Malware Analysis Report

2024-10-24 18:21

Sample ID 241018-dez82sshmc
Target e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe
SHA256 e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c
Tags
discovery persistence ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c

Threat Level: Known bad

The file e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware spyware stealer

Renames multiple (7857) files with added filename extension

Renames multiple (7700) files with added filename extension

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Modifies WinLogon

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Runs ping.exe

Modifies registry class

Modifies Control Panel

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-18 02:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:56

Reported

2024-10-18 02:58

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe"

Signatures

Renames multiple (7700) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\ProgramData\LPW8.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\LPW8.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Phalcon Ransomware" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\nAll your files are stolen and encrypted\r\nFind PHALCON_RECOVER.txt file\r\nand follow instructions" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\LLKTP.bmp" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\LLKTP.bmp" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\msado20.tlb C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-150.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-20_contrast-white.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\MediumTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\officons.ttf C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Paint_PDP.xml C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\SetupTeardown.Tests.ps1.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-30.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\GlowInTheDark.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\import_google_contacts\googleImportError.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_opencarat_18.svg.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMB.TTF C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\[email protected] C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\ui-strings.js C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_ES.LEX C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\PHALCON_RECOVER.txt C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js.Phalcon C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\LPW8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1244 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 5920 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\LPW8.tmp
PID 1244 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe C:\Windows\SysWOW64\cmd.exe
PID 3320 wrote to memory of 5508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5920 wrote to memory of 3604 N/A C:\ProgramData\LPW8.tmp C:\Windows\SysWOW64\cmd.exe
PID 3604 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe

"C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe" /F

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe" /F

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW8.tmp"

C:\ProgramData\LPW8.tmp

C:\ProgramData\LPW8.tmp

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW8.tmp"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\ProgramData\PHALCON_RECOVER.txt

C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml

C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui

C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui

C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui

C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui

C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui

C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui

C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui

C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui

C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui

C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui

C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui

C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui

C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui

C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui

C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui

C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui

C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui

C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui

C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui

C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui

C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 cd466d31fa52a1ea65b5cc411b5fbc4c
SHA1 280b006dac8db9a61e8ff76a2cd5d2f1f418d77a
SHA256 eb535fc98539bd219f4edb611f2f4beea31274eed196bf4b5e64c7e885e7a70c
SHA512 79015af395fac76d7396c996c0d3945c898c2af44a145870fdea8df182756f3db9d07926543063bb36ee0ab945cff4f4ab964a32c342bc0f75683061fce1ef94

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 eb0fda2f7939059909bb04ad756f80d1
SHA1 c49c43a3e00f34bce264a403f02c9499cc5f5b64
SHA256 65504f415b5f333250f6c2ef8d6ab298da9a777b70616983e683132ee7431b2b
SHA512 f29a9829c4be04fbdb5e5ee69ea482138821a1b294deaaa91d3794b9a21cf65711f331ae700cd5ed3a8ce3af17ccc1029b96ddf1d767d7468056f03fdc3f0f46

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 6215e56b380289e2a01774cfbef8a945
SHA1 4bb4a32bceacf4c97ea0e24ad923444bd8ae4b22
SHA256 c8ff48a2eb3b23b85d3a0f43121b0a05e1917ab5c8b7250d5c2d5ad98dc80c21
SHA512 3fba062c411efe093374da16d7826edac973b90332f3d413d6f950e5c24d0cd842e1241844d13efa9714e3304fd652a9a52cc9c750e97e1f7639acdb72a204fb

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 849c7b81d037e0f3526712ff9071e062
SHA1 fa6cebae83942951edc4f979a7c300a1c817a2c7
SHA256 9c63e6e6150ec31593dd55da06673ce559f473c632e6438fcf71bff549ce1d2e
SHA512 c794db69b26468cdaaa51aa0ea1abb27987d0df7d2c5ae148821307526d3b2bfee65f4a3f9d2dc1846c84c81ac8aebe915a6c5ee53ea9e5a5fafebde90df27e7

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 811f1874a824cee38938a683a9c55b66
SHA1 d2d92e0f8490c1cf0fdd2b911a3dd94b07126e09
SHA256 aea6f82be9661e3a2a4b400bf4396fe1eb5f3aee14494658c2575d1d17eea1f9
SHA512 084fbfcb0a83e0963b18ab1852de984684111259219374c2086d48c52bfee94c36530e1d41c72921b5c13e774f0e4b6c9c306690f7493ec2704eedc95182ff35

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 c85a7bea8942c76fd4644bfdca46cfb1
SHA1 ae7a2637506d46b7897f2c9a086ea4cc0c706d59
SHA256 4359958fedafc7625590b7fc4837308452275ef7a27df8b21e78f8bb08734cf8
SHA512 05487109c576568d6cf3060bae6f3fedecef339182369ef60988418c157310abc2cc768fe6b6a27b7f390efeeffebf24c4e2e3f2cb111d64e5873468fa31599d

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 4ffc36a5ed5e3c2ac160952297ded90b
SHA1 7e5edd745b7da67027a373a0f3e1948745fb1131
SHA256 17e11ff22ddc898eb1d1b09a655421e275c9eb9fdf84e4b714a03bfad8c0c24b
SHA512 d7867be50cb5a961d14e3106f06018b1dc986ebeb372d40c40e934f7aee46cf941169cccc4ce6c6324979ab4daf6371dd94c285646254694355f46863a624731

