Malware Analysis Report

2024-12-07 10:01

Sample ID 241114-qkhmeazejk
Target FileCoder.zip
SHA256 0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c
Tags
defense_evasion discovery execution impact ransomware spyware stealer neshta persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0461e6e8f234e00307331dae19d3512950bbf3cdf7a1ec32802dff62cc14c90c

Threat Level: Known bad

The file FileCoder.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery execution impact ransomware spyware stealer neshta persistence

Neshta

Neshta family

Detect Neshta payload

Renames multiple (11282) files with added filename extension

Renames multiple (11273) files with added filename extension

Renames multiple (11292) files with added filename extension

Renames multiple (9123) files with added filename extension

Renames multiple (9074) files with added filename extension

Renames multiple (11259) files with added filename extension

Renames multiple (9108) files with added filename extension

Renames multiple (11245) files with added filename extension

Renames multiple (9104) files with added filename extension

Renames multiple (9105) files with added filename extension

Renames multiple (6125) files with added filename extension

Renames multiple (10830) files with added filename extension

Renames multiple (11279) files with added filename extension

Deletes shadow copies

Renames multiple (9065) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Modifies system executable filetype association

Checks computer location settings

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: RenamesItself

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 13:19

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win10v2004-20241007-en

Max time kernel

100s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (11245) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Extensions.dll.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\System.Spatial.dll.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\Integrator.exe C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\TinyTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_description_plugin.dll.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140ita.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Campfire.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\180.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.resources.dll.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\RIPPLE.ELM.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\STARTUP\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.ps1.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-200.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMK.TTF C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.Parallel.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CursorResourceBuilder.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\DenyRestart.pot C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\x64\MSWebp_store.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe

"C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 res.public.onecdn.static.microsoft udp
GB 184.26.188.100:443 res.public.onecdn.static.microsoft tcp
US 8.8.8.8:53 168.233.16.2.in-addr.arpa udp
US 8.8.8.8:53 100.188.26.184.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\ProgramData\biobio ransmoware.txt

MD5 a7cf708d497dd6e922f91d33d14f7600
SHA1 5e4f3f5817004eeaf4bc14a0168d86ed7fcdf6d4
SHA256 20a5f1f3bb4614433712df1ffc67273465e766191502b8e932321f1f24fea65d
SHA512 d27a32dfcc0835879ed45e221e9857c1165de03a859980f0e29ecd6d5877d832577f7d6b584aa96e24caf7ab7652387d713ef2293412bd10b6b65567ed0bcd42

C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui

MD5 f70d67db9c8baf8eb24d901a1765599f
SHA1 1edf26f5215d0119040300eb1f2fb0494dd3d918
SHA256 b5b81e694e09491cde479187bdcf021dc899d421cc746a31c3908b073919291b
SHA512 c80802ea6c48ec029e7962d8d4570088622546424711e297a301bbf1dd2acf33e3776a8915cb9ed0fc9f2de0bbbfa15bace94a5cbf801cfb0daf6e50febab17f

C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui

MD5 cc7298adda30454a9a6737a8db835011
SHA1 748bd2763f3bf459f6138c4b4cea807eed97665e
SHA256 24c4283b0d8d400c54ef7aae821812c6e686f0d6892ee348fe905ae11e7600e5
SHA512 0ca6f7fcf26f413ef8efed5ed2def843044da4855ef41a895e2725cbf3815790bb128c6107eba89322f782454caca72bc56568b421b41534ff88403b1092e7a7

C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui

MD5 d465d866370de9725d0450a857bddd91
SHA1 272415feaac10831b1345df14d2783fa052aea2f
SHA256 d33f670755dc849e4d9ef2e7e183d3a276b2bba303c481965e1504802a5a7064
SHA512 ec3e516faa091412bb75004bfc84dae81063f8d4cbf9797f9a2a720719e810004df66d01814a9006496829b7847774e5aa85d6b004886c0c8dee386e2e306cb0

C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui

MD5 9a5a046946de11c814382eb96a0799f7
SHA1 87850849a3611f3be8eb789449abd8149a152a87
SHA256 747145237d9c1c2fcb568d389dcf5ba632ca6c5167805607b585d72c43913251
SHA512 260a058bfb8ae1e55790ba33b3b50d205aa2156be5b6dabadf03d80ffb8d95d57edf3538d60d9ef34bb719ca5ee2fed1c94496704684585cd6ec0d451c7cbb9f

