Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-deemcashjd
Target df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
SHA256 df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9
Tags
discovery execution ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9

Threat Level: Likely malicious

The file df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution ransomware

Renames multiple (7478) files with added filename extension

Renames multiple (6632) files with added filename extension

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in Program Files directory

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:55

Reported

2024-10-18 02:57

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"

Signatures

Renames multiple (7478) files with added filename extension

ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\ss.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre7\lib\jvm.hprof.txt.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\Elons_Help.txt | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\es-ES\wmpnssui.dll.mui | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00170_.GIF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01176_.WMF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107150.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.INF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\Elons_Help.txt | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02388_.WMF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4B.GIF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Wake | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02093_.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.XML | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR41F.GIF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msado25.tlb | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107724.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\Elons_Help.txt | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199429.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\DAO\Elons_Help.txt | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\AUTHOR.XSL | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0290548.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Matamoros | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099171.WMF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00343_.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\Groove Starter Template.xsn | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105414.WMF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\Elons_Help.txt | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\msadomd28.tlb | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.INF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00516L.GIF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF.Elons | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00555_.WMF | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2396 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2348 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2548 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2548 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2548 wrote to memory of 2148 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2520 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2520 wrote to memory of 2704 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 2268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 2268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 2268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1276 wrote to memory of 2268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe | C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\ss.exe
PID 536 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\ss.exe
PID 536 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\ss.exe
PID 536 wrote to memory of 2952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\ss.exe
PID 2956 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1232 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1232 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1232 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1232 wrote to memory of 2112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe

"C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe" /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\ss.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"

C:\ProgramData\ss.exe

C:\ProgramData\ss.exe

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\ss.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

Network

N/A

Files

C:\ProgramData\Elons_Help.txt

MD5 f84a71740c0c41fcc0e63ab1cc6d1750
SHA1 2e7a66a6caeac383afc8952aff89bb179ba8ba3e
SHA256 d365234eaf09459997a8ced335ef6659b7c23af70b3bd6be2e653c8d9160c8f1
SHA512 d6a5378969520be3f2f561a087de08d99e80cbe4a7c432bee7c6fa31fcb15736f5380c44a0eb447b00e0b5f95552a0f314ef23e39bb267f7812e5e8558a8243e

C:\ProgramData\ss.exe

MD5 39728325879572ffe56a194319f2731f
SHA1 3898a219352dd3aedc54ff924b01317107c9ce2f
SHA256 8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761
SHA512 7d80af3e2df1c02bfda76e5ada4b4ce25921418cfcd7f26434293e746968f4187f6c9cf5bbb1c7c4703117eaabdd958700f7b1cefcfa44bd11afe95ad7f1599b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6e7e9e61495c9fdf80d792c761e38b55
SHA1 ee06e240fcb36c6648b3d5e0ec6e6583af70b43e
SHA256 8ee030da8fbffe2b516fef68c01280ba2d73e8ecd7c87b4b2bb49640975a669c
SHA512 0ef8615fb1c0bbdf0695cde7c3f85711ce11f3c9456697536a18e3260bf923196583fda667d85a13587e27290a3ff6fb642216ec9cf30a2019ce789e54f31e06

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:55

Reported

2024-10-18 02:57

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"

Signatures

Renames multiple (6632) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\ss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre-1.8\lib\security\policy\Elons_Help.txt C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close.svg C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\id_get.svg.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\Elons_Help.txt C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\Elons_Help.txt C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\Elons_Help.txt C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\WPGIMP32.FLT.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\example_icons.png.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\ui-strings.js.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIF.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\Elons_Help.txt C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cryptix.md.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ul-oob.xrm-ms.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-selector.js C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\ui-strings.js.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\MSADDNDR.OLB C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\export.svg C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sk.txt C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.boot.tree.dat.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.ELM C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ru-ru\Elons_Help.txt C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp.Elons C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\ss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 4324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1004 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5696 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5696 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5696 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5724 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5724 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5724 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5764 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 5724 wrote to memory of 5996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5724 wrote to memory of 5996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5724 wrote to memory of 5996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1004 wrote to memory of 6044 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 6044 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 6044 N/A C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe C:\Windows\SysWOW64\cmd.exe
PID 5764 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\ss.exe
PID 5764 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\ss.exe
PID 5764 wrote to memory of 4284 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\ss.exe
PID 6044 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 6044 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 6044 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 5812 wrote to memory of 5920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5812 wrote to memory of 5920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5812 wrote to memory of 5920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4284 wrote to memory of 2236 N/A C:\ProgramData\ss.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2236 N/A C:\ProgramData\ss.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 2236 N/A C:\ProgramData\ss.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 5748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2236 wrote to memory of 5748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2236 wrote to memory of 5748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe

"C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\ss.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"

C:\ProgramData\ss.exe

C:\ProgramData\ss.exe

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Update BETA" /F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\ss.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp

Files

memory/2020-0-0x0000000004760000-0x0000000004796000-memory.dmp

memory/2020-28-0x0000000004ED0000-0x00000000054F8000-memory.dmp

C:\ProgramData\Elons_Help.txt

MD5 f84a71740c0c41fcc0e63ab1cc6d1750
SHA1 2e7a66a6caeac383afc8952aff89bb179ba8ba3e
SHA256 d365234eaf09459997a8ced335ef6659b7c23af70b3bd6be2e653c8d9160c8f1
SHA512 d6a5378969520be3f2f561a087de08d99e80cbe4a7c432bee7c6fa31fcb15736f5380c44a0eb447b00e0b5f95552a0f314ef23e39bb267f7812e5e8558a8243e

memory/2020-121-0x0000000004E10000-0x0000000004E32000-memory.dmp

memory/2020-144-0x0000000005600000-0x0000000005666000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvrlsb4e.irb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2020-151-0x0000000005670000-0x00000000056D6000-memory.dmp

memory/2020-245-0x00000000056E0000-0x0000000005A34000-memory.dmp

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

MD5 cb5fcf0d3f2f4d191bb4818d42b9e6ae
SHA1 e2031e661b05dd88792025f40c72a70f073c689d
SHA256 9dd4ddaee175aa94d7c50785c19b482e8ed26df658bedd508b00bf23a134dea4
SHA512 bd16fecbee3726764b6aa98087d91f78b1164e9363a32387a7578d5bd68ad72928e4060ac023aeae915a5bb873831d9fdd2ea94553a039d64a45a1af0344dd91

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

MD5 6941f96bba62374cc68c5c8e3f25a270
SHA1 7584069ef9dec61aebce83c3b01e2a39b8264ec3
SHA256 c8fa03177f4aa7244bd6d28a48b706b7982c921e0dd6c0bd8df16b052bc6bc8e
SHA512 26c5ce44dd53a94dc7dae7deb58d6b9bb4d3490462b8bedc1f34d1f52f3a5bde1d7faa20aee761b89878f35de11a4cde1cab6098347caa5d357c626af81550e1

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 07d6b32f82b0579ffc641c762ccbe92b
SHA1 93a1fe918d971818d5c03b82633040b10c34410a
SHA256 b557881e47d98ed313b3e5d5112d1c5ba94f3f7c5757ae86b5e280c78ba2420b
SHA512 ed09afbb805217a7442e06bd334ee97eca128b1de0fab1f299a8553748fab04c164236570234f60ee131d4eb6950de147c6f9e53e2f5bd044ce7f8d2b9cca560

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 a6aa12841e36bcfa6e78876cf8f52e77
SHA1 2aee545c5bdf830fcbee78d35cde7bcd1eeb9296
SHA256 48b47d1bf550cdb108b109f19f846cb963f41df1ef3f69ab5cd4f68db264a2b7
SHA512 c99c48d7faf8ef58cfa75c30e673726966c744a41c298970e5e1784415d1c180b3872988594341a09536db78a446e716906f5f4c7a5036b2479fe61f2b8919fa

