Malware Analysis Report

2024-11-30 11:31

Sample ID 240224-f2ddxabc8w
Target 2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside
SHA256 9b5f1ec1ca04344582d1eca400b4a21dfff89bc650aba4715edd7efb089d8141
Tags lockbit ransomware spyware stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Rule to detect Lockbit 3.0 ransomware Windows payload

Lockbit family

Renames multiple (10599) files with added filename extension

Renames multiple (8896) files with added filename extension

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Analysis: static1

Detonation Overview

Reported

2024-02-24 05:21

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 05:21

Reported

2024-02-24 05:24

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe"

Signatures

Renames multiple (8896) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\A055.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\A055.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xa1Xx3AXs.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xa1Xx3AXs.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\A055.tmp N/A

Drops file in Program Files directory


Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xa1Xx3AXs\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xa1Xx3AXs C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xa1Xx3AXs\DefaultIcon\ = "C:\\ProgramData\\xa1Xx3AXs.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xa1Xx3AXs C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xa1Xx3AXs\ = "xa1Xx3AXs" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe"

C:\ProgramData\A055.tmp

"C:\ProgramData\A055.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A055.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini

C:\xa1Xx3AXs.README.txt

F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\BBBBBBBBBBB

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SUBMIT.JS.xa1Xx3AXs

\ProgramData\A055.tmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 05:21

Reported

2024-02-24 05:24

Platform

win10v2004-20240221-en

Max time kernel

124s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe"

Signatures

Renames multiple (10599) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation C:\ProgramData\2AC5.tmp N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\2AC5.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\2AC5.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1392040655-2056082574-619088944-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1392040655-2056082574-619088944-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\spool\PRINTERS\PP3md5pf8uuncvm5hdgp12qd8pb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PPbkjt61fit5jpk7kfd0d_3kz7b.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A
File created C:\Windows\system32\spool\PRINTERS\00002.SPL C:\Windows\splwow64.exe N/A
File created C:\Windows\system32\spool\PRINTERS\PP9qhqwr5r950obp37hjk0xfweb.TMP C:\Windows\system32\printfilterpipelinesvc.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\xa1Xx3AXs.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\xa1Xx3AXs.bmp" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\ProgramData\2AC5.tmp N/A

Drops file in Program Files directory

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xa1Xx3AXs C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xa1Xx3AXs\ = "xa1Xx3AXs" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xa1Xx3AXs\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xa1Xx3AXs C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xa1Xx3AXs\DefaultIcon\ = "C:\\ProgramData\\xa1Xx3AXs.ico" C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4600 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe C:\Windows\splwow64.exe
PID 3952 wrote to memory of 4712 N/A C:\Windows\system32\printfilterpipelinesvc.exe C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
PID 4600 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe C:\ProgramData\2AC5.tmp
PID 1680 wrote to memory of 4456 N/A C:\ProgramData\2AC5.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-24_e544b3593a6441f9654839e11aa0bea5_darkside.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE

/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{27B701F8-64E8-4BA2-9C9D-60DD1023AE0C}.xps" 133532257653810000

C:\ProgramData\2AC5.tmp

"C:\ProgramData\2AC5.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2AC5.tmp >> NUL

Network


Files

memory/4600-0-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

memory/4600-1-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

memory/4600-2-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1392040655-2056082574-619088944-1000\IIIIIIIIIII

MD5 5dd63f9a7bbbc4eddeae3ea57a196708
SHA1 a2c7a21b00ba4067c81c4fa0ef82941c28e2fdfb
SHA256 5001bf5b0e0d9eda02d6378813392425671a56f52dd7a00ee4f8c91fcdc75c2c
SHA512 f409692ea07066e4c6d4bed22f12a2288d8ccf73b96425ca3170c9e126cecd3d9b3d55acb0087f836d0ca616f3ed9375fab0fde67e3076ec8aa51d8f6f67b667

C:\xa1Xx3AXs.README.txt

MD5 b086e40671776e1878d78e5b77d87b29
SHA1 afc25200704f5e355a80a719e86a450295177606
SHA256 c99243fd5b4b2b5be708c0f30d095e515517f1e26a01032d05ad5ec6d6e4e2e3
SHA512 e813443a43ec149dc783d8f41c7e0abebf79ffa2718c33747a8d4a5cdc7ea1f9cbbc7ca7b2738ed4b724f246b0c56fa9f48c19f941174ddfc976216221480474