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 ace2a04283cf42234581ec8c38238cff
SHA1 c163aaad8e40794ea640f7caab2ba7f7eb74b9c3
SHA256 c0e834e0ef6e9977b2d94f24904a987242e2a8652c34a0766d8c0189986bae3b
SHA512 7354c265ca3da2a02bca71e1394041c7f2d4007095e0305dc6c0d8744183b61b8a9d1d6c52665f39cf0eb4f726c7e3cd112cf160c5379ca313719e5623e1ea36

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 8c5a37ed89716e11b99316eb08f9c525
SHA1 75b09ba64c171bab2075d9a71d5ebe432ca91e30
SHA256 f015c0b2581b304f839ea05d78530a40b3c63254dd60ca9ccd36228e700d4598
SHA512 f8534933f7835e0886774c5b7aa4402c9245f15977c19b4a51279914aff03b952b43faf52d90dce622351f270e5742e3944df2b41cce1f05d2dfe4bc19658b62

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 8956781cce71f292dba7af608eb76ee8
SHA1 c14fecb8fe3ae5ee9aea938a5a08f536e07d1781
SHA256 c6dad8a86411f41765f9b5d6eb56067f3179901e2b39f803fe65e160dc8047ed
SHA512 2a173bb35d35502f2ff138582c25fa0ba72eeaa1060112df8d99cca4492e9eb1628875224da9c681bcfdac478cf92a13976e8e3617c339727581c4b7bf7c479c

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 9a6095729a46f043f96d0f93a01f5dbd
SHA1 37358f87c1f573ff9ee956b6305dfb59d896c4e4
SHA256 de4f458bc63e0aef5f03d162c8d3dce72f1df48eccb4d6efb8d6c469dda0d6ac
SHA512 923d3c7944c3e87728a3e9ed6286cc5aec76e93d2fcf4d5e0a213b2fe54eca719655d1100d71b89ef231f947f02c5865bf652cd7485d98167e1a83af3675013d

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 046c8bacab39b36a71e395ff82bbd2b8
SHA1 651ae4a3bb24ca781ea3fa2943fc5fb680ea1602
SHA256 6c15a222e9a1832b1412faa473ea268d9c18880baa3993772c45f13a3fbeeeaa
SHA512 56ab9ddfe85dcae996af1a081bfcaf120620e7436c5a7eea51aeabcb8ce931bf9a30c2c37aa9f0f24a8cf13cb12aae3536df3863525e309f1e539f368f587d25

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 7cab3cf568ce44cb3551420d433c015f
SHA1 26175b1c1c02bfcb87d0c7431d51eed1420c9373
SHA256 0181dcdd016f6ba25a89d7846a379354e4140bdb27a5625f13872b7d7e2d127f
SHA512 3f02559c20c830ea2cfe2346ba5b23ff77b8e6e767bc03e866e4dd5e4bbaf1175bfc741e2a912ceb920d1addfac57e47f17257f3c972b58ce40c3c9097dcbeb2

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 116af120860b155e2bbb30d8b64fdaee
SHA1 1e227a2a74d0759401e3ef685411e63596580eef
SHA256 6394855ec670d3475bc159a7c0d4fe53efe212940504b9eb9f1bf5dac8437342
SHA512 f10109e81435101fb24d4a621bf20f19128a519980779eb46f6e20951856cb3a83b6e6e87b999fd1205bcbb74c4d17f4bc7aae2203ffa70f2c2ead35f58232f5

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 63e94f1dfece3469cbd6559b0d3be97f
SHA1 248cf68afe7d681bc56e2c19cc5a09be40202886
SHA256 58b431ca80811ae62a76244e078c38693d44f540d87ba768882fce12c883ed33
SHA512 389f1d2163bf33d9ca7c86e1c6eb3430e68d20664c7fc3362ca7b25ffc76549fab8c03cb2e5a03d3cb5b7012c37c950f27d748c77a788d640c0e68ab9047dc03

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 2e5ca735b7663ba913535cf27f2713a8
SHA1 77fb484ff0c09badac3f95910d7ddf46e67f8a19
SHA256 1a4eb402423dcfc4411c117bc2704208f7d9c63b9cc14aa8ea85ab22c3f2cf94
SHA512 91099f8023f281271962885597fa24b8e7c8c36e9f2d11bb86dbc9daba9b5fbd5649d54d22ae95379a809888fb4f2a50f723351d44c96609613480b1b7327069

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 a7e8cd207ce7db5e321d0d44e68d4ebd
SHA1 4fc23f5c327be6de3667beaf76c3f08396f2ada1
SHA256 abe39e0b44256f300c244b46ac2c255ac54566cc923a6c050bfcf127d74e04dd
SHA512 40371d5f5a296a8f74c1e8846b27ecfd390c5591d0cb63cd78f6265ca8b72e32febdfd1dce91560e3313e1940a723837e4a44eef0349302289e346af104b18b4

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 d91bb8ca7e40b74a244fe44282aabad8
SHA1 cb4d6f7fea49364e78c337656a9cc0831e05947f
SHA256 b94a3577f03e6f77c4afc3f975ae2424952396f2a665ee27b57d5eaa355b6a95
SHA512 598e8e11e3eee382908873d9666185c836b8d87cb6a00dc2fce0ca6ced3fa5081892dcf967645297ada0b52f30820eefd216786bdd5ac8cc571f5ed8bbd760c8