C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui

MD5 da070f4f39b8dd43eccaee019e53a559
SHA1 2ee2954115683781f737ed2754e7559571ec816c
SHA256 8a4db17d3249220781469b908dd7e1ea3e2a69c771f8a009a74a30ee573b36e8
SHA512 f7fd6661c902abc9a76fc6ca98908d105c260348cde30f2b2dfdbb9b4a0f95ba0c685e9a81ff15535c07b4632786a77b246a6a6e8ffe3abc33face021c317dfd

C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui

MD5 e31d7a6a3fd880c0edfdd0684b1d44f8
SHA1 bd62a7fa06ef36fd5afe32b28b2d8ba83aff697d
SHA256 f124bdab2b620fdcabff397de656a4c41311113f4ba1585b554bdb818a2c3c3d
SHA512 b678b6a123c9cae137dc4b37719db606beedc375e3ad0d71e9b66465be2cc13f68bd533811909fe6b068357bcd8a752c3f07291da05305678308b39a9c306273

C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui

MD5 c8cc3629af62580eb7d600b7ade51430
SHA1 b500e625222b1450ab68afb21268c3c55c806d1e
SHA256 6f5da1d0a887a59edcfedb053cd5100fd4754d3b01c5024ac49f490fe8ec44c8
SHA512 40b572c1470a70c996425d4dab819ba1e9924ec86940a8e42dcd2d2a0f1c8273fb0073b608e021e2af1b8eab3d29cd26f316d671cd4ab5ffefdee8ac00702b53

C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 2e9cc320021d106a3828698ff5131ed2
SHA1 abc034b5d6564d265740fb6a347da0256fd6feda
SHA256 0a105ce1b14487c64b7fc2687c2b7abdd30a2b4d256a40772b8f82c5061e4015
SHA512 65c5a6a68d0f34709a69bb9a007906d28d1acce13a10ffb5e9582fa8dd54ebe38bebdfb12136ffeb916be3b8753322abbdb6f3d68379ca03d34083cf16e9ade8

C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui

MD5 75b3971060db9324fb2bb8d4bd1f8ca1
SHA1 5e5685843491953f025a5896d4fbc514ded9b69c
SHA256 26199ef1a3d2eaf7c2d84dae47421eac7837f0a3918eb57ced3b1149f4fb4ad5
SHA512 1d776cfb93cf503bd06500e868f4bc24188e407104b7ea3a3c9c853beab61dbe7520f9ed510244bf4545ba365c183048acf0c7a01d287dbfbb52891ab8010c6a

C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 db3c29d66d30950f528ea17e8d2ebfd3
SHA1 43f0c18b5ce5bd6780e2abf94311f321205e5f2b
SHA256 68da77e1bb64787067fcaa64badf8ced07156f9b835f9f3ef99678daf2ddff3a
SHA512 7ee116fc6c3071679f6715c7580e4ccb6cbe8f4a5d47806ef2e5fe5925f0fc34a96a7cfeff88d3df1ae3efc73f07fbe785cf4d57d9678cbcda4e407ac5f61fa3

C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui

MD5 780a3d43b4402e14a3c28aba9b1b9f7f
SHA1 accdac5429044b6499de3c6dced6fa047658f7f7
SHA256 58259d2e69704c6eaa14adfedab979c3da8b0606530f065748e92717cccf9429
SHA512 c2224419f7e79206e7d00e123b4538e2f36811441158903e2f248a14bac98cc00ca51dbe01600aa79860481b0898baf06e9ecc0a78a09fb64e3ddc7d8e76178d

C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 02a4498da04c4bcf31eaeb09b4bd4db5
SHA1 7a285ad982c2a2081093202b65224447e3408c08
SHA256 7a4c004de5c545e9d7404d46cc43535a808c23a65bc66b184a8031e67e1630a5
SHA512 0a5df50eb082f8191c3fa4c6a620f7627abba9b47e1681027d80a909d9b5f99d9932a8d5b9157fced6505b376e2c38214aba31403884a8c95699d181a3decdaf