F:\$RECYCLE.BIN\S-1-5-21-1392040655-2056082574-619088944-1000\DDDDDDDDDDD

MD5 79c38ad796f508bbeba54b1a8376b085
SHA1 e93c3c254a822e0f23d88780b376258f844befb3
SHA256 b84dbe1f669c40f2c4c6393cb407fc7112d6410ecebc65cbc025e00a8012ff93
SHA512 9ac5b9aaba358954c7761dd3b7539b1d1f9254c0cb3547ef27fdef45a72d0bac05fbbb708cbd1b6ee8e6e8253e76e94b79aa3f3d7dec5e7454fe0c9fbe530ddd

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 7c3563e4eb1a3bfc7fd7e7af98a2e806
SHA1 0279dffd0c3b8e7c086e6bdf61cb14e01c00260c
SHA256 7f220e89f089a5906000fd9b3c753dbc310321b18a335864b234664d0b80491e
SHA512 feac8da820bece72b4d6634df6309f33b352416df1f7c885393bb005f025a2b6c67c4f6f18bb84261859bf0e323763ac14a3b3c75deca384bb0135fc085955a9

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 eaf37ab80a232a911d4c5dd7de217c6f
SHA1 2d15fd53506ce68b28cb7396c132999b9a23a7e2
SHA256 1960366cbe11805df8a760d4f51755232a0fa6e7e0bea3dfe1860475b92aa0ed
SHA512 4e79f9ff91dbb5e0886f230ccc6403d075176bdacf2e349b92d26bf405b48e84ce2330fb26f706dfbcb0a35b1a8ef81177d7fecbcc21443f75fffd4ed86e13ec

memory/4600-12787-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

memory/4600-12789-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

memory/4600-12793-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 067132ef6fe7add2b335fcfd55453e36
SHA1 8c4ef1bb8d040e7e554fd2aa02b92114bb167be9
SHA256 8d54ee97a169f48be43b1b81e69fa8cace89aa41451ee326c0c8a8e9b9ff1ca7
SHA512 b5583c78023bde1bd556297187755345818309bf4e4e17dce8d67c621352bc79ce6ac8e46b880fd970d830b9ef1a3beeb072108336a0a68c6052406492580045

C:\Program Files\Windows NT\TableTextService\en-US\TableTextService.dll.mui

MD5 587238534680925575f11439cad8cf79
SHA1 730d0a71ed8f441c318234a5c79eb97a02c8c0bc
SHA256 3624f6eab94e0b05e8a47f3102f5d877e43cc4ad8efbaa7dcf64da4d1ca598ba
SHA512 7d7a216755037d422c6b26f8be3ccff7d2bb22107b1ab7e2a710a4e95fea258b220c730156dd4ba9add60b9ec5973a46819e5058023d64f2e9144fae65efb382

C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui

MD5 009e9378146f0cdde1df51d9ab457f5e
SHA1 d3e88ae254aaba75bac8d0e2bbc974835844ae4d
SHA256 ccc9d37efbe9820b492f272b2becd54da5956bd7793084ad7910bee463469cd2
SHA512 a3ffb6b21c38229fc182aa3cb1b36fe5aaf6b4cce5bf6395eb6a51787e850f78c6e56f7519ac284bf74c472d022e3f6c827f55dec4bcf6195e234f4403bf47b4

C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 b4cf6db27e7c0dc8c6db73c685b32a95
SHA1 2f5c5601eb178627662ca5ba6f2308d9aed683b5
SHA256 16227ed2c3d72614618018d6af10c1b52a4c79c23ec6f47e3f977fb1166880e7
SHA512 83266f25e56a991590493df0cef79c23b8fe3012429a6c323bfe1ae40a154c3cdbf80834dcb55c2acf7fe4aecb3e97b773029997ce8b627bf618d505577288c5

C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 8041c469a3063cbb18e679d7379a3249
SHA1 366d5578c50f696654a0345e32e50d6a08c36b47
SHA256 03eb1763f63826fccf65383e2d9ed24e63a6f3b70fa97332c7163b5f22799396
SHA512 9e9dee53a414f48d75d49b0b02cbb53f13a99dce004ef8fb91bf1e144ca48633f30562c76d2eca57d34197ab3505b18bf84c1b597e011b0733a969a8f226cf7a