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 c8378efac90e6e092c85908da4d52fe6
SHA1 4ba27d50ee601bb8c55692e59eba2dac45fe1cdd
SHA256 15ccbae36864fe615429f8bce49f860f4699ff0dbdadba7ea7a9606438afd280
SHA512 274364e64f163c7665aab5639133a9a0127178e4fa745adcd279a11ae92a29c9fe03de17c57744c2c335f9621ad7a81365e56b91356eda2428924d5f3581da62

C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 962e4971a42056fef88012e1a4d4e391
SHA1 9d9c8fbf17a2ef8e28f0496a08fa959189898826
SHA256 4cef88e21fd12ed0665bb01f963803e594de8a57daaa81920581563beb2b6830
SHA512 5e8a7aca6c79ba89a3f4d0103f61ec5fba0a164fd53f118e1269aa5761a0cad85d365e1e24eaa8d1adb4d67cfb0f69fcd0833df662d38d6db13e0505135b21f2

C:\Program Files (x86)\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 938984b94cf82863f8c23e875846522c
SHA1 ffb72258b5253d48452ec194035536f70bfe8058
SHA256 52b5918c7d31cd1b76676a95472bc7785602a82e586db8194dc11da6f19f70da
SHA512 2dc35aeadfaaa2733090cc7d8eb5c32bfe957a0075d94e5b3244b711a8250daf2386242f501c3f982ec3a5e21ad7269768b34a0b19d7dae3f44cd1a11b88dd8f

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 782195c9c56aed03547e108297c324b4
SHA1 aceee0d3eefbec3c94ed84e9737bdbfc97d6d609
SHA256 50ed9e582aa20f2e0b2d497e2d071b42894423837b713a4f17112b10fbc5762b
SHA512 7ac35529406a0d21c7c79fad92484456ed9a1effb8c5347362c630b85b207257e644f78c8b1d4400acb798d705ff8a03e72b9260b15abb8cc5bf91fd72686148

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 8efe002e81c489bf21ce52f90e224403
SHA1 d163d5d46f66e042983da6f0abe31e6add82a8aa
SHA256 ea867aa17a10deba1013461400ebef5cb7048e11060a33074130c48276e41f90
SHA512 7b4a13aa5ba1a564fa46de02f56fb28b569cd268f97de65098e2bb923518efbf86e79a9cd4b8ede2cbd667495ec8f625f29f43e4271a85ff6be6197dd9168a40

C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 9231329378cbcd9e8bc91742140ed09f
SHA1 5e937b8339db043365473ffadac9e5fe570ab21d
SHA256 544fe2cc4f0aa540d140fe9c35160248d8008b2db8aeced6aba19ffd4570cb65
SHA512 aeb082f14779ce6973f6904eead2bee0ebc4c797e84b3475a071db6b3b39fb420945dbcc2b249726323cbd9ea89836c549673a9226b857ee13a8fcfa82a94f40

C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 7e2b11bd0c5a0181b4beb45479f16d3f
SHA1 0f0454f7ab22f5f3345fa0424af95be06ac78865
SHA256 b6300b81a69dccceabee661165dffd43e010267c20a12dc52d51e05d72f11a3d
SHA512 17204411d51cfabcea52bc48a8a46e706c68f11102ecef9352e5dc491ef28347654ada9cc5efd07f34bc5a0e448f5f87562a33534ac1d63a6a9b951d7fb8edb1

C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 c6460563bf196e6f011640b20106e55f
SHA1 8eb7b9388bf867700aa4c09931b17a297d6af1cc
SHA256 2d7e55ec755034a9fff53304344c579ec270f48165fc09a51654ebfaaa6dbde3
SHA512 2fee3423a936d1a76b7f262d0a22642d9e641225e4d90905df0b5db78dafc1ffdc24c50c04c92e45b45697d1d57a79311ecc387134dfd19e08e33e943e2e5f0a

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 92790a58c992832226b4b246837c8e98
SHA1 899a4fde4ed16ff16cc169be468e58e8e712c9de
SHA256 9553ebb07e3b92cb1d142f4a9de7137b8f32f3c3ab9cc791be674fc01edb2a77
SHA512 85236eaea818fbc18ff68f3259591c25df6c389eb8808415aef9c0f0a5279de7110961da8097d7b97f45c0e01ff02a8e7dd99ced58bb608037f555d5a0766819

C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 f8effb9854a875283b0d014a8299a4f3
SHA1 2f2bbf64bc7ec8d80222a43aaeb3700d4960903f
SHA256 cef7253c53df4b3aca6766d4477b0823b65b1e95bde79a41bd030308124b4b0b
SHA512 39c2e18c864f64389f1a0e38751ed0ac0cc82f63115a832abafd8bdde401780634e19f5f47459eaa07b3afa913e5c57d44d8f695de8d54ffc38d05b4b061bbb8

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 4abd11c3007edc1fff4c7d0499561cd7
SHA1 4d472794279e714ad519b1d0bcbe8e4a761e6274
SHA256 897eda95059b2f4ddf598735e3a7fb95b5c99e745b013137ca10330900bdfed8
SHA512 0e6709edcf32c9d8034d155726803103ccc084720f45cf40ff63c8b43dce7e118161a506211fe5e29a8795a4cbbb02b0ab867f75e91b395a30f480c761d9ae68

