Malware Analysis Report

2024-10-24 18:18

Sample ID 241018-cl4pdatdkl
Target 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe
SHA256 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6
Tags discovery execution ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6

Threat Level: Likely malicious

The file 8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution ransomware

Renames multiple (6655) files with added filename extension

Renames multiple (7454) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks computer location settings

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-18 02:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-18 02:10

Reported 2024-10-18 02:13

Platform win7-20240903-en

Max time kernel 117s

Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe"

Signatures

Renames multiple (7454) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\df.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ast\Dominik_Help.txt | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN022.XML | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\Dominik_Help.txt | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0295241.GIF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\Dominik_Help.txt | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Opulent.thmx.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV.HXS | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\Dominik_Help.txt | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\SkipProtect.mhtml | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Hardcover.eftx | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153313.WMF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Verve.thmx | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198102.WMF.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0290548.WMF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Clarity.eftx.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.DPV | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10299_.GIF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\PABR.SAM | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\Dominik_Help.txt | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02424_.WMF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msado26.tlb | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090089.WMF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251301.WMF.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL.IDX_DLL | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\deploy\splash.gif.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPM.CFG.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0278882.WMF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignright.gif | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.ths.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Indian\Dominik_Help.txt | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF.Dominik | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\df.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2520 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2004 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2004 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2004 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2036 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe | C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1656 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1656 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1656 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1208 wrote to memory of 780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\df.exe
PID 1208 wrote to memory of 780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\df.exe
PID 1208 wrote to memory of 780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\df.exe
PID 1208 wrote to memory of 780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\df.exe
PID 2272 wrote to memory of 1408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2272 wrote to memory of 1408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2272 wrote to memory of 1408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2272 wrote to memory of 1408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe

"C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe" /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\df.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe"

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\ProgramData\df.exe

C:\ProgramData\df.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\df.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5
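The command lines above give the whole chain in the clear: a scheduled task named "Windows Update BETA" created to run the sample as NT AUTHORITY\SYSTEM at start-up (and deleted again later in the run, so on a completed detonation nothing is left in the task scheduler), $RECYCLE.BIN and Recycler wiped on every drive letter, a second payload launched from C:\ProgramData, and a ping 127.0.0.1 -n 5 delay used to delete both executables once they have exited. The Python below is an added example, not part of the sandbox report: it encodes those four patterns as detection rules and runs them over constructed process-creation events that mirror the report's process list. The field layout (PID, parent PID, image, command line) follows Sysmon Event ID 1 and the 3xxx PIDs are assumptions; the other PIDs come from the "wrote to memory" section. Note that the captured PowerShell line reads Remove -Item with a space rather than Remove-Item, so the recycle-bin rule tolerates both spellings.

```python
"""Detection rules for the process chain in the report above.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's command lines; the Sysmon-style field layout is assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DF = r"C:\ProgramData\df.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"

# Constructed events. PIDs 2520, 2036, 1472, 1208, 780, 1656, 2332, 2272 and
# 1408 are taken from the report; the 3xxx PIDs and parent 1000 are assumed.
EVENTS = [
    ProcEvent(2520, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3001, 2520, CMD, '"C:\\Windows\\System32\\cmd.exe" /c rd /s /q '
              'P:\\$RECYCLE.BIN,Q:\\$RECYCLE.BIN,C:\\$RECYCLE.BIN,D:\\$RECYCLE.BIN'),
    ProcEvent(3002, 2520, CMD, '"C:\\Windows\\System32\\cmd.exe" /c rd /s /q '
              'P:\\Recycler,Q:\\Recycler,C:\\Recycler,D:\\Recycler'),
    ProcEvent(2036, 2520, CMD, '"C:\\Windows\\System32\\cmd.exe" /c powershell '
              "-inputformat none -outputformat none -NonInteractive -Command "
              "Remove -Item 'd:\\$RECYCLE.BIN','c:\\$RECYCLE.BIN' -Recurse -Force"),
    ProcEvent(1472, 2036, PS, "powershell -inputformat none -outputformat none "
              "-NonInteractive -Command Remove -Item 'd:\\$RECYCLE.BIN',"
              "'c:\\$RECYCLE.BIN' -Recurse -Force"),
    ProcEvent(1656, 2520, CMD, '"C:\\Windows\\System32\\cmd.exe" /c SCHTASKS.exe '
              '/Create /RU "NT AUTHORITY\\SYSTEM" /sc onstart /TN "Windows Update '
              f'BETA" /TR "{SAMPLE}" /F'),
    ProcEvent(2332, 1656, r"C:\Windows\SysWOW64\schtasks.exe", 'SCHTASKS.exe /Create '
              '/RU "NT AUTHORITY\\SYSTEM" /sc onstart /TN "Windows Update BETA" '
              f'/TR "{SAMPLE}" /F'),
    ProcEvent(1208, 2520, CMD, f'"C:\\Windows\\System32\\cmd.exe" /c "{DF}"'),
    ProcEvent(780, 1208, DF, DF),
    ProcEvent(2272, 2520, CMD, '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 '
              f'-n 5 > nul & del "{SAMPLE}"'),
    ProcEvent(1408, 2272, PING, "ping 127.0.0.1 -n 5"),
    ProcEvent(3003, 780, CMD, f'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "{DF}"'),
]

# Rule 1: schtasks /Create running as SYSTEM with a /TR in a user-writable path.
_SCHTASKS = re.compile(r'schtasks(?:\.exe)?\s+/create\b', re.I)
_RU_SYSTEM = re.compile(r'/ru\s+"?(?:nt authority\\)?system"?', re.I)
_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
_USER_WRITABLE = re.compile(r'\\(?:users|programdata|temp)\\', re.I)
# Rule 2: "ping 127.0.0.1 -n N > nul & del <file>" delay-then-delete idiom.
_PING_DEL = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+\d+\s*>\s*nul\s*&\s*del\s+"([^"]+)"', re.I)
# Rule 3: recycle-bin wipe over several drive letters (rd /s /q or Remove-Item;
# "remove\s*-item" also matches the captured "Remove -Item" spelling).
_RD = re.compile(r'\brd\s+/s\s+/q\b|remove\s*-item', re.I)
_BIN_DRIVE = re.compile(r'([A-Za-z]):\\(?:\$RECYCLE\.BIN|Recycler)\b', re.I)


def _ancestors(ev, by_pid):
    """Yield parent, grandparent, ... stopping on a cycle or unknown PID."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events):
    """Return (rule_name, pid) findings for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        cmd = e.cmdline
        if _SCHTASKS.search(cmd) and _RU_SYSTEM.search(cmd):
            m = _TR.search(cmd)
            if m and _USER_WRITABLE.search(m.group(1)):
                findings.append(("schtasks_system_from_user_path", e.pid))
        m = _PING_DEL.search(cmd)
        if m:
            target = m.group(1).lower()
            # Self-deletion: the deleted file is the image of an ancestor process.
            if any(a.image.lower() == target for a in _ancestors(e, by_pid)):
                findings.append(("self_deletion", e.pid))
            else:
                findings.append(("delayed_delete", e.pid))
        if _RD.search(cmd):
            drives = {d.upper() for d in _BIN_DRIVE.findall(cmd)}
            if len(drives) >= 2:
                findings.append(("recycle_bin_wipe", e.pid))
        # Rule 4: executable running out of C:\ProgramData (dropped payload).
        if e.image.lower().startswith("c:\\programdata\\"):
            findings.append(("exec_from_programdata", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

The self-deletion rule deliberately walks the parent chain instead of matching on the filename: in the report the cmd.exe that deletes the sample is a child of the sample, and the cmd.exe that deletes df.exe is a child of df.exe, so comparing the del target against ancestor images separates this idiom from an ordinary cleanup script. The bare PING.EXE child is not flagged on its own.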

Network

N/A

Files

C:\ProgramData\Dominik_Help.txt

MD5 51f91dadfe4357fb7230949938d4786d
SHA1 b020f84574d8810a275ed4ae57e945df838316fc
SHA256 0d67b4686d72fa7f566443e4636c7f116f0e5716b4f9002125e359151139520f
SHA512 585ef6bae2dd2389ebb8d0cd2face54879e6589da8899ef446350c3175a179253006a3e035e34ef675087567ece327d70ca9cfc39092f92ca23598b4e02ce1f8

\ProgramData\df.exe

MD5 39728325879572ffe56a194319f2731f
SHA1 3898a219352dd3aedc54ff924b01317107c9ce2f
SHA256 8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761
SHA512 7d80af3e2df1c02bfda76e5ada4b4ce25921418cfcd7f26434293e746968f4187f6c9cf5bbb1c7c4703117eaabdd958700f7b1cefcfa44bd11afe95ad7f1599b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 f56e9b90446ea7816c02b44523783b5a
SHA1 b24f4204ac23f745c2eceb942fbc242524fa90a1
SHA256 2e4b16fbd840b82457f25fbdfbe3a00764de90f28458151aee5d3d269f9404f7
SHA512 d93170d39e03d8f0e7f1993d7cfc63d3dc83dbb60dda9a2efd558d633442861af6b56db1b6d19de29244542e9fd7ad53d3406e12436d20a6b1681420e177864e

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:10

Reported

2024-10-18 02:13

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe"

Signatures

Renames multiple (6655) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\df.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close_dark.svg.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder-default.svg.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\move.svg C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ppd.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TabTip32.exe.mui.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-oob.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\IRIS.INF.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\control\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ui-strings.js.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\ui-strings.js.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_xd.svg C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\ui-strings.js.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\orcl7.xsl C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.INF.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js.Dominik C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\powerpoint.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\Dominik_Help.txt C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
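The table above shows the two on-disk artefacts a responder can scope with: encrypted files keep their original name with .Dominik appended, and a Dominik_Help.txt note is created in each directory the sample touched. Entries logged only as "File opened for modification" without the suffix are files the sample had opened but not yet renamed when the run ended, so the suffix is the reliable marker of completed encryption. The Python below is an added example, not part of the sandbox report: it walks a directory tree, counts encrypted files and notes per directory, recovers the original extensions, and checks every file's SHA256 against the hashes listed in the report's Files section (the ransom note and df.exe). The directory tree it scans is constructed inside the script with placeholder contents, so no hash matches the report's IOCs unless a matching hash is passed in.

```python
"""Scope a Dominik-style encryption run from file-system artefacts.

Added example, not part of the sandbox report. Builds a constructed tree,
then reports encrypted files, ransom notes, affected directories and files
whose SHA256 matches an IOC taken from the report's Files section.
"""
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".Dominik"             # appended to encrypted files (see table above)
NOTE_NAME = "Dominik_Help.txt"  # ransom note dropped per directory

# SHA256 values copied from the report's behavioral1 Files section.
KNOWN_SHA256 = {
    "0d67b4686d72fa7f566443e4636c7f116f0e5716b4f9002125e359151139520f":
        "Dominik_Help.txt (ransom note)",
    "8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761":
        "df.exe (dropped payload)",
}


def sha256_of(path):
    """Streamed SHA256 so large encrypted files do not get read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scope(root, iocs=KNOWN_SHA256):
    """Walk root and classify every file; returns a summary dict."""
    encrypted, notes, ioc_hits = [], [], []
    dirs_hit, ext_histogram = Counter(), Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                notes.append(p)
            elif name.endswith(SUFFIX):
                encrypted.append(p)
                dirs_hit[dirpath] += 1
                # Strip the appended suffix to recover the original extension.
                ext_histogram[Path(name[:-len(SUFFIX)]).suffix.lower()] += 1
            digest = sha256_of(p)
            if digest in iocs:
                ioc_hits.append((p, iocs[digest]))
    return {"encrypted": encrypted, "notes": notes, "dirs_hit": dirs_hit,
            "ext_histogram": ext_histogram, "ioc_hits": ioc_hits}


def build_fixture():
    """Constructed tree imitating the layout in the table above.

    File names echo the report; contents are placeholders, so their hashes
    do not match the report's IOCs.
    """
    root = Path(tempfile.mkdtemp(prefix="dominik_scope_"))
    layout = {
        "Licenses16": ["Standard2019VL_KMS_Client_AE-ppd.xrm-ms" + SUFFIX,
                       "PGLBL103.XML" + SUFFIX, NOTE_NAME],
        "Mozilla Maintenance Service": ["updater.ini" + SUFFIX, NOTE_NAME],
        "Clean": ["readme.txt"],
    }
    for d, names in layout.items():
        (root / d).mkdir()
        for n in names:
            (root / d / n).write_bytes(b"constructed placeholder: " + f"{d}/{n}".encode())
    return root


if __name__ == "__main__":
    r = scope(build_fixture())
    print(f"{len(r['encrypted'])} encrypted files in {len(r['dirs_hit'])} directories, "
          f"{len(r['notes'])} ransom notes, {len(r['ioc_hits'])} IOC hash hits")
    for ext, n in r["ext_histogram"].most_common():
        print(f"  {ext or '(no extension)'}: {n}")
```

Point scope() at a mounted image or a share instead of the fixture to get the same summary for a real host; the ext_histogram is what tells you whether the run reached user data or stopped at application directories like the Office and Acrobat trees listed above.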

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\df.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4868 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe C:\Windows\SysWOW64\cmd.exe
PID 5108 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4700 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\df.exe
PID 4348 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4164 wrote to memory of 3824 N/A C:\ProgramData\df.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe

"C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\df.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\8c811b3c0ca435fc3510239e318c76c5978ab537a3c912bf74bbc60f182937d6.exe"

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\ProgramData\df.exe

C:\ProgramData\df.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\df.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

Network


Files

SHA512 6797877213a01721078cc863dea65dbba02af187930c29bb2c8a6aa487ebafa8d6a9b6b34853f03f935d126c5b5215450eb6857b33e5c9b0ba325ea6b5c899ec

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 275d506aba0ce9222e871f88fdc52cf2
SHA1 5fe4ccdb925b747e20620299b6365c645bb6f390
SHA256 176060a70473ccc987e36cc4d5e16d7e15d48c36eceb87f15f789094fbb37aaf
SHA512 850768c09220cded26f408b09a000378838634dfccd3d146876022523099a0ac863aa7db2e729819d5e43d99f37b4c25c1e9ceb5d7f39fe7c87296a0e8031c66

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 8fae52b9c675558e5d45048979fe3fc2
SHA1 cec7e9e277c145b4f4a482a4f87cba6ee0c9cc30
SHA256 c0258445f1fdeb7980251d441196e8e2e6f8b95cc46fade130245f5647ed2216
SHA512 aa106270f6b5551c593caa27fe9af697b80e846f9c8b2ab79d799444cefcb6e907f0703a04588fe93f7b7ccac74f3b3154a38b018b22ab10c0d33b6a16177bcf

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

MD5 b0615051c1c4bd3a30aafa04ac26bc72
SHA1 db547c2950c50ea6924559cd642c0987dab8e0a5
SHA256 62d92a549bd37273150cae9ecda8144ef9e3e763dace76628af901a86a8698d2
SHA512 7fa01eb8120c622f1782e4568bc3a526ca8a35e625cd2a8ad02a7da436caf0c87dabcc93ece22b84fa7f1f09073a44cf99093c1533740a73251b512669fee3e2

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 a300cfa86213e46b11f74d2e22f72433
SHA1 a08e2e40af3ed0d811c8b2bb9a6aa9b9b4946ef5
SHA256 faf24c850d15a484f2feed6e921708d219425671d760e34c4481d257869b9eb6
SHA512 f7092c2abba5390e985ead086a23ac32143d9bc23d60dfdeaeaa626009d94bbddf25d149cfb405dc58d4a3d3fb9f24a77cb60024a3f7470327a088b8c8d80f9b

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 0bd15d733eaba62aa44dd931047e10ee
SHA1 71b8552db4187fdb6597917f025b9edd132b18f2
SHA256 d5119ffd1964dd4c6a9e377c2d660d7ccfd0a2ae9e2824e2733186651082afe1
SHA512 04571e3de7fc22079519f0f50a385e0391d42099173467e1f2905e9e7d7e72caac9d466d1671d2c5eeb75ef69e45487ddc6cf3ee0aaf4003ba296267e304335b

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

MD5 9d07a699ea3d55cb46fcfdad38238f90
SHA1 32d0d7c504787963b5797fece161af89f9d1b121
SHA256 1296e058f6b3f7095e16d98db1166817d373974bebb832beaf1784054f07d2ad
SHA512 8f4ed129a1e1ae369681a31f3b107df03bf29640839a5bd6a3a00b9e1d3ebd12e83ea389d8d278912496879beac9d7b55cb0760e676a726fbd4c3eaea5da5530

memory/1564-1506-0x0000000006450000-0x0000000006482000-memory.dmp

memory/1564-1542-0x0000000006490000-0x00000000064AE000-memory.dmp

memory/1564-1586-0x0000000007130000-0x00000000071D3000-memory.dmp

memory/1564-1525-0x000000006F830000-0x000000006F87C000-memory.dmp

memory/1564-1727-0x0000000007860000-0x0000000007EDA000-memory.dmp

memory/1564-1734-0x0000000006F00000-0x0000000006F1A000-memory.dmp

memory/1564-1806-0x0000000007240000-0x000000000724A000-memory.dmp

memory/1564-1867-0x0000000007430000-0x00000000074C6000-memory.dmp

memory/1564-1912-0x00000000073C0000-0x00000000073D1000-memory.dmp

memory/1564-2094-0x00000000073F0000-0x00000000073FE000-memory.dmp

memory/1564-2128-0x0000000007400000-0x0000000007414000-memory.dmp

memory/1564-2148-0x00000000074F0000-0x000000000750A000-memory.dmp

memory/1564-2163-0x00000000074E0000-0x00000000074E8000-memory.dmp

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 df81e60abd2d525bc459c3171a0349b5
SHA1 7d2e71ce44d7b7abaeeb6d455d41c3fa44b2c72f
SHA256 32a897220260323cd75c9aea69c533d3faf8a70fac68cff68b9fe369e8b993de
SHA512 fa0a71d4584f58e3369574398bb0aee7eca9b80b4fcddc543e02ec9b305728dc535463b5e444db988932070d420d37fa01db7ebdc7d4fc4f27504f75d7c66753

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 143c8cd0965f904f5a3cf9069bd9b653
SHA1 5afce25f9bd7f12542d5545f7284a6e7d8a9979d
SHA256 0606b557d28d7809d8bae871af4237b1b6242f6849294ef2681a940e8d381f77
SHA512 0613f21f17edfaa888e1be936079b1eac5f13e12a925e9563064ebc45813a334ba3b2baf32a896b0755a9cc0af6b9499c28437c9f57800124fabb0f5f9098827

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 ae12219929510ac51820b987d526bfb1
SHA1 e101d7728e8b0808111d23957086fc9c453daf1c
SHA256 ec3a2496aae73ffc05c825d6e5394eb1604ed57f685c41ed0b96dc4e3153d616
SHA512 cdac36b5757425f36fadad6ec16f9c735577553c470a28cbf4e66ad9c9709c025a093459ddd1d7cdaa9e5da025583aba56b703d54175260b6d648b7442b7e87d

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 1f8ce9bbb1d7813d2fb31c3fe112c362
SHA1 78844011bbf75d1b54317469e78b7bd3422c9132
SHA256 8045d14edc11f75059ac5dbde94facd11160e0e258bc6c7e9d482391052cf547
SHA512 f77353dda6c7a552da7b12f5080df9d014d6babe7a1d2a5ed3748a4178b9ffbf9e0466fa269cf4d5f1fdb234506b0e53f0f586db0adb2d5c2e8114827a05c7eb

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 56366e624999cf003a992635ba76cdad
SHA1 fb176b252f99d22622b11a64d817756112d90b13
SHA256 aa78275e924603c9c9ff3c3e0cb8b7dadbe82e5d9ab311034f25baa507e29a2d
SHA512 dfdfc1fe7c24053b7e2c31fd227b4225b68a3b563225892c3f8e2ae9491907aa2b5670ac717ffe9a442e71fb8a1f170ab7e69d145d523deac8b6de7b7bd2feab

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 0d800333e47822ea3b9122dadb495ccf
SHA1 559831672146b74902dc4506a2ed4f2baf3028aa
SHA256 3f6190700a7d9b6549170350ff7ba07dff39cc3b58e0dcbab0dcb237f77274b2
SHA512 817e5f4da7ecc26777b3e5da1201ae1c48be66ccddf2cf45013889cb584a36cf9a96082da2a1a358cbfcbd6908d02ec36c24fe26cc4eae7404b0b88ef7e30ac3

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 30983c7bff5fa23e30bf31f1109f35b8
SHA1 ba15f3d8de9450062cd5d0a37a85d5db03baf283
SHA256 92e7a646aa00596d9cca62bc119c8ebd4194fd6970c8e3fc302fd35201752c56
SHA512 09e639a3731bfe9422bc4ba1f645dda530f239393e70fc8cd5ab423e69e644eab5ac63613fdd4717d9c819db7f4bab0bdce930d85792fa8bec65cfd9ee62eb45

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 9b358707d694c6df0ff14840ca592297
SHA1 f50e7f4f63e2934c87eca59018e51d5677828e10
SHA256 bac0291c1df6e2a0c529ea647518a227ebbb52bf325c01fa52ff289f16028aed
SHA512 e1174b1b6e6c90959ad3a6bffd33e2b4deeb945df949e2b60bbbedfdb964fe3c5b55fcd3b3241e8a5b4f7235297c64a4ab3332a765d161346b7b471140d37000

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 645ee813e6ca11fba34cb8a621a54a24
SHA1 37b14c13e45ff81ccbb17023d811f20ee753a5ba
SHA256 7541fc05434b3b34a2d15f58637aeb79a2adb7e15c7087c10339ea31d4e20fc5
SHA512 ef07dfcb314def1bc00653530a8b3c9362a50b5b3b50ccd453147b16c48d2611bb752059589047ff07093e9ec513a30124e62f282a74d69a366c4cd9e0856e4b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 cdac3fbccaa04d56fd6496f3ff28ad07
SHA1 442fb76d90ba852dcf3167a4766115dcd97634c7
SHA256 0073260292fbc877df9def6f303e7a052bb45ad4b783cca856628d9df129e50b
SHA512 ef7e7e912da0058c8499a87404439e538fdc0e795c919dda234cf0b039fe9d85449890cf42e0c561d25d9c7a9a0c550a94593c9bde932f1b8ba8a32ac1d99750

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 bf75bbef637d9d65398d6999cd6c2086
SHA1 8ead343024b53756d198d5317a9c790d08eb6d26
SHA256 b93122e1075a464bc9814abd53bcdc1935ecd4088240067fdeca297917f00473
SHA512 5b423783d63e4f8c1eaa7db4d1fc89f69e2cac1863f3cb9be15197ebe90055eee94bb6186feba26362fd4af38d7f73f5a7f614cfb6ab873016ef11892f4e8ec9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 9266693a9dfa0dad05e9e19835752d89
SHA1 5b23810dbed4252412b85bd45183c3a76bbd0283
SHA256 6c6389361c199f8e0f53cb52d68e87cacf6b8627397c2496304e4c924b54a78e
SHA512 142a2abbb645dde515fe8af8f3038454672b2b0d300e97a8a03d50891d1144d25e2482a51b3e812790786d78dfc960ef3af522ecb1bc4447b88725fde73314a7

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 70c79d637fbe8fc08b33b00e41ffe2f8
SHA1 84a2ef762633273ad9b2333a75f0dcd005cde7b4
SHA256 c23e1ea9d42b5b3771e89e3e0b882d8dcef22dc41f668f100c0c53ff34baa30a
SHA512 3e39494a8a7c024ae73e5c20cd4987d30738464a62894d1eb63d56b3ae88a59f94b6b9266807614e35d058bc8ec1c5e3a026a6bfa4d2af90103d7270327fd197

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 3796aa0bc4f5d390c1a03efcb658ae4f
SHA1 982244bd2c3a167930b075ba4e73cda7d090d0a2
SHA256 165bdf3be1bc660ce411e6b35588b87ec41f8116c54ebac8a08e3b26e4303d6e
SHA512 e74427ac88dad975223c601b8c3ed5d3d42d83c9d6844eb8b27a1db014b121b374bcc86e014147f4af23d844603bbdeb9512e27114fabdcca1a6302c274335e4

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 d57a98cc51615368f1733bdab1c77a78
SHA1 07b886ee8e79fa30089e02de3a356bc439e4fb04
SHA256 fc2ac1bb3704923d01b4fb20741f05aa7137673f19bf22bd44b129b4f0f88913
SHA512 062c0c536316b379c03c4df9c6b89dd424ca86da4694c094bb75f552d367de6b80e33cd2accd787120bf24368448c7602600ff04de9d67b5c93041057417534e

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 87dbb2fe2593f94d47f2147093611598
SHA1 d167c9379f66f8212ff660ffade7fcf6dc7ac055
SHA256 3a060e514fef8108b58ee6303d3ecaba619b52ce3f68548f38677fbd123fcc90
SHA512 c5d4ac8e58d9cf3fc8bf697e7b2db16068abcff76a17719c752cdf340e2dd07bd414151a0a499358135b2541a77fb5521d0e5aaf3e4dbf5047c9c76c9aff8177

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 d065e53c3083859aae17ae5cb09eca30
SHA1 a11c1a1af0d7b5c89f6d2107ce54c3cf6cd74b22
SHA256 97838a7097bfaa9329122cf3f28eb86ba9b7ac32dfe18aa91f3757d99147b6be
SHA512 f5aa68807614ce07e11b09cc49474b7f174d2d542a1cefdfb87b3b6fcc662f1d35a577aabc5018ef9e4913b22cb7338c17a72b812f5cdfccc1a1dbaeab21342a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 6af567303026c2abe9402e93eac7002a
SHA1 77718b0d4e281c6c2b79721e88e4171a42a07e23
SHA256 dbd746a8d2c649232b16c60a887df66efcd7ca76ff37620d108381f3c55f8a38
SHA512 f36f8fd824688fabf481f3608ee8b21f9ee7621080afd353cf5413e318b8afb0487434499d47d8d6285493cfab7026c2dcd8f948cdb0bf6b7ad2de86c82f1d8a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 2e6cb1736b0f486bdfb6a98d750c14db
SHA1 f147ea470f0fb8616c8f9a98fa96e097b507941b
SHA256 3876d6c66e2f6fe6f019d1eb722a64824c5c4900bc0f1ab1042046dde0d8a041
SHA512 dd348920e87096874159c0730e56eacceb96496ae0076c924154d12c10f78d7da4a36a5901696ed6364e7853d3a31b6f1f67cc5bab31280a196847dec9e770b9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 a9fb962117d855f2eace98042cbb8e4c
SHA1 f703ec554e8f9cd9069552226bcee542ffbe8185
SHA256 7d4c509d3443da8523a300d4e5dbc77a08c0fdc9e0ce2590014bf57bf2fd6cb1
SHA512 81f1f208063f8bd0bb9e87f8562fd2d90d9385b035d7176d2ed772a789138c38fee2e37ce439ae75cf0424e04e02b83058c3bfb9b5ac414aeb02be8c80460223

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 ac553b04ca0bce9956d01843adee4960
SHA1 4b50deb2ae2cb41a9520a778865ff71d8ca6337c
SHA256 3bc02ba980975c59db5b2e1ccf04c941bcc461406b2b6121957a52a0d2d99730
SHA512 a860ecf9a3af223cee2cecc69485aa0e00f439487096fc9eafc1c4a085c565e97241a09d497ece7d5c36eee3d617222e095be8de72e48178e606d3f9c16331cb

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 ec5aa7e8827fb577a99042647c260fe0
SHA1 3b5c6be317972bd8376d55521ee234009b61db37
SHA256 4dea9192a3865eb49391c315ad50689b191d51d2cfcf6dd2bb80990c7a465a02
SHA512 1703661651581a10f879e154888c3b6be63a9fc70d5fd780d2f8d3a6ca90bd08c545334006e8fc150b171451a38a6e3ff1d776fabed4777a19c0402e00d4c19d

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 233ded2c1b916c0cea174d9ccd3e50c6
SHA1 151771985919e5cea0260b6f14b15ca352e149e9
SHA256 6afe9b93c96f0d5055797de7ad59674b97e096cc2a74a251b6ded3d9d1b3ae10
SHA512 afe95243b1105d3aa56dd2865bfa2994e6911741399b5123b63fa27ffef053f72521906214f985b7ee0772cd37083b24086ddf31934f7388d10c4e53cf346f05

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 18d1199e20c9cff531359c0fe52ad38f
SHA1 1e5d35af0d81b3c51322a1cf32e2d4833cd0ca4f
SHA256 557c563e859674f8332d8b9253a5b95de81afa39bd54042e0777c79043be7c67
SHA512 7f010baed8f0e2197f4d500fe45ed124cc7fb89ef04d910ae0a5fa0c05f99ce2eba93f0bb83654a9e608362f1708f12f1436d4ac2255e45c7f732e99d3792bd3

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 50c465b6c0744aaac44ecfbb1e7fd2bd
SHA1 61f82fa2b78cf04d82e9a189bf73a726e24ee611
SHA256 0c5d8c51c50b2cea849da59629f163b005c75480223e86f7e110afe256a012c9
SHA512 6490c9fc6a2832f94916056790eef6052b13f89708140b08851f16f76fcbe2a8a1a1e5c94cf4d29999f9d3d30907efdedf84da114a4eaa09a5b856790ca58e78

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 d4fd6714614f465d02d4c803da976e2e
SHA1 b9cf3bac10390aaa67ed5a5af81e1a649803c512
SHA256 755a7e6c3b0d313ca75996d6bdcd5acf0dda2e57b519b1039b38481fec8a0bfa
SHA512 02297b98aaa38d41a604c88eee0bece6891a18fc4b305d81d4c4854229a5d1b527f62011c291970a3b6b7548225d46033d4ebeff7cfe34c75a5f15ad9d1c5fb8

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 a542b762fbbe39d39be6b6d385294694
SHA1 0977bb7575fdc6701bbbfeb38d65ef4277d4851e
SHA256 0714b89cbb05b0c7c1529bb1b82275db2e5e248edf6165037574f6367efe2e3d
SHA512 4d4112a4b5d65ee322fe5cee3f618d0c2a7cc8490f53cbb5f9d00396a35435cd2adba73b362c662dfa0528c0c8119c9fe864e5a2fc99a55faa2530b80b4ca3df

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 37dbbbd01f7e0fdbd60884546f9c5c18
SHA1 2a6958b9e552e77814e0631a3f6457376ffc48ad
SHA256 2fb9559496d4d18deb61cd36dfd1cdbff6be803ef0945d7812134694ca57faa9
SHA512 57a452eb0b5cd510bc0b9a51d4e90023a277396e04427f6903abfa57dca2eecdf580a22a1b4efef698a06149e99c76e2116e9b767dad39aaa52b597c636d354a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 b5470d11a88a49e8f8c938096d50f828
SHA1 3c5153d6d7599c3fdee24c226b33bef2dcc15ba5
SHA256 ed7cceeba7b94bf9183fb190cac629d46aa30abaeede32cc175712660b5570e6
SHA512 80fb1fd2eb243157607e1f6ce23bc5473783d7ff4c55d88a59fba4f8e1c97daafe1224fea9577c0b2d9af47239fd64c0f6c90023de96df4d0dc4880759b73c82

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 6483429840aceac4907c35ac848289b3
SHA1 6c63d7cd2a84959f54907400184d77b0423eb164
SHA256 67f31ea6bd876f3d5df02448e9e0eee777eafe1c2ffbcd13751f7a83f4774166
SHA512 a68e583d73785531b86bc9ecdb43fa73f04612b5322f7e844247eba551a35db6244c656a5f0a2ae5529de70f02ba15582d7aa680b334c4c90114fc1088d78082

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 e1bb1cf23a3cc608355f63b8d055f73d
SHA1 bb61431b3857e4efb95307981e59204b4aa1033f
SHA256 7c5af0af5c36cd2b380c46da1283ed5178868cd9f503dd801d30e73da5939f2b
SHA512 1570d4409b5e3f2fcb9729b5aba958916ef4b0f82fed3386d0e3ae22213b66c5e3c83bc3c7842b93da42deafb3f45c37647ee8c10f009b1413096ea8dffdf92a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 e29acf053bcae0b4309b740d25d34e61
SHA1 7a365f19b59a5efd9d48b82cf2e434a0006875b1
SHA256 45da19785270e60affad3540b7f8b6e1ab5dce77b23602dcfe2aca86f6ce2694
SHA512 c846e11e2d458551ed02f2d8d3441151ea9c822f10e7df4ca9c93272fd70b75f78cb5ed7b7b51f440b9150f1606f8653f3755dcd4037376ccee9969f25858465

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 08365e9d3e5813d3255b889db51aebb4
SHA1 dddba16f841b07578d89ab544e573d9b3db8a414
SHA256 50725cec1299d1b418a1c37de38bb903c535d6321608fea484eb56e5642ebca5
SHA512 ec3b0cca2639a1027918bd70b0afcfa4f995b814dedafe98dbd618d7fda6c86821b646ca5182c5f518a4ce077f90bc5736362c2fb6667dd5e74faf21483c45e1

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 633be80327be2691f475d1e42e610016
SHA1 e9bcc05426420b519b3b2ab120d6247b98358abb
SHA256 afcc42b4f5527eaaf4fcbb769adf13fba87d5c09304347c2eac4f0d8fcb05e4d
SHA512 5c90c53fd6d79e8fa00afc214a9652b9fbaa2e3b32a27aff51e5722afc508626ce9b7ecc2b8b18385ef7af5b74efa3780d86caa240cb21f912b320c9ab3c7434

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 5ca9efd18a0505089bd8d6f7796a9e94
SHA1 e00cfc54745896dea9f13ec68fe6c16891af80a6
SHA256 9f3416b2fd82baffadb629b6fc3d79cdf050a8304814e9d4950ee632c859ec91
SHA512 2dd23c7b4aa0874266e7fadf9967ae44fae460f0906f8b84a7ee576dbdf985a662099e5e871c4a9c00fcc9f53888e0b93a780105909e922db36c73121acf8bcc

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 dd8d18357a8ca26a7ba592365b8475c5
SHA1 388c0215a17c275ccaccd1f68bbde29606045031
SHA256 07f5457e68d5889a2741ac774b8b135d6ed1a8bfd50252e35efdcef4d4811704
SHA512 baf88161e9bb29690e363c335b87becdfed98ce77e3d837a10a5331746f5a70d4c6aa09cec07f87c18db67cc677a11976ed8a843363bce9a080266b454e94191

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 ffd2a9015cc8e9ae9f8a70f75d13f9e5
SHA1 24659e897bd00a0db5c2fa6eda999792e4b08a01
SHA256 628433129174fafdd8fc19cd15436524357920c7fbd179fbd721e99459e95e94
SHA512 2736836952dce4405256074a6eadadaf5a67457c206e5653746610a7396197f36f394088e5a9ad4244f161bd71ea346297de36860884c786567c55865cd32c28

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 56f8eb1f74dc38f116b251000e307d2b
SHA1 dca5542c87777a142cea25255be5de91b4e25efd
SHA256 b43f4b5fb2c5bb0374ec0b96669d1e3081128ee8b9eecfc5ae393e18363c2ab3
SHA512 f5a3496b0f3f4edfae75f9811fb9fca726907bb3bcb8569cbec469b42c59cfd76035eff200dbcd9ad403b3ec1b5a0feea849e79772893c93f4666ac712a04048

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 704eb88c5d00189a3e4e05d16f25d6f1
SHA1 cf511ca0a05b3fbc52ee9de4ebec3ab5b37a9d1e
SHA256 81a77be6f1f985de458911fd429a4f7607ad63430e694eec24540bb020d68b1b
SHA512 7e41acaffe3c0b019040b11d09dd8685953622cb305608bffa701a11b183bc75626f189c8141ab0170a6373752ae2ab8515c0910cabe1bd968f0df5bc19abb95

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 f9796147368027a5ba11ec92bb6d7dff
SHA1 42f908943ae1522c55ee358e6a66a9e06b97581f
SHA256 58479ec831e5acf4cc0799e8999ca6963a6e412608a0df6facf8e83e6a12fe80
SHA512 7b2e67cc760311fc9f791cd4425cd5ab27a5b14fee64c27728c33cf35763a01d68c363b57c43c881699e6f5dcfa0dc29af3c8c6277ca2539048729836e0d2f0b

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 a921e19e28dcbdb81e27b4b54b6ceb44
SHA1 5a643b8bd4941ee57710a6be1ccecf2264b6078a
SHA256 0e66290db964a62206769915810375686cf0cc2b14a755719d3e564daebf6f5a
SHA512 478d60687e8142b3b0f1aa60c30bad1a9b2d39fa8a5210bfa54cbf700862c6d0e2521b1996b74cc1613db4d92dbbe79794f489ad5637d363affdc3d6ce4298a5

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 c8b6dc7c3df986efa190e44fc13b3f7f
SHA1 7ea03369e6802edccb92eaf281ab81e84cb8f52b
SHA256 f47c322834ac4317cc42211b29e0e40641888c5bcd63723f329a1d535a614a83
SHA512 e2974957d3bf67f3b503eb7456a64c0a53037c5bdf350b42a024a2827457e953c9a81c6cc11b7a6ff112108a96d31f3938575146a92d78a93d72dc29f4d542d2

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 d1209495a9ac3de278fb948c0071e785
SHA1 39d683e6ad7408293a2d4ef3bebf651ecc5defe1
SHA256 936b16f73fb2236f899bd8fb7a0432c2e7053a32840a7b03b0423a18aff98def
SHA512 edd4ddafe898c65a7c31c17faf0383bbd33c3c2a0e19b0bf1209076cbe5eaf9a57cecf70cb05dfcefc85ebcc5e112a5906d252a6c23bc4e2c34f349001f46ff4

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 d911e42b0bb8df2086b13ede813b9c9c
SHA1 0f880b50ff8b426d4a3bc4e63f225d965a22a841
SHA256 1afdb8c94b3813710a859b88b9e56fefec88246b2ddb916b5f4ecc5928997563
SHA512 4b5c56b244a698866d49f59a2f40be84a53810fb74bdf12be95b337e40f8838a208000ebc9640cf81593da099e98f866461030a3953c0e4e12a82c05d473a41b

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

MD5 b529a09c970d06927559978f03e7b572
SHA1 b472764de4abd2c7718eb8fd957b6c66a8e955ce
SHA256 df34a3325e312604e95b545a5d05aa4af3c64f883fe4d3bf1f8407666936c867
SHA512 6d83d68ecdbc96f5d04edbb13f7af6735d0f298c5c8cefc54ce62e02ef09c1a847d954870054030c0c1bfa39cb8b15c38c00227ef4707801f42741710307b49e

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 6748f4858cb0f689001e503314f8839f
SHA1 b4a9c863d443308aef6dc0b9ae7eba3eb83cf711
SHA256 f164766681936d9d558abe3398c29618457a38ca262c08f3fc919ce20d75d393
SHA512 f3043d0a6961b1b433bc99d9433b9453af8fdf528f54ee4b0a3222a86364e1c170f3137bb131a7cf1ad8bb4c3bc6645bd2857617794b9dc91c4ee841a36e2484

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 f375943a5753106c51b5f43a17db629d
SHA1 f2c0b86953c98729cd82fa494eb28489c04af1d4
SHA256 b906908b379392f272a57e8016e3ce41266e31c12e931c9b9f9ae71fa9c22499
SHA512 013800bc9a70bede3575783117f8edf0003cc771d2cd607db8ce79151c1e448011d1cffb73a7b49e77a6e3611e1a335a5777db1d2ae1cf28692b42105ef0d6a0

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 ffabf673243ef1d520febe383968820c
SHA1 4c1169130f1decad4d50bbdefca665a7a274bd5b
SHA256 39d4f15c272f944456c1ef2ebced36bdc2ccd9f986763a1fdb16d667ae4600e6
SHA512 d7af82b085ade71f1bba73c9090220b298d2fe92669bbb590ac39ab80c6f0e3909a0f86b019a6b225b2be079d2db59a519db659b513c89344677d59729835f95

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

MD5 8f0a7df2ec8d72a93a7f0f68ca5a7be7
SHA1 df936edd76ce58fb1e82d2190ba94b5c7b86e303
SHA256 096b61a5bc173955fbe7849dfad6cd588a73c7ee5d8107ab7710d01796461c81
SHA512 782e3db1cec24e834aee70065d3d28491b99f564ec323401c56f658c3d469aaab86846583a88611b3098e362cffe739776e38bbce087291fa24f2b4204fcfcb3

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

MD5 82182727d50aebfbfba66f3995c2c2c4
SHA1 39619e2b8ceec2c8c32e9f03aaacb4446dcb0481
SHA256 03d18e78f8432505d70ca179e99fea9620f01c431e6589116f9f63004b4f4a38
SHA512 d01012d1eb97a4c3c6c875eee0828fb394dd53a7da064b91bfa9c1c1c7cda3516de530cc96bf1511eed06058e2d5a919982ab599d1ce00c5fc80a97fb04a2cba

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 701577588527494a144ed09d93233e5e
SHA1 256546a7e6b32b4caa3c6267b6dd799efaf0fd41
SHA256 5e0a2c1e559ac3bae2e7d4ee8c1d31b54f467fa2d878bc323a223540a6407e25
SHA512 61280e6d467c0e5728f27241dc5598d773604eadf220e03778aa07152cc04c49fb62b89ee537c20240a333cf2f95eba4c2f6d05b30661f2e5bcd1d68e7699342

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 1b025d6bc0aeea1ba6cc5b75102fae84
SHA1 351cc1335e1a09e2ad1292f2490a2bb275099dac
SHA256 031cf183314568d52e3a2099be7b65bd404f6fb26b56887cb04fc11f7ec5f109
SHA512 afd4de15b420c6fef0544ee9ce7ba968c64dba79a081a82b1a659d15b852c6d151bffa81b3f89b0c8830b8e5e290a7d53c005eb425d253766cdeb3fb8a035c52

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 b618d8fe2220d1b7af5674a43c5b8607
SHA1 667fa2631d30caec4305c7d1c091f769370e3470
SHA256 1ce0cf41d0a334e974c9d16361376d92b0542646de91c2a3e30ca7a646e4e49a
SHA512 6c7ceca1cdf837abd14970a369c358367b566f3e5fbf6388b22d7cd0dce05ac4c00ce572afc0b4177ca4d5399a9ed2eaeda331b991f185fee7a724314e742244

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 3dc19bc738c61779a5dd25c88938fd33
SHA1 154251131b9c3bbae13c8a9eb9ccd9d0d3512a6d
SHA256 bf780b92bd732b4c2b76688cd39bd07e079142ff20fedcb7abed87d37e6db5da
SHA512 19728fdf247492479a6ba10aa0cd1ac7cf1c004b124f2c5db33fbc99452f3dd57ac98ea060167068885b3a5ab3fea6d97169dfe4972d345501977982d5071d59

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

MD5 873d6c39f1afddab3deb07f90856c6d1
SHA1 d8700c665cda89efa88a423acd44db8bc151d4dc
SHA256 0ef29e85b8530e5dd03d6db32e0bfef44181b6b41f6ddc4ed048be428497a2fe
SHA512 7eb0f071c36304d9185d191bd813bcabd45919b6e746c1896d9ae54287e76d155857694a4cf7e537b2bcaffd6932df760d7538db0518243011f5918b8f7fad37

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

MD5 39ae514ce5ef779054d1fdf78e0bfdd3
SHA1 96ec0f6af6bd70bee63bd077bfa13eead6a4bf37
SHA256 2ac1fd23db45711c749ae9f21aebea54720a631f598d627bd7f9ca31d08404bc
SHA512 e4d0c9d60316a6c8d7a473ad0d712cedca8b006305db5c2eb6d4488dce6f35d24c19f63327c6ff4bb61c25ee41c0828ee626fdec7f3bbcee6197adf7ee79b9c5

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

MD5 8ed4dfc3bdfeed49fe17f761cf2b2390
SHA1 9a9933597ecb11272ce49373ef934ae59b808b22
SHA256 20da68b461159b4abb91b4051f9dc53b05fd920c84852c26a4c7b2b6d9e5ad51
SHA512 19a4c5b9b3549f0694a6338f198fbaf8811aff5826256908f4ccd68854ea317386868dd4e08278f6fc4bbb9218c1adac2bb8b0a0b3c747b3628277f82c3676bb

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

MD5 3c40e692f833afe46cde1c4ccc48f581
SHA1 e32639dc37631a80e5e65c9544193dfac4e6ea0e
SHA256 7cd2b00fd75d79c4a10c2954709b03bb8d8d06ac5ddfc35731d069ba1f5c3035
SHA512 d1ac96996daea8d6decd4911510e52636210214a47d5e8b352f700906bdae11a229226cf4d4b6f0c91126e6d5c6b8f3d2931f052b2fff778cf1ed99c52e918bb

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

MD5 996a8a1285cab8ed36df1367b18ff272
SHA1 daa7fa0a63a6ad9c9ed891fb140912a4db8fc481
SHA256 f525b49b63306532415506d7b6b83c6dc8b4dc919c9704c56d32167a948a29e6
SHA512 e94a673d25c996ba495f142e8cc3a57b641899519b9fbb2499d30374b3dccaa65317f9ec101cbdb2570dc52e503e84260d86a14c96cedcc30db78cf39bda33c3

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

MD5 5d6df6edf79e6d403d1b996a53fa12b9
SHA1 0a1e07db17c6fb148fc1836514b196e268cc5cfc
SHA256 a9457b29ea5be04ba80a0963c62e8d5ecfa1218bd5eb7f2978b1f646b8ad4a3c
SHA512 46a991a4988c674f216b249a9787f78d903039d7e45a423d1f5aaf437f13be97f6871ef2db5e1b19c61d2e9410a730b25b21ec125a4203ef2346c3dbdffb9fcb

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

MD5 4f6b5ce277d7164085dfc37100a9a872
SHA1 dd6c7a00d7aec2a59c656fb19ea1af224bccd2b7
SHA256 9343747ef3ebd7ae01031fa85e043664ea90becbd7fb99908e6f818f47008173
SHA512 a27c3bd5d581f0a217db0471b1173697f8613e071813efdf6c4d0ab9a136723cdb0b710e5871e8bfafc1e4af2e92e3d19a6e74e60ee1136bc209e580c2b901bc

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

MD5 d11a37f277880320c9d1afb0fb6217f1
SHA1 818e8093db13db56437fabe2371c50419aa776d3
SHA256 eb75e5432becf46c26deba15a1c47a703b6778a895840e0a599f5589fd4e6b7f
SHA512 6e7aa963c87640d498f26cb3c4577cf98f288520e1cfaecbb895e251364bce60fe645d59bb1eff11fa9a8ba91de99653fa9a3a8f35d5266a0be67e843ea1b4d4

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

MD5 0ad1e5dc22abeaac45f0b912137c206b
SHA1 ff87a2eaa34d539ebbd9d1ebc5873c4716d970e4
SHA256 c3183f5dab0930c8508e10ec0b11521fbb615ee11751b1c3474affaf3ca1e5f7
SHA512 b5dd15091d10ebc7eec124f83baea5fee9c870af2f885675e93a16e2a6665fc7e69d31099cee6183898cdb03de415d3c8df931ae36648362d6c4e5133cd5bf69

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

MD5 992c5546ea6db4ae6394118bc28ff234
SHA1 7982a2f29284deda23c3040cd50ba340842ffa83
SHA256 ad089a7c9453ecbe25b2267c4d4915e1969b82b18d4c5cd4c92a4af4dee056c4
SHA512 c9dd88e4c7267e8490b5b3155c6848539f52ca29dca6cc4a027a754c89a64bc0083a47f55676ba65e04122d35dfc88c3ebb6613d1bffe1f52396461b66979a7c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 0c37841e2aa89a228bec5921b3594cde
SHA1 906a9d8aab8e23073310d3121e50c76957708e8d
SHA256 907e942ecbb4c3d42bd239049557f29af0c82a2ae5124226e809c85691252a2a
SHA512 86c7f6e55da141082d78886d179442093b5c26319d99b6a084d464258448f8ca19a50efef9c941ddd775d4ca202ca8c6a4fa1611ad9c7903e651aae54b5bea23

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 dca9c8e4431068991e98b75431c4c1a3
SHA1 b425bc3f77b070249cf5bb93ad542918413cc103
SHA256 0bfdf73a3b8b4ac06b456394b86f81c24d94e2e7c00db54fe07dfb404b66cf04
SHA512 61877771b9fb6c3c00de9fcf3212d469e8a25f81fbf428c58cc2283735b5b6a80b2774ccd7159e98b3ec900f3a17841e10a2b42da672d07ee53efa8505083996

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1468-10335-0x0000000005EE0000-0x0000000006234000-memory.dmp

C:\ProgramData\df.exe

MD5 39728325879572ffe56a194319f2731f
SHA1 3898a219352dd3aedc54ff924b01317107c9ce2f
SHA256 8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761
SHA512 7d80af3e2df1c02bfda76e5ada4b4ce25921418cfcd7f26434293e746968f4187f6c9cf5bbb1c7c4703117eaabdd958700f7b1cefcfa44bd11afe95ad7f1599b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 35f621229b8f3872b9b1ce7d41e21a6d
SHA1 8f8df19457b81422a9fbff9ccf159efc9217be11
SHA256 a80152974d944b71549deb23accbe276c62f32bb5c82c226b7a71e067f08957a
SHA512 6f36a190c705d2c000b64358c17ae40cc11289cea4bc82347b21deee789668603b39e425fe368e5d02f5f846446480c18286b89bddb34690e7983ce848235727

F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

memory/1468-10350-0x0000000006750000-0x000000000679C000-memory.dmp

memory/1468-10351-0x0000000070340000-0x000000007038C000-memory.dmp

memory/1468-10361-0x00000000077A0000-0x0000000007843000-memory.dmp

memory/1468-10362-0x0000000006380000-0x0000000006391000-memory.dmp

memory/1468-10363-0x00000000063C0000-0x00000000063D4000-memory.dmp