C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 3cf5a223b8427c10565f995a5c7dd2da
SHA1 5342ee9bd68fe06efdd94a6a2985e0d4de06862d
SHA256 14dada25d5362b248b148187f332c2b405904d10e6c798db0c992afe43055c87
SHA512 2720c482398781e5961e60d0a6a5e52839f11568015f737f9ef977be112766db67a059f5fa5fe16e10c2d25d04d666a58581abc0d431aaa5cc93cf066c74418d

C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 569b4e57f784b9ad10d8c2b10bc7ec8f
SHA1 3939bb345bdbed80d0e5be8ef8545ab6f52fcca0
SHA256 4a7b6fb0dffbff628b8c0509b4021ebc2f58d39df2880dda4e99db83985c1b61
SHA512 5082ed92920fe43546af93423b99cde5ea04d4c09963ff29a8799f5e6f8ab4312dabec0e6dba72938165912713071750939678c4043fee439ab3f59d0e4b28d2

C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 33d6d863c7016498160bca7ee72ce66d
SHA1 9eb498ca5b97afa23212546fa622d1a094f3ffcb
SHA256 f495c9853b484fc90909592f90a8c1fa4dfb3cc5536512bf245c1a7323c70091
SHA512 61ce48c6875ffc8840e88e9a0ed67bd80d05355a8f9364031e677d5c88f666cd5af565e7a5b523962f6ee6fe09305bee6ecc8ebfabeaea900ead5739b1e26a2a

C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 9cded9a15f9f929e9a9c0bb73fa461d5
SHA1 22ae0af60d030192f3b42ad9ea4e8f71f2570204
SHA256 bd2456195f71678265ce9e28cebeb19a35dbedb98118207d2d0c6c3b40cebed9
SHA512 2855c3baff13e025c62274d35b7f384b78fb492dd86a069bc0545907f319cc083e5d6049372602cf71fff84b5e083553f675fb63fe3e043afc5bf70abf797971

C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 d3b3a8fca63d3871862509c8e04caa39
SHA1 de1ec3d970f6609cad3d34ae8ee9b561bf71cd4d
SHA256 fe3f70ef34e482700ba9075a3fccd239584e4f270671ed799fb07896bc473b87
SHA512 a3d72e67f52dd4469964a955a03f8a4532c587613ededb583d6022994ebdc72cef9ed38f4d2d9ad92103e0031f59919845fe427fe413e103273ce79a32ca7d8f

C:\Program Files\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 21ed355c7db2394b9ad3a83c37ffb6ef
SHA1 a5782b51092f509b97ad46715426af8d031bfd9b
SHA256 03d4b134404eef25be67c79d537d88802bf2b195feb0ce1254096603db08728c
SHA512 2ea27a8b68ba5333314e3a37ff7fbee6ac7d4b9c0233cc6ecffce75e5cb509bade5880a5f7933a42a44fbe166c08c7191b1e2706bd8dbb0f6125597707b2590e

C:\Program Files\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 ebd12c939c1fabbafb47445cfd3a2cc9
SHA1 97ceb83fe68de8b0ab3aad5aa6d0cdea721b4146
SHA256 24f4aa8d941b9814eb671e352dc41051354d36fd990d719b050a2613128e83f0
SHA512 c16ca2106a2003e8f10e2c56e1df126f362507bf5509f9a1145b634013903d5b64bd7822c5a1de87945e91b2949a4c7ccc9438d7ecddbaef1e798ff6db290611

C:\Program Files\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 7369f1273d1721444e890a1103e27446
SHA1 78b9b6fdde0dbcdda81c2124efea34716a667d87
SHA256 73b88677deb6f66f4646a825c85f9bd5e56abf8a968f93a004e6db71d8c6df32
SHA512 6f11bf072829732397dfc8d151ab0875c7369a6157280aa8c04f031dfd60acba8b84772ad2a1c613295fbdb3e479fd3602b991c2eb931ccdb3edbc9245f7b0b8

C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 36196ed86c6c2f169019cc35a2b12535
SHA1 8ec4f7ecba26758c07dafc5f213fa375c9cc9e28
SHA256 a921d7d389a6a661e97fb5141ef9efdc81669ef375230d1c902af154413ead69
SHA512 e0ec86e6e07c45296dcc821e8c20d6f5c6274b2501001822337d68d00aae5208a0964598fe43dbf58565deb1954e21b6b8a4d872d99bd581609b7e74600f0b74