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 4fccde9d1a84895cb0fce6eba8c649a5
SHA1 5e5e14baab5663ceb8ec22a3ce3bcec70251c845
SHA256 199c2976110bccaec70493aebeb93eef00857e80f725a2ce8f386418de0c14c3
SHA512 7f85d3ef02fd17910f8c3304c03eb341ca5d470edecef41dbc30dbbd99868df5b20e98228b0be172d58441fd378b4c75e37a62a63c2da124cee8f960049d69d1

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 b6acf3ae32272dfb0141b58a16467590
SHA1 01ca3783e546faf5fb67a5170e3da1594a405491
SHA256 b52dc4bbc7779c167ad46ad3a27bfb19d6c1e383f365b4a5a63ddd6b71a4e364
SHA512 bfb212546b69708f974709bb330801ea53d015bf9ffd0a6e10e6b980d6c27297203f461b986703aa55c9c67dca7231214a984dbb2af7011347f82c90299a3c6c

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 79d064c89f2711c68e6a6893ba37ef6e
SHA1 6d2f2a3778349d7b30a9d43d85264dcd4e53f06b
SHA256 d2c3af675fb1283c96508af0fb5c1a7a58ac5f3fe063fecf50239bec9d459d7a
SHA512 2e9cfe80040cefdcb521dac4bd557ee93994ad445a11cae80abf3887a5fae3da5f16a55b8f73ac1c89b89729ab141990f9ec6b2b655ca6ef08fdc960cf11639d

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 6a66daaafd3e9eabf60a25507a48bc62
SHA1 ade9aa24e9c64363efdc45183ddce17352017e4b
SHA256 b835ee6a0daa224c6d1f8c6928e147e5859c38077fdb8a8e9e182f3fd5fc436c
SHA512 98c12562b745b44928c11602bb03383043b2c6b9b365b38e532c5cc423d2af48eb74f8852319ce7ed3b944a71ac3f7d1b016d5901d43fd2ccba3321085d72ab7

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 9e1c20b2a5d56c242c4e551b8950d5d5
SHA1 5a1cb7681f4ba2b1466b53b9f12bab0bd7199d60
SHA256 3d58ed7e70344652599521160f653a8cdddb84d927149a20ec565c7e23d7c73b
SHA512 79c8971a05896cb2ce9747c96c19a76b77576a93cca28a4054a0cd8bbd93a344fb4805e67f0c3a03cafdabcb3a6920e3e04a8f20b947248bb058b76c1caa9582

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 5720494d259c25bb32d390bd55c1721b
SHA1 a0e65017e216c77b35f8c25ad5786dd776630ae4
SHA256 7e5a7dd58de0f16e7ae354c185654690b6677fedfd79fd4e8c11f064ee3d92e0
SHA512 0fdc1a33080a16980e3dc5168b28de3e9dcd89b627474756d3b1e7e828b1761409228a39ecf3de493fd74f151e464ec50845db039919707452a0fcaf5da3b8db

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 086a330b90a5ecdad2fdafb27f1564e7
SHA1 5f4bb121ecbebae6174cf7567e1df8d34c1fb473
SHA256 d50251c5dc318016eb1a65f4e901e518f5aeabf93e2fc43a14dfde236db67dd4
SHA512 a2b46105e00dada03c9f69b52c487b1a63ee591b459e33115d5a542193c60c645d2c2ccfa016ba8e8f6e224c3e5298e6475124ae946931b93b9f416f6cc4e51c

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 4a7c5513395546d36d964dd2e780cb1a
SHA1 ac71b4aa6606f724e20b31b3ae58d30a4a11975a
SHA256 b71e728784d331a3d2fdf6830304f05d110b997951b69106ce9370d2305ac063
SHA512 4dc594eee58b2ace43f511e1a94e77d00fb10b2ffe5608959d574515e09066b93c61b4bde02233a916932414d78e1651ecf41d6be2fb995e87a49456dd0e8a3a

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 664b776a1b36b5c08f7f758ef02fd639
SHA1 711e83a42a8a560f84b775d0a8ba3811a810965d
SHA256 5dae2c5aa8d1f3dd17e6200adbd8a23410d3bfdea513dd2cb3ea2a2f81d7e81b
SHA512 df7722662565998cb9cb73e13e2a2d4bb911fe1f4784d4686a5470dbb0b8705b581ebfd0da4dee9e2a5ade4c186e4040e67ba572797e524d6ac7e039a9788e0d

