory/592-312-0x0000000000F00000-0x0000000000F10000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\9.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\4.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\5.exe	family_xworm
behavioral1/memory/2068-418-0x0000000000080000-0x0000000000090000-memory.dmp	family_xworm
behavioral1/memory/1792-415-0x0000000001380000-0x0000000001390000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\3.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\7.exe	family_xworm
behavioral1/memory/1112-375-0x0000000000BE0000-0x0000000000BF0000-memory.dmp	family_xworm
behavioral1/memory/2252-405-0x00000000001A0000-0x00000000001B0000-memory.dmp	family_xworm
behavioral1/memory/2140-369-0x0000000000870000-0x0000000000880000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\6.exe	family_xworm
behavioral1/memory/1556-370-0x00000000000F0000-0x0000000000100000-memory.dmp	family_xworm
behavioral1/memory/2632-313-0x0000000000EA0000-0x0000000000EB0000-memory.dmp	family_xworm
behavioral1/memory/1468-311-0x0000000001160000-0x0000000001170000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\8.exe	family_xworm
behavioral1/memory/2304-367-0x00000000012D0000-0x00000000012E0000-memory.dmp	family_xworm
behavioral1/memory/1416-366-0x0000000001010000-0x0000000001020000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\11.exe	family_xworm
behavioral1/memory/604-465-0x0000000000E10000-0x0000000000E20000-memory.dmp	family_xworm
behavioral1/memory/1980-472-0x00000000000D0000-0x00000000000E0000-memory.dmp	family_xworm
behavioral1/memory/336-470-0x0000000000310000-0x0000000000320000-memory.dmp	family_xworm
behavioral1/memory/2020-473-0x0000000000B50000-0x0000000000B60000-memory.dmp	family_xworm

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysarddrvs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysarddrvs.exe

Phorphiex payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\11.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6088-7850-0x0000000000C30000-0x0000000000C82000-memory.dmp	family_redline

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (2087) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
6108	powershell.exe
3040	powershell.exe
4368	powershell.exe
4852	powershell.exe
4592	powershell.exe
4940	powershell.exe
4736	powershell.exe
4796	powershell.exe
3360	powershell.exe
4804	powershell.exe
4456	powershell.exe
5368	powershell.exe
6076	powershell.exe
6440	powershell.exe
4512	powershell.exe
3432	powershell.exe
4972	powershell.exe
5516	powershell.exe
5484	powershell.exe
5668	powershell.exe
4260	powershell.exe
4252	powershell.exe
4988	powershell.exe
5788	powershell.exe
3268	powershell.exe
228	powershell.exe
4740	powershell.exe
6136	powershell.exe
5432	powershell.exe
5760	powershell.exe
5988	powershell.exe
6976	powershell.exe
5248	powershell.exe
6568	powershell.exe
4164	powershell.exe
7072	powershell.exe
6052	powershell.exe
4976	powershell.exe
3440	powershell.exe
4288	powershell.exe
2472	powershell.exe
4636	powershell.exe
1724	powershell.exe
5628	powershell.exe
6420	powershell.exe
6292	powershell.exe
4932	powershell.exe
3788	powershell.exe
4140	powershell.exe
5244	powershell.exe
3696	powershell.exe
4620	powershell.exe
4392	powershell.exe
5080	powershell.exe
4868	powershell.exe
4232	powershell.exe
6012	powershell.exe
3764	powershell.exe
6316	powershell.exe
3196	powershell.exe
3844	powershell.exe
3616	powershell.exe
4992	powershell.exe
4728	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fddd325.exe explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fddd325.exe	explorer.exe

Executes dropped EXE 32 IoCs

Processes:

4363463463464363463463463.exea76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exeasena.exeBomb.exeCryptoWall.exe11.exe25.exe24.exe23.exe22.exe21.exe20.exe18.exe19.exe17.exe16.exe14.exe15.exe13.exe12.exe11.exe10.exe9.exe8.exe6.exe7.exe4.exe5.exe3.exe2.exe1.exesysarddrvs.exe

pid	process
2712	4363463463464363463463463.exe
2676	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
1424	asena.exe
2556	Bomb.exe
2604	CryptoWall.exe
2988	11.exe
2656	25.exe
1720	24.exe
988	23.exe
2344	22.exe
712	21.exe
2196	20.exe
1512	18.exe
2184	19.exe
2040	17.exe
2840	16.exe
592	14.exe
2304	15.exe
2632	13.exe
1468	12.exe
1416	11.exe
2140	10.exe
1556	9.exe
1112	8.exe
2252	6.exe
2068	7.exe
1792	4.exe
604	5.exe
1980	3.exe
336	2.exe
2020	1.exe
1056	sysarddrvs.exe

Loads dropped DLL 9 IoCs

Processes:

PCCooker_x64.exe4363463463464363463463463.exe

pid	process
2260	PCCooker_x64.exe
2260	PCCooker_x64.exe
2260	PCCooker_x64.exe
2260	PCCooker_x64.exe
2260	PCCooker_x64.exe
2260	PCCooker_x64.exe
2260	PCCooker_x64.exe
2712	4363463463464363463463463.exe
2712	4363463463464363463463463.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe11.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd32 = "C:\\2fddd325\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd32 = "C:\\2fddd325\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	11.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

asena.exe

description ioc process

File opened (read-only) \??\E: asena.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-addr.es
11 myexternalip.com
18 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

asena.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 asena.exe

description	ioc	process
File opened (read-only)	\??\E:	asena.exe

flow	ioc
9	ip-addr.es
11	myexternalip.com
18	ip-api.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	asena.exe

Drops file in Program Files directory 64 IoCs

Processes:

asena.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Ojinaga	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Chita	asena.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat	asena.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.security	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10	asena.exe
File created	C:\Program Files\7-Zip\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar	asena.exe
File created	C:\Program Files\Common Files\System\de-DE\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman	asena.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra	asena.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_zh_CN.jar	asena.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui	asena.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	asena.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\RGNR_86266DD0.txt	asena.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\RGNR_86266DD0.txt	asena.exe

Drops file in Windows directory 2 IoCs

Processes:

11.exe

description ioc process

File created C:\Windows\sysarddrvs.exe 11.exe
File opened for modification C:\Windows\sysarddrvs.exe 11.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5756 sc.exe
3572 sc.exe
5704 sc.exe
4748 sc.exe
4368 sc.exe
4340 sc.exe
7872 sc.exe
3172 sc.exe
4564 sc.exe
4088 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\sysarddrvs.exe	11.exe
File opened for modification	C:\Windows\sysarddrvs.exe	11.exe

pid	process
5756	sc.exe
3572	sc.exe
5704	sc.exe
4748	sc.exe
4368	sc.exe
4340	sc.exe
7872	sc.exe
3172	sc.exe
4564	sc.exe
4088	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.execmd.exepowershell.exesc.exe4363463463464363463463463.exesc.exesc.exe11.exesvchost.exevssadmin.exesysarddrvs.execmd.exesc.exesc.exeasena.exeCryptoWall.exePCCooker_x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCCooker_x64.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2792 vssadmin.exe
812 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

4592 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

2604 CryptoWall.exe
864 explorer.exe

pid	process
2792	vssadmin.exe
812	vssadmin.exe

pid	process
4592	powershell.exe

pid	process
2604	CryptoWall.exe
864	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exevssvc.exe4363463463464363463463463.exe24.exe25.exe23.exe22.exe20.exe18.exe21.exe17.exe19.exe16.exe13.exe12.exe14.exe11.exe9.exe15.exe10.exe8.exe6.exe4.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2220	wmic.exe
Token: SeSecurityPrivilege	2220	wmic.exe
Token: SeTakeOwnershipPrivilege	2220	wmic.exe
Token: SeLoadDriverPrivilege	2220	wmic.exe
Token: SeSystemProfilePrivilege	2220	wmic.exe
Token: SeSystemtimePrivilege	2220	wmic.exe
Token: SeProfSingleProcessPrivilege	2220	wmic.exe
Token: SeIncBasePriorityPrivilege	2220	wmic.exe
Token: SeCreatePagefilePrivilege	2220	wmic.exe
Token: SeBackupPrivilege	2220	wmic.exe
Token: SeRestorePrivilege	2220	wmic.exe
Token: SeShutdownPrivilege	2220	wmic.exe
Token: SeDebugPrivilege	2220	wmic.exe
Token: SeSystemEnvironmentPrivilege	2220	wmic.exe
Token: SeRemoteShutdownPrivilege	2220	wmic.exe
Token: SeUndockPrivilege	2220	wmic.exe
Token: SeManageVolumePrivilege	2220	wmic.exe
Token: 33	2220	wmic.exe
Token: 34	2220	wmic.exe
Token: 35	2220	wmic.exe
Token: SeIncreaseQuotaPrivilege	2220	wmic.exe
Token: SeSecurityPrivilege	2220	wmic.exe
Token: SeTakeOwnershipPrivilege	2220	wmic.exe
Token: SeLoadDriverPrivilege	2220	wmic.exe
Token: SeSystemProfilePrivilege	2220	wmic.exe
Token: SeSystemtimePrivilege	2220	wmic.exe
Token: SeProfSingleProcessPrivilege	2220	wmic.exe
Token: SeIncBasePriorityPrivilege	2220	wmic.exe
Token: SeCreatePagefilePrivilege	2220	wmic.exe
Token: SeBackupPrivilege	2220	wmic.exe
Token: SeRestorePrivilege	2220	wmic.exe
Token: SeShutdownPrivilege	2220	wmic.exe
Token: SeDebugPrivilege	2220	wmic.exe
Token: SeSystemEnvironmentPrivilege	2220	wmic.exe
Token: SeRemoteShutdownPrivilege	2220	wmic.exe
Token: SeUndockPrivilege	2220	wmic.exe
Token: SeManageVolumePrivilege	2220	wmic.exe
Token: 33	2220	wmic.exe
Token: 34	2220	wmic.exe
Token: 35	2220	wmic.exe
Token: SeBackupPrivilege	3048	vssvc.exe
Token: SeRestorePrivilege	3048	vssvc.exe
Token: SeAuditPrivilege	3048	vssvc.exe
Token: SeDebugPrivilege	2712	4363463463464363463463463.exe
Token: SeDebugPrivilege	1720	24.exe
Token: SeDebugPrivilege	2656	25.exe
Token: SeDebugPrivilege	988	23.exe
Token: SeDebugPrivilege	2344	22.exe
Token: SeDebugPrivilege	2196	20.exe
Token: SeDebugPrivilege	1512	18.exe
Token: SeDebugPrivilege	712	21.exe
Token: SeDebugPrivilege	2040	17.exe
Token: SeDebugPrivilege	2184	19.exe
Token: SeDebugPrivilege	2840	16.exe
Token: SeDebugPrivilege	2632	13.exe
Token: SeDebugPrivilege	1468	12.exe
Token: SeDebugPrivilege	592	14.exe
Token: SeDebugPrivilege	1416	11.exe
Token: SeDebugPrivilege	1556	9.exe
Token: SeDebugPrivilege	2304	15.exe
Token: SeDebugPrivilege	2140	10.exe
Token: SeDebugPrivilege	1112	8.exe
Token: SeDebugPrivilege	2252	6.exe
Token: SeDebugPrivilege	1792	4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PCCooker_x64.exeasena.exeCryptoWall.exeexplorer.exe4363463463464363463463463.exeBomb.exe