C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 19010a344e64a0b9db86037e9dc9559e
SHA1 9c744e905b72b39848a169c91cb3cb4dfa898e58
SHA256 e8c927f6f742f18c085f4040f2bcb74d8f228b80969bca5f8d373e18d7d062e5
SHA512 407b7aab4ec7f3c875c389ee3e95db2b5614ba97388398d6d2a45d37ae53395ead0b8b9ac801c414e955d0ff9e1ebcdb5094fc8ea65875ed74b527e8507b46fd

C:\Program Files\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 71f0fbeaa10558af4b50f406843e73d7
SHA1 f238154e2d8b326c73750cc992991374ffeaaf9d
SHA256 1c69e16a03d0267f78321ffbbae4735e2d0ceb6d3958d80519713f3637a4940d
SHA512 5f7246757818a7731297b57b58939ba7fe3f101503edbd4c67bdebb38a1e32bee79d27feecb7e2264e5810ab5bc41aae26e80995ed2493935d668d1c10ad61fa

C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 3f8f844308508eec00091351df869603
SHA1 e89dc3bf17980451bad7b155e759373bfef89424
SHA256 78c83c3fdd7b327697a6e8c7f305d266c1c9659d896569c5abbd070f76151ed5
SHA512 3e8cfca6640952f56c25720e7f262f14fa31c992f6a8da1708dd8cafffc90368711ba7c2cc5754d052a9df9814b6353d833d0c3290338bd89073c0d4fdc2c643

C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 50f2f0b69b9fe60c594fc4dd8f145a54
SHA1 effa74e9077766da89cc25d6e18f94891a592d5d
SHA256 420d1659c8b9d34f2e693ded76f527f68b9f5f2e4ff0a74e6e094f6d6f71b3bf
SHA512 622937785968ff9def7c4a1ee0d1b701d490a0b00dc117db0e2e4a2e1c6552a61207d80121eecef4d62438b3165051086f66fffd9a8c8d4b0dfffdd883078ea5

C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 5c82d455bed48d86b59c43a985719d22
SHA1 69833b388f0cd521e034f8a2532930e1693da74c
SHA256 51053d01e0ec5b3c1b6273105ab5f2c4f95c4dd2fe0088ed92aa25fcf3756e58
SHA512 12f8eb9950c6a54235469b280e90e015d34551d7a840598d92de0f1b15a22c8dddcd9966dc7f9d82f92bcc14bee5199eefd09d4f5b8079083635a325b3f91109

C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 375d0131ae7291151b42db672429c34e
SHA1 5c5f320e47387e75aca8a4942d828ba3e87d48e5
SHA256 605551a0090c4db54f6574852e3b9ed853dcb08587601832a9219bc1534ce66c
SHA512 18c3fa21f6ef1e051e4f315b931639eb7ea56daa458c0afe1401c4b682a467376e15b3ac1222d470976469bbe2f76e0d6c2589aeb8ee56c22a343377b9ca73f3

C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui

MD5 ab651ab0b6ab71f4cb296375ab7e82b8
SHA1 8d2a8886170efb2053464cd52f1489ce76e2d337
SHA256 4ad2d3116093bbfd3c45a839d3d96a416dda8d11b008f027f9e5092adf903556
SHA512 02ffe784cacd7a54030adbac626b4e668e8cd3004ef3c7b02cfc0412d48e9e5293f311693192228d6505521e96f3a73d8174002a04f73b047530612a8e0087ce

C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 d3ceb62d9b3e4553877599339da7ec6a
SHA1 450b2c0b5a01e3a3b60bfe695b78074ae1233856
SHA256 a4552c18934336cc97243f2cc108362f856f041609d575a3c7f151813d8fbe85
SHA512 4bcfcc4ac3e0b1fb417a6c76454869f69fe879b27b609bea3f85e3ec40483e6fee8b1cc474e1a7c438a7500b6ff9be76969a914db4cee310c676e4c143d271be

C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui

MD5 07a716b7815c70926d9092c0ef39cb99
SHA1 d952b1f37ccbc57fa158095a541d47705e1881db
SHA256 1e495c99f1f4190e3bbc6637fc48c42230a340e845361d3c166ada2557b36e65
SHA512 e82a160b06762681e120027c4d0418585c1981eb68d8c8ab899f8c506353268d32a9779b4d87d21adceea372b6fe23f2d51ee81198403d29b4917908198e63bc