C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 d79d8059c844bab835a699f6bbc59e56
SHA1 d73bf628ad4c45bd25d483ebd11817a01f5759c2
SHA256 dc4d003e454433c5aa558fa4df63a8ef0cdc653b22e12a21f1e218159b26b686
SHA512 538a2a8c9ea322761603310e9e6157961e85c381aa3e423c01d39c5d301010ac64bcbac1ab765cce7782d388db76a9c8e250e68b59b61aed05fe6ec2d4f99a2f

C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui

MD5 9e373d008f7c177b81fc8f8850b7d427
SHA1 87cffa7bd424b5809909f0334465d1a595c5946a
SHA256 fb55987ad956a5b3ab8c207f8e7a6ee131ee9a4e63c5cff1c9804b8a5e121b3a
SHA512 6db86f59a3ee80fd19ee5e8fa39f24a78edfa130f1b0e4fa00777733b1b5fb0127faaee1aa3be1a981499d0922d162a8cec9d06a372a5828b3dbd77ae70ec7b9

C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 fe0947fd108a1900096f10cfdf2e0d8e
SHA1 36b742c6078179e40bca24e20e2fef1e547ad350
SHA256 02736f7f614cf46b5204d86d6503f3b6ce3fe45b650d72782d529486cce106a9
SHA512 db454265f7bb7688ee5d58dd9a1acba0600c35e4bf04c78d5b4daa464397e62586bd9240e660562ce3fe8aabd0d4e427367fa6a11e5a06da12d62fda4936c474

C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 f8d9a30635f3a1e979040789e08277cd
SHA1 f6177068db506031ccf82ba3cdc6b041678dce4a
SHA256 7453cdcbf9f866451c7145f3ec9406f083b02c108863b21c8cc07db94ef81a0c
SHA512 964fb77cec3d862c17bd7f76b63c3e521a2936928dcfc28d10e52f92d73a7e79c139d6f5898e656d37b66bd24cd733b19de1715a8f51cbe33e241d723031d4ae

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 e770abdb833e55a7e62d3c1471673b28
SHA1 a79b63ffa2c98c06933491d40b9d0f6e28dbcb50
SHA256 217ed7f835b6e45467d6b0272186b11b455aa712527fd2db9eae38e7ce62a3fa
SHA512 0381ffb9326f0408461581bbf07af995110e2969a19c2c322914381eafb7b2a33f9d5655c5eb98846b8e82e78b00e5a1a8e0fbd959619c2d1bd0a1692bc928a5

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 a8d393fa9b44f5b0ddd82808ca720bed
SHA1 4780570f5e3e55c471a273af4d9956058470c240
SHA256 3eb63b3f85f3ef00668cced9479856f255752d71cb6029318acdcf3454448ff4
SHA512 477e90e4fdf28e6fe88514409f165ff442611119f9911dde0b1715165103aa8ecca62cf259c5623bb6a9253ee13c8f4d800b33f6939553e01d35ad90d121c2c0

C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 42ff0abdfc1ec964ad331d3f9837f701
SHA1 61b1ddbc2a91a736567dc675434f0a2372190d81
SHA256 223e1c404131c27598a6022328b8dbff25405a8378f71388f7c95bf180ca7ec2
SHA512 40371a2c46ff65374d674c1f5a85c56c7e6e0ca158302f4ec06733d4b6a22e10d5a11ceb0c4e3cb754f0cf4e13300d164113d7070524cab7428b1493ed3766c9

C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 034cbc0eea5cd63ea584083be7887f8b
SHA1 eacfabaaf0bf338e2f2c5ee16ff6fb5a19c6bf5f
SHA256 ab7c80bf567772caf912f392d4c4c23de065683d17a2661c9b36f39abb7eff2c
SHA512 adecce7377daff00834ca52bdbd06e13672a9ab90206ef3e9a0c43123e1b5c651c5dcd821492cf4667c7ace0fbc4b7fb2bd90bf51bbaa42658862b315cd58983

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

MD5 bed3f3d92d0ed0e09f7526be02e281e6
SHA1 ab89f75b1b80372b8e15d01bb6fe21a96b98cae3
SHA256 a22dacd168ee22b769759ca79f1b00e1917ecb0dfec8370a9276a8d2bccb4d8d
SHA512 9967f190b4086a0498cca9d7975c3f68e75e980b616eda237374b739eddffb5aca07ad295d1e1fe8b2ac3646529fc9cd76703c1a36bb36cc77c83dce80e05f79