description	pid	process	target process
PID 2260 wrote to memory of 2712	2260	PCCooker_x64.exe	4363463463464363463463463.exe
PID 2260 wrote to memory of 2712	2260	PCCooker_x64.exe	4363463463464363463463463.exe
PID 2260 wrote to memory of 2712	2260	PCCooker_x64.exe	4363463463464363463463463.exe
PID 2260 wrote to memory of 2712	2260	PCCooker_x64.exe	4363463463464363463463463.exe
PID 2260 wrote to memory of 2676	2260	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 2260 wrote to memory of 2676	2260	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 2260 wrote to memory of 2676	2260	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 2260 wrote to memory of 2676	2260	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 2260 wrote to memory of 1424	2260	PCCooker_x64.exe	asena.exe
PID 2260 wrote to memory of 1424	2260	PCCooker_x64.exe	asena.exe
PID 2260 wrote to memory of 1424	2260	PCCooker_x64.exe	asena.exe
PID 2260 wrote to memory of 1424	2260	PCCooker_x64.exe	asena.exe
PID 2260 wrote to memory of 2556	2260	PCCooker_x64.exe	Bomb.exe
PID 2260 wrote to memory of 2556	2260	PCCooker_x64.exe	Bomb.exe
PID 2260 wrote to memory of 2556	2260	PCCooker_x64.exe	Bomb.exe
PID 2260 wrote to memory of 2556	2260	PCCooker_x64.exe	Bomb.exe
PID 2260 wrote to memory of 2604	2260	PCCooker_x64.exe	CryptoWall.exe
PID 2260 wrote to memory of 2604	2260	PCCooker_x64.exe	CryptoWall.exe
PID 2260 wrote to memory of 2604	2260	PCCooker_x64.exe	CryptoWall.exe
PID 2260 wrote to memory of 2604	2260	PCCooker_x64.exe	CryptoWall.exe
PID 1424 wrote to memory of 2220	1424	asena.exe	wmic.exe
PID 1424 wrote to memory of 2220	1424	asena.exe	wmic.exe
PID 1424 wrote to memory of 2220	1424	asena.exe	wmic.exe
PID 1424 wrote to memory of 2220	1424	asena.exe	wmic.exe
PID 1424 wrote to memory of 812	1424	asena.exe	vssadmin.exe
PID 1424 wrote to memory of 812	1424	asena.exe	vssadmin.exe
PID 1424 wrote to memory of 812	1424	asena.exe	vssadmin.exe
PID 1424 wrote to memory of 812	1424	asena.exe	vssadmin.exe
PID 2604 wrote to memory of 864	2604	CryptoWall.exe	explorer.exe
PID 2604 wrote to memory of 864	2604	CryptoWall.exe	explorer.exe
PID 2604 wrote to memory of 864	2604	CryptoWall.exe	explorer.exe
PID 2604 wrote to memory of 864	2604	CryptoWall.exe	explorer.exe
PID 864 wrote to memory of 1964	864	explorer.exe	svchost.exe
PID 864 wrote to memory of 1964	864	explorer.exe	svchost.exe
PID 864 wrote to memory of 1964	864	explorer.exe	svchost.exe
PID 864 wrote to memory of 1964	864	explorer.exe	svchost.exe
PID 864 wrote to memory of 2792	864	explorer.exe	vssadmin.exe
PID 864 wrote to memory of 2792	864	explorer.exe	vssadmin.exe
PID 864 wrote to memory of 2792	864	explorer.exe	vssadmin.exe
PID 864 wrote to memory of 2792	864	explorer.exe	vssadmin.exe
PID 2712 wrote to memory of 2988	2712	4363463463464363463463463.exe	11.exe
PID 2712 wrote to memory of 2988	2712	4363463463464363463463463.exe	11.exe
PID 2712 wrote to memory of 2988	2712	4363463463464363463463463.exe	11.exe
PID 2712 wrote to memory of 2988	2712	4363463463464363463463463.exe	11.exe
PID 2556 wrote to memory of 2656	2556	Bomb.exe	25.exe
PID 2556 wrote to memory of 2656	2556	Bomb.exe	25.exe
PID 2556 wrote to memory of 2656	2556	Bomb.exe	25.exe
PID 2556 wrote to memory of 1720	2556	Bomb.exe	24.exe
PID 2556 wrote to memory of 1720	2556	Bomb.exe	24.exe
PID 2556 wrote to memory of 1720	2556	Bomb.exe	24.exe
PID 2556 wrote to memory of 988	2556	Bomb.exe	23.exe
PID 2556 wrote to memory of 988	2556	Bomb.exe	23.exe
PID 2556 wrote to memory of 988	2556	Bomb.exe	23.exe
PID 2556 wrote to memory of 2344	2556	Bomb.exe	22.exe
PID 2556 wrote to memory of 2344	2556	Bomb.exe	22.exe
PID 2556 wrote to memory of 2344	2556	Bomb.exe	22.exe
PID 2556 wrote to memory of 712	2556	Bomb.exe	21.exe
PID 2556 wrote to memory of 712	2556	Bomb.exe	21.exe
PID 2556 wrote to memory of 712	2556	Bomb.exe	21.exe
PID 2556 wrote to memory of 2196	2556	Bomb.exe	20.exe
PID 2556 wrote to memory of 2196	2556	Bomb.exe	20.exe
PID 2556 wrote to memory of 2196	2556	Bomb.exe	20.exe
PID 2556 wrote to memory of 2184	2556	Bomb.exe	19.exe
PID 2556 wrote to memory of 2184	2556	Bomb.exe	19.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe
"C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\Files\11.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2988
  - - C:\Windows\sysarddrvs.exe
      C:\Windows\sysarddrvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:1056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4564
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4748
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4088
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4340
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4368
- - C:\Users\Admin\AppData\Local\Temp\Files\bundle.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\bundle.exe"
    3⤵
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
    3⤵
    PID:5460
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      PID:5428
- - C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
    3⤵
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\300216953.exe
      C:\Users\Admin\AppData\Local\Temp\300216953.exe
      4⤵
      PID:6560
- - C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Rage.exe"
    3⤵
    PID:5408
  - - C:\ProgramData\wvtynvwe\AutoIt3.exe
      "C:\ProgramData\wvtynvwe\AutoIt3.exe" C:\ProgramData\wvtynvwe\clxs.a3x
      4⤵
      PID:5072
- - C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3544436.exe"
    3⤵
    PID:6812
- - C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
    3⤵
    PID:6004
  - - C:\Windows\syscapvbrd.exe
      C:\Windows\syscapvbrd.exe
      4⤵
      PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        
        PID:236
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        
        PID:6848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        
        PID:3080
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:7872
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:3172
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:5756
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        
        PID:3572
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        
        PID:5704
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    PID:4112
- C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
  "C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe"
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\asena.exe
  "C:\Users\Admin\AppData\Local\Temp\asena.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:812
- C:\Users\Admin\AppData\Local\Temp\Bomb.exe
  "C:\Users\Admin\AppData\Local\Temp\Bomb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\25.exe
    "C:\Users\Admin\AppData\Local\Temp\25.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\25.exe'
      4⤵
      PID:5096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '25.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5988
- - C:\Users\Admin\AppData\Local\Temp\24.exe
    "C:\Users\Admin\AppData\Local\Temp\24.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\23.exe
    "C:\Users\Admin\AppData\Local\Temp\23.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\23.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '23.exe'
      4⤵
      PID:3584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:5364
- - C:\Users\Admin\AppData\Local\Temp\22.exe
    "C:\Users\Admin\AppData\Local\Temp\22.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '22.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4852
- - C:\Users\Admin\AppData\Local\Temp\21.exe
    "C:\Users\Admin\AppData\Local\Temp\21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\21.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '21.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5244
- - C:\Users\Admin\AppData\Local\Temp\20.exe
    "C:\Users\Admin\AppData\Local\Temp\20.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\20.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '20.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:5944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6420
- - C:\Users\Admin\AppData\Local\Temp\19.exe
    "C:\Users\Admin\AppData\Local\Temp\19.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\19.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '19.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:6264
- - C:\Users\Admin\AppData\Local\Temp\18.exe
    "C:\Users\Admin\AppData\Local\Temp\18.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\17.exe
    "C:\Users\Admin\AppData\Local\Temp\17.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\17.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '17.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4260
- - C:\Users\Admin\AppData\Local\Temp\16.exe
    "C:\Users\Admin\AppData\Local\Temp\16.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\16.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '16.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7072
- - C:\Users\Admin\AppData\Local\Temp\15.exe
    "C:\Users\Admin\AppData\Local\Temp\15.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\15.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '15.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:6040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:4640
- - C:\Users\Admin\AppData\Local\Temp\14.exe
    "C:\Users\Admin\AppData\Local\Temp\14.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\14.exe'
      4⤵
      PID:3836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '14.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:5916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6976
- - C:\Users\Admin\AppData\Local\Temp\13.exe
    "C:\Users\Admin\AppData\Local\Temp\13.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\13.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '13.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5484
- - C:\Users\Admin\AppData\Local\Temp\12.exe
    "C:\Users\Admin\AppData\Local\Temp\12.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\12.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '12.exe'
      4⤵
      PID:5508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:5660
- - C:\Users\Admin\AppData\Local\Temp\11.exe
    "C:\Users\Admin\AppData\Local\Temp\11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\11.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '11.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:4308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4368
- - C:\Users\Admin\AppData\Local\Temp\10.exe
    "C:\Users\Admin\AppData\Local\Temp\10.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '10.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:5176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6440
- - C:\Users\Admin\AppData\Local\Temp\9.exe
    "C:\Users\Admin\AppData\Local\Temp\9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:6396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:6152
- - C:\Users\Admin\AppData\Local\Temp\8.exe
    "C:\Users\Admin\AppData\Local\Temp\8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8.exe'
      4⤵
      PID:4672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:6896
- - C:\Users\Admin\AppData\Local\Temp\7.exe
    "C:\Users\Admin\AppData\Local\Temp\7.exe"
    3⤵
    - Executes dropped EXE
    PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:5548
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '6.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:6176
- - C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    3⤵
    - Executes dropped EXE
    PID:604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6292
- - C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Executes dropped EXE
    PID:1980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      PID:6312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      PID:5032
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    PID:336
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    PID:2020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77-system32'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6012
- C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\syswow64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1964
  - - C:\Windows\syswow64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2074362305-1175842489942929453184734004918700678501482626064-886491786-154530542"
1⤵
PID:4340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18049691861936010472-1679306022889813632802950117-233900588612858215-451084602"
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
27KB