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 eec49e40df8e4fa6fb39dbd5ca12176a
SHA1 c22acdf550dd8decc3d30afc95e0fbdef4176e9b
SHA256 fdc3110bc940902ff45de8d7fa103e1e6eb3d74af920802161e085aaff247c6d
SHA512 20b900560c8375c081a99ad212d225c38a44d35d412359c17bae55a5d7e3580c841c893faa14f042841b25d1bc4c09dfe3bbb36cbee764b4e25aba2dc79b9c6a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.MSHWLatin.txt

MD5 b30ccec336841efb29237040bd16848d
SHA1 deed5e029bb2e4da43898d29507e925c4b5d3f36
SHA256 680e17a69b00f125f04e7245b46f35fc30ebe822ff4a5750c1a6da86064eb55b
SHA512 f9a172767187223ccd09be83b237f1cbcd0af5a3b1dfb6497605ec6fc99141cccb5c8561b393d153d5447bec23d3a00a2686353a6a53fb548a298b03ad524702

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 dcade70c13586fa6ce709c34c82194a8
SHA1 177420d6ad0dc5b11718a41c99c54847c3e7bae6
SHA256 d06a42cae90cf090e75e111780f544c959bb4bb39912f76b179075a6de4bb95d
SHA512 68a876a604a8e9af330a0cf8b034801a8a280fe0b441fb70eca1e399fa2e2f2dcf95b9b42375100a8326b17dcaa11a17e148fdc488e52afe5b39a903a2c13f5c

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 75571aced46caf94b5a9d97c4cc5d870
SHA1 66ae56d1353115e59ccd424c865fd28e7f566a26
SHA256 ae2f90988682f8ee2e225215a71e209b288b3712ba65307d2c0118ee5aac6aab
SHA512 d5482b172030952149420c54fd40e44aa5c830b9dfff7bf9f944c8d4c277fb5c878d67c66efafdd6950967ede2dba744b413e51c81805e2952c80fd635cc4563

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 f2beb97f36a11f074cc6a03f896ce726
SHA1 eadeed496f8884e42d63d8cd6a06606813d3f830
SHA256 cb1b798cb1bd929948b87595505c8267ab286469dbd00abdaf1a96bf275b8415
SHA512 bca8566c38e3b3f8b8c24287939e27eaa54e3f4b9827b22fd62a909cad8e9ffbc7e8f0557b0a26fe5f24479f2f4ab3976fabb78500c6b01a7baa8f8df9d28df3

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 097932b7c1f3f5ee0d82fba8d2281b2f
SHA1 5010c84576937915e2f1194cb837c64160edaade
SHA256 41be5f1947fb621507acd69703ba1ffcf8bfaeacdc4ea34faafd84b9e9aab24c
SHA512 ac8bc5ec7ee3b730b180fbf3bfa897aa65d25409b49bb770a72d99c1fc3919826b52be4052615043d5bbc4a56a029f2c2920d55c70265c8768926ebccd0c1193

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 e0c4114a5c6ffb6aaba665d0a48227de
SHA1 8375a78cfd10da3b2179a70c4b2bde95afd43aa4
SHA256 8aa603ac7255c970c063d7cffacb04a3b9092412e897a197c4f69f4c4f3e622f
SHA512 e2e6c321203d3de84c8466608b27ae582d73a4f412ae179f17ff21e956b6c14204b8eedff6d2177f5677e1416b7fa20b7c0738fbbf715a4a7ceab7ba05b3cd4d

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 c870dbd329619f948b377457a52c7ea3
SHA1 550eda22582c83a121f7a2b0c7a6b96a03dae108
SHA256 3e80d6b690cf635cd21c638819efbb4c3d657c92c803fb92999d3cc20c5490d2
SHA512 349fdeae45d7b5bb6aacc579b168aa3f7e0de70e66b690d15a3ea85be9175778260b0b08b25ffd8cc7aac470c30f7abfe44bc0e89256940e6613c894e8ceda8b

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 9d96d1d61b67fcfcc643e8cc0c8e4187
SHA1 bf762e9ca5ed1e709b0ef1e280f4f1868124c09c
SHA256 985ee3dc7457fda9b32160dbecade259b74278290b76fcf97a89ba315df8030c
SHA512 9299d2ccbe4c0ad4502411df34936534de0012ec2016c9d1e7d3c4c764c27b3e5f2bbd490c6c423097aeb5d5fa6ecd3382efd4ceeff5bec7321416b9432b2a0b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 2585b88b29ba8337b33e5996c758258d
SHA1 6371d8577a249745a2e2dc14215d4b4b9cccece6
SHA256 4e35feec6f0f2d311d0cbb64a14ac7fb8d5696504294a27ce29231223af04b2e
SHA512 13ff81a948bb5d81cef44d07eaa33239c8ec2a3f0133b5971732436419b9626058d9f3ee679be8b1d7cdce14f96b56dcd8824cff28901821aef3ca80b7affc33

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 612c36d97dd1872b0e47e7750f7c2074
SHA1 74412c4a99ebba5bae48ab1bcbe8f0b66ae269f9
SHA256 2a9c5027566d1a356d8f71d113c80dd52601b97829b2e995610f91f1c8f0d608
SHA512 e0328f5bab7c2467f3d55b1f9348a0d73a48c76c42f3571e41bdf4e3c999fc607866b33cba9750a386c1acf728a2e8d2a9a4e23164556a4a25c493da3d6dc133