C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui

MD5 c1296e50ecb343207bce72f07c82b9cc
SHA1 9d88422919c5abd69a5f14e7c4c0659b0a75fe05
SHA256 5b50d51e762d14207659dd89da6e8844901ce94bf38374cbdf1ca44c3745b09e
SHA512 c8dc1e12eece825c19309d621dda6e351183b69aeab751adf59d4dba577c7f7a59c7b5f061155072730ce8994cb12f55a63c32e1fc1a0c77da0857ffd54d4b00

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 dd72b4cff81815cfd405f9ac5692c6ac
SHA1 7efa3bb8ee7f2de058925727dd8d784da63aa0a6
SHA256 c0b2caefd22a41319032bc06da8dff194c66efa2fb7886fbcfbad5673c345a19
SHA512 678d9fd758bb6093c7177cb186f7fac14329664d782eb57785fd1d529fad9ff5179513b65fc8702bdd40fae5ee67bc0dcc6c21925e34ef2d6f0a6663a3857922

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 6dce31a12e1ff67b8539ab8f29d392a6
SHA1 d21ffe3ce1068146b377f1fcf2b09767aa4080a8
SHA256 e2d3a5e5569ee40e935751c0904cf121c8c02ec4e70d3411ab5f6a2f4bd51f78
SHA512 9628ef13b9f67e41391adac58d164eb47b10c2e56a4b93bfff75851bafaceaece1688fc0636fc4e1c3dbb877d001b49141ff7ed72d69b4bd3508dc819ae16ad5

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 eae5db3e545328c7910e4ffb30cdd1ec
SHA1 22e95c8cccfedcff8945871dfc25330643f296c3
SHA256 ad5d53fed974b755583f01d47ae1d5fcf7c739b7d8f3e601ab3ccc2332a2c375
SHA512 37b49e97c266aca99111b6995952fb342704d3f2fec7c479d21153bfeb73bcf9b15db3fa9bd1befdd26aebd0cc21c8796e4cc2d1522003d2b2db3ae98fe83619

C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 e9dc4da4299c704249008c5c6b4b22b8
SHA1 22d3a06bba573e9a1f991359bfef97dc51b2ee6e
SHA256 5bd18915c887a0ebffed12ff9b591169d04f498b3d6c44bd009aeb2bc03e3373
SHA512 b231313287676c8aa5dc16e60991d609876e31a27d1faea9b78886f32c227c6bccf3975ac8bf13aad09a852323dbc235f7ac399c974d3285a1eead0cd0e01b27

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

MD5 007962d63f6f12cf3a204e5bec106952
SHA1 20846e73ccc15e4de3eef9cb663b88cb0fb2dbaa
SHA256 61c61ab32af7edc3bfc37b242696196a2643331c020990d5885865f59b997f7f
SHA512 65f7d292f90b974a0c238ca3850a9d82b237ba7a1f405fde9dcc39eba544f58e9feaf1251f937c0889b12f4a24d78481e06914d1531b746d06461e20f9196216

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

MD5 94049d5652ae03244d4b3154b5e688b0
SHA1 0ee32e84907debcc1da3b3c3558a2648ad996333
SHA256 8c02e17d4fed3f2982464f72503b88e6ff3d3eff28b7ab6632343690d60bcf23
SHA512 7b87a985c39692d406e4c3382a8f417a4eab903b4b7f09b8ef19682639afe3bdbd0c655569369353f6411d1b96668277a2af67576fba7e1097b390fd4b0cad4c

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 45bd05136216f17e04b7a2c783b16982
SHA1 8e114438042284dfb7e8a15e57f3993b4ec9ee33
SHA256 f2edd86acb9f41f6b59b2ce2d9d8893cd0a271a92c1f91c8d04fa79f23cb7852
SHA512 01b0c8e59f827b32b5d17d5b93f3410d7bc4f55ffdbbb06f6dab46c8e503bb4d5884927094802d7fc4c0b13896115ad2b3282e7c1f975c5f8123b06df8da9740