MD5
d8309807a2d692161e16e0fb08e63c60

SHA1
408c8b971ca024c68c94353ec08b542beebf08e2

SHA256
9c16c53c65f088eb5802d5066e8ff7a470d6aea999f43130bd7161c989d09f74

SHA512
62ab9f39494a8bd3fab28551ae41c1710c3e84f7d8dff54d8f0cdde82d7de5a21ea2acc21ea34253543bffab7ef88f1880a464f2f931b3b81b3d8cd091fcee0e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
635B

MD5
21d7f767fce2829a8fc93e58771988aa

SHA1
f369e448307ad1873099a1466f2998b46f1ba370

SHA256
cd422d977a866f9a1ad2ba85e7b58616a07f5fffdbd3ef125d24358988ba2730

SHA512
03fa3a5c5e11ca93d974406245160748473cd6cdc1f6db4332115ddefe5dc22e8592de49519000ede46016b0e98df667a8c4f66a2ce81400ab2eb44668f00e38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
634B

MD5
fed07dd3322020e9c7854f833fd5dbec

SHA1
b72081ede91ca73006e73611e8aa473ec1df8f6f

SHA256
023854d5befb08188034c88a670f322ec6141d4ef28fc38df99d21b8a5fc469c

SHA512
01298ae5c2da1294fbf1ff73301a1e3382552ab9b9860f343f1ccde848238cd24182d4acb650d24c2ed11c87526a2623d28fdf87c87fa195d7def2f3385819dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
862B

MD5
9e4981e8e24280ee3ba4370621b7a9ed

SHA1
084a2f4c0c9d467c89aa31aea6874d39f2fb5ae7

SHA256
94dd32c1ad7e1a0508e1e5a23cd54a83cc51299c4c73b65caa84385983e00e6c

SHA512
4be870acbfe5f6e9d6deb94d5071ed3d08d7add5d1636974d40d34eff7305153bf34814c676dc5ba9a4abb33ed09e709828698a832d128bae0a82fe1343096e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
743B

MD5
6ac8659c3f5f389b41173f2a14f54f61

SHA1
4a9cfc34b77f9a0cce65fcf50d520538279d2761

SHA256
b72a172f5c3cbacf7e3f285c914cf2fffba6053f37c8ed2de2fb2d6055a77e63

SHA512
1fa6111f60c2d48c8f8fd232f5c3974294457aa70d98a4f5e9e325e8ffe19067bfd3c4829fd084b13fd24164225b0b127ccce5908e66624ee66f679684bff57c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
239KB

MD5
89d2a676425f598f8d9da80cb5aabbdf

SHA1
3a859700cb6c9329bbb72a8cc75ed3a5f6f90b66

SHA256
93f2dec73bf2f6ab87221b0c60d4b9b5174fe9d7e13a59a527f79d3a6a184b2e

SHA512
4e5b2469e688922018fd1c19ea62c602934c12a5deb1f5f51b467aaefbf988993536bf1e1a411f4cf815c6cd6e201edb7e11fe985399da50ce7b7e4ec7e5ce53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
2c47415fb405608cc3c4583ec5d4d1c3

SHA1
fae61c85c856b97c96d3cd8e0804802f4e1452f3

SHA256
d157266f320bdfea0b3d75991a40d7f6627754218df5d8828073017aa8358185

SHA512
09627197084f2f484abe10885f6cfe0e12cc01a5595e0e1cbd8207541017de5ba94ec500a39bc34ab708671e48843c60a0889e9cfb545a1e98cd4818218220ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
706B

MD5
3e1dc19f2597302b5a0f2106cf5a017a

SHA1
edc099c81ef2f62f73d144d448172a2492c0dfbb

SHA256
d3a0d8678682cdd1695658499c90e7754b0e8829fbc7974814b9088c8f2d46b7

SHA512
2a6832491454ce701b7165370c24148a03d926cc6ecf934c4664de2658401af9b27bdd43546680b765a443499403f10907b2bdc872f89958156993020cef6479

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
1017B

MD5
b06ae8be821a828f9d405895dc9d9373

SHA1
b7cce7ee725842a57ba0df807e90dd13efc39aae

SHA256
e96f5592a788154debed214d74d8a4134e6a59d03da9f7e9e0e23275de37d079

SHA512
273f9f41d6c098bbd6bd41420cce648ef77528501c118420979ce07f98cec76040b7120e698f143f824fc60e345bf4c0993905ff5c3f47c10aa74ff9c9d617a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
aaa504079482a591766daa98aa284714

SHA1
d47ad03844b5856feb36824bb0649b10c358ec20

SHA256
81f71b8c2c028a93e56b9eb3dc67e28332ff281cf3c9061bacf19a4e8808e684

SHA512
8a3ba59799167b7438e507127b27ed11bbc6b8fe8be78d4b7310d7799b57c7e103b4b08aec07b4c6be397a83c1162d65d332eba92afb3d1690d6793195483913

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
6KB

MD5
7151c6717118a86ab3181aa7510fb22f

SHA1
82815682c080dd8e48b2172cb431581c3e97748b

SHA256
e58d99273feb196a1205f4e7b0e726266338332d16480c79db08d20086e4f357

SHA512
b2e7ef6203d057396010bd8fa6f826aa277a2ab4f438a5a59b6049167048e2e0a5ee21af7500216fde91954eede21fa133f12843fffc60be3d7320b924de9005

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
333186881114692dd46b48d0b7c0dc07

SHA1
4dfc62c3b58fa0ee9a8b3586ce74774432dd4b9f

SHA256
bfff26fb2470653d82ebd008d2022a475ed10d7cf5752736d1fc18353c5d74f9

SHA512
01893f1aada49d3c4b10746c7c61f81533782dc6cb2f5bb9acaa11cd7a6b1e08afcaa4ca858120c02038e272b3423ef036e18017bb27fb6b6c58d2dfdd656fe1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
5KB

MD5
3d395d5dc6abde9d8b67d5a28891153e

SHA1
eb542a2a8f6400385fb3273234fda890d97e13e8

SHA256
e45e99f545ec61b9fd84a3be93a5abf89af9a7728c3905ca63a8c1c5bfcc16f3

SHA512
6c5b0be2a74d90ad388011d43e76d115ea105aa71755e9cfb2dc6e016024c08e8da5e8a6df195d6a6e646c684204b5f59c8e32359b125c91dc2678051d39400a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
22KB

MD5
b53a6fad2bf6c4b6c2b298eff0a0efe1

SHA1
3d88664aa623f662d5e73aa8694cf2bf571f778c

SHA256
3fbeaf9ffc7cc479ff4319535b532c5a818a6434e33365ff4f1a67a45e87e637

SHA512
f1dfaab7a55650d2220feb75079aa56aded7f33a5a8fec2928383e8caa6675d9ae735672f1c684b8125a00fc99b66bfb3ccc3b3821ff5f6df55b9fdfba0d8393

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
627B

MD5
cd1dcf2fc1d3eb9e092caee6e83ea2ee

SHA1
b6fd1bea5fa78c6dc307f884a97be54154c7cca8

SHA256
3eca3310ed5211669073330efd0cc17c88e624a21f7821cd93f64cb0892d4496

SHA512
c74734539a386f5d291afcb1d8ed86f73cb5ea7218dd391dc23a6ae9c7f02bafd883de025fe5c51bf051908756b94d3568d4d64d33cc85a155616f546b55c334

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
4a553ea60cf64cd44d0e9d226478cc23

SHA1
2ed48423b9806d52c70387a7bcb0f5e1c7f5c5d4

SHA256
7da6cf52880fb4bc8a909aa02bea19a2a4098f74c5d18700eec99a00d429bf60

SHA512
5a487ac6cc1b27a1cbc8ad6fb9992d2bae5d5db6a8636819e85026be4d1f95ca70437d3d93ed7a9a91ddd59e8397f62e1bee5df5bc0d45cf52c78b96ab2dffca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
41f889a885c1c7fec9ce424237fd9bbf

SHA1
2643d784cd87620ae108747b9d5d01d1c93cd178

SHA256
5d789f7216f5fae4aa2639b73f2f5bf0759fd9b5e039d56535deab913a7ed9ea

SHA512
28900766686bf94a81d156386333cd7c28863031b2431cd6c3f9c6b38028081af205794f3517301385251a67ff3606f1052997a7e2a6d70a2cf2ee2f85e45c4a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
320722cd7b71497971d6816bb9045366

SHA1
86d115040efc0b30a35968ddfeb42ce2e783644b

SHA256
9b2fc1852094341f7e3ff85911c69749a3949c98271b85fefc3e5efe4294e3c9

SHA512
7f5922e5ba8b36a337df8171ba5d570041651825bf3f05c39b652fc83adc069cfb54409345fd6053f2d8935313edf329e15d5cc990b66f5f1dd9ab8ea3ac9d78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
803f89a1ea9be0860aca593032188b40

SHA1
82b9157d0ec8bbfa6b0815d0fa1e6fc62b903a45

SHA256
825d5641535ca52bafbc0a102596ad37593ee5f9e7b025a5e099339b84566d52

SHA512
0ad6f75c73043e78ebf21e545031a1048944508d34dbe6cbb17854d9909f4b73ec230a707c1bcd127b0a0b80feb910c2aa3e8079a2422bfec195ba12254716db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
c98bfd8c6302d9db85fa1d9339576017

SHA1
4eddfeb92f2d8752e52dd10a1ad01997940fb24a

SHA256
0fc51bb468516ff212c16536268def505073f1e45a54ace5379a4894f6760d4f

SHA512
63392155203b58b793f0cfe4b901a54165e46bcea3f60b4746ac13f5f36cc3a3b83559e124651ef6211fb89fd46567f91b01b5a43bfd5bb30f75db5759802aa2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
786c7d558393ffeea8aef19714c0aad6

SHA1
1055047ce1171664506533935a53922d2966009e

SHA256
1e0cb766506a95fe8fff45767086af62956ae3c647a6558e0929ba28281ad1e0

SHA512
08283e08c9bc450f62b0731d308ecbf1e570a9fb2b66e2a6b9323563ed2cb5769d11bada5d81c6e83d3f9f3a8295b3e1858e7870b8fe1fd35c3627f4c4dc7a8a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
3KB

MD5
1fb32e8aaca95e7a927d5776c113f5dd

SHA1
5580c8ad44cc4a912825d7a04d7c72e1ddb21be1

SHA256
f0c6f7c6ab605bfa0db4f52537a5911dcc8144bdaa16c540d637b702ce254d30

SHA512
6eea1e4e6bfd06dfe9506130bb7630ebbe1d3898c046f8cb6c48f67e960e7274ac5311bcc4e678471e387ee2b71955d406b9b125ad9e2fb2b68ecc1040e5e260