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 290cd1ce9c87df3014631b30850986f3
SHA1 5d6dbe87ff02b49e85bf74452d2e3a83b9368983
SHA256 d6a171a78d70fa044ceee4523eca8d6ce355df68efdda71a2a6765654fd8b405
SHA512 bcfb35ad9b404048d75ad174ca0641dc6e0e1bb9daca7f5bca466e14ce9027dad991e208e1aca9ab193bb27fa9d1e8070e3395c9d4ee808f01dd57b710977fa4

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 02ab1a81b3b7038b30c7bc59f9c74f45
SHA1 f915d29fc86cc5a7ff879793c02b6a9d52f66245
SHA256 54f5a9b9700bc9d13df8508306be4e39022c5686c92a741c4924cfe03bcd0379
SHA512 729aa9aba7d7d6d1b5bba500377586cd8a1579849e079adc9640f3ea6eb8895b4c68d7532dab9c7434b2395fa77e90d5b33a79c5306d343df8048a2294f5b62d

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 f28b7d5a31d53975fd4f492211f94bd9
SHA1 d0c5717bb4b7d5725f1e22570aabdcef887f7219
SHA256 4a0fd8144798d56fdf65b2ee70d1ecaf0e67208a26497f2e8b3563a7b45c6387
SHA512 7068b7c5564cc649dac4d47edd867e8f07df783dd38f77ea1b3033e97c6a87b6091d67d01302ea806f83545577deca735dfa7f8f6f85e2e7cded02b0c23d8a37

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 92ffb2c6be03a8bea85af57994caf0f5
SHA1 38b158bd9cebee741fac867b5ce1e82771edb356
SHA256 2e9eb8958227ad400d5469cf1f580ec37e2b957f091b76ab112c2786fe5f5ef3
SHA512 7d56f09ae1fa6bd0439942e7704bfec3a76b221aaee81aaf2b110cbefa87d53d8c86619acf731e9f6302aa7ed7a8db22ba21c93fca1ccccf61cb6a515cae3fcb

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 dbc3af08976f1fa72865a367712a5eae
SHA1 da39101c027090399c5ecbb633828a366cdb1cc6
SHA256 1c6b771edd809148eff7188963beced7175b239e8eac01ca0f7b6df40b1830f0
SHA512 03272ac5080235a102bba1978a55bb69524e58b4ebc1f57b7d51b85f19ed12af54f4a29283d5f54b139f10f9fc2317ff302efbddfbb0cdcf7c2c7cea3cdd25f0

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 7ecadea3950ff0f17fc71ca968cb2459
SHA1 957791708306f1b608b2bcd36f14661621f13215
SHA256 525414451c093ad5d597fa13fa294f4e6d232117e31c2f0c1d8081fb030547b1
SHA512 e40920fc94d56bfcf0fd8afcc735f255ee080a00ee7560270d1132ec50e7cc775299ee78edb3d930a315dd8fc3c51db690b61b1f386b2035abc10e76d5b12b0a

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 eb5466b80a7fcef056101d49b4106292
SHA1 087b854b1669b8f40486866d6b6c068953959973
SHA256 d15fed911d98bc8e9a2067d39a846a55b8744189948801399470cc00ebf9734d
SHA512 c92265fc8ac6217c3275ab416fa47a7ef61b4ffff1b49730f2b3c3550f012334101a0a0b7b443f135b405900e63ae96e82d09dc84451ceef8c675faea0af75b9

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 17a88459b5bf4dd62770a52250b93e4e
SHA1 9503f15b03238379be71c1e819483c6cb3931660
SHA256 2f595f36f86c37bc2fa64f5111c2f943996465ab418329cf3e5ffd1397197c8e
SHA512 903dbb386e5c9c8ee663b652ae0131fa1a4981e9c115b516c1c730022d9afa75137a62b0921b248d8c6527ef408b96ae0b1782433da6575f83987f219acf37ab