C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 def1f4e8e6f9114ec690a61691dcb27f
SHA1 b29b3b35886784141912513fe970f853fe608794
SHA256 b54ed93602727b494b29ccdd6a0a5644fa61a1dbf9e1a8b76db5d1d409186a0b
SHA512 c55637fbeaaeeb734cad30d12c4e64b4a0934a8e89389d37d510ada41a7fcbe3b274fc1406f158b136984a6bd2f8b545d6aab988f748c5facf7c11ac2b2cb4c8

C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui

MD5 af4e051ce9d5dbaab93d0f5c7e58cba0
SHA1 ed160378f55962950bb029769e196c42fb70e79f
SHA256 d389d395a626c78d234230d8b943a3b18686a3c88e4165938b961715b887bc24
SHA512 a71e11e2e7271375988dfb59162785a4d179db98d19b8236f9202c460083fbfe4490cb1f2a676ea8657429251c5e5a3d60148ec58ff82f6aff55d53e72d6e4de

C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 428a638c9f9b976272f948f0aaf895a2
SHA1 ae019794a2414ccaf12cce31d2243ee78aada8ee
SHA256 98e8a509d1380abe3de0dfb785f4258d6beced10cc5e757eb3d4ff8db042dad5
SHA512 4669bad5f463bf876d7ba91eccebde1d656ddff5ce7fb61340061c9febeaff2cfdf7b55fb5aba1dc5e9eb524826449a4365f8c4e98ca081cc43418ac88059e91

C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 db1248106e9ad8518d040d7eabfee9e4
SHA1 fc4803350763b40930d432f62392278fe3724256
SHA256 6be4056e643e4e99abbd67b849595c286517fa1f38994ad51eab05665e2a34a6
SHA512 5ea9d92a972f51effb537f70f7e6813c795aab4c9ee8692d8f27797f8b18cfeb7df33c833e5e0f5bfdba9c3ba3af6db79adfce4b5b232f2e8e8db071cc812a14

C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 9daddd22b91ea34cf08e85b88f190817
SHA1 a9274ece870bb459d7f8d5b7628a05f7d435ae9d
SHA256 2f6a1a4f02811ae109790f61537051e98e6a7eb67cea7531823e35dc37644fae
SHA512 16fe441fbbde104dc659c38ba81607722cee7a26e8a8c79882b54578103b6689fc6b03c15595e8464c22257c35ff2d62e5e29c7e2715bc95bb225ae1916837d1

C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 fa21d4739ad5a9a8841bbc5f3f1d76cf
SHA1 de119594d46f6dab00f5dacf014ca5d2c43c7815
SHA256 524206665bcb51b6c02a61f11ef58821890cf01e1239d7d1b7e5e7b765d6ebdf
SHA512 94d9c266f9ea31fd90727255653cc7a51d3d54b7d59568bd6998ed61c619e2be0e61d3d0e46cdbe7d0a509f89928e4cd3ff9d6c6004eef21b598b26ee311e1ab

C:\Program Files\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 cbaed5d7a913396f8b54b7717c67ad41
SHA1 8abe2c275850840ccd58c8beac1dc2a19a12646d
SHA256 1d3c60e87f629291580b0d61e50e381654c0002d2cc1bc53374a6a0a763f70bc
SHA512 8ef8e51d4470114605ec8d06ca4fc538228910b149a439f2e773c49a9390031ad39792f4d946285d33cea740e5248f4b5aa10e69f01490e02d461401e09a72f4

C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 5382b8537948cf95a930399a37349609
SHA1 46c0c41890eecafc4502bfe48f579c00c76ceea0
SHA256 80eff1296468cec80df44aac61b8afd57782eef67f9d704e9e609a67846084bb
SHA512 542913abdb411a7d3f9137348c80a262a9a21809d17afbd5a01c3e7fd5418490305038d655e6606ffcae8154c8892ee1f85c6584d61c3ddb9ca2602aeb15de78

C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 094b98e68cdeaeac9650888e79433771
SHA1 ab27ca90bcec32b13dac49da2d38f8ff1f6bca5f
SHA256 e6a91aed03c2f51953c78bc9b48b3add3c14ba527f9bff6220bd518042966cbc
SHA512 47c710a0776c7e12323cd3e02be515a776ae41aee8dda83ea3dce678e7a793d3b95c4a98549e96fa49f5d95242f8e29b62f338ffb8c7b2b93437635e4b7653e6