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
6d3005412d51eeb65ec4ec5b0a2d9a79

SHA1
667873bad57bbd2c2d8b9a6cecf4c407ab25fedf

SHA256
9d0dadd1517ae1ea4c023327ea4c50d2bbcae24185e5067c1e7ee9afbc918134

SHA512
bd4921d1d236cb5dad2b5e37f9b22cd5743abd185197a0d0d5473f6bec7e9d07c691a5311e512ce53ad74f9eda7463755676dbf1c72c0d524fd46807b7345c78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
839B

MD5
2c6651656b6d85fba990e260cb171b8d

SHA1
12216dec3e3688da2bbb30fd8e23fd664d300836

SHA256
46fec439e9533bc9cebd89d4b7b64e3b806f08be2fcd0870011a69057323bd08

SHA512
90db526fb16aa84012a0db27eb1f399dc460bd78d9d4fd54058354f7bf68a18a42cfeeb539854d736d7bf61631fc18bd5215982fc30fd144df02f2cc5d9a02f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
bf92fad658b2d78cf0e7044a256088df

SHA1
a47850752d6316354a382dfe4119bbcc6c1dfe67

SHA256
777e5146d53c4232426ed710d6af061296e08246de1563d54427c7d0a7c0db2e

SHA512
40df984beae061494dda7cc42f11fff4c5f2caac44ecced13da5ab4ecde7bc2892c99dfc2b37f002ebc01e4006f53726d24e79ef8ae2cc5fc37d0860e9445f95

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
776B

MD5
f99efe78233ad67e665cdfdcbce421e6

SHA1
81424c0ae41feac686bd58114f55245d898aa874

SHA256
a3a475d24a36706910c416270f7e188dfe5610b5a23eefb4478d21e8ee545e41

SHA512
22d5b4458842a8f5d7d2d2cb6e8b0156f6d61392eebe9a136fd7777fda0a41b35e9b998c165da87a577fab80b8bcc70d583e7fdaa73e123dc4eb6ddaf585631b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
844B

MD5
291d50d8707ec4e0c625c0a98847fa16

SHA1
b77cddeaad98aef27697fffdb505f78fea35d883

SHA256
8bdd73891a55ed0a561264be03a1e07b99c8a6a7148fe2b3932a742ad41cce9c

SHA512
4ced63b339c90c72de93e6be802454a26eae03ac9f539a30b06ea1bf67251f01c29f9815d8e0de8157cdfe41a0a2370a09c7b8c0bad3d7a994ae5dbe28e9a16b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
888B

MD5
ea90ddf84e079f6e7f30154e7a70a2dc

SHA1
816fa0e48366d559dc33abab906f2aa9c9d76186

SHA256
75781eeb6124211bb472fc3fab79ea20ad701effa205ea266c57ef05db9733a9

SHA512
418bf3dcc062e2a55d578ecd96b961c4690e06485f10e0a16a54462d4c3f073d4b01f8752eb32a6075cebceca697136e7509ee6035a21678ff0aa7a208c83932

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
669B

MD5
70d08bb04fdbfb6ffbc4b24ca2766bf6

SHA1
ad4d21acdb545031c639abb4bdfcbc75b0f0df02

SHA256
e215bd64753063fefc13798ba7cc869c3d1a1ae0aa12bc6a480d15aefb439d08

SHA512
51956118867cce42334870a2936f79bd66e7e455e08f1b80d31932c628adcfcd4235cbcb5ffbc2859b348425917f4a34f0165577b4f40a55d2e9ae223f769be0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
961B

MD5
898af9d6f7fdc6608eb723933fbb5e87

SHA1
db39abc19028f664a7eeffaf4e66a218c6f0b737

SHA256
64fa43b7103a2d2270e3f7aec306cd32c9c8daa6cb0004869de0b3d4d3689695

SHA512
004090127e51c65704a4d41b35222153a37d106edbdc93176d0369971bb7cb88751d730255d70c8551005cebf68cadda26e7beda397e9fcfde1708910f97672c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
983B

MD5
769cfba2adf7bb378ee8d4bbd64ceec0

SHA1
789bc0b941138ba349fd673668411e577efa05c9

SHA256
7c7049167c80b97806dbf19f843c95bc31dd4048787bdf8cffb3b4d94969e48d

SHA512
2b015d855c044490b63085fb4ad35b3e789c6bab14574eee33fe578fb8c123b95e325a9116ecddf665d5246e86424e2752a228894e8003810eefcbde8bd47ab5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
788B

MD5
e4c7246f5a77f797795152b9fdf452d1

SHA1
37cfe0ce3cccf96690d78df89c9e8549c710cd72

SHA256
8dbcdf5d8d5ad8147a90c5ffa5d48363eb4df471c04ebb8c8271c72221d921b4

SHA512
47c9ffe3e2f017b052eec3ed8790aada39e38ae375628b903b6228cf1b26aede770a5e4d474506fd265dbe5c2f39aa802a4b1af25e409bffa385f2b934999e07

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
5a87b3e178f28f23888f8be60f873059

SHA1
6c6e3d24a245e55490fae730b12ca96391f6c9e7

SHA256
dfae9e35612ae702ad4d523ce9a7a63adf336f0c015db7046c8293a1d26b5d8e

SHA512
02389f41d6b23d93fe67796ee1a02a80c9be51d501979172b9a208caa9f3630ba9d6b489fbe867409054134282a076caa9a2faacd4cf65a43ffce6673a61a31f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
793afd4126d9ae959f5c7921ca104e8e

SHA1
430c99dbd514e8008ca307d8c5f6a681f12b45e6

SHA256
87c23c855eec12b55af02fa373e13889291cd5794c849a96adf3bbb28ce474c2

SHA512
5344d67caeedf24acda88e06080ac36c20f0dda9d98a8d99d02ba1a490ed0223555d44c427d3bc7b55f3668fd1cd142bc60895b1a089c1fee2b42e574b9dde20

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
983B

MD5
da08835035a0200915a66488c7cde475

SHA1
b4ca4fbd65abefb444fee054ff6505c7120ec4bf

SHA256
f6a410f064501b97dcd718febc6ea63fb91bab1c506ee7239f89e430979de620

SHA512
aaa3cf4c7fc4a976e7080623a5c6b86d37c870e87da5dc35c9177ccaa3329380f5c85739f9d2b9991a54a6b3670ba62977786451b4252ca942388856ae2711f2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
785B

MD5
444391b3d9e3ede6ca88a224ddbd5a29

SHA1
e203bd7a216620c7a0387be8e613102ddcfc193c

SHA256
1e29bbc62d9016d8e0a6eae2988e2c3b6ed4937929e141f6e03012c225b7f7e8

SHA512
a76190dfc9d6539d1d47d32cd1468434641e92e3dcc9887989300a1172ac4ae82a24c1b29cad11d760c4880159aac5f350ac3bbc49de39bd25cef7d269b0fea5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
754B

MD5
c784d74f6ee4ce3eced6e648a8d908fd

SHA1
0f43f620688f5938cac252c22783efad3c739bbf

SHA256
9a8a8560fea33acf234d852821c71ad7fa806ef13f6124f01d3e62fe675b2850

SHA512
b2f19910ad2f9ffc1633c5a20a4d5ed864eaae2810dee12ce2191a08a0afc7be1739d11e7f5dd45505d9e53839731d9933b37fed7ebc2c49517c19458aea4e49

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
885B

MD5
70d1d1105a7bb26266f42e8ff215cfc6

SHA1
27616d09f82b050556e4a48047236dc35d92d962

SHA256
a0939672bccb4f6eb3d3adc13071d277816f1ea7e9f16d6fb74b852e9a3b3cc8

SHA512
a99d83a63678a2dfab76d2f35864d183e1b3e9af876dd39038ffa2b412f6ba80396207996e822ae73c5494a5c0dae58790776935034dbe875ca7ffc5fedca57b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
885B

MD5
72fb9fde1bdec45be63834fec4a84742

SHA1
323ac28dedf92e64ff53541c12f6f1a55eb9ebad

SHA256
cc0960eff6dc5ee71908e8c8bf065fc632a5473c2e29e9b836d7e2a786a7ff11

SHA512
fb78567d50ddd78bed41bc4f78a676353501d35b8fbada9d63a58be2eec6353e917ce0ee2b6edcb4f544b5d9261f9d29e7a2630fdfbc27e82893afc7ac86b57a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
7KB

MD5
b15e4ec317679de35de5715a99a1e245

SHA1
8d7f7f611d5c91b06f4505f079c5c40c9c4fc99a

SHA256
fb12e4e445e0d1c9acac71f1069d15d31a3abe169f327a6c41495dc183b606a5

SHA512
4808fe267da4fbcafe0475dcefbe52c3af4a8242b73a81019608193c1188331939c2057649c5c7815a78f482a1ff9d2070aefe45be638079635e1af9a7996a62

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
949B

MD5
511666c5e98cca14598cc330eab15062

SHA1
9f0b5175a3f0da5236d464fe26f24d8f534a5fc4

SHA256
e200a1adc451a421072547e17d8f490c0351014bb9d7cac68f8713675cedbb8e

SHA512
80f3399f645b282154b043fff1b4d1911fe94323310ccdeed234743d4b62e6962b5e5e326ffc7fc3d26c08444793950c2e4dff0f8cb980264b5280ff05c3c230

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
b93c11acc858b27c7f1abc0f31e07a07

SHA1
2c13490ba6379044346a4e41782ae0ccf6cacaf3

SHA256
ae7abd131c37c67382fa415104de899e08b00193e222032d45cf6a29ad34b380

SHA512
5314edbbcb1f002f760f854ae0af0d3ce3158efeb881a97f99f88cbcb64595fc31e0c4d9a4e7bdd4120060bf10b9f8793eced8bfb349d78ed1f27bd1246df028

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
1KB

MD5
4a492a3e9b141bc20803caa10f9b0635

SHA1
66ef17039f1262469c1a5324c44c2243dfa77c47

SHA256
6017017c185f05e1b4afcd95d852e3b9b5f50e781389560d339af1ba55a35742

SHA512
6c20ad3ff442f06e2e3a3673a4f9894b4254866a7df986ab5691707c2fc6928e69f5c62ee2fd8ae06cee35fac2233ae5b6ae29a722dea076fc7697c12486a778

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
1KB

MD5
9b4d5067f72a4c88ea198b67a84946e9

SHA1
faddd669efcf94d6134916a3e11640173a06d7b9

SHA256
d3ffff032628e2d71a0743565d9728c7ee9c79b2995977526a92305efea245af

SHA512
b8da5f8ef32fec331ffcef4c302c65952e996623d916a40d1de7b1a3ae4f36ed58ea9cf856ab008c9187dfaf80cc86f8bbedd81bf0c21a5e578ca6c92f259189