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 d7f99cbeadf98535d25724c9ae6fa51e
SHA1 173934b3e156134907b39aa86a19be1b96e41b3f
SHA256 c1918f17e58239d8f8879dd885e733b65e32977abd383409e6e4fd56ab8dc2f9
SHA512 2339e48d0221131f4dbf47df8b716e70f0f2c80170e3399fd2fc58a7139a741a7ebeed4a012db05553bc39681ea16cf359dc2fc9e295abf0afbb9b94d761587e

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 d6b0946f668cf668ccbf8676c90750c0
SHA1 714256fc14637d42fcb62c7b9aec78f239ee8180
SHA256 dbcb2ecd2bd356850b3c57be9cce64fc6369a3ae30eb86e41dd2ddb327289465
SHA512 51e3b9ba063631e76927ec4023a4b1c6f23c5f8a724bc38389a8596f5474d9bba649cba6efb5c09cd9b1401c71bfe6cfc372bec81d6b3497c09231a4e31b1fbd

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 0a2af690f8f87cef453c17b590ff6adb
SHA1 b9d27207aa151efa14cb64340e7e62d4a338fef7
SHA256 5202ee4818a089ded5dc9a55939ef7c3e6f5e46b8b24077614166ee9ec90da27
SHA512 1aa422e41c233009c525a911e26d2a9b8aedd6ea4536a86a2cc2bde1e6a8f1ad451d325e8de06b50263286428de4dbf586f9da21a6840ad0d9b8bcb6819087a0

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 7e24d9bf6a270be9e27c48b05a2544f4
SHA1 79e5def5753c482cd8dcc91463d8ee5ef6dc8098
SHA256 b36b42a5c176bcf9d57385dfea3d78a049825cd3bfed4985644f4c7d17e73602
SHA512 048755911a4d6222e90ccd94776b2f3aa27fe30557e3fe11fef1919e15e30a3ff49aa2c91b499aa2673abca5453b3e2e5ccc2a33ef6aec1ab910747cff6fee21

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 7dadbfcc7cd3fea61f4170529d4abcba
SHA1 b954b2de57411d7ed87df177ab22c7e207dfbfd3
SHA256 ce103bb320e69bf1dee6ea29ecd70c2c0c23ca3f03608c1ee1fe26b6fbf0e94e
SHA512 1e477b3f41210b5d818da0ff446b144c4280f12311f41c9fd8900cc858da8cca7972c58518d761e6f0885fb8ac02aa60f633679044a18c786990dc0d84a96096

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 8d82b12f56b15dbb6dde63a99b5d2cb0
SHA1 7ecf26b33dd34a8e51c6a7d5f2e1bb8a5b35a745
SHA256 18a3d5ece39508f3b364025c34b8e52d35383380a71a0290a3f00510c1f76f8e
SHA512 1e06c7577c79539f3d24556cf5527cfde3d311318e5cc3fac6f8c16502da68a608e319a88df0ce0442f4b8498937e81f058e63d97d8ffbb34edc96eea0893408

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 a14e42763ec5efc86e2ce4d94d953d0d
SHA1 b3286f1a8f37035196c85905f2d30a5e0bf42bc9
SHA256 8f676537e626fbf8d06ff7fce0e305568e5db68e193889ca9dd869b81e505d32
SHA512 44af67e814659afe477f050bb9b350bbf00254f36d681b16911de9112b8af6b95cfd962d6be95fc8cb2c512ab81c097ebd263cce08d5e364d94fb77a171ddee6

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 fdb78260fdaa7ead88c84f9aa01e8607
SHA1 cd1757d6c753bd3ed0c578f0315a5ff57b2d561a
SHA256 e8f9b316faa9d2fd6e70b4124c6f760d2327a02e9672e4252dfa0ad878fbf55a
SHA512 9f75663105af98e0a8c5e7b6f381628706e38915261014a0a1d8223093a546fb748da68ff73dd82f5c033e248d8ce2a3c30cb74e501751b28f98552b997ed303

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 5ce3ee9cd26c1f72ccd9729cbfaede8f
SHA1 99173fb5ac5539299c7ee5788ef313c0279cf0fe
SHA256 33211699c5b357a9b6b47c51930a0167300d8c4899278f6df52fa860a029ecfb
SHA512 aa5d14d09716aeeb23c2e90d4019bc6a5029a331ac3833ea8f8c81a25eeb24a0889234ce0db85a34166c59a4c84404d0f73a66609ff34cd3154d91c551e1cb61

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 b998ccd747e1728546d15116544722fa
SHA1 ac33e575acfeec8707a10c6dbd6c565bd6620b14
SHA256 59e7e0b65fa0d87bbc40aeb6988e923e7eb81dac26b4f1f348d4a073b4419da5
SHA512 1533ef1c4c36367ebb46336ac4ffbc33e20240d5757640454be9a10bff00270eea43b79a1ded446f8b743234515e4ca1283e8aff5aad8cbbb48646f2790dd597