C:\Program Files\Windows Media Player\de-DE\mpvis.dll.mui

MD5 7bd74715a4e9e7f2ee5dd7983326f928
SHA1 6ccb6c122d4070a82c8e7aa253dbb66b13193f42
SHA256 5774d4e5d1546ab001b461deea84dcc24df2d2c918e1c1a36b8ca6969d62f557
SHA512 bba461e34ac5298b29fad1b413da97e90c52bbb20bd1467ce182b83aa5fd842aa1abfddabd86a8648c8e899bab10bb668a747448e800542fb7f5e8bad472ac63

C:\Program Files\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 eb1c27eaec1e663d7f35b0a400e77c37
SHA1 c072729cc15d6434df89cc3534fb8d063979e518
SHA256 89d2192107bd65645990aa48e16f1148bdd29c8be759a04b863b54c907fcff34
SHA512 69d342099d2aa2113a4e76b514cff826c30bac7e7ae5bf7614b6e6dfd44110cd14df0eed6e3b40946e7cbb624316a951269796e9c699c6d005e97044aedf619b

C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 84c7b0c4fb3fd19416c5e0090071bc3c
SHA1 40e6827eee3c8284e1b51f46a4abefbca7cbde11
SHA256 8e13ddec051f4d6e8ac56b4b920638c219ab534a80a745ee6ba955ea03d06a4e
SHA512 228cf2254e7e822e47890569af2d23020b5904d1dee5c489b55d73f5793601bb043b2c5da0813d146ac40f50e3b04e54e59813098bfab55a4704be0983da57f9

C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui

MD5 53962f243f8028902564380eef484f83
SHA1 6607e656af5dec4bae8aee993f8294bc2cc6ca0a
SHA256 31e916f5c4d385f388dc48de40a2818be0ddf7e78b3e267006df6a1feb28828f
SHA512 5adf724c46a4bfe9430204f33ea0fe15d523c9408f694c2476b9e3186380a4b133e42de068c6da1079dadad635443f69ca88e5b626c3948650b8221c3cbeaa58

C:\Program Files\Windows Media Player\en-US\setup_wm.exe.mui

MD5 e43a07c0e1a949c2bded8c7a5c910e46
SHA1 2497720e2956135f2553e4eacc8e71093221c79d
SHA256 90bf860e2c83ed079ce1e3282c63fb41244f479a3fdc1852628e10dae3e4ca42
SHA512 bd08adf6ceda9e3bf6eac572f5079572d3261003d6f6ad07de14d01fc05a575fbcecc2ae1c838e8aa25bf2744dbac3e2f3bf63616de329b775520780ec55b2dc

C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui

MD5 21105d1cca6237aeb1f7a67aef83d1bc
SHA1 827382cf1ca3de9469425756693c57277e381853
SHA256 5c94a007218c05f00b06fb1f95f693cd712472d2fd26cb66f3c7d1ab665f3f6a
SHA512 e5f56b830b0974ceb450d190bd84eb1cfb2d26d03bff433edbe316a9dca232efbc1d83b301ce7f89d1ef4593c46289b114c3b33f13b031f103704dcd286cb183

C:\Program Files\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 af8a20b1de79f848e64f44d218e33ddb
SHA1 b13a77f153f10b08c866aefa43a71f2017156d10
SHA256 69ee9baf37f1065bd1b90dc4115403fa2decd4210956554f93cb6cddcd23060b
SHA512 9cd756efc41593ac5e9b0f9be3479b9d53ad389a49fbee8a4a6b9e1fc7d443a7e19eafbee3ca01c0a197aa0fc393e925ac5c3213011b229f757678059c6c84f6

C:\Program Files\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 3e39223ddbf458f13a919bec40e79bd1
SHA1 ade34c08d03340920fe4d10c5d36b9a445b01e15
SHA256 a511ab2843300741fc8d044571816a448314c1b585408e2ba0f652d6a4fa1240
SHA512 28472302c8f085a025c14e5b7116aef98461f3606e5f385277729eeff98c680d1dd7505bf2d734e5ffe20dae2b04efdadcd46f4719605bdc000797f05e0e0437

C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 068f71eec7fec5347728b339ae98dc2b
SHA1 93c90eb1d63c552932e0695df7f65e60b2333342
SHA256 1a1a78c64c6bd5b93444fc4948cd40be979ba2ed52949811f47301f31f4e6699
SHA512 1276cda9da8a2f8c00d8df9581bcfa5521d2af5631b7d3beb331b561b5445b4acaa134f30c5e1c271674495aa8f9d38615f8408b2a8eeea959f8e88329cde350