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
839B

MD5
da31a9cf34d9afbac378a8d92184aa00

SHA1
6d680dcc9cd941eac0a0a4494449c7782b7f22be

SHA256
96b6f00b6c3ef01d3a580333a3d4982f8d628ff1954c2e196675d44ba8a40bff

SHA512
03e5484746c5e58dd436371a20a9f47a4bae1172e069c77a63fd4ddcccda34ccce8473a2258bef59e48b6e910069e1165fe0b4b9dd15800ed04b006271126d33

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
69f89fd00d65773c6ee85c857c3ed1ee

SHA1
97667b22fb014eeabcc16915e9ab25778c8fe8b6

SHA256
4579db116b3dbf804101eece82e6a260deaf811fd12ef6e0e7be935f8555f953

SHA512
f5bd812629e7d5998f3beeb9742ce9eb6e8e54d47e8fe659d76ccbc9298b7afab28933a58e3451a4ea9092f893d7e15da04bad356caa5f3f2a50a4daf24d566c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
3KB

MD5
3fc15186467a2e8aa17f9fe3228d4631

SHA1
5beae2b74bf1294abd09de884fba7c1f546d855a

SHA256
8a15d597dc81b11e8706e8d13c15cb2f46554f9cc926b05f393f62fe6ff17001

SHA512
534d247fae9a86b2758305caaf290f8662a34cf318a0deb0929770a0884f4c3df81e5607fae805dacf24c64c43e7f462d9bf42a278e494dc096d64e5c63d43ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
20KB

MD5
a364aeea3065edc8b3f6ce9ea4e45206

SHA1
e435981af4c84693990043c5fc5663578d5e28bc

SHA256
1b2335a4150a69659ffd8e54aae892923fd587f272e8b7237b68a457fad19a33

SHA512
5c269ce76dfba92cbdb2ef900b2eba18184960ae6398d855d906e298158c09e572e6dca6b25d0aeca0d91c57f65dd51b77307da1947eeafed3118b4d18a64f07

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
1KB

MD5
06d4b5780b66005cca3dc2ee5a731192

SHA1
611e17656275520bf8919cc0ecccf0ffc2a30f40

SHA256
55a69cf699adb87d6d8fe77f022d28d270e4da52f9e44bc7e7ff3c67666031c2

SHA512
a9e5f0d4e7e3a987586a0f7e4697eca25b6630172642d582b0938ad2e1390f3d6b42236ab1aee07fc27aa9014e1fa935a2e745de3cf42b6c02d5a2f3138260a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
1KB

MD5
9940c182f55827ff89ac8ad402924d8f

SHA1
049b9216030b96fc50726b234a89b872406be716

SHA256
17c2e211f8c5822e19b607aab3bb69d2d00c4ba9fb4baee08c1396b93e0e53cb

SHA512
551b6185e6cbd6c30bcac5ad7eac8636f2bc9419d79de2289ded6d41405138c9ee192b1f493566cc877d83c4f8d11e592767c4c5a7040edd976cd55fc4d5ed46

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
1KB

MD5
25ca07430d272af8b5a82589dd3cbfbc

SHA1
e2ea17b7e127717f95c440cb8059751cacbe0200

SHA256
696f7099897c353c5de1cd348b7930c6c79c172422142848e6452d885c5eec21

SHA512
79897e24a5f30e8b17e4fed675c1291bd665d8858ac3b858560f8daacbcae41a78b4d7a104a21684d0cdd670e822ba97cdfbdc9a103a8c53892393ccf423ee3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
1KB

MD5
38c71e78985437c211e2280351f06d66

SHA1
7276706448289c233ca3309d4aab96854a11af29

SHA256
76ffae838b381646c6ea0c811fed9e7848a80e7fc8cb936861ef0d2a64009b26

SHA512
f4bf61b575d4e82906f2a6cbbd18ed5ec09a734414cd0ebca8a7729b7a907c595c7facf12cda929897b2a1ab48a636dc0d3eb1d3fc70e7daded441230a0670ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
1KB

MD5
ec22cfdea6bb631314af95a756889543

SHA1
5022c530ef7ddb1a8e9ee65165680807c9f679e4

SHA256
b1a67fe4e7eab1b6a2cab473be54c3c4e7183ba63360bfd504c24b8fc656dc2a

SHA512
3ad01a4cc88de5d5fc3667de3ba071d5afaec8dd385ec702d8bf607705393d45cf0532289cbcc04210ab5944ec7de7ba9a0e008d2e4699351c9a5282fa3974e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
1KB

MD5
8932b5ce4e07abede099a6fdca919217

SHA1
e4397f93752d77fd69a384894a9c0ff1b271ff2c

SHA256
d9c22f880266ac39d4d46deb3be0329a1a6f4dfded37d7f30f609a194eca4bcb

SHA512
ea3a95355dd601571456bdf4f29c0b9f59c7d0939c7c5ffd54828d49d7474413fa7b5cdcf06b564cd9972ff255af9a7b87df129f390eb70ce2e61fe1a005676c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
1KB

MD5
12e655d47c10766497beea6601b2a13f

SHA1
f8b52d84ccf18b23b696482bd8ddd228f6346dbb

SHA256
756a56f3829d05ff6ed1638d89300a5531a7846149069fbc36b0cb96cb2db009

SHA512
ea3ddbf71f7466948f20f88effaf739a9a6d45296f5097abeb1edf85384ca7719b81cf3e1a8e1e22efa96e001e5ecb3e68e819ea6c065267cb425d5fe3ce08f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
55bf2dbd91633c07c399a93b33fd633c

SHA1
e12eab3c1c3ff174f76859cc505fc6b96fc300e6

SHA256
57775bd7d5d8d8ae3698624cb042150754e33dd717d5c443242f1e0cd431ffd9

SHA512
a47c37f7690aee3f3051b623fc9b5ebe4539a3f513c68dcc92b784522487b0dfd3f22ddc6065ae271b771bdfb66902730d4639fd983c663a8b75b711a1b52560

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
2KB

MD5
48f35fc081733ef0b89ebe8947c4c52e

SHA1
9d1a3df2a8f3caeb02139ed03a27fa230f9deb40

SHA256
45aa58577c8e0d69fedc1b0fd4a641df763da6a2ffd7af915da3ee4990982e41

SHA512
1a406a471266762b64cf053f5ac518bff590178ae812eb7e810fb1a9a366d396a07bbb55af6086cd63a66a6304da2b5ff75ad37020e0c40a5d5adff2d4c58639

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
1KB

MD5
16d25744615d0badceadca3944e93955

SHA1
3bff65978c3866717da8da5fdbce61a2919ba146

SHA256
c793740d8a5a1b69e1929cdf1ce965fb64407c8d41d4b851d584af0ea76bd8cd

SHA512
1484514b4b9b8b11ca88587f56a5aa370efe944eb5a26430f19d91921ed54d271d9ec5ea68d0ac5641d65c21bacddd25c5a2a1bd0c8c952138409f111f78fd2c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
1KB

MD5
21e9bfe34b75876bb69a6922011a934b

SHA1
03630e54a4c37874e7a6598bd218ddd8c37b268e

SHA256
2bc2969d5cdacba69ab2df9d91a27a96c30295644b2bc8d5dad57ef1ab4d002d

SHA512
9a5654649611ef8ef71ef96c1f6a61c50d0be704a9a2c2cdbd96db7766812814926b4b16892d9ef336929a8607925b14e94817e49e52a53413f970dc34e321cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
1KB

MD5
aa0f4bce6220f357b508b7cc015b1e7a

SHA1
22ff09b2b6be19d15ee46a00328504403a233a15

SHA256
d85f7f2ae24bccc4c44bcc918c2a157ac4277c75141f120ecdc325683d87fe75

SHA512
4af7014160fb64b7d247fc9cbe45ecf06fc15bdeba1ac8421724b9a238d2ae50ecbc8329f5138f328bf3fe67a619ef2ccc81ab78bf0819d919d09869e9b3922e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
1KB

MD5
033097a48848077fc6176caa6cb9f837

SHA1
3c88a7a76d96f985affcef8999d16b718f2ceb03

SHA256
7f29d944845ad9f3b409f0549d291a5cdb2fbd4224023f21c136c131f2f2dc3d

SHA512
d9ca180a6a9fd48d053ecde1b8cc85787760035c90221d01399677f0b09cf9f9627bee9f96aeb01fd49478ded412a9e4cab0a387a3e19d537995dbf5e7efafbe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
1KB

MD5
def6b153635fee7b065c14806c975b9d

SHA1
25806a89a979a052cc469955da84fa33acab24e4

SHA256
0ec8d6c3b7d583d26d371c7b26d4c7878eb6023fb84aa5cf568f325eea5d436d

SHA512
e0a748faa438f636de758669bbe4d974c0b280701f722d0a46a1eb16fe7386b2bf18f00a2322a1d9c831b580d9199bc904d7c93f4150437abc80300c594b6fc2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
1KB

MD5
40fb58c1d89d39f22d957bb22058c69c

SHA1
b4462d6885e80ea3a7e72242d4480eeb630798aa

SHA256
97a961a34ddd4656e3640401ac5aeb57a108df8daa0fd13f6c330704c7b09ea3

SHA512
ce119621643dcda2307e5d7baf6ab9a8a4abeef65e58e999ec5b2ce386c7d8f933448f0219bfdfdf0b741849bef56c8f50d349b55bcfc916e84bc9bf93d0632f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
1KB

MD5
5975dcf26170907b2c8f414b58056c0c

SHA1
80095cd5ad56dcd5e4f327f803043d5bc53ec142

SHA256
6299528f2dd299b9bba40956128b4a60e5bb4de1bbd890e0f82d6d96d7e804c1

SHA512
2599eaac2f9d51c46cb7986f4ba2388cd13a1ecc4b7e949925ca0aeade24597290264975ab0507342d4e2bf5f2dc49b34cd85899e9019b96efea7e29a097bf6f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
1KB

MD5
562b794a3edd9d35e093131a60ec1ad1

SHA1
47fad266861b8f2a9f95ee176f64724954b00697

SHA256
fa4bf2b6685dd5d72da879806387ae89ac1f67b4fd287ddcc507e7eef93d0e29

SHA512
3954a147472c4d1e9332f4cdfee43be127ae1d2b91571fb37b4d5e0bc8dc7392573b8c6ffb9be169761b50197ca94a1fc5eb547fad3c4ea98719c34ed776055d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
1KB

MD5
8a124aa31ce2a94bd21b07fac3e2c30c

SHA1
d002a800c080f51afa58ef7a80121a3262fa24fb

SHA256
b7a89d543be7839da1daeccc83a835e8e9d6c656a5f1dedc50330d5a33205379

SHA512
e2bcacd7ad3b9c984dcc22cac979815d4b4a118cf27bb006a26139a3c1464c52c748caedfaefc4f8afd35c20647fe4b69dc99ae1aa77a29d8d9f2085fe5330d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
394c3e981c39fdc4969d636016e7b7ba