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 5dcc305d19ce86d81391da191dd13fd8
SHA1 08bb5703f5daa1b6d6deea46a357092e8b59c24a
SHA256 3ca3346f3065418117335cb500e85ba3e581e3a3b8dddef8864a7f8013f8a234
SHA512 5fc53cc3c66a68a46bd1fa02a37131c237d2f0385ef8bd308d4233a032a9ed9226bbded10eee9b2efd7f44c298d85e8c6352ed20cb2dbcb721984924edde8570

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 4cc8c6f051d136213dcf08410330c62c
SHA1 fd611bff450d168f0a17f3e8c28b31dab352819b
SHA256 bbb66d4cc853b5450ba385b1d50e08fb9802357853e70b0a3b7a98ba71a7840d
SHA512 ed9806024f23122a6ffde669a9df767440c21065d9462a3e1337e135a5beb3cfd63d3453ac5e01bf28973ac7b03502b69132099ad2b62dea2b3dace2c8efba20

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 d8bb67683ebb158e014a8f3f64720933
SHA1 82d7606b5aadad5e8bf015ab547f3016119b5ff1
SHA256 e9279a12d05dbbd8647d81c4250126b5c0922cdf561aeca895b1c6bef9eeaa06
SHA512 a977644303671bfa1da3b9fe8bddd7407fe8e112f4435e41a53907372782eb8aa18bc7f6f93cf017522600ffad38228663cde65480dd4af36fef3895f31b1d9f

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 e7bee8383a2a67a51d5c0ecfd906d04d
SHA1 e53d09fbde33cb69591255e24324bac2cba5bb1e
SHA256 88182de378bb68dc1ca18aa5bfa02142b4a7039601fa1efbda81f7b4f9100226
SHA512 3328f9d06338801dfdfa9a99619de36831d98da74bee4ebadc43775b412fc0b169a63fed4c44fce4e63c3e83fce191b31733fa7829bf63e3e302d9d7657d3def

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 8bf443c38d9c760591b544a7e73980c7
SHA1 9e4a2159f902adb511d48e8c33b79912601b965f
SHA256 a81d671fe3c66e306f6d4d58534a79e2d5fd6cd79ce29b8c619843e75eef9c6a
SHA512 ffdce633cf5be492eda03228076a3b730b6d970023f10116d4bd89ea8d437f7f4921dcd32201ade8927fc0a146b60aa9a6f9c818f7be179fb92cb7606438d917

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 bca40791b014b25a6e53eb9f7ce32273
SHA1 9b72f079049d61f11021cea13db1a87b3e453e9c
SHA256 a905d414f058073e5f1013b06bd407b1a9e4e3015c649d92f56fc7ce5e0aad21
SHA512 610cbaa58033fb9beea4bd4d92e882818836c69105cbc994d9ceb0d368ba12cd59acfae5de643639756a2817756e858d62f93900253df56a4907ad0f7ff6da00

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 4b8502a3d638737748e6dbc57ec838d7
SHA1 e2089033fa38ca43a4cc485a6d86052e98ba4e62
SHA256 a896f6b590a70d3ce5dc787aee972f18273ac7c8c1b13d5546204035cbc39303
SHA512 67e2dadd6c206bb18a69f171f56cfcf6b772d47ebc018f2bd824f1aa0f456496e2269b1fb285abeb2e16935a46a0ab7879385e1e8f0d2e49afed2d1d3c6fde12

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 7c9db956a57b487e4b5bfd105fa45aba
SHA1 d2aee6604edad5628524c500514441644e7ef265
SHA256 85637a5fd2a2a5194e535fb1cf8b3826d146ea4b6a10e66af244cc5abff82785
SHA512 edf21473781d773d09100f7b58e77e0eba166106bf1ee2005c351c35b34ee2b4ed2b23a3b4450647b90f8b15a5738a85f5b933f5af5dd2d7e0c2873a4af1a004

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 3ea09003ed1376941bf6990715ae189a
SHA1 881152e0962602ba5e5e91b130b4fddead6a4225