C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui

MD5 b6184bf5d382b559c657d1424c8b2cd2
SHA1 f68af00e1c12c2b7b9abc82116c2ce662862cdd7
SHA256 87825cc4eba8ddefe17e1c43ab4d486292766ffb56fbb50e4fb84c8ec289b7ba
SHA512 7f8ccda55fa38a16237a7ac1f5c3663449370b2ca1cc1ff7d1bdb3b5cfd9f7c8616fad112ee6f2bb2dbc9858480579b1e3b794798a2e3b194672ff0414717e79

C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 993f517bc558f8e88719cc353f32ecb3
SHA1 acca71d88601a41b95cf96c849edfc43a3fa290a
SHA256 1e52a98b8dcdfc657f98d84d3e977d7290d0ef092263b38bd9e692ea287cd705
SHA512 b4e387a36dfa6c4a7334e05d25868ccad62b8f95b6675dc1c923bc90f162576a6fe96f9b9c3cdf52a73b8bbf78b9874c851b6e89bf702b8ff5bde936ad22bbdc

C:\Program Files\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 26556b1941fe6e865dfe4834f72b549e
SHA1 cb34f74ac8266a43bc981d40d212ceb22294c087
SHA256 4ee7613f74e4bbea9b5a7f61ea30aaa0a0b5a39e147e5ab3edc382e172763b66
SHA512 eeb8c80c235a2a063e67af93b0a99eab6d23fc16ca9f86650d08857a4759ade6ae4ab0c04ac887bfc74be7562668acb9ed851276b250f6c8443bd02b0126c1f6

C:\Program Files\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 b5378f12c74b023b74f0f48f4be88f48
SHA1 388aeee9121ff70dac0256c705239ec0ce885c38
SHA256 8ce28b959a5542e10346ffd2bb2eaeef387f54261547ec95327ab7aedcf88f88
SHA512 22e8e8dba0d5ac5a64fcc6b87e076900b4928038796e5c28e3d12c8833fcb95dc2dfa5a4d118ca7ba652b8c06b8d19b149ceff1c1d8c774c4f1c3cd176a00cfa

C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 15d2c85c9e384e840840d1abde58b1d3
SHA1 877e4f72273f4d5a131ac560b85dd5cb705dc3a1
SHA256 554c94dc2836f2a96a26f731bcce186de339f6af2e5171134720bd84a621eaac
SHA512 c5d8cd0d2bcacc5bac78eac905b4624d41b25aa07704cf2274c32d69943cc1f4c03b4933d2d5344193906eb04e8d7a06573937a45473977025de1f12e121153f

C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 c9c4b3eb0fd366d7f769924fb2a19edd
SHA1 7fae2b126c456dc5f9679329a4fb55dd215eb312
SHA256 5ce05f21803d7d5b8acdca4f0241e6f69a211716e81d71e9498622a1fc68b444
SHA512 cdadf394d6f469263be637f651cd626e3b4e46e2e5755acf33a8ff3192ae2c93b5e739b5c98ce6478c76722a5522c911a23697a83ed16aa11d84f088a258c145

C:\Program Files\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 e9946a48c7322cfa218d80f593bbcff3
SHA1 66b9c5de1b4173c1d5d60b256d5bb04364223d51
SHA256 b3d3f46d32af93f675318ebace6c58cc4242df08b6b5e233475333468173d9c9
SHA512 5069c3ec8d94f834ce9e9ddacb485674ef958061bf904ac8d2b72763ff7082ad679f30a0e743aca58c9afb218ce0833f7e70f4d4fddea49fc1ccef597036bdd0

C:\Program Files\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 28e84479af61077677376747d30a5f91
SHA1 f556fa7f81f52d4c5105a77fd6192fb9050b301f
SHA256 91c478df444e9a18be04308fbb77778d099bffceb0a964379c0df2190965d60e
SHA512 db69b2f92fc1b64d93a62e2ffd096e39361134ca167eeb2184ebd93d85ea028c08a908cc1448da560090f339f937307b523bb5e37e6812adbccc9a1c02621e6c

C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 caa98dadc305e45534ef27c2f5f11f97
SHA1 f0a78d937b9ab5f93323b6bb78cfea370a180a50
SHA256 a304498203f18d95c179f26ca95c2d7c2c0549730a3a0dc94ea37b192f5c3b41
SHA512 550a85653379f8670b90f2bff376c23c395c907f3b19f1ce8e54d319d9ecb7da655be796b10a657cc24647831cf32886abf91dacc12d3f5ea4801aedae775e3c