SHA1
1dff21e05d82fd93b794d4d4018df86593a1ee58

SHA256
60199d8c78d30e8fcab2a8c67347b038b5142dcbd32aab078f1a8bd83235f8fc

SHA512
0821c8d8815da054cf2ac2b2db26e8802f5dde4b248073a224d7f53bf7652f499e0fd70214cf5fea298324079e78697a104ad96abbac13ee26d28e217d388c66

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
1KB

MD5
e61687b1f01b5429716898c6eff54bcb

SHA1
e4ab09121da12b8f30283c743f465e87c1970889

SHA256
ab6810846985fcec2a3c5c18f3305fd2cc74589e5676d5aeaf67b90198cb238d

SHA512
e69ced5c73651fa9ad66aca9684eeaedfa90dc766fed020f0e7fe3c95f3dc030014cf6cb48590e163f4452964051af5e3d47c2eeda915aba761dd9a591f3d7d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
1KB

MD5
b8f0072361664337aaf96a8d23a3b21b

SHA1
c18a52fa86e136d6edd31a08206ebf4bc3dfeb8a

SHA256
1605d03bb1ab620f78f299e1292207919473e480473ab4dedc8af03d2ff93df4

SHA512
d08639a2f2c220b006d32dd0288f065984658a0b94e57bc63167f9d5307a20a75a5f6f8b08aceb919fa075d7eb28c8d5db1d7300fe80feceee9a0f25330279b5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
6KB

MD5
a9e2ab81a8952761f52b552236a7e9d7

SHA1
2e7781f515687e47d9f511e4c624ab70bfbde28f

SHA256
a06530fda7a225e07179b520665c35225ca3b9ec296bbd911751219f558c9a41

SHA512
9665259aedfc5a42ddf6d034bf5345d8e4454c522064f81fbc775a5ee8c2bea70ed36d42956f18ad81e98f21cee0dd4865ef6d8b89293d6f028f066ddb4ff2e8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
674B

MD5
d496040bca8d72f77fabcd7414aa6158

SHA1
9e901e8bea8aab6a0b24d6fd1a814fdd4b97ef48

SHA256
e2e6b2a2744138d14c7988969d1ab45b3d50c2b3a741a2345f46e31cb4a0a9a9

SHA512
e13ab67c16d4a94755fe454468a0397b88ad91c9033d7cf23368e814bf4cf10f15c83f18d677bf405d3493317f7df6d2a4187a7d42d8ce991fbf7c74b21f0780

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST

Filesize
548B

MD5
bbf2950470f6bca2791d51cd415b844c

SHA1
e42d1f1a55ce49fc0b4fb3a4a69e1a1c0cfa66e7

SHA256
93fc99da30b1a3f4ff6c18c86cce2d92e425e3e6f57cddbfa561bdf263fdf7b3

SHA512
6aaf3c7adcf626ae138841588ac9aa4dd2b43c46e39f46e7e678fa810e14a4816e42bfdb892534a1783241e23e6dfafb08379267a4d1a6a7c3a91bdfd82916ac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
548B

MD5
c93cba316a0b7c11308d5e20fe1ca5ff

SHA1
2cb3bf026e801734a08672dfb704751fffd5a836

SHA256
f45165c8de5a03c4452e48353d23552d295b61b492ac94648181d6b8e11a13dd

SHA512
4accfb14cc2eea87bafdbb6864c98d29bff05c5fdcaabe642c2fb19b7ec51eba7fac315318b50443a37469e245d7c4fd452884202a950bdb474ef514133e9641

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST

Filesize
548B

MD5
4ffb949a432f7820c34314d21723c3aa

SHA1
e7284ed809ebd1bf15f3b3b3bce48cff72859c14

SHA256
68e55e76413a8d16e1d71523c6c08a187aba2ddb76ad620d8bbcb908aaa77dcd

SHA512
14fdee6e1e83c5cbb8f751df9d1d06914532b628a50e26cfabf4de631f451c4f36f547601e2cbdbefa3371bb95650f1dd1582d96f0c4cdfea17df68af5f3bb44

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST

Filesize
548B

MD5
ebfb3775e5389af6014c6be9dbe16fba

SHA1
2c3a469a059cb099860d4703c2fe511206e77d35

SHA256
1776c8813c0db6acf6dfcb8d1341dc482835b14c53be6f42c31b253a33237257

SHA512
01913c6e727972b220c2776929a6795df8577747551ee8895b12e09c29fe04fc93ed6f8b0e1151a8eb8003d4c37976b0e6f18d0ec47a9d66694fd988df604de0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
2afce00b03847a21b770bc6c18baf76b

SHA1
5508a2d4c2dd3df06c6da6a21d1b1b21951cfd5a

SHA256
ae8115dcd2c37964f6cd13b07aace6299eb6a432768fe389eb8425c668a7bd41

SHA512
c48f4df2d9ee2e88b421c17125b33913768e7f08ded3c0f20f2d9f849411a42cddeedf427d0574fd42826a62d7530e126c3f0f2f48d5451f01e7a532207f89ed

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
9KB

MD5
0c42300632e32288ff570ce483d9a0cd

SHA1
7adb981252487ae011c23417b36c30d7a6639b0e

SHA256
f05aa8c043aadc7de0b705c283fb0ba0cd47a0bc3c004ab6a4b6a079d45bc069

SHA512
90bc3501a34d83538dbe6e6e678fbbef0eb61f01215920937a01a3c61f969b97b849035aca477298943f22fbca8841981aa1c9616e59c7da2a2a0f73c0b02e5f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
578B

MD5
28ec3b3fb91ce01fee4a23afe6d495b8

SHA1
62791ca6f6776f622afc2130b91ec656542b0e26

SHA256
50c49c70f876fcefb2a02d0b4bb0d2507334d85d33e82a03f4642c5ef28e0c35

SHA512
2fffc98acbb49e2c4657b9733ddbfa497ad755c61e23011efb83bf09d82d670553d5029ba6ae351cbe54d62ec323d238e205659cb4b0bd4f6205c8b0be0af9ee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3c906c0a4efe19a7db03f7573d7a1c07

SHA1
38239ae6caac94859ec6777a8a736b53882a2fa2

SHA256
fc84b08b005e45462274bb193618522eae0e00de6b6e2a3ba541b127f33d6135

SHA512
b70d3909e888a9dda89249187480abb482e02e321388a79a74cfa601a479aab9459f7a6247491d88c78d8d2f134f0ebd72f18783b69218f2308c09597fc9b708

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
cfd8a1cff61f1cea25d87d7554a7dffa

SHA1
a2cb7fa2f315b19d9b812efe1bb3e040884168e2

SHA256
a01266c2fa1bc0dce1c58b3164986aa741891717ecc876007e7b53ab77c22ab9

SHA512
df89c201ed7f3820bf9445f08f22f98cadf8baf0295f1017d75acc01a521884d59b19e61741e46c7fe68171835d24d63a6744d481516b2bbb5d4282faa47f7bd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
77f6d2bc64ae913f42ab4fc665ebbbe8

SHA1
e641034d06a4a54009172345b7951eed065fcc34

SHA256
4a692c9f48441c835620b59f439e904046ea28d96cb4f3d489acc5371fe4abec

SHA512
6950df12c8c11a6c44517b45ff4fd7290f28140b14c5c5017ac115e2ef291516545909bb6eced0bea20aaf01e76b993ba8e80747eba05e8df18e8bf7e6a56775

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
654B

MD5
ed612172a4dc4a355506afa9ac14242d

SHA1
1a7c8f60daa14330ee4be00ba1d48979c8e35fe0

SHA256
2152771d4d86abd0413eb72ad1360527254c2ac01baccfea3c4e5baed0090eeb

SHA512
a6e0dc5ec82f90269f69e5a085f42eb944fbe0823bcd73d788ef5330c2faa6c80ecb40e7421657aa760de4f94a0f50e2c166de104c355fac50300e876e455d7c

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
75542d5e8185176c6f791bcc45450455

SHA1
2f470e6a577bd12920bd71eed2170053e558ced4

SHA256
78183f799de19631f41b3ba64683d86fda933007665a9281ec149dd6d679167d

SHA512
e2fdd03b783e9a70dd29c0bfaf3e4d1121939a98b4f9c8a16c5778a486f27b5ad3fb181a4e5582374fdf419c73d2c7a721653fd7e180efa278c09da21ed56ce9

Download Submit
C:\Program Files\Java\jre7\LICENSE

Filesize
562B

MD5
2c8dfb153af5030a6dd2d18ccf404b94

SHA1
6b873f29351dd6c437886c23af39188e5c5e89f2

SHA256
94be1cd1b9d530d47e26132165c58420dda2f9f3fb54ce0093399de17608741f

SHA512
b6e08b1cbb2cf85764a4df3c1131200c99810418b4103db7e15b4c3a5bdcb992ae057e38dea0234e332f00e1f19371ee38c958e29bbbf850ac89b65f263d03fb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
643e4f30b7209212b9ab827908c678bd

SHA1
ef495e9b5554d191a97022e617c0516746e68f77

SHA256
fca1bf2db55a1b30ac62a8ae66fd76332f867e560136faac48d3e76b20192d34

SHA512
2d52abd7bf3f135c0d8962907db7906b0c4b3e03e742c050ae47d63dcbe318a4730f1debb3e0cbccc2ea2746c6709f75dcb80667e64c3abc3466ecd34ded732f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
b6130b62afb68defb21c8b9d166505e6

SHA1
c154e7340f79473a8e41e181d6ce93ce91b4c129

SHA256
e38687c022c655b9e25aa0e2809e156f51481f2c987e4dc2b382960dd143d307

SHA512
a1e5a28bfbfa94558d9444c7f310c7a75be06a6e2a220e41711f16d59834046b52947fef1ff032073e61dcb2c2147743462c6c1293dff2c06bd626a77cf5cfe1

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
4KB

MD5
fc72cfc5f60b45c1be45954bc5f6cea2

SHA1
e0b263e9695ac6200bc86adde545c5ef168e2250

SHA256
1d85a6b1ab39f30d902e82b94c705a771b00a41a7398b604fc7aaac67a890a5a

SHA512
19e989f01a0c0f8e78a02fdef16ce4807c9c6eb8febbaf53e45384980af21e1605278cf614bc8f306262f48dfb298a6d29396f166ccd53417ef6049f23e0754a