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 4a0da122d45443685792c4e8f8567016
SHA1 f7e70fa516fc7c5c70d9f51c4d8f7c3a12890274
SHA256 10c58e5f786c1f87e0a97140dd7df9cdca52b4e7675e6b17e37ce2c8ffbb1357
SHA512 9e56a4591e9ed0713b4635649ec9f743d1b52e9b2cb33c23e5fc0f56f0575517aedd2f9e847e5d75a3bb7a300226608d9c0e1d3a1f5051c99ffa3d82be84a9b1

C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 30911e3e5569e0686835b092b0c10971
SHA1 3bddcaa234c9d04b8616ae4d449f71d217d4e9fc
SHA256 2c25911fc76b3e825fb3cfbd62d61cef15dbd33cbc5697e2ef12b8f29bb21979
SHA512 78f78b3c243bf67a74db3f9c5c7b63050f434103841066c4ffc2fb4337048c32d55a080c982b2458ca9c77f59cc89079fd91a9c928a1fa6eb57b963acf11a6f2

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

MD5 833651a0557c0ca6f0f1b796ec998ab8
SHA1 bd20e4d361697e797ff054b8522c777c18276f25
SHA256 d8aadfae4addbef6e885a302837040fd01c65d978779dae5cb2bc86a9b7825ea
SHA512 56ab15d6c0728e6d6100ef890188637b46feda36f1a5c1f662b538388cb60306abb6b521c81dc6b0523234d546153efef4e8763d7affde5c7aa6f76fb1028a5a

C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui

MD5 acc5834e82be35e90799744df61834b7
SHA1 0382cc862532528d173505b8fc63990792f55b91
SHA256 b31324fdb7171e82e29482cbfdc2542f9eddd2f500b120278eddea58f04fee93
SHA512 752980a713fbd03881f642f97d423abe87935324aa029cd72b0ac05d962fdcf18d47ee647955757271561a0fb3b9212456687f5b148f76a2c3f38f8a203ae0e5

C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui

MD5 cc62434a1d8d734881058511b06c19af
SHA1 777c3040df79adfd2b29750bec0a4b4455e38a6e
SHA256 57b696ec9e0fcf53e9afa76e855cc105abb734a8933c251f41cb478cf584b453
SHA512 7fecc4ee7b1296a25f377397ff902c8d6b81d53063f03ddf05db5ba19862f4e8fd6cd7f01a27f142046ffab67b4ab5cf3277a843658aa5cde50ef54bb022b6e7

C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 0180977d29ee5820fd12c4d20bfe769b
SHA1 8016d9e8783d0cf80cb9d9b7322198fd6a736523
SHA256 13fe848a2b0960b6fe0bee9d9e5b462898ad21286bb045b50b668e6939928bb4
SHA512 ea0b681e345413764868f47c213298a687d35fa6952c8828283d1ddcfa15d56b307d9e430e0aaa398a68493031e6f7bc91b8abe23963e0fae1979f46b633a1bd

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 5bb0af6f7e18011ed07a245cebb955f8
SHA1 60b30e292c3d049598ea10e3f0999931083eb018
SHA256 ca76efce6f47a2826c9e8c46cbbc0e993c2a75a9e8cf74bb22d6d74693419dce
SHA512 261c595436849b8e8edcd8435fe091b07da092e3b90b8e1951a6c434c6dce94bb91d8e91480234d95fab603639ce844bb7d77a79ba87fc29f96a5badd5d4f7a4

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 efafabd3b358673b50288c9fd2aab5ff
SHA1 0a59e472bfe07942dbb2bb08cb3cef433a89af78
SHA256 96fa3a291121433801f812679cf5515a5cb1dbb99f21956806fca2decfc05268
SHA512 824b03a1ac07e05e27d240b59c3792fa1ff0f862ea6efd561842a70ce5fc526aa7b414e1256834a8130fc620caca0da8bfdc406567c319226c6c049c18309dc0

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 57b7d6add039a48d85e865ac894157e5
SHA1 fc094b38cf232040b9d92b019e9bce108f0e001c
SHA256 98ad14eb9eb47325f23e7a3dd3520f059f1cc616ee0cc0bdc61e2068ec6d64ee
SHA512 8a58d3c554cf80acc747551be4c60ed1474249d66f15dc593045903ef035cf8459575274211a53924408cb53943e60bf050876e3c95e6a1df1fe50649bb37182