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 4d39ed8e8aa8988e31d3ef454ca337db
SHA1 efba11268d659900c361f32f5d9519760076d073
SHA256 00e2b31fc3f0433a66bf5c56ec7b2cdc476bafbd07eb63850c94517c78ad754b
SHA512 3e47835c91d0258a345201e5a57a64ecd00e6e7b54acbae3d294c15ca802251d8140134a3da8ee47ad66065e79dd6999dff3a6d55701b6da7dd97a09fc222643

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 eedfb5d67ad57c8579fa55cb77a62b69
SHA1 25c379b74d2025d559f1503185a8c065a223f6e1
SHA256 4d7202b4bdc7f8eba5b484f5570dc538c072adb54b7cc7bee5bbcb04f456471f
SHA512 cdd66b24c2e1eee32a87f84574780f70018ef3ffe4cbd0ef0861bfa99aff5603193d406abb48ae0c1a5397b28f11abf37d6c9d188d241ade864305b0c9e29a74

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 5124c840053bce373c58a44b73fe15d1
SHA1 7014edda0dcfef5bb208a969e6880736718f602c
SHA256 e9fced1095672b34feac28bff5a83a00d3e5225b9f02ab924bc1c5fb9d5595c1
SHA512 3aee6ce09504160c5c2707684f3c9060569f16eeeda20de4b575e96ca17a92cd4c181a66c1be2100216a2d867b4547eb2aa3ad8eef502c902888a5e144125cee

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 3c3d8db18da51e26e5daf565e43f66f0
SHA1 b59daf72cbdb67ae80c95f65959af48baba66119
SHA256 38b24940e43cdf82f7a77ecd1b06096c8db09bdc280df5ad2b01a745f1dd11d1
SHA512 1e4ffb01b8e4b597d5172cfd753f6fa7a081713f0a4c80981e19defb12876335e6947238e4d4995126f9ccfeb51ec4a1d6e058b575bea1a9ae3201490ae268f6

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 4e4b6b84bc5ac68c4ab92e22393ff574
SHA1 9d5dee9f8693d63d7c928d2c7d34e3d3199b649f
SHA256 9ea63d58fd78adf2396580ba1e05b6b1a10cf02bd347bdbe75e7a48c9ec98436
SHA512 63ca69a4422ef76c686ddb1f22d4896959b5c078aa5408ce5de4f4ab3ba327cd03a3166f3c5ac34adf23e0fff3eb979f9c46c5879613391abaf1fba5681b5c13

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 ce1b21e1d5deb0cdaea3111a2f31b385
SHA1 49eb3ede8a16338cd108731f95c74173a4af0bd7
SHA256 eaef62f7980fc48530320366f6f7eaa8792a1f5982fd6d900d0a34dd0a747ce8
SHA512 aaee4022bff84ad46c97081d4be5dbcfe405ac8f7ac0c2bbf40649f88f36e9529dfa2d7470bdd03390e492d1c9857f6dbde39f72d78fee07198061282726acfb

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 33fc96fb6e2c1debb25ad870960af1a0
SHA1 b9adeaedec2294160a370a4f2e01d0ba1c8f35b2
SHA256 866aebb84f48c7450bc1a063e4e84964c9808c0801ae4f18871fe23dc6ebb722
SHA512 04e55621df5c2b04da217a1794c563093b454c59ed7a2b911db7a793c1830a368d8e3a606119cff906ff9540d10e593cd6ee92de8395bab9c91603c7249b4976

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 03d7db21972a90c88255ec28626066b5
SHA1 995977f3eb7e979f1e5ea18d5cf6a5403def7116
SHA256 8b4264902e68f20b73eba2b2df0dfffb407df4a76ed391cbd8a264a84ad3901f
SHA512 2a3ced93c062331884c3006fb1e92bb17762626586970e2ca42bd8bf39eca5ecb4fba6220235ce13a8dfcaaefff8bafb878682323b775718f8901ac458876983

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 cc206fa7965e9374ce5ee37bb8ceaea2
SHA1 92b7e9254a940666d7cd778fe00e7d6cb4a8069e
SHA256 51d7f8d9276abefab5375f24dfb45fc16893cde1ff5d21a4931687e14cc83c75
SHA512 2760e77f660c23168bfca929f476a3d3e30eba226d5cc30b4cb97c093385c680b76194ae3fc3277c0e7e8b354062da665f55caefff0183a2d4602ec48c5c2b06

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 70b6426733828d4f0474c64e0cf38f76
SHA1 e7a17611119f90567c918487f3ebda0fec014457
SHA256 fc043ac1dc2c36972cc709466e4e874e3ebf3ea61781c40bbe859f352790f923
SHA512 a62fd22250047e452097ccab673fbccf08bc38269d1819742f8777f508c8798e26154398166b468a646ec8d919b61fb973b8de0748a6d3ec28877fd51c632d3c

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 8219e2b8895ddad774236d2257f009f8
SHA1 bf9cbbd10c027a4977f5b7c23e5b30a1700d8668
SHA256 834179a4c6e27cabbd3c8ac79d0a50bda05171f4c6cbd2b35a4a5e4a73c25932
SHA512 f02dd099866cfaf3d47aee9116b80d29b4e2c113b6aa14bbcc52069d6058308709fce3c039a2b07ff6a699dd11f3fcab74144c756d332599f2d8f31ecd763996