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
548B

MD5
fa5e196dbfcccdef28459d310d523f63

SHA1
b5e299f4812e71183bdb27cbc0ece85160fede4a

SHA256
7bfb18ade5066e79c1180424bf0350cc13bd6ae946046c392141e3096a3450ba

SHA512
47c2d4d302038fa66d6357414a09826784978476afdd584d20e91a935758d1ecbc4252dd2ba698d0ac3c1f345608657d0e3de81ee453795cba90db27bc139432

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
1KB

MD5
ce99d8dac29ae43bfbaa64d4e5d08978

SHA1
d2e8d7e6a3544f5141d0630a701913c583f887dc

SHA256
629d49f4d841b7b15dc40c10ed7985e2c246c53da33bdcb6c2d4eee09cb16889

SHA512
98a329ab22aedbb650c80a031f246e3a2a3a5700d1737a76e23539f668be8f9681d9c6ee377a85e574de7dbc40c244f923c620ede0c9110ea7f11255bc56b661

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
548B

MD5
513bc457cd0cff85385541a6e065d16f

SHA1
2310260ce88067c47e206fa0c0043dd5033c3244

SHA256
02fbb1f6e102c414fe48ce5de516b4b50e5241397dc824f33f95576fb76f3c73

SHA512
26d395584926259211d003b5e63465a60c0cd1ab6fc3ab8fb10889d55146e5a9a4463314dfed3f08f0369e64af5216b8de6f44fece4d5decf2ae177c1b76be9d

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
548B

MD5
44b328328c3d25263c7809a5d4d0428b

SHA1
14f74b73fc255f9dae4a05b6e2c9e17208ca68d7

SHA256
06da58dbc6a6bb81c83b6f1cc3d340cf8747a45a4eb2e5d73c5e622bea9bc940

SHA512
cba315d61056166c4393f28135a09ff8b97cda24c22564ed7fe4de18040d4b8aa09eb7464a85ba76c804c7e26be1f003615bc3cdd1f9a439f2023328fa4c3dba

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
548B

MD5
782daeac711c1c888d4770778980d36f

SHA1
185689ba3febb7a911fd70491548e9f03f6d7c4c

SHA256
08f026ee3d1c331302366269f3769be9842048a569af7be096759ad94141a415

SHA512
78157419bfe20e25e5b567c0a9c5f1dab06d36ca7ed6ade3d71a2c36906d0d465e87e53e4cc33312c3e616c16ca4471ede65a06133965335f8d89b5b0b0805c7

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
548B

MD5
48a3ccbf61765f53850aced246606d64

SHA1
414af87606283bfcb2e98543407d2add4978ff94

SHA256
59f90e04ade3388a13a7b1bc5f69c12a19ae7e4a736d9f9feee7d4f2bc921edf

SHA512
cf27c410b58c1f5308e3d6b7467decc958bac45b7314cea3407912760fb354a3d8c5b103cfc77ac19f605b5a874f9372b3f980fe50b759677d3fab1c32470944

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
548B

MD5
ac2ad0f1a444d0ac2df0e6879e4491cb

SHA1
bc9a405cd96d05046dda6ef3533e274579017dea

SHA256
9dc8ff144bd511869e35fbd60dba3a9024bf01b31c1fc0a3db8ee7d4a5184e16

SHA512
640d4e325f2dd8da285204b5cfdcb2ce66b05b1d4cf02c4a0d9df4692ed9ba23b32273d94a9150a1cd0d67c6dcdfba3f4c8574df9ae403025bf4a06471b242cb

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
548B

MD5
925f9a9ff69723438dfb07ad22206e14

SHA1
772c0e454613ed42b2239cb1afb0363ff14c9885

SHA256
0054899494fe2047dfddb044e0190f1c335bcfe567e1ab1dc2627642d7cccd08

SHA512
1188a9e757603462b4bdf0eda3723ca1e65fa1371490414c7264dfd33a55e25c756ae92f7717750c284aa71eb096894ca635178dcc7da900bb4d89c41588cc65

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
584KB

MD5
3fe35d0e8eb190305d26b34386895288

SHA1
ec0758f9b2b270892f2f0aa3a97052044ccea58f

SHA256
a4e345b021f597f5df6ca9e3ea8c073f58b75dc3fe37845137c0a673535579ba

SHA512
5b522dd77f48540ee5b6f8f7efc46be75f97fd3ac5d629c7b43b4e640b38dd28db9215b2bbfe07d44eb1720cc224d71e43ff1a2294489a95b5870b875bea0b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms

Filesize
28KB

MD5
4baa5ef0b3ad3b35cf617dd8d1365ec4

SHA1
b8d2ba18468a7b6024c5cd54282264463a63a210

SHA256
d7f6e3d0d751e88ab963d61025687d652b277a28c05254d7be22367aa904bc5a

SHA512
8f4558166ab23544427d16a40dd53a94f4c89d66a31771436d62fa32e1743f989bbf374711306a1389eeed30d700d95c1f235d8fa4aafaa3c23731fbd2ef6f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
37KB

MD5
d6f9ccfaad9a2fb0089b43509b82786b

SHA1
3b4539ea537150e088811a22e0e186d06c5a743d

SHA256
9af50adf3be17dc18ab4efafcf6c6fb6110336be4ea362a7b56b117e3fb54c73

SHA512
8af1d5f67dad016e245bdda43cc53a5b7746372f90750cfcca0d31d634f2b706b632413c815334c0acfded4dd77862d368d4a69fe60c8c332bc54cece7a4c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
37KB

MD5
6c734f672db60259149add7cc51d2ef0

SHA1
2e50c8c44b336677812b518c93faab76c572669b

SHA256
24945bb9c3dcd8a9b5290e073b70534da9c22d5cd7fda455e5816483a27d9a7d

SHA512
1b4f5b4d4549ed37e504e62fbcb788226cfb24db4bfb931bc52c12d2bb8ba24b19c46f2ced297ef7c054344ef50b997357e2156f206e4d5b91fdbf8878649330

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
37KB

MD5
7ac9f8d002a8e0d840c376f6df687c65

SHA1
a364c6827fe70bb819b8c1332de40bcfa2fa376b

SHA256
66123f7c09e970be594abe74073f7708d42a54b1644722a30887b904d823e232

SHA512
0dd36611821d8e9ad53deb5ff4ee16944301c3b6bb5474f6f7683086cde46d5041974ec9b1d3fb9a6c82d9940a5b8aec75d51162999e7096154ad519876051fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
37KB

MD5
c76ee61d62a3e5698ffccb8ff0fda04c

SHA1
371b35900d1c9bfaff75bbe782280b251da92d0e

SHA256
fbf7d12dd702540cbaeeecf7bddf64158432ef4011bace2a84f5b5112aefe740

SHA512
a76fee1eb0d3585fa16d9618b8e76b8e144787448a2b8ff5fbd72a816cbd89b26d64db590a2a475805b14a9484fc00dbc3642d0014954ec7850795dcf2aa1ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.exe

Filesize
37KB

MD5
e6c863379822593726ad5e4ade69862a

SHA1
4fe1522c827f8509b0cd7b16b4d8dfb09eee9572

SHA256
ae43886fee752fb4a20bb66793cdd40d6f8b26b2bf8f5fbd4371e553ef6d6433

SHA512
31d1ae492e78ed3746e907c72296346920f5f19783254a1d2cb8c1e3bff766de0d3db4b7b710ed72991d0f98d9f0271caefc7a90e8ec0fe406107e3415f0107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.exe

Filesize
37KB

MD5
c936e231c240fbf47e013423471d0b27

SHA1
36fabff4b2b4dfe7e092727e953795416b4cd98f

SHA256
629bf48c1295616cbbb7f9f406324e0d4fcd79310f16d487dd4c849e408a4202

SHA512
065793554be2c86c03351adc5a1027202b8c6faf8e460f61cc5e87bcd2fe776ee0c086877e75ad677835929711bea182c03e20e872389dfb7d641e17a1f89570

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.exe

Filesize
37KB

MD5
0ab873a131ea28633cb7656fb2d5f964

SHA1
e0494f57aa8193b98e514f2bc5e9dc80b9b5eff0

SHA256
a83e219dd110898dfe516f44fb51106b0ae0aca9cc19181a950cd2688bbeeed2

SHA512
4859758f04fe662d58dc32c9d290b1fa95f66e58aef7e27bc4b6609cc9b511aa688f6922dbf9d609bf9854b619e1645b974e366c75431c3737c3feed60426994

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.exe

Filesize
37KB

MD5
c252459c93b6240bb2b115a652426d80

SHA1
d0dffc518bbd20ce56b68513b6eae9b14435ed27

SHA256
b31ea30a8d68c68608554a7cb610f4af28f8c48730945e3e352b84eddef39402

SHA512
0dcfcddd9f77c7d1314f56db213bd40f47a03f6df1cf9b6f3fb8ac4ff6234ca321d5e7229cf9c7cb6be62e5aa5f3aa3f2f85a1a62267db36c6eab9e154165997

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.exe

Filesize
37KB

MD5
d32bf2f67849ffb91b4c03f1fa06d205

SHA1
31af5fdb852089cde1a95a156bb981d359b5cd58

SHA256
1123f4aea34d40911ad174f7dda51717511d4fa2ce00d2ca7f7f8e3051c1a968

SHA512
1e08549dfcbcfbe2b9c98cd2b18e4ee35682e6323d6334dc2a075abb73083c30229ccd720d240bcda197709f0b90a0109fa60af9f14765da5f457a8c5fce670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.exe

Filesize
37KB

MD5
4c1e3672aafbfd61dc7a8129dc8b36b5

SHA1
15af5797e541c7e609ddf3aba1aaf33717e61464

SHA256
6dac4351c20e77b7a2095ece90416792b7e89578f509b15768c9775cf4fd9e81

SHA512
eab1eabca0c270c78b8f80989df8b9503bdff4b6368a74ad247c67f9c2f74fa0376761e40f86d28c99b1175db64c4c0d609bedfd0d60204d71cd411c71de7c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.exe

Filesize
37KB

MD5
f18f47c259d94dcf15f3f53fc1e4473a

SHA1
e4602677b694a5dd36c69b2f434bedb2a9e3206c

SHA256
34546f0ecf4cd9805c0b023142f309cbb95cfcc080ed27ff43fb6483165218c1

SHA512
181a5aa4eed47f21268e73d0f9d544e1ceb9717d3abf79b6086584ba7bdb7387052d7958c25ebe687bfdcd0b6cca9d8cf12630234676394f997b80c745edaa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.exe

Filesize
37KB

MD5
a8e9ea9debdbdf5d9cf6a0a0964c727b

SHA1
aee004b0b6534e84383e847e4dd44a4ee6843751

SHA256
b388a205f12a6301a358449471381761555edf1bf208c91ab02461822190cbcf

SHA512
7037ffe416710c69a01ffd93772044cfb354fbf5b8fd7c5f24a3eabb4d9ddb91f4a9c386af4c2be74c7ffdbb0c93a32ff3752b6ab413261833b0ece7b7b1cb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
37KB