C:\Program Files\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 d99da9ddb83cecd30f729a11e685206c
SHA1 08d01c6da029c62204024b4943410e16325696d4
SHA256 6ec2250f6eb4a3e738d68e36a0a89e867923e6712703d7971ab23f7b540f330a
SHA512 31bf2be9373cbbbe59ff87fcc0bfdbd64a22736c0a923215b2c557d96443a1329e9f823556668b6dd4dc7ede536bcd4c57254daf5af4253cbcd557459a8ea58f

C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 7ee7e27728e23622de4aa540c043e1f8
SHA1 cc7ef6eec32b2f95a80ea860c53f77c9cc2212a8
SHA256 0e9c582a59f185a082db0f07a82f4c2afd36c46ad1426e161b355758ee382b74
SHA512 ad822665029de6ab78b9a17087cf9cda0c09796d9064c799a721496fc6e587c769a18a5e39502a5eafc8efc32784f0b8c4558250527809703d3c5589565dc82f

C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 1506a65b1992be2b24b4ba9c143ae482
SHA1 87fb915ef55c273fb1c8259fe71d2f270b0ebcaf
SHA256 a228a0d44f0ad8f8c006d80d0fe1ae1e47ae7ccd5564daa70259883a751f131f
SHA512 88e3bd03a8d972a215fd87ad724a4b0159bbc984c8ba4c8f4113d8c38437cfcbebe3d16d8f9f71f6e432761fb7f318255a78e34691c4ab3b14a48f4d15e9aed6

C:\Program Files\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 2b1f4795e4d4943a97dd2b9818a56658
SHA1 4d829bbf1f0f9ec1c155a5332a0623572b8186c3
SHA256 efac8c15c97c59e5c73449d341fbb78895df798e9a5dacf090c5e29760b99df7
SHA512 a99d4eeca24fcc42aae58dc3052c8ab324ec2ca9e144bc6443e9f4676bac2b400d41383285ccf29aaff1d692ba9e5eebe92ec54e34b4e7d7768e943ee05f8b7b

C:\Program Files\Windows Media Player\it-IT\mpvis.dll.mui

MD5 666ddcb1516db79b7f51c2851035e9a9
SHA1 d9f5f3fd4b277e9176ae98370dcd853937742e09
SHA256 bdf9ba8bafbb6e31581f96f295332f153cb93b3cab6437f301fcdd03d59212a4
SHA512 1dc6a62dd01e8d5c1f3286bab603272587ca6ba80aa500f7877ac11956ad0dc64dce5e142c8845744c19fe7c36a0ca9101d6d7b98fb5ee5e4446b42fe8bd4261

C:\Program Files\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 500a6e0408ab8d4480851552d8445077
SHA1 e410fdfedd9ec8d6c012ca2b7c64e4d1fd355930
SHA256 1e6340529355be1dc7d9e350c206b36e53f321a8d521d04e97e55d4347830266
SHA512 ef254d92b1c65fb15d476ff75172ce992b1b8915f0d5ad8ccaf8cefd60761b1db8712fbb7b9036bb2c1823ea7668d21f155df583e363199f64c15c30ab2e1bc7

C:\Program Files\Windows Media Player\ja-JP\wmpnssci.dll.mui

C:\Program Files\Windows Media Player\ja-JP\setup_wm.exe.mui

C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui

C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui

C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui

C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui

C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui

C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui

C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui

C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui

C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui

C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui

C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui

C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui

C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui

C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui

C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui

C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui

C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui

C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui

C:\Program Files\Common Files\System\en-US\wab32res.dll.mui

C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui

C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui

C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui

C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui

C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui

C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui

C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui

C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui

C:\ProgramData\2AC5.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/1680-22254-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/1680-22253-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/1680-22256-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/1680-22255-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/1680-22257-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 c67db649da3f180c15e59ee4b8851e9f
SHA1 260edfd619e39e2410d0a4351a5586e439b972af
SHA256 77d4a27bcf895afd737e66246cc3694067d1a6e4f486115d8bf21d35996dd6b7
SHA512 d7514520213a8e41d14d39e4c8c734fc967deede4bddfa8c40b51b6740479221bbfc6ddfb9057c9cd836523d45ecc221c590301de26a0504b1f9eee6d6b4e5e5

memory/1680-22286-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/1680-22287-0x000000007FE00000-0x000000007FE01000-memory.dmp