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 6e7cca4a075df5d40a255cd118f9cfbf
SHA1 e9f952b3be5827435d6c0589137c495dd34dbe69
SHA256 ceb3035f7ce1d81d2b369bbad42bec43cf02630375c94c9126a2626f88a42420
SHA512 0657e3ca1e0df5a25551571ef7c083c9e71b524e582c3cdef736b25fb127702790d57e5279e41e76abc405061898c739ff8ca8c0f16e195fafc4dcc8403a307f

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 1c08507beb6608a626e70fd2b4277d24
SHA1 c65aa9e85fe6fbfd7c5a544fd11b38a872ce72d3
SHA256 79af39be05ed05e73beb5eb183240da68b7b287e859e653abcdfcd8ecba8f83f
SHA512 56bbddeecbeeefd097f1d0b23084b39652dc0e65913a54c9b8e844dfd4741a23feb1b60362377d125faee6b1dcbe8b65ff06c8827734ef493373d125a14ae352

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 57446e34de9a4cd0b40c18e5c4903ff4
SHA1 385ba49df1f5af1506df0227cfa866608e242c85
SHA256 045faec409efcd9f0bf0873ff8e649fde815db9b6ac54873752becf7e1bf9a14
SHA512 573875a04c3ddb74142453a44c7985b28e7565f0d3b64590cbe58ad9ac5ae917fe93040609a380db7f1ec2364cc09baf1213312e10cf786a9b82f76e23f26cad

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 1f79e371e1ba78034bf39316dcf249b2
SHA1 6c3eac159f02ff1a782bb772cd8c0c31dcaaa67d
SHA256 cd7a5fbf9de00c19feda57758877f6d31a1859106717530cac9e40b3edefb08a
SHA512 8ddb58afd445245d757e6fd6eda13f49c31ce1d2e1ca638a564ce2b27e174a9fa5e1af4c750f3290b67f5199a3b4ce0ce08837fe1a9b3136daa66c97ec1405b6

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 9b4fcbae569216bd558cf6a2f3e25e69
SHA1 772f07326039a128fba9b84716b603ca0d4c4e55
SHA256 d5917c319091f4a43927cc17e0ba71757c5c761d7c3e19fd15dc4276906a621d
SHA512 763c1767ed82217c7a5280dcfd2cbe6d188eaebc552f0b44efedda3e4013d02bd091a0508ec508dbea97e28596e4f12c0c0731d51b9e7816d5b9f2d5ac9cb94a

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 37432e5b3b16f37009fbd9b83e00d3c1
SHA1 164301e840f49fb434bdba6ae61be0fb5467bb15
SHA256 744351c6a1b8e8a3fc8914484545af9ad40ad184f43675c49fa9e75320bddad6
SHA512 1b335ef2704a6ee8db694f8d2ddb6438b54998c164bd7a20ab9cd93269935d17400605fa0010649e29a07e374c6e2078ac7d58262ce4c3fc6d4ab60642d2a1cb

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 128e5973786a039be4e29813a34cf2bf
SHA1 173d582a18f3f2f93021ce730e0afb25f7cdd00b
SHA256 eaa0bb05d556014e71ced31e866605f0f0c0f4e393bd5811f65f9354ccc3f2fa
SHA512 63edeb34944cd333c0fd82454f12a3c3e634cbbfbcc8c00dd96ccf2e6db73b3156907aebb5b1343e6d04bb574986e83de2404864b33e1263ca4beb2c780d4d09

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 8698d8f46da658d4c5320722ca482953
SHA1 96d06660d17737d835effe1239c48c22ddd23cb2
SHA256 fa3872b94ea88ddb205c8a345835bcbb5eb1c03462f957588ee7ac6e81ed3ba3
SHA512 7e1f56b7fa63f589fc4fcf85171a3b622b87eebf4656c82b7f275c59fbd9911cfdd42e1dc9fab9bf2adc3aee52b3c529586620696ec5d925fc3b8be341f3dc8b

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 ba4365aabd524e3d09d9b28eef9b24bd
SHA1 4f868e81e2428fdd9612b56ea15cbfc78b3620fc
SHA256 7e429f0fc764853595cb47d64a4054716769519ca453cb883b3087a5c56f66c8
SHA512 b040431a4f41e6498768cee174797142614277585d179509b35bb6b5861a5ce700096d9a76a16411315e63e10269e3a537040050e58601538b4425be28c495cc

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 94e67e2e2ef8f62211ddfe084f073860
SHA1 5ad040972d0051a32ede20201baaadf9424cccf1
SHA256 771b2aff81148ede027084333e91a9c3cc62f956f1f613132c6e31eca037ebd9
SHA512 0b4166a1761a7bac0c55f197f1dce354ab352f155393aa642e164b72a221d6ed72863760ddc1abb40219e54a43aa5589fa062396dd622d14fe33c8e235e4dce0

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 cc359f8b46d6517a64a7bbdf91d2ce3a
SHA1 8bfe9e3ea123bb38c457aa7b09b698bfe5c2aabf
SHA256 3d9cfec909ac69d3329ad5cdbd8920b853600802959f516ca509d6ae8a26cd1e
SHA512 bbe700430f0b439fdac851eb6816c603c7ba46c97d65133483e6c8ac6eec742030805adaae4115e9cef7ecb9ac4971f49fc60034c9067b74fd2b1fb03128b820