MD5
296bcd1669b77f8e70f9e13299de957e

SHA1
8458af00c5e9341ad8c7f2d0e914e8b924981e7e

SHA256
6f05cae614ca0e4751b2aaceea95716fd37a6bf3fae81ff1c565313b30b1aba2

SHA512
4e58a0f063407aed64c1cb59e4f46c20ff5b9391a02ceff9561456fef1252c1cdd0055417a57d6e946ec7b5821963c1e96eaf1dd750a95ca9136764443df93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.exe

Filesize
37KB

MD5
7e87c49d0b787d073bf9d687b5ec5c6f

SHA1
6606359f4d88213f36c35b3ec9a05df2e2e82b4e

SHA256
d811283c4e4c76cb1ce3f23528e542cff4747af033318f42b9f2deb23180c4af

SHA512
926d676186ec0b58b852ee0b41f171729b908a5be9ce5a791199d6d41f01569bcdc1fddd067f41bddf5cdde72b8291c4b4f65983ba318088a4d2d5d5f5cd53af

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.exe

Filesize
37KB

MD5
042dfd075ab75654c3cf54fb2d422641

SHA1
d7f6ac6dc57e0ec7193beb74639fe92d8cd1ecb9

SHA256
b91fb228051f1720427709ff849048bfd01388d98335e4766cd1c4808edc5136

SHA512
fada24d6b3992f39119fe8e51b8da1f6a6ca42148a0c21e61255643e976fde52076093403ccbc4c7cd2f62ccb3cdedd9860f2ac253bb5082fb9fe8f31d88200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.exe

Filesize
37KB

MD5
476d959b461d1098259293cfa99406df

SHA1
ad5091a232b53057968f059d18b7cfe22ce24aab

SHA256
47f2a0b4b54b053563ba60d206f1e5bd839ab60737f535c9b5c01d64af119f90

SHA512
9c5284895072d032114429482ccc9b62b073447de35de2d391f6acad53e3d133810b940efb1ed17d8bd54d24fce0af6446be850c86766406e996019fcc3a4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
37KB

MD5
a83dde1e2ace236b202a306d9270c156

SHA1
a57fb5ce8d2fe6bf7bbb134c3fb7541920f6624f

SHA256
20ab2e99b18b5c2aedc92d5fd2df3857ee6a1f643df04203ac6a6ded7073d5e8

SHA512
f733fdad3459d290ef39a3b907083c51b71060367b778485d265123ab9ce00e3170d2246a4a2f0360434d26376292803ccd44b0a5d61c45f2efaa28d5d0994df

Download Submit
C:\Users\Admin\AppData\Local\Temp\303376803.exe

Filesize
100KB

MD5
b37046319a495742af2d1d9e5ccc0ea9

SHA1
d13ca92d5a17068773a58d167af40b77813be532

SHA256
7c60a0bab1d7581bbba576b709837ef75a5c0833acb584bca3f7c780e70f6c14

SHA512
5e7ad4b7d55f0d5e4c7a17cabccc54d9568cf4b98a8e0566607f253e238d090e111e5f6f44b23617e9d1a9fc2370a10fa761cbe50a9d17a182da31dcd8ad2b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
37KB

MD5
c24de797dd930dea6b66cfc9e9bb10ce

SHA1
37c8c251e2551fd52d9f24b44386cfa0db49185a

SHA256
db99f9a2d6b25dd83e0d00d657eb326f11cc8055266e4e91c3aec119eaf8af01

SHA512
0e29b6ce2bdc14bf8fb6f8324ff3e39b143ce0f3fa05d65231b4c07e241814fb335ede061b525fe25486329d335adc06f71b804dbf4bf43e17db0b7cd620a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
37KB

MD5
84c958e242afd53e8c9dae148a969563

SHA1
e876df73f435cdfc4015905bed7699c1a1b1a38d

SHA256
079d320d3c32227ba4b9acddf60bfcdf660374cb7e55dba5ccf7beeaedd2cdef

SHA512
9e6cb07909d0d77ebb5b52164b1fa40ede30f820c9773ea3a1e62fb92513d05356dfef0e7ef49bf2ad177d3141720dc1c5edceb616cef77baec9acdd4bbc5bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
37KB

MD5
27422233e558f5f11ee07103ed9b72e3

SHA1
feb7232d1b317b925e6f74748dd67574bc74cd4d

SHA256
1fa6a4dc1e7d64c574cb54ae8fd71102f8c6c41f2bd9a93739d13ff6b77d41ac

SHA512
2d3f424a24e720f83533ace28270b59a254f08d4193df485d1b7d3b9e6ae53db39ef43d5fc7de599355469ad934d8bcb30f68d1aaa376df11b9e3dec848a5589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
37KB

MD5
c84f50869b8ee58ca3f1e3b531c4415d

SHA1
d04c660864bc2556c4a59778736b140c193a6ab2

SHA256
fa54653d9b43eb40539044faf2bdcac010fed82b223351f6dfe7b061287b07d3

SHA512
bb8c98e2dadb884912ea53e97a2ea32ac212e5271f571d7aa0da601368feabee87e1be17d1a1b7738c56167f01b1788f3636aac1f7436c5b135fa9d31b229e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
37KB

MD5
7cfe29b01fae3c9eadab91bcd2dc9868

SHA1
d83496267dc0f29ce33422ef1bf3040f5fc7f957

SHA256
2c3bfb9cc6c71387ba5c4c03e04af7f64bf568bdbe4331e9f094b73b06bddcff

SHA512
f6111d6f8b609c1fc3b066075641dace8c34efb011176b5c79a6470cc6941a9727df4ceb2b96d1309f841432fa745348fc2fdaf587422eebd484d278efe3aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
37KB

MD5
28c50ddf0d8457605d55a27d81938636

SHA1
59c4081e8408a25726c5b2e659ff9d2333dcc693

SHA256
ebda356629ac21d9a8e704edc86c815770423ae9181ebbf8ca621c8ae341cbd5

SHA512
4153a095aa626b5531c21e33e2c4c14556892035a4a524a9b96354443e2909dcb41683646e6c1f70f1981ceb5e77f17f6e312436c687912784fcb960f9b050fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF71D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe

Filesize
100KB

MD5
ce554fe53b2620c56f6abb264a588616

SHA1
77bbdcd30e7e931ef95c913406faf92fa70d4c94

SHA256
93237a51bb710bd488b0e5bfa8288751445eafcc795364df7652535f3c210431

SHA512
2330b9bdcd3c4d5d3f6a65cb277dce7d59bb655cce6285154ea8153b2b7df41c9a51b0bb62fa218e7345032e83f3b7e738fc1fea5f56a8bb4690733f51442982

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF79D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2E52.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\asena.exe

Filesize
39KB

MD5
7529e3c83618f5e3a4cc6dbf3a8534a6

SHA1
0f944504eebfca5466b6113853b0d83e38cf885a

SHA256
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597

SHA512
7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OSQP34QJKE0J3CFM3FBZ.temp

Filesize
7KB

MD5
3710d5a5cba8b714dfa6ef011259f830

SHA1
f17161096dccc9b848aa05516397998ec90c5491

SHA256
228a2b8ddb1243cdc60d1a94b78139b63becc58ab80913eea7fa98bc146c1852

SHA512
d58b3562054033a2d82caaf9a158145ae8b0c213cc9e741d2389e6b6d252b7defff6af6e5b2d842c5ab325229df7a6f1a078b7e6e0efc4bad005cdaf9af909b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VLC8P6SH0CTXD65OYUJT.temp

Filesize
7KB

MD5
5249c5a1a9b890de4b56738c662ee0cd

SHA1
b4c6f03d95ea9da0e3e72e12c319f8433f38a7a7

SHA256
aa6855342409b7eec182001b3d6b45363d8eaf33b214332398f361a2109d688b

SHA512
056af8fa02a32432820ef2d4b2087f13c1ebd54cd9bfe0df22ab83671a45ee4843cfccd55c8a999b66e959dd52580c28f75934b57124e4ac3f12075d166a52c9

Download Submit
C:\Users\Public\Documents\RGNR_86266DD0.txt

Filesize
3KB

MD5
0880547340d1b849a7d4faaf04b6f905

SHA1
37fa5848977fd39df901be01c75b8f8320b46322

SHA256
84449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25

SHA512
9048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91

Download Submit
\Users\Admin\AppData\Local\Temp\Bomb.exe

Filesize
457KB

MD5
31f03a8fe7561da18d5a93fc3eb83b7d

SHA1
31b31af35e6eed00e98252e953e623324bd64dde

SHA256
2027197f05dac506b971b3bd2708996292e6ffad661affe9a0138f52368cc84d

SHA512
3ea7c13a0aa67c302943c6527856004f8d871fe146150096bc60855314f23eae6f507f8c941fd7e8c039980810929d4930fcf9c597857d195f8c93e3cc94c41d

Download Submit
memory/336-470-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/592-312-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/604-465-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/712-169-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/864-45-0x00000000000C0000-0x00000000000E5000-memory.dmp

Filesize
148KB

Download
memory/864-4572-0x00000000000C0000-0x00000000000E5000-memory.dmp

Filesize
148KB

Download
memory/988-144-0x0000000000D50000-0x0000000000D60000-memory.dmp

Filesize
64KB

Download
memory/1112-375-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/1416-366-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/1468-311-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/1512-164-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/1556-370-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1720-127-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/1792-415-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1964-61-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/1980-472-0x00000000000D0000-0x00000000000E0000-memory.dmp

Filesize
64KB

Download
memory/2020-473-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2040-170-0x0000000001160000-0x0000000001170000-memory.dmp

Filesize
64KB

Download
memory/2068-418-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2140-369-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/2184-176-0x0000000001350000-0x0000000001360000-memory.dmp

Filesize
64KB

Download
memory/2196-162-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/2252-405-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/2260-21-0x0000000000F30000-0x0000000000F6D000-memory.dmp

Filesize
244KB

Download
memory/2260-5645-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-1-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-2-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-0-0x00000000743E1000-0x00000000743E2000-memory.dmp

Filesize
4KB

Download
memory/2260-4011-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-20-0x0000000000F30000-0x0000000000F6D000-memory.dmp

Filesize
244KB

Download
memory/2304-367-0x00000000012D0000-0x00000000012E0000-memory.dmp

Filesize
64KB

Download
memory/2344-140-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/2556-49-0x0000000000040000-0x00000000000B8000-memory.dmp

Filesize
480KB

Download
memory/2632-313-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/2656-129-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/2676-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2712-48-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/2840-177-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Filesize
64KB

Download
memory/4940-5644-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/4940-5643-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/6088-7850-0x0000000000C30000-0x0000000000C82000-memory.dmp

Filesize
328KB

Download
memory/6812-12142-0x0000000000B20000-0x0000000000C7E000-memory.dmp

Filesize
1.4MB

Download