Malware Analysis Report

2024-11-13 15:02

Sample ID: 240314-erlrvscd55
Target: 3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1
SHA256: 3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1
Tags: lockbit ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1
Threat Level: Known bad

The file 3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1 was found to be: Known bad.

Malicious Activity Summary

lockbit ransomware spyware stealer

Lockbit family

Rule to detect Lockbit 3.0 ransomware Windows payload

Renames multiple (9338) files with added filename extension

Renames multiple (6825) files with added filename extension

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Drops desktop.ini file(s)

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Modifies Control Panel

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-14 04:10

Signatures

Lockbit family

lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 04:10
Reported: 2024-03-14 04:13
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe"

Signatures

Renames multiple (9338) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\8353.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\8353.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Process (every row): C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Target (every row): N/A

Description | Indicator
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini

Sets desktop wallpaper using registry

ransomware
Process (every row): C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Target (every row): N/A

Description | Indicator
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\cHpfiXA9s.bmp"
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\cHpfiXA9s.bmp"

(Registry value names are case-insensitive, so both rows write the same Wallpaper value; the sandbox logs the two spellings the sample used.)

Drops file in Program Files directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Target (every row): N/A

Description | Indicator
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT.cHpfiXA9s
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\cHpfiXA9s.README.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\http.luac
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Grand_Turk.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_ON.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296277.WMF.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp.cHpfiXA9s
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01785_.WMF.cHpfiXA9s
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar
File opened for modification | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar.cHpfiXA9s
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB7.BDR
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PAPERS.INI
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00223_.WMF.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00257_.WMF
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\eula.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152430.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00232_.WMF
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00454_.WMF.cHpfiXA9s
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.LEX.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.JS.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222019.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRDEN_01.MID.cHpfiXA9s
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.cHpfiXA9s
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfr.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.cHpfiXA9s
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.cHpfiXA9s
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239997.WMF
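The rows above show the encryption pattern behind the "Renames multiple (9338) files with added filename extension" signature: existing files reappear as <name>.cHpfiXA9s and a cHpfiXA9s.README.txt note is created alongside them. The detector below is an added example and is not part of the sandbox report. It reconstructs that signature from an EDR-style file-event stream: the FileEvent schema, the thresholds (50 qualifying renames within 60 s, at least 90% sharing one new extension) and the sample events are constructed assumptions, and the process paths in the sample are placeholders rather than this sample's real paths.

```python
"""Burst-of-renames detector for the behaviour the sandbox reports as
"Renames multiple (N) files with added filename extension".

Added example, not part of the sandbox report. Input is a constructed,
EDR-style stream of file events (the FileEvent shape and the thresholds are
assumptions, not a real product's schema). The detector looks for one process
that, within a short window, renames many files to <name>.<ext> with the same
new <ext>, and checks whether that process also created a note named
<ext>.README.txt, the pattern visible in the table above.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds since start of capture (constructed)
    process: str         # image path of the process performing the operation
    op: str              # "rename" or "create"
    path: str            # original path (rename) or created path (create)
    new_path: str = ""   # destination path, renames only


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return EXT if `new` is exactly `old` plus ".EXT" in the same directory.

    Example from the report: PSRCHLTS.DAT -> PSRCHLTS.DAT.cHpfiXA9s gives
    "cHpfiXA9s"; an ordinary rename or a move returns None.
    """
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    if o.parent != n.parent or not n.name.startswith(o.name + "."):
        return None
    ext = n.name[len(o.name) + 1:]
    return ext if ext and "." not in ext else None


def detect_rename_bursts(events: List[FileEvent], min_renames: int = 50,
                         window_s: float = 60.0, min_share: float = 0.9) -> Dict[str, dict]:
    """Flag processes appending one extension to many files in a short window.

    Returns {process: {"extension", "count", "note"}} for every process whose
    densest window_s span holds >= min_renames qualifying renames, of which at
    least min_share use the same new extension. "note" is the name of a
    <ext>.README.txt file the same process created, or None.
    """
    renames_by_proc: Dict[str, List[tuple]] = defaultdict(list)
    created_by_proc: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.op == "rename":
            ext = appended_extension(e.path, e.new_path)
            if ext:
                renames_by_proc[e.process].append((e.ts, ext))
        elif e.op == "create":
            created_by_proc[e.process].add(PureWindowsPath(e.path).name)

    hits: Dict[str, dict] = {}
    for proc, renames in renames_by_proc.items():
        renames.sort()
        # Sliding window over timestamps: find the densest window_s span.
        best, best_lo, best_hi, lo = 0, 0, 0, 0
        for hi in range(len(renames)):
            while renames[hi][0] - renames[lo][0] > window_s:
                lo += 1
            if hi - lo + 1 > best:
                best, best_lo, best_hi = hi - lo + 1, lo, hi + 1
        if best < min_renames:
            continue
        ext, n = Counter(x for _, x in renames[best_lo:best_hi]).most_common(1)[0]
        if n / best < min_share:
            continue
        wanted = f"{ext}.README.txt".lower()
        note = next((f for f in created_by_proc[proc] if f.lower() == wanted), None)
        hits[proc] = {"extension": ext, "count": n, "note": note}
    return hits


# Constructed sample: 120 encryptions in 30 s by one process plus its note,
# and a handful of legitimate .bak renames by a benign updater.
ENCRYPTOR = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # constructed path
UPDATER = r"C:\Program Files\Vendor\updater.exe"              # constructed path


def sample_events() -> List[FileEvent]:
    ev: List[FileEvent] = []
    for i in range(120):
        p = rf"C:\Users\Admin\Documents\report{i}.docx"
        ev.append(FileEvent(i * 0.25, ENCRYPTOR, "rename", p, p + ".cHpfiXA9s"))
    ev.append(FileEvent(31.0, ENCRYPTOR, "create",
                        r"C:\Users\Admin\Documents\cHpfiXA9s.README.txt"))
    for i in range(5):
        p = rf"C:\Program Files\Vendor\config{i}.ini"
        ev.append(FileEvent(i * 2.0, UPDATER, "rename", p, p + ".bak"))
    return ev


if __name__ == "__main__":
    for proc, hit in detect_rename_bursts(sample_events()).items():
        print(f"{proc}: {hit['count']} files -> .{hit['extension']}, note={hit['note']}")
```

The share check is what keeps ordinary backup or installer activity (many renames to varied names) out of the result; the note lookup adds a second, independent indicator so that a single burst of renames alone is not the only signal. Tune min_renames and window_s to the telemetry rate of the endpoint agent you feed it.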

Modifies Control Panel

evasion
Process (every row): C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Target (every row): N/A

Description | Indicator
Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallpaperStyle = "10"
Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop

Modifies registry class

Process (every row): C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Target (every row): N/A

Description | Indicator
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s\ = "cHpfiXA9s"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon\ = "C:\\ProgramData\\cHpfiXA9s.ico"
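The registry rows above are the file-association half of the ransomware's visual changes: a new .cHpfiXA9s extension mapped to a ProgId whose DefaultIcon sits in C:\ProgramData, alongside the wallpaper write to C:\ProgramData\cHpfiXA9s.bmp recorded under "Sets desktop wallpaper using registry". The script below is an added example, not part of the sandbox report: it parses rows in the report's own "Key created" / "Set value" format and flags that combination. The sample rows are copied from this report; the list of user-writable directories is an assumption to adjust for your environment.

```python
r"""Parser and check for the registry indicators above.

Added example, not part of the sandbox report. It reads rows in the report's
own `Key created <KEY>` / `Set value (str) <KEY> = "<VALUE>"` format, then
correlates the three changes seen here: a new extension registered under
HKLM\SOFTWARE\Classes, a DefaultIcon for its ProgId, and the user's wallpaper,
flagging the case where icon and wallpaper live in a user-writable location
such as C:\ProgramData. SAMPLE_ROWS are copied from this report; WRITABLE_DIRS
is an assumption.
"""
import re
from typing import Dict, List

# Rows copied from the "Sets desktop wallpaper", "Modifies Control Panel" and
# "Modifies registry class" tables above (Process/Target columns dropped).
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\cHpfiXA9s.bmp"
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Control Panel\Desktop\WallpaperStyle = "10"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s\ = "cHpfiXA9s"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon\ = "C:\\ProgramData\\cHpfiXA9s.ico"
'''

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')
KEY_RE = re.compile(r'^Key created (.+)$')
# HKLM\SOFTWARE\Classes\.<ext>  (default value = ProgId)
EXT_RE = re.compile(r'\\SOFTWARE\\Classes\\\.([^\\]+)\\?$', re.IGNORECASE)
# HKLM\SOFTWARE\Classes\<ProgId>\DefaultIcon  (default value = icon path)
ICON_RE = re.compile(r'\\SOFTWARE\\Classes\\([^\\]+)\\DefaultIcon\\?$', re.IGNORECASE)
WALLPAPER_RE = re.compile(r'\\Control Panel\\Desktop\\Wallpaper$', re.IGNORECASE)
# Assumed set of locations any user process can write to; extend for your estate.
WRITABLE_DIRS = ("\\programdata\\", "\\users\\public\\", "\\temp\\")


def parse_rows(text: str) -> List[dict]:
    """Turn report rows into {"op", "type", "key", "value"} records (values unescaped)."""
    recs = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            recs.append({"op": "set", "type": m.group(1), "key": m.group(2),
                         "value": m.group(3).replace("\\\\", "\\")})
            continue
        m = KEY_RE.match(line)
        if m:
            recs.append({"op": "create", "type": None, "key": m.group(1), "value": None})
    return recs


def in_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in WRITABLE_DIRS)


def analyze(recs: List[dict]) -> dict:
    """Correlate extension registration, ProgId icon and wallpaper writes."""
    ext_to_progid: Dict[str, str] = {}
    progid_icon: Dict[str, str] = {}
    wallpapers: List[str] = []
    for r in recs:
        if r["op"] != "set" or not r["value"]:
            continue
        key = r["key"]
        m = EXT_RE.search(key)
        if m:
            ext_to_progid[m.group(1)] = r["value"]
            continue
        m = ICON_RE.search(key)
        if m:
            progid_icon[m.group(1)] = r["value"]
            continue
        if WALLPAPER_RE.search(key):
            wallpapers.append(r["value"])

    associations = []
    for ext, progid in ext_to_progid.items():
        icon = progid_icon.get(progid)
        associations.append({"extension": ext, "progid": progid, "icon": icon,
                             "icon_in_writable_dir": bool(icon and in_writable_dir(icon))})
    suspicious_wallpapers = [w for w in wallpapers if in_writable_dir(w)]
    return {
        "associations": associations,
        "wallpapers": wallpapers,
        "suspicious_wallpapers": suspicious_wallpapers,
        # Both halves of the pattern seen in this report present in one trace.
        "ransomware_like": any(a["icon_in_writable_dir"] for a in associations)
        and bool(suspicious_wallpapers),
    }


if __name__ == "__main__":
    result = analyze(parse_rows(SAMPLE_ROWS))
    for a in result["associations"]:
        print(f".{a['extension']} -> {a['progid']} icon={a['icon']}")
    print("wallpaper(s):", result["suspicious_wallpapers"],
          "ransomware_like:", result["ransomware_like"])
```

Run as a script it prints the single association and wallpaper from this report with ransomware_like True; a legitimate wallpaper change under C:\Windows\Web, with no new extension registered, comes back False. In an EDR pipeline the same correlation would run over registry-set events grouped by the writing process rather than over report text.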

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe | N/A

(The same row is recorded 64 times.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

"C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe"

C:\ProgramData\8353.tmp

"C:\ProgramData\8353.tmp"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8353.tmp >> NUL

Network

N/A

Files

memory/2208-0-0x0000000000CF0000-0x0000000000D30000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini

MD5 3d45a3d675c22e2cecbc0009d7149401
SHA1 a7bbec5d20a853e6ab80f0dd1794efc7815fdaca
SHA256 13168b3cf2a382b3f7115787313d800e64933e618cd30eca77b84eb477a580ef
SHA512 4927926a153184967633fcde9f4002b2a67326031d91e27eaa1c8223f8a0c9ff9b357d423dabe91d30baff0e3058ada46f87050bcdf2fddfcc6e52046988964b

C:\cHpfiXA9s.README.txt

MD5 3605fdc69caa6b331eaf96ea07e4157d
SHA1 fc6bce8fc36aa774fb5e02cc1b25df8b59c6fa44
SHA256 0ec8c3830d53015c531dd0d8c540bc961f67888bb44731f87af6ba8be1268df3
SHA512 8b3eddd76b231bf1cca7e26d83756d418fab432afb6c7fc46e3e1356c8a580b78e09f29ef3adbadf72a8258c29d4855dac9b4b5c4519535b93a982469519c226

F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\DDDDDDDDDDD

MD5 96649f8b0d95fb03ffad76ef4a515618
SHA1 28ac81089b41eefeda7da0b69a89c34d934bb676
SHA256 7c2219d049eeb477356a4df38110552dce1bb39d26176f132ab01ca70b67e871
SHA512 79c87da0340266dabd1dca6b84bcc717d999531921873923a3d7adf3522f03aee9deb8fd9aae8610124a92390910312050a9d3c84888fbd46c12931d62b42138

C:\ProgramData\cHpfiXA9s.ico

MD5 808afa42f285dcf66cfd572405a9b4e6
SHA1 a554caa2abb014e8e6c0855eb8b1d87cd066ccfc
SHA256 241a17958f0bf3ed293bd7395aab74f4e27e0c4cd1a61698941d9239dbefe0cd
SHA512 80f63b55eea9565b4e3fdeb83e4c4a4d38ded7331abc9b76c24f072b83c493e41b8d6245f2e5e9930422501ce815c277b8f15454bd8a8a91ef94b019557de474

\ProgramData\8353.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/704-13621-0x0000000000400000-0x0000000000407000-memory.dmp

memory/704-13623-0x0000000000310000-0x0000000000350000-memory.dmp

memory/704-13624-0x0000000000310000-0x0000000000350000-memory.dmp

memory/704-13632-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/704-13633-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/704-13634-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

MD5 42170eb01a5d68c5e8ffcdb296aec666
SHA1 f5c178247c075ba02f519175c58b4439b8b45315
SHA256 f79f2a6617fe3965b6292b9620f8b4096d778ae3d3934714e6bba8fc384a1e4c
SHA512 7ab108ad7f15a054e93e1509ffea8a1436b3160d3beb383fb79885ccd2d0d343c0ba522a973b66c225d874932145ecc6c6696900e9d30bb37172467b3f5b8132

memory/704-13657-0x0000000000400000-0x0000000000407000-memory.dmp

memory/704-13656-0x000000007EF40000-0x000000007EF41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-14 04:10

Reported

2024-03-14 04:13

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe"

Signatures

Renames multiple (6825) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_thumbnailview_18.svg C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_opencarat_18.svg.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Rotate.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ga\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\ui-strings.js.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\MoveToFolderToastQuickAction.scale-80.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-400.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\web_edge_permissions.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.CoreProviders.dll.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\te.pak C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ar-ae\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\plugin.js.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldMatch.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\msadcer.dll.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\example_icons.png.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p3.mp4 C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_et.dll.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\tr.pak.DATA.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\1x1transparent.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Road.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-32.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File created C:\Program Files\Windows Media Player\uk-UA\cHpfiXA9s.README.txt C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_or.dll.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s\ = "cHpfiXA9s" C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon\ = "C:\\ProgramData\\cHpfiXA9s.ico" C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: 36 (LUID left unnamed by the sandbox; privilege LUID 36 is SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: 33 (LUID left unnamed by the sandbox; privilege LUID 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Note: the only SetWindowsHookEx caller recorded is StartMenuExperienceHost.exe, the Windows Start Menu host that the OS launches on its own (see Processes below), not the sample. Treat this row as sandbox background activity unless it can be tied to the sample's process tree.

Processes

C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

"C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
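Every row in the table above is a reverse (PTR) lookup of an IPv4 address sent to Google Public DNS on 8.8.8.8:53 over UDP; no other destination, port or protocol appears. The helper below is an added example, not part of the sandbox report: it parses rows in the report's four-column layout, turns each in-addr.arpa name back into the address that was being looked up, and separates plain PTR queries to the resolver from anything else, which is the check worth running before concluding that the sample opened no direct connections. The first four sample rows are copied from the table; the fifth (a TCP row to a TEST-NET-3 address) is constructed to show what a non-DNS row looks like in the output.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: four rows from the report's Network table plus one
# made-up TCP row (203.0.113.10 is a documentation address) for contrast.
SAMPLE_ROWS = """\
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
XX 203.0.113.10:443 example.invalid tcp
"""

PTR_SUFFIX = ".in-addr.arpa"


@dataclass(frozen=True)
class NetRow:
    country: str
    destination: str  # "ip:port" as printed by the sandbox
    domain: str
    proto: str


def parse_rows(text):
    """Split the flattened 'Country Destination Domain Proto' rows into NetRow objects."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # header line, blank line or something we do not understand
            continue
        rows.append(NetRow(*parts))
    return rows


def ptr_to_ip(name):
    """'67.31.126.40.in-addr.arpa' -> '40.126.31.67'; None if not a valid IPv4 PTR name."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        # PTR names carry the octets in reverse order; flip them back.
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(text, resolver="8.8.8.8:53"):
    """Return the addresses the host reverse-resolved via the given resolver,
    and every row that is NOT a plain UDP PTR query to that resolver."""
    looked_up, other = [], []
    for row in parse_rows(text):
        ip = ptr_to_ip(row.domain)
        if row.destination == resolver and row.proto == "udp" and ip is not None:
            looked_up.append(ip)
        else:
            other.append(row)
    return {"looked_up": looked_up, "other": other}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("reverse-resolved:", ", ".join(result["looked_up"]))
    for row in result["other"]:
        print("non-PTR traffic:", row)
```

Running it against the full table yields only reverse-resolved addresses and an empty "other" list; a populated "other" list is the signal to look for C2 or exfiltration, which this report does not show.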

Files

memory/5020-0-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/5020-1-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/5020-2-0x0000000002E80000-0x0000000002E90000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\EEEEEEEEEEE

MD5 6971a89d6d079c3f3e98ab77f73a66d0
SHA1 8dea859bdda5c8263ab5332a4f2ecf588cd64f9d
SHA256 dad08466bc2d57992488e4c089dd039e056c712c9076e0466b453f83ffeebc1f
SHA512 d51cf644f5ca1c2b95ebb7cf5ad37eae840f3e85428e7c63d90d790ba12f5b1df6f4f703acda7f69f6eb2a5845ab6b5079acdc071f49bc6a0bb5fb8bb826b732

F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\DDDDDDDDDDD

MD5 8e849d13f9c4f6fbae685e19e6590348
SHA1 15b285a5674cecf9dd131109eb9f3ea414053364
SHA256 33600cff8cb03b343b0340c0e04f33e957f88145f434eee405a6aca8830d2879
SHA512 4e085e928ae3a6267e5e0d625ef13ebdb7bb2def01319aa12152da1ded5b43697c698c1c16ccd31a0dd0dee1f248b6e9a40510e1eb6260025661f2005deee41c

C:\cHpfiXA9s.README.txt

MD5 3605fdc69caa6b331eaf96ea07e4157d
SHA1 fc6bce8fc36aa774fb5e02cc1b25df8b59c6fa44
SHA256 0ec8c3830d53015c531dd0d8c540bc961f67888bb44731f87af6ba8be1268df3
SHA512 8b3eddd76b231bf1cca7e26d83756d418fab432afb6c7fc46e3e1356c8a580b78e09f29ef3adbadf72a8258c29d4855dac9b4b5c4519535b93a982469519c226

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 afe45149324f704d12b56e51e3020930
SHA1 6291baefc7a459dfcd98339071ce9891718883fd
SHA256 72ea07d043d324a70ae59a9eca8bf00a8e3d4f96a29012e1efc5e5e0d6996512
SHA512 5c25f6d6b17289fb4297c7dcb231918aeb1382bc462a9c35c35025ea64e6e2e9238dc6ca31721500f00913dd2fcedf9e33b85a150dbcebc32db12f7b5b4e8a6f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\~tartUnifiedTileModelCache.tmp

MD5 aea85b93aaca31a2039a1b7b6e9422f7
SHA1 415c5956cee51e8080f511a6075a3b05500419f5
SHA256 533b9117de803213e367224f6a50baf55ee4b36a4d3b4735d61e25d6c1fa4c54
SHA512 241f488094e3122ecf3d210a880560e56059858f1e268e76f345f1f353a0b971c1dd2314bfe37d44f568954c5302850707d20340abb0fa95f30b9e87000b2389

C:\ProgramData\cHpfiXA9s.ico

MD5 1978e46cd7989b2260fb2bcbbe41cb36
SHA1 64f473ce4486b1adbe393804e214cfd1bf0072ff
SHA256 2659753f0fc79b4a99e702a8802e4c4177e2f6acece0a9c5556bad936e75ecde
SHA512 ff3aca114b336f8c55bd105d4b8aae63eb697bf3182d0f2a353fea6ab120a5c250619bb767a458270d1707b55e2bfc96627af3c4aba761f01f7133d9b7a08993

memory/5020-6657-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/5020-6658-0x0000000002E80000-0x0000000002E90000-memory.dmp

memory/5020-6659-0x0000000002E80000-0x0000000002E90000-memory.dmp

C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 6a84e571ac796c48afd4eee046c9b542
SHA1 1a955acf21e291da0ebb3a8cfc65d469ad94686e
SHA256 92bc7f778ebb5c5ab663a4a5849aff00e2f809fbaabf5f497bccbef0fcd0d2df
SHA512 f2f5e950b6d6217dc5f590b73e4d4b2919bdf8b7acfafb4ea3a153b372afe611e18ee5242640eb9ef2e5c75e27729b14d8964ce0fc8755c909f1b5633610f430

C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 0887a7e120d098c8b60db006e363a4e4
SHA1 a8c43607d5b7d77cef1c221ee2f78871600bbad8
SHA256 3fecc26771722b95bd7e34261ccbbc65b55bbfefe6a56fac32e68c13c0c156a2
SHA512 f9d362df3d5ebb535a37ce6b0df56513305438164579a4b59b809c6fe99837105113ef7508069649258ac9fa7481cb0ca371589611ef9b26d6ff2a95baefed3d

C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 bf26242c9ccfef492922e1088255838c
SHA1 770a2221fc4b5d3c30098c79d05dbab69f9c1471
SHA256 063090fc378f6b351d6481f6d0e07e5b6a5e49ad7f6a32dca8acb753aa0d24c8
SHA512 59dd5bb2159ac5366e445ba068f4a1288765a7c556bc370f8b366d03261033bccd67ee7b9444698cbcbaf49dba26c1b59f52875407ec0da35dcd1a675b9beacb

C:\Program Files\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 d976cddecdb277322fa06e5a6b769231
SHA1 ff98e1b367ef7e7af37395b13d93ced1b40c3f3e
SHA256 2b1e354e27b906c0cab631384bf0f5badb9b584e93ed2e7f30b6d0b57062177a
SHA512 e89eccd813539eb791406dd9f5a8e83214d5abac9e79450321be9d7b8775a56da878565a52e39b9bc73c06bcceab6a869087195f57b90495eba64df029931de4

C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 6ab27bb5429d6ecd56b8c186ed0221d9
SHA1 6dc657f96db51e4e74d5bb27b7acfe1846db4a52
SHA256 3b24811713310fe0518c8921c0bbb1dc59a8ad1d0fd638ba6c32ea0397925184
SHA512 7072aa1d533987df229950fccc73bc671d9e836553055ecd3b4f6c62f404789158202a6b4751788296280595f2336e73dc5a4c2e8986baf7acea370d11c40756

C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 e1bd03c90f514cf968ecc6078d4092ac
SHA1 d1c76710bef20b1adaeb9b4c0ff292d281652bcc
SHA256 55763f072d7db7014fb9f74143dc1b89f04f1e307c8614e8008294c13de7a961
SHA512 311c4deb04088e72d3826817a33edcbfd9ccb7e65c76fc041aa387811dda6c70cf6a95758ac68d8787e596c21fba4c28290089e1d937f19a46bad3626bc1805b

C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 ed48cd18c67cb5dbaacdcceef0aa70af
SHA1 e440841900b2bfde0be4238707b88f397c229740
SHA256 37ee93178cd6cd34d3d09af7f9f53e03a417c6834837be32db2502cd1a777d4c
SHA512 738b10f76030d229e1b66cb4faeedf0fa86f991b1b252b755e316db531af48b5049dc130c1ff0d63bc6e9dc6202940518f1701686415e2ed6eb9b8a0eefd2267

C:\Program Files\Windows NT\TableTextService\en-US\TableTextService.dll.mui

MD5 5396e2fb049314f580c9dabdd04c3013
SHA1 374347a76b2b6aca635d0ced86690e442ad7eac4
SHA256 def3144555613f1953eb2ef17d619d5f05a490c7d2f7c261a6b1ac69932ba9a6
SHA512 46e1eadbc1570eb299bbc0a31693feeb3822f35283cdf4373b0b8531859de0b128eb56b94565266cacb0ce147ea498fc820e5552f92d982b4e8da21880ce1c5f

C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui

MD5 a71ec6a1a7b0873f173e68203ec7b728
SHA1 f427ee580fbbd7a272015d3d5676cf212dacae86
SHA256 12a40d0f78584b252c1d66cdb95e0d393edafbf7b0bf321e1a142c7471516bf3
SHA512 13731a18d717f78a28a4effa958f022b42214219220cb4e515e1cef9e298b28eaad8c74938256cee11c436dbd7260cb4256c1e0b5c1a2abce2d538c590951ae9

C:\Program Files\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 7cafe15b5e922504300ab3b1063f2e91
SHA1 602d13719f0f5eaa81519ca7aa75785785d5b6d6
SHA256 3142d7156862c165657059f64be84c6670b07da0e49f828237e2a2d1cda65845
SHA512 41faa39e1f7f8729af69eeafe8990fccffbbe04a7e57a15f3195ea883f7a855f906ce487259f29ea6395d04019902ea77c8180b029571ae211684e8d9f02e9d1

C:\Program Files\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 800bc824702776eab6a20f463bc0fe98
SHA1 4b5e5e5fbd975fc06eb83bb158893e6996916f92
SHA256 b544e5060e069f7e5f277141766eb26a7b2c04d48a59feaa18da38695e5e642b
SHA512 cd02358bb83d50c408171a5bab3b6303f87a580f9047466a36d439299b456bd05857f141fe33ea6e217dbdbe80ac1d12cc9bdf512f4a64db42825224d65a22b2

C:\Program Files\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 33a4f51cc0ab80ca79f98ae9c4bb9b57
SHA1 36ad4f680662c506ef27d8ab80e3eb000f102398
SHA256 d3a009620da12b43eb70155d8a0af6e1807cd8f67d3635fc26a60df71c325987
SHA512 9caa16d01ae7bf41e315abaf78bf3136b6b2fa751c6d4edc6fab7da2c004f19f0b5677c7c8ead07b96f26be76082101486485429f039260cdec920fa7fb68aff

C:\Program Files\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 a908da232d6e1176b27da25e2856ad2a
SHA1 342e987aa9be61efa807dd8f7e894cb439b019ca
SHA256 810984edab79ce7a733786b9257cd4ffcc29a81a033a9bdeb51438ac86623668
SHA512 ce93b1047ebddb2ade8bc7376999291260f3228e6f80c03ac10ea97a04c428d15530ba683fd617da68d6e1709f7c81405efeb2f93f5f524ae7c121ab9f090a9a

C:\Program Files\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 6e089fbda4222fbeaf648eb2eae79fde
SHA1 f25bb692e511d1f7304eba2217170902c919e907
SHA256 f6c9c073c8e4e200c4a97a6e6e1f2d1a415ac8c98b95efa8ffbe6cf1ab6fa64f
SHA512 6921ed8762dbdbb9318676da6321948b033a655d2dd4d41079503edcf37128f21f4bec6711becbda05d749ef05f5c9b803d0affa0c3eebd1a8ff9f2e5ebda021

C:\Program Files\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 651c1e66b0c8c8a61d8ca5fc58128220
SHA1 dab23b900ba0697f8ed41559f01b225f2b7f7a87
SHA256 ef2b56557fc2dd6f4684b29cc1a290b4baefc7ae328975a8b00f3e7b837310bb
SHA512 947c55543932f92c630cf189332ecfd18b9c85c811a59a00a882917c4aa73af397bc40233b4d8e9f952a6c42c7f6442fd51b5e07c056f44a9d20c44730adb444

C:\Program Files\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 63c4fd26e4adf9e3240375f4b9f4e23a
SHA1 017da0cff9feffe40fd12745a153569f298d5b80
SHA256 187d74a7c3a16f6c76b478f37e023b0faa83a9eb05b99079ddbe3c9ecb98497e
SHA512 a2b3d8c6566911150f24ffb4f14687370995c763dcb8de426c33387ebd96ec5bb0d41519b1d985e19e4b6d910631dfe117737e4cf46ab702af0b7fce496fc5fa

C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 d9266d1b7208d53bbe35ebd3a1a47695
SHA1 39603ba63651ab6674a549e8aa18e3ceb1e2d8c7
SHA256 838ecb732ae3095b817f0677da58c2d1d80348d7e485332a00c8c0e40f7e4dad
SHA512 6df89316a670bf19337fe414aca0eb9cb7061bc4ee6e4b01e6b2151838b944cd1cdeabf4a9100c09a6773b02885da4011b6b8b7e7dd4328b155e0c319374d197

C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 b812d4835fae8c3d836dbab115c89dcb
SHA1 55263276995de5dae4ab69c3e4cdb596d3c57647
SHA256 dea7b6191b6f932b7ac898216387f17d81bb1fc3fa850017bd76f84819426de9
SHA512 b80510583b60a6e6ae72e0466d281e901377c01746c4fb901d14768fa3d5272e2f85319a8c43cb6fd4bc51469816274d95bb5ed4f7a267cf9041d002e6b0cf4a

C:\Program Files\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 059f84a8c4cadd11cbb29f438320dd9e
SHA1 dd7887ef97437e1f191ac1ee0ef84826f615cf93
SHA256 cc8c559103d795d3709560f0c8a5c051be4b56d2d81b1bcf498356ef74efee81
SHA512 ea449d207d96e640eabeb5e76b0967c9cd006bca1f11183cccebac9ad3b2153ec3b6c81119255018e0b75104b071d8f9e38003b9e764f748b1bfac18c6dc49b2

C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 a3fe53f7be0047fdc491e6a322b93467
SHA1 75496318b6605fa582b05727c2c6b5ad6fbe6dff
SHA256 b2e6100d220257aed66fdd5e00e479f16b64be6041eb7a5c0928b80697723606
SHA512 e6a45aec2fbfb826603fa315b6e6a5f3bf75940502734edfcefacb7b94558d848816b203ea11b20ea8e8778b8244e9dff5713149f8855546bd760f1b30d6a83d

C:\Program Files\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 c4711caa8f71f3b26bf3f84e16773ec0
SHA1 bcf4d5f8265b4649c14d8887734937d000330085
SHA256 a12280053bd32f8934152ad70090979dc90f2b163940b797d1fbdbcf0f160f61
SHA512 57b97f59c777c72525950d649ae5b609603f14816f991b1a6fff9f1a1b66eaa0c9260531102b6e019b17122ac1f751d9c9380343274ab9584a7b929ba6916532

C:\Program Files\Windows Media Player\it-IT\mpvis.dll.mui

MD5 ae5b7d8ce7862b0b739658d8c030b438
SHA1 5457825ee159ff64266ddd5f2d8f896f652590ad
SHA256 5b0eec4eb2fa0a564122adf1380c1314fc5d645f353161ccbe7e42a5502bf7a5
SHA512 9ad62fad8d4a17df0f1c1ae9d27f7bf95e7c07fcccec8e3fdd1550bc8d3a4f079a79aa75e6c16bab584e008228ea38432836d3cd47eb1344e43245cef7589c08

C:\Program Files\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 5124cb8ccbede94ac2056d4e51d1e5f1
SHA1 1a706369485b24f86948e8edd969aa3ff9ca330e
SHA256 0a128cc54663ec5ba5df7012820af75e64cafe55112e21e278af9b93a59ee234
SHA512 73511924c85978984542c7aa245d0169dbba2db608332b1ee4b045dcfd8ad7f2401d32c8e9f1e85b2e1dcb78e6fa48e8d74ead27dffa13ac72599e795b6137dd

C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 90ae8847332037bde169acff6b2a40eb
SHA1 5ee9b5a2f3c1d147e88309d56d23acc5a0be6b2d
SHA256 ee156915a525861d45a0da0a898dc046a77be64e409e2fefa9d5774912ef2518
SHA512 14e011d4fdb574f6afdd156788e6fb8b585eafb47b283b89ec95a292df572c8152c3034f2e8cad4d87b2b9398b9ad2adc780c93a5160c2f4d3ef8578881c6b11

C:\Program Files\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 53d800d8b909a49448dff36cb8831bab
SHA1 58e3c51d49102f5531767be684ca60b87abd7cd6
SHA256 dd76e20fc3ec30266d976e4b35c894db26370e99f1197a13ea9e9d1a2059aca5
SHA512 9f5c6afa25f8b6bc0b9ee7a77b7c85c338460219547b98ffbf4ebfe620280b1a2779a50f725aa62f3aa274dd88e9d47e7ccca88b937d3b8316ba182268c29f07

C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 2e5c4f0f2846a57aa2af72845843423a
SHA1 5d421eee5ab6d3f6f7887cc9b22a2578440d1340
SHA256 6378dfc0d04522bada8b3ca54abf61162c82425deb82b85e4a3e54fd5e39b91c
SHA512 accd55182f61537e307fcea7bb18571920289c2f8e4b1f1c960a55d2fd569918bd721ffa71d73edef4e9becba64c6ba99811c46f340fdeefcbfdb3fc0c2b6c13

C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 19d2d6f96384089a06765d929cd6bec5
SHA1 921c8626c56c55167656ec1b6da6a995dc5fc5e1
SHA256 63ece55d62a836fa91e8fa8157630ec485b0304d815f0b5cf0df59b71c8b15f9
SHA512 ba3531dd7b89c8d4d5c2b82eaa3c90464c1988e10482a7701f358806d1b7e0ba4818d5519fdb6e1a0a9f46ee271a13c67b6e9dce8b13806b907141e5e25af0ee

C:\Program Files\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 a39242ebfc2c0c19cff7aa69c2c21ab2
SHA1 7119d646ac9ada28868bb95b0289d08eafb3559c
SHA256 390c58820b171ea2f2c450f91a42b7defab6fecde4827f10ba6ab7e40b7fa279
SHA512 c39870ecc9d751ab50b0285c62a7a772b63c3e2e1d37a29fb3b366da0f17fd0431d5c966177f30141d1989948e27757ee67cd8002a274503b7a74d98a10f6257

C:\Program Files\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 7d9a1402fea5e8afac0b4214e3cf5951
SHA1 8698309fb5284e7c211cc428a0e48cbfdb81d323
SHA256 df5261ee5df644a01876db7e97f3c24b7454ff96b45b1b508ac4bb603b6e360b
SHA512 a22201a295930dee49d6b029561eb607e9158de71741d2481335d01139a15df805bb14371526a332138ace0ff5a368ac0b774bb5ec7edea7c92f747dd335c9d7

C:\Program Files\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 9216ded6875abbec6d3bacdc2ae7f6c3
SHA1 ae99f8e5232d57083040db5d28cca26122c7531d
SHA256 3e05fdb837954abf81d629e3e2ae80796ad9c3d6bf4ee00c601cf8390e2a41c9
SHA512 eafa03dc487552dd31fe1167cae1140c26310c794a9d5b0623b922806851d46d61c91af38e2a2d857ddd980ff13292ef8565196e1507c2d73dd27aa23a0cfb8b

C:\Program Files\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 221ea3bb0d19ed74708e4b9a4c80067f
SHA1 cb417e0a074496d4ff13b4e642a06e95ce0ef73e
SHA256 48f62dfe7b9afd0aaf72a697118b8a8a9432970511c3fee08d22a846d211acfb
SHA512 4ebe0ceb4b2a560959399947c67743d299f73b2a7ffcf5e9b9e8f5c4a98171e096889f262bf0afa4bf3cebcffb3ea0f5a784cbaa5bcce42542cb3936a7e90d0b

C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 0ee9642db94fd738c7ae2fa78c9d0bce
SHA1 7793d0ee051c5cb50fce756f4d90030d62fc1f4b
SHA256 66a244b3fc113b7c451ea44a80b0acd0d0df3a8c94fe0936076043120e32abd3
SHA512 9a7a8a208c8bb5c9ba61ae69ca6070d46215ab17c2ce46b58255595a05c26c36e526b97e7395b55b864361f818a1cf86a6e30374cbfb416655b3109376ff72be

C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 1d355a2f82c43ae915c1f97f5783206a
SHA1 bb0128cf4ba02ec36fe0311897ae78933cb2b984
SHA256 a92d434e3dd21feab6037da7278a7c0df3d72c01af2c76fe80f86e277c6743a5
SHA512 e42ac90d74a2f145f3b6b14c2e2572f9ebd06422df8c8f46876779b6611e5fa09bfc042212e76e6e30db0f61225eb25a1d0345a7ce40fbe12e79fed615c92884

C:\Program Files\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 0c93b39c0c3390da00f27fbab8335a47
SHA1 f5f669291eb1482257b597c8ea1943ead99c7419
SHA256 7caddffaf4538970038361212fd234537e6d357f96565e9a21a0967a26369d3a
SHA512 136a658558973ea11d0c086319322917da5ce70816d9b0b578313fbc58c4e56524737c64ee0dcfa4bf52c9700db079c4a81427c984b4ab7863d571e491d83b3a

C:\Program Files\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 1224fc3a52037cdca0068179ed19d4f5
SHA1 e5314203cfa7f4caafa306ec6ac00be5f8b3376b
SHA256 4f0d1dd4df08f39fbca487cdfabd9ca06a0be0c06f6ff6477aec08a625a3886e
SHA512 c2715b8395c201820916002cf7e78b2dc37a4d50de074fd38f3a581923e95a20182def664aa8e9d7ff10db445fa4c4140e97f1f1a67ba726b9825310d13ed53a

C:\Program Files\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 1e9e8a1d258b02bff7c4061ad8cd2fc0
SHA1 fbedc9553d248d2ed20d2293413dfb84241aeecc
SHA256 5cf5390fb599ecd740770739e1ea88d6e35fcc6675fbd024f7bfa4b3d3038c71
SHA512 5c1530b96e1b6a0513cdae54b4f822b80e47ad55abac676063fd152065be6ef41ed3f2c8281ddc28e04d114a6f66dc5ee8c9f44a7bf7ba4d9765b8be259e87e0

C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 e3f74f4fc08a629381a95eae28ed8932
SHA1 0e274004fe3c9780e48d9a8433f53e5fc5e5c9b6
SHA256 44f407b6efeb17d5d8bd547745ee17b9e0cf5f25ded706432760b4a236e51fd9
SHA512 e26266ad8ba0a8c8b8635a67645136a855000b4600f2af5e2c648f88d2c3e3e152042fd02f7c946e281c3db7c40121e1f27d96a37d4a05f92df33cf23719b428

C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 373ca68418e945c0e131d0a9b2e265a4
SHA1 67242759cd453d2617685236fbd850966e2babc9
SHA256 8140b4257023011c12ded29603960d6a3a3a2466fef595d53c8e217a1cf58720
SHA512 9206720891e720c0ce25413bda21ea10b1c38dfa9a83965dce1f7b8cc5a720d35f18d382926ffad51f77ab085dfbd5635c51a7b50d6ffd119a3bd5d67fa7ff09

C:\Program Files\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 4f0321b9b949211ec22bda0a9284ce43
SHA1 c21da004637cb40310aac8e43851fb9772c2813a
SHA256 17cbc6e9541716a6ac13cf0c0d4454bb6f2f5be6502423bc51050085b9cdd7fe
SHA512 6678bdd589963ae6630a960885aa6340d3ea732f7eb8953d046c931e39dcdeeb1b65bf51055ddeec9b43b81187fc3065188e15cf92673502455acfff1cfb2809

C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 7664511f75279cd2eb613fd62689f9cd
SHA1 3b55aed487502c29a44ccf739e6e3deea07f463b
SHA256 936ae57d6be3daa2f6ae6c896eb21550c833b4bfc5092907059b00c3512c6912
SHA512 5cdd94d7e1b945cc72b84730a13b750da2bd944b277074f92115c879355cbe8877f0209a72376888311ea400b5babf7a746e5c692ec6edaf196e9c8e004435e5

C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui

MD5 fcb5307cfa4ab1571afb8932ffd95d4d
SHA1 b35dcd4d241836ce9371021d34d97943cdcb1c05
SHA256 3b0d4f7a7d82174a90a7503c72f495b5b1bb94f98e7aa89f4951b6ff490ef7a4
SHA512 42f62125c1d98d6cfcfe5767eb5dcd05cd49594aea549d76fe290b0f147f22a690c60d82af273e8119fa92b3bff9846e5a2a4e412ef15babeb614dba2f605edc

C:\Program Files\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 2b3ca0793c444fee1832020e1198a6f0
SHA1 43a2bca2c145335ce14a5c74002d0c397a3cdfd9
SHA256 fce512823630907ff9f33a28f3b0d6329ec2d0814ae33032c5267bdf88a3d9c4
SHA512 aec2104de1f2d980c822edb17bc09fe6d0c0f69bf01441414e38753bfbc02b736d162b92da1a2fb8719baf22412e0d48df477ff02223fa1ac8a483b940ea0014

C:\Program Files\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 215c4a0a9a4b41cb9169e9305f70efdc
SHA1 1831f45f335395fc3d1f26d2f4f63aaf1f515de5
SHA256 591bdbc0ac3c7ab03610f518741214f31ee34367b3e17d9898fa20b97ee9596f
SHA512 7684fff09fac635de9726bc5bcffc7ce71700b2b63b0a567f13348a20eb787b597f398be5fc912ce360e83107ce8d836b97b547b5b9f2c20056cc40ad02b669c

C:\Program Files\Windows Media Player\en-US\setup_wm.exe.mui

MD5 ccd6422803020a1bd7c1ede98bc68d13
SHA1 4ff2dc498ba75d342c12a1e797d19af0278f70a6
SHA256 4ef384ba8ad1b4b1bb4aa1192e4fd63fc1714ca14c230915c08c22b45da6c114
SHA512 0c5c4db936ef69f92a9500f96884fcfb16f7f0cafbd4a4b9ff120abe788eeec8130cc0e6b68a95884047e8f159d5cd81757125b44a619015947408d4e54673f6

C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui

MD5 041e4e10b0781e01122059f38e21b8d3
SHA1 7300c1663ecb1643870bcada3bc92ce56d1af0d5
SHA256 ba29941ac0a2609b03d6557a8e4f0a629c6ef6d4730d58b3087ecaeb07b5cc5d
SHA512 15ef3a997bb4599737e023d12e0916e3126fd98e61dd1205916d4084ed0fe23f8d4d9d793cc9ba74b3f203e2b3a3dd81bac6ea68d2385a523c4d80d2b734ef78

C:\Program Files\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 a55d8d836d5df0127c521fe74cd40ae3
SHA1 9e4d160c4543ef086358d8296d2b5219082634ae
SHA256 2b73b884115e7642161451d4ef7be0c8b26247365d3967ba5f882db648bfe1f6
SHA512 b377bab1776f62a9ae071d366d07dc789e53345e4f48f20cd308ca6000c21d20828ee5a4880fca72d58d58508bfef40a495d26f577cca40a6d37bb9f07673590

C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui

MD5 10cb5287f507a140a1ce5d20688a2d53
SHA1 b52e012d85c2730a455e82dae0ce491d045fb6cf
SHA256 7f4d5c5177e0eaeec401c4a8d79260deb71981bd076dd46dba58a8afc2e5aba9
SHA512 07d671830de51fb8c4cbd1fdc75e701fd5e6e95fc20b146ce5924c1dd3bad2dfe327039e45d5c8b3daf9e1404f0d077587ce849b3cd3874fcfe7019beff4c0da

C:\Program Files\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 d700e0a963de68fadd6aff0e2490bf09
SHA1 ce296e9660eacbdca393c403e071af2fe9cb7f06
SHA256 349b2f05c1a8a7d4f1be0459617de1d3ea6ef5a9d14f951816eb260b94d9a67e
SHA512 b2fcdf340de4a78886c2a2d5bac5346c0218f0370f0fd7a371789ed66f8517413c1e5cbf73a64cee8cd0c2ff12e67fcb9ea91d0d63864444cbcea6d56965d6f1

C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 44072e9b1e57232d0d6b7258f65c9faf
SHA1 406a0a15a0a882517662b833dd13e41b57148ca4
SHA256 2dc42a928100647537e1d9e825d9f52091f2e87422aa148a2a660eda31fb32cb
SHA512 c983c017953ca3280a7f09df0716ef9fccb5aab6fdbe24a645c8c29df416612b447ab647db9e1e00c51ad33ec2f9d1676d4df0cde8ebc86ad67d37502c50dbdf

C:\Program Files\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 810edeed7d1917efbd4e1341a3b5dfdd
SHA1 dc62f4611ef6cd568a0f024afeeb86157f980ce8
SHA256 ec7162d1aa9368597788fa3434286727517ac274e229b125efc88c63bb6ddbaa
SHA512 a1c5192aa2da1a7e1e90e7ef57d770885cfb658fd6070606fe35839d02da016f82ab717f2f6f1107c5e19ad9cbdc5a5f49c1457ad61510c2fae80d9c07f19f13

C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 abc9af600be6838945b3914ae4cfb43a
SHA1 ff2e8f07647ef0eebd520fac694d05c73492040c
SHA256 8807fc16a1e12685cc9eb30ada0edf0b2dd2a8d0520fd6ffa4568f942ff0ffb5
SHA512 2aa3ae9140dfbfc877880f7538f9a5e9d33eb68f354c186102fc0969c34db641775417ccd22a528bfa3daef084caa5fa51c7db5777251de7dbc89c601fcc15c9

C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 3dd17bc6be1bc4f3a159d64075555ce3
SHA1 b066a89154adc5e52a9ebf6014531a189bd67bfc
SHA256 463d6f1080d5a15483c2d335da85625fcc81749c320ba9a6f5a56c57e8d73c75
SHA512 eb1c944624017c2bae6ff93d69383477931afaaa6d3d380a488407aa443d3eea5cf06b07f896bb75a2f0a9829bb87f29bd1e03ac75239b29bd534b7fba0d1adc

C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 70ab8199d42d3c1f97f7a26737ebcf4e
SHA1 d5984ca8db781266d0be8889eda93ddb26ee9649
SHA256 78fb25f03955f77f03a5f1192d911e5e2fb15a6b74a9066d6ea0893abdb1544e
SHA512 930db2c29a4d5dc49f57986b0448659781ad62f4e1f6ba4a99961ba6b67093b1ad234bd8129fcfa71b3517bdd2df9161d1fa11939a15a6e9bcfaa6752ca2ad66

C:\Program Files\Windows Media Player\de-DE\mpvis.dll.mui

MD5 02b83a6e3969d129180ac5367d78fa7d
SHA1 9c0848d1a61c354b0046690376c9b13eaac8ede5
SHA256 2c6694b775a095fe622d5bcedfaa444d19d4aab101e2ad0d1c420297bab9ab5d
SHA512 2da20d1d1f4ca5475fab9b8cf35dec0832f15fa736a18fa6dbcf764a127af5533c61ab4013d002072d7b4fdffcf32dfd48b396e11380177a432f751ba8f20ef1

C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 5a049f4d9a89fa6d2cddbbbadd9e0b50
SHA1 19f1fd1fd4e0882420dc8554015aad5cd075e902
SHA256 8f2bf80559679589062d3a6a795fd5a727f1329b016607697d34d4ab84dd2def
SHA512 18afe81ef758f40dbeee9640c5acf1cd92a8418e705fb849ef0a8e9730c9b1519963f307a3125977082d3936bb22d7ed0d73362d7797ea4521a6b061c0a612f2

C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 d6449f55e8afffb11b65c421822a1ed1
SHA1 9027fa96e18d7071c0c8e43b7d41e5616fcd7a33
SHA256 79df15da38c75cb4ab47aced09284f373e7387a3a8db511b90a183b48539a2a0
SHA512 9e731e6c769dfc41842f4286c721a06c5befe4367ca1cea87178d618dbee1f6a4cbb133d25524ae2311da15b6419542747d0717d9feb3b966d2184b750a200a2

C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui

MD5 b15fd76f9f8688f2c8633ef4ab885c5b
SHA1 3bbcb3b38ffea4a749b3edc9bfde30db40e784cb
SHA256 c4eaec97bdba8419130d4310d1174b715c00ffdd23dbfdb0b4a8ea9f768f9c1d
SHA512 627189ce832c2fa93a2045219084240eb97f8e00696ebf1c9f12849136e60bec3f6040eef75264309511b0036ebb5d592cead1686cbd04f8acc9469a141f2da9

C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui

MD5 8624b182e1a05c487ef5d11abe80e974
SHA1 d6022abc0c3b28415ab6d4a1f2b7389362cb3ef7
SHA256 3317dcb5da6d6b6bbbb2610055dd35edd40839fa6b6355567179995115f94aad
SHA512 6b853ea6c4be3bde59f712f031659f8c2ee1ac74306b921d014639d43a62bf4f64521cd2a8bcf8728d9534de526aaf1521e9bb7990962823a6991f9427b5f765

C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 2e6ceb29a4f74700eccc5204931f3db7
SHA1 37f60bc5d8836e4d602c1981905587a7bcc83beb
SHA256 5e562f86b55d5908ffe81431dc6ba835a87fadf7c9f11ecd48beb07c9aab8002
SHA512 39c21679c93581bf803cfd9c89867e67b015b36c6cc6397e915167a8f9758ccb617048ee40d290f9387c20b2c10bdb756873576e45a72fbb3ccda40fc68a1b77

C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 2f62b6586c1f0507373b4d9e88d265ac
SHA1 503ff4c867a62a33e51a5618265c456b162f69d2
SHA256 6bd39ce154d8bcd1096f2e62eee4e5350117d314354c498a3afcfcf9ef44b9bf
SHA512 b87c7979f65cf00da7f276e5cdf3ceef2a394ba477558e88ab0c131e8af9bd6beec217a156f67ab2129479721f8203dbdf42be281713e35780518b06895e0768

C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 bd662791306a5500622ac92987a58ad7
SHA1 f48b63cb152be5c42957167876784a69968307a9
SHA256 b27aa3aecbeee5cf45f1247f5925f12f8690f44a8e20debebe134780d99be890
SHA512 4b945498efa51eb215ee266093e5314d2bc58d593759298c67ec8fd9cac5e6971eabaa8dd35f36a9e92cea183bb21440b757e5e602e8663f06ffe3f73251119c

C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui

MD5 6c609839a7e7a6ec23833b46301e7d46
SHA1 107228170be56098431d6b45784e3c40f49db8af
SHA256 8d1f0d3f4778095c2e8ac8cf9aa9898e7a361e16bb4acd52fc3a27b7d99143f5
SHA512 4f000fa5dca516fd7a3a603f96f493c00e9b6ace1d9a3988fc83919514213e6aa2554ac410b815f25b0cc976550af2a0b7c3a88516c057babebfc6d93b051e3a

C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 9cd83ed6e4b71fcb655cbe502e9d6a14
SHA1 df870d2bbff27082eb5c3467193b8d55a97a3391
SHA256 68a6f3fa3d4f74c6b9b24958ca3b74ef21ba3216ad8dcef651dbe6ae961a9984
SHA512 3be584f4f43ab5ef5528f28e425ba82bbf9eed4cc2e52c9d10a2f4efcbcd8b4cb2687be35371221d4441dada9f74701499ac0c41f920b3e19cfc3ef8bb0bcfac

C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 2b4dd2b4be2e30d41f1f28a71222e69e
SHA1 04399dd0dd9bda9057523a0cdd5370a45d0c8560
SHA256 6ad833df3874ec8443445998d452fccb9ca1e37b29484a81306a949cc17b3a82
SHA512 a56074a37730519dc390d966d6fe39322aca9fc4405b88e29a05e47a4c3f7c73c7b947dd17c8969bac4ce8cda5c50cd523859785966cc8c1faa3ae41e07f82e2

C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui

MD5 28cb0c2295ad8a564857d70ab1f88f0d
SHA1 57d6d5be17132f75900c9baffc366f45b597c091
SHA256 0f03fb7fcfd983aaed84ab62847530bcaadc29b5580e49891cc2619cef220bc2
SHA512 48fcbb1071997c61d209d5c740317f3acb8e7aab176d85173eff40e49a87055e5c7ea1c14c67b4ae4b92dd5b1da4596d12a8101888be0680caa65598ebf39c11

C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 8f605b57c9850930bb3fc81267244b17
SHA1 4d9b126b65713e7a81bf49a5ed5d98ac04514c56
SHA256 c70551d36ce219bcc02e3da19f36c5caea15c672b9af471adf5f7dc8a2eea792
SHA512 40a843199fb21e579a0ee4efe79c94b3ff93a73b20353c027a403a927f00a9316f7fb7a5240d3015f30456e18f099e7c2851935e2a836cb53638ef91930866c8

C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui

MD5 6f4a4d0b204440461557563c9a385a55
SHA1 d0906f021fd8b491173a54e783599c2a311cba4d
SHA256 73136b71d49d6a7d696a6e3a68f7894f7586ff574bf6959a0db05f62ef9f774c
SHA512 a473b6b24e3f232b9221fbffcecd150c9a88e777336fe745eefac0576b5417a82a239110390f990b5e4452107c1d214148b76bf43cba7cdd1104c94d9af7b3b0

C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 f1b1bf6c726c9f1aa768f2570cfc3fb7
SHA1 788fb7a2561308b9493c3b32819b0aa87d4c77ba
SHA256 2a4d6ac2b3ffa1c58696f1b486fdac71d838920416da1cc454b2f5c931d99c5b
SHA512 3e58352c1ac29c04d8974519878029f1b5e545209b828e77fd3f1d6bc070b8b993271f656c93f2f3b57d49422e82cdf9cc3948fc6a510f90fe1c7ef89b185ef7
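The Files listing above is flattened into a repeating "path, MD5, SHA1, SHA256, SHA512" layout, and two of its entries are the LockBit 3.0 per-build artifacts the report itself names: the ransom note C:\cHpfiXA9s.README.txt at the drive root and the icon C:\ProgramData\cHpfiXA9s.ico, which share the nine-character tag cHpfiXA9s. The script below is an added example, not part of the sandbox report or of any LockBit tooling: it parses that layout into records, rejects a digest whose length does not match its algorithm (a truncated hash is the most common way an IOC list goes wrong), and recovers the tag from the note and icon names so the indicators can be handed to a hunt. The three sample entries are copied from the listing above; the regexes for the note and icon names are an assumption drawn only from the two paths on this page.

```python
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)\s*$")
# Assumed from the two artifacts in this report: "<tag>.README.txt" at a drive
# root and "<tag>.ico" under ProgramData, where <tag> is nine alphanumerics.
NOTE_RE = re.compile(r"^[A-Za-z]:\\([A-Za-z0-9]{9})\.README\.txt$")
ICON_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\([A-Za-z0-9]{9})\.ico$")

# Constructed sample: three entries copied from the report's Files section.
SAMPLE_FILES = r"""
C:\cHpfiXA9s.README.txt

MD5 3605fdc69caa6b331eaf96ea07e4157d
SHA1 fc6bce8fc36aa774fb5e02cc1b25df8b59c6fa44
SHA256 0ec8c3830d53015c531dd0d8c540bc961f67888bb44731f87af6ba8be1268df3
SHA512 8b3eddd76b231bf1cca7e26d83756d418fab432afb6c7fc46e3e1356c8a580b78e09f29ef3adbadf72a8258c29d4855dac9b4b5c4519535b93a982469519c226

C:\ProgramData\cHpfiXA9s.ico

MD5 1978e46cd7989b2260fb2bcbbe41cb36
SHA1 64f473ce4486b1adbe393804e214cfd1bf0072ff
SHA256 2659753f0fc79b4a99e702a8802e4c4177e2f6acece0a9c5556bad936e75ecde
SHA512 ff3aca114b336f8c55bd105d4b8aae63eb697bf3182d0f2a353fea6ab120a5c250619bb767a458270d1707b55e2bfc96627af3c4aba761f01f7133d9b7a08993

C:\Program Files\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 6a84e571ac796c48afd4eee046c9b542
SHA1 1a955acf21e291da0ebb3a8cfc65d469ad94686e
SHA256 92bc7f778ebb5c5ab663a4a5849aff00e2f809fbaabf5f497bccbef0fcd0d2df
SHA512 f2f5e950b6d6217dc5f590b73e4d4b2919bdf8b7acfafb4ea3a153b372afe611e18ee5242640eb9ef2e5c75e27729b14d8964ce0fc8755c909f1b5633610f430
"""


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files(text):
    """Turn the flattened Files listing into FileRecord objects.

    A non-empty line that is not a hash line starts a new record (memory-dump
    entries therefore become records with no hashes). Digest lengths are checked
    against the algorithm so a truncated copy is caught here, not in the SIEM."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and records:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{records[-1].path}: {algo} has {len(digest)} hex chars")
            records[-1].hashes[algo] = digest
        else:
            records.append(FileRecord(path=line))
    return records


def lockbit_marker(records):
    """Nine-character tag shared by the ransom-note and icon names, or None if
    neither is present or the two disagree."""
    tags = set()
    for rec in records:
        for rx in (NOTE_RE, ICON_RE):
            m = rx.match(rec.path)
            if m:
                tags.add(m.group(1))
    return tags.pop() if len(tags) == 1 else None


def build_iocs(records):
    """Hunt-ready bundle: the tag, SHA256 of the note and icon, and every path touched."""
    iocs = {"marker": lockbit_marker(records), "sha256": {}, "paths": [r.path for r in records]}
    for rec in records:
        if NOTE_RE.match(rec.path) or ICON_RE.match(rec.path):
            iocs["sha256"][rec.path] = rec.hashes.get("SHA256")
    return iocs


if __name__ == "__main__":
    bundle = build_iocs(parse_files(SAMPLE_FILES))
    print("marker:", bundle["marker"])
    for path, digest in bundle["sha256"].items():
        print(f"{digest}  {path}")
```

The same tag is what to search for across the estate: a file named with it at a drive root, an icon under ProgramData, and, since the report counts thousands of files renamed with an added extension, that extension on user documents.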