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 65de2c8356531913c30d38aabb56afd8
SHA1 8b7d0605f117ca087ad8886f89e34dc9be51d88a
SHA256 d56d1ca86669d1ae4adca327f047dabf84d8847158a88a8e253d338e20d6d2da
SHA512 0663869d2c5f190f804032a05a7ba6bb033f8ab53b09e7f9e9830030ac306cc5f2c81ea90b7d861dc057902d3f1a8b855949f61487a092bce3467679d53c90ce

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 d3ad9ce515a30472d3284a2e46edc7da
SHA1 3b864ea6983393a077378fb1402f082b21816355
SHA256 4d4b8dc8b25c59b2827c4efea31eeef56b2684480cd1aedc46cb53e86a2403c6
SHA512 63b20cd1ba931a57fce31981e81355dce067cd2a4821e15f56e4d1953be4eb36beb5e019e390a7aa9524254ba4998432145917a9b999a5f04c6cde80f7b11501

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 27cc6df2e8d45f1af3806125a0449820
SHA1 6c034e31b163e04b7516f9941a42d4571386584f
SHA256 bb68061a1673e430f87e01dc0d58a4ec8a2ea15d181240d2d91c641b98be1fb5
SHA512 59847c624e097783eb50c3ce3a58c7a2ef36b1b7047f1208f76ecffbf2977e3d2b3522e82560f6b5dddc62a566cef5dd7964748f52da1dd6b509e5aa5728ceee

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 de041a9ac5e2ca1bdb43a10eb595ec6e
SHA1 82a24fe8e85980b2a6d54363f1c727c9cf11144c
SHA256 fe435768f7953ba2c5aaae415179593f3ae8d6b9a7e2c261f58c13e70cb1cc2f
SHA512 60987a863eb7934de62fd101871f54d9b28e36bccd976dd46cb3576346a5df7df6d17832b0d6b5de954a71f86c507192c11e9498d871804ff9ebe3ce1a5ae4d9

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 979b81495358116afde8858542a0b07c
SHA1 dbce94f9508261ef9267f1e86b77c7bc01ea32af
SHA256 1b3ba2f403edab4d27fb3c6eae262a59959c9ced48275c952f1521c0a5fccaae
SHA512 a5eb5749d98de134ed7c1ad3d987728a6f8c8db1ad4bcb843fbd424d169fe03b0948006d606bb3335e0b59ca34b6c7cdd54a30a1f580da914c4c65a253bfcc3d

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 7b34a3ecd1befb7b79052324694cafe8
SHA1 f36d7a37f81d7a6e55776c49cd9a2e8ead3ae61b
SHA256 3f1d61fb7088d95aa965bb98ab2adca5dd2972bbc43d32d634053867a7a81d7c
SHA512 fddd63f8bd53306766bf93d079498ea3c40c4422c15b6ed32ef9b5ca2165eab2e3ff032e57f5e5d0b9614801fada33632d1d13defeb75632ca7b1cdc80216330

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 cebd4e87854852d3fa9433576fcafd49
SHA1 d919fcd368221db797d46dea1387ea5418b8163a
SHA256 1d2c0d7053ede64a3b730fc382eebbee74d364e45f65db8b8c6ddbc2d32caa64
SHA512 69b03e53866b2335a6c044ba6bc7cf6f74f152b6ba922a0348e96b2e9e82ef131f9bc9e61104f92598cb6b389a43a9a9d5d4f2678447ad74e3ebba7928f6eff5

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 b31d5ad811760a75f6c4be84b5ada73f
SHA1 cb1a16ea17b74411fc3df89d812e6395bf22148e
SHA256 1235a7c25d286a1b02b6431fddfe783699d7e0a6f3d008aaeb7cac7a9d322af5
SHA512 388fe5bd9e310c84ff4c5d9134d6649b44ffee22511b6e6b99c2c85ce066e8e677dbe5c2807b4b74078461dd2f336359ff12d3ba66094f537dc9bcb0e4eb001d

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 f4d82682f247e5baceed7c02bbac340b
SHA1 d07bb1d2380b11cbe5820b5c9a0ce3f59ae1afef
SHA256 109e76427ec2f5508807e13a1ee96caf638b95e745646029631010fd50842f0a
SHA512 3839d062e05b6a1574583af82d130bd7ea1ecb3b84ad838b9826d1edb36445c214b2c84852863690a8d6976d21d03a3bd48691a790409bf1698530cd791a7977

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 c86262ed79dc82e4df03e5a8621440a4
SHA1 01e07312829fba4df737f26561fd486635eb0bb9
SHA256 90dc7fe36fefecc9ec78639faeed44dd31cb25949951d2772c121cacc7ae71cf

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-18 02:56

Reported

2024-10-18 02:58

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe"

Signatures

Renames multiple (7857) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\LPW8.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives


Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Phalcon Ransomware" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\nAll your files are stolen and encrypted\r\nFind PHALCON_RECOVER.txt file\r\nand follow instructions" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\LLKTP.bmp" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\LLKTP.bmp" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Drops file in Program Files directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\LPW8.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\LPW8.tmp
PID 2156 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2392 wrote to memory of 1928 N/A C:\ProgramData\LPW8.tmp C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 2052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe

"C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe" /F

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe" /F

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW8.tmp"

C:\ProgramData\LPW8.tmp

C:\ProgramData\LPW8.tmp

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW8.tmp"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

Network

N/A

Files

C:\ProgramData\PHALCON_RECOVER.txt


\ProgramData\LPW8.tmp