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 7585a2168886907c51488c9fb1d444f6
SHA1 6db2dd891c6a6e2693da4fedc9ce8d81b4861c62
SHA256 524e2ad12a36bd679707c4937e12ff8172a1e0651807a6dc642a50fc34575444
SHA512 de56c099894967a0eb4cfc53a70b91b0995df229b8323183fc4fa2721fd33ee3db92b18e97cd763d63e805b1cfc28f13d69b24b6bf54e6208c44ca8351ecf930

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 affb5bcbf9baf06e492ea6dffbf132c2
SHA1 2d17f9f25da32caab6842fb65c1c41157f48aca3
SHA256 011c9b9a4f4ea76261ed11b255b758c1cd4e40ed083e6a95ebd9f83ef07c5a93
SHA512 ec9ca9cb70adc97f3511cb3290e6eb4cd12dae7e6ebfb7392667dbdc2afcf75a2a5d81d7eced384bdb25c8f531f96e229ff1f4338b7fd41a03e6c1ab8b67d091

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 e809b36716bb566eddd54a5b3b263d0d
SHA1 0e7f02581c26dbd155467bb426f826d7efc03d2b
SHA256 74fbd55143035c289f0bd256ae1218f91e53ffb7c9683dfafcce4c9b4164d73f
SHA512 d53079ebb03b406362c2a9c683cab4f4078859afec5ab24861d324c3e0d8e2ff7ae95c42be5c0584d5e4def59867eecea818405745c9d064b51e6e5c5db609a2

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 dea1267f29bf814905bb94369ea8dba8
SHA1 8fade4a5477a7cf8c22da1f54ce9033c8080940a
SHA256 d46c27413f14bb629a26f918ad0202df4e561935734e97dccca417961db00f7a
SHA512 4e2bad82c31f7e7d758b43c970ebccf8eacdfdbc776db5ce53e258d8dd11cd56f9282043ff1c4f5c3d4ea40dc85abc23a741392512bb8927d0a09f70d131c60e

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 c72128221ab2b63b049bf1da6b6c218e
SHA1 c944e4ed550250c6ce6b64c748bbc9018d689cbb
SHA256 8d8822813197aeb76bc14cb905cb7376cfc548be1d39b4d965275a69d4f068ec
SHA512 51388aece871b6649d8a627a85d0dd08c0559cf0a6e6a51bc0fd9b0733569beb23deea86ac792b507dffd61c334a5f589f04f0020563ae07f6bcf867564e90ea

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 bfd80a7e05475abc781dcfe91bf5d222
SHA1 ad4eb815b7a59b740246f98c89951869fb7a7f89
SHA256 d0eb2a5f79be04a40f9938a46c923275a4355193f2023421a443a20434475e5f
SHA512 baefbdc5709e46973ad33b4bcb2e205dcc98a7890e5216f82c34f12cde807e72ed77a34d2592938ce1bbd96f495815f229b277c69234d5c788146a0199c5e1fe

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 34952ff88fb9b2bbbe8253ab4146c492
SHA1 1eb6602d79279cf703be93b5dcd08b6987aa1742
SHA256 41383b66964b4bf9bb570263005dc457f796ca574fa252de880f4b0024af6e8a
SHA512 9402612b705b66321132f5380c632ed904d1e05f6a8e0852d2902537bbacf8f1b1db33c66831b20839b23d1f7c3102ed43560e9b5c3ddd3fc63f098256fa41e3

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 3423d166ff04c89a834ee8519785a0a3
SHA1 824500eb3da0ddcf6084df3b23be0658bf241777
SHA256 dc1c9cce046a3644240d4c57b5858ca0b73500be7fb347c62c7c11a81111e315
SHA512 92d59a8fa27fd787112daa06bb609e4ee8c24ee80d27f5cf1dc789adda4f44ff90f745ba1509db292b6b6e316201acc7e3ed6655ac7e4bff106d5aef894ed700

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 abf6f5407adc92ea25d0ca4a6e057edd
SHA1 ca5ad84c2c009a1c50e369a80d0e16c7a0a2fd98
SHA256 accb453c71d26faf8f23d3bc413fcabd59d209c90345d77c4b0e163560acf982
SHA512 81c8655b7de8c21a99ebee0e3532c39dc1fa994486107dfd4692e417c689b29323e47dc1770e5f426f9f0759fe820618c437ccd50b8c6fdf7b7924841d25b4de

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 4ffe10c9419d5b8ba38a524b60c21817
SHA1 3c54c03f17b4902c9b02eba4e6b80da17ba96931
SHA256 6b58952b9a0833bf55815bafacc52541406578bc66b255659c240fbe08e03e8d
SHA512 5712ae1db94d48307c2dfada1d67ea956555d320e38a553616736f690bbd6c3b64b2e8c74f461b234bf651344fa9be904b2b7f6510b9c6a66a6f52ab2c827db0

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 93fdc079ebded8d20eaef82081df006a
SHA1 0869a09939c882be3aeb00cba81ddc86c62102c0
SHA256 a3b9b4a9e81b155f3d1632cce6f1962ce1f35c2db1cc206fb74f6991a804451b
SHA512 5c9ecd38d853cfae4b3b5a57238d7985e1c6274cb67d7d520ab694b9d0988f255fa45dbbea68638575ffd614e6aa77d65a168a2cc80ba4695efc58adbb45e798

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 b9b337357bf4cc915a3c2621dacf3790
SHA1 7e15d90226c2c7567c87c88ccb1dec9c53ecd700
SHA256 d9daf1bab626df6d5265d3f2611052e6f4bbf05c55b53b694d54ddbb3f88fba5
SHA512 68afa523a605bac55704744650c80ca40cb320b44a17f90ffed7c6071aa8f9f09ab6497839abc42a3ac2fbe29aed442e8eee05c98746e9efd0424874e6f2b442

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 85d353eb16c04e897c6b1061b863726a
SHA1 9aecae86c36cabf4e050d8fdfbfa3144e9ceb9b9
SHA256 ea5ee5d2d99f46b95039cccc9061fa84b8c40aded5bff37c4ab0ecb07bf20014
SHA512 118df5cc4e7b712533f7675d740169c78f86650fb1c0f76bffcc94d421a6caf8c23d16edba25ba582e4348729846c19971743bc5e52908f2f0337c5f3dfedcad

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 109a6c1468880a367d7ae26c679df7a9
SHA1 ac16a225d108dd54b78858faa9f98fac71dff77a
SHA256 c33504729bc3b30ba510ea5b01df314711e8a5cbefbb26bebad4dd33d0f42ea2
SHA512 442551086a2a8e3d31f4a6b837dbddfb3f970f5e5ba92d1aa535a63c31b837a677ad16d671cf0402832fd428f6cc64b8cb8f42eb4222a18b352572feeae01b20

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 ae5e6678fdf420ef0fc5e758a62eb4f9
SHA1 ee3f9dd462445aab159bef27751945dd0ab5551a
SHA256 a7aed301eaec4ffcb6fa59945923d19f8b05c4f5d60b5bbb380c45d9a45ba586
SHA512 ee32cf763c4a000d75da3938ac247fa3bf1f5c608ed9198644add628aaa2d791b17be5d784a4204622564c5108821b6231d64c3286addc72c3b8f781781b48e9

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 a2f3679062582c0133b66f708e2a3fa8
SHA1 e3409630430eae87b08e646cab459debf0671e54
SHA256 19228fa5a7743a610043f7c87b2da8b6834066ae8b8d59fa97ee6bab3469985c
SHA512 1817c0712c384e3566325bffe684480fc43bc7ff3ac8a25080bac951d36356f77426ea3411219a941ea70af810736f3dff712ba29c124709fd706a9b2df631d2

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 7cec71b580c9cd8ea17b09b2b6c4e173
SHA1 6e7a08d4ac8cacc49cb0c627039f799369fe5fec
SHA256 79338c1e580403348828a521ef13395b6f7bd43c7a39447f1ee77e6bfca0446c
SHA512 0088ce21cefc6c438721ca7e97319d8305dc9eb76d51342de3777b1ee584f458c835b147a09c581f205a1d6a9d967feb5a27d50180fa5f86e6acde5b62625139

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 6d53b4a683385e750277431dcb295e6a
SHA1 26c0ec496d28e0c638b04b7dc5dc576ef8dd33dc
SHA256 e186d6ad61f7457a811a9112d9fcc7881acc99af785905b0959f6f54ffa0c49b
SHA512 358120761cc5d261283869a69bc2c85504d9479f30160686dd04cb67a6719d6f91d14c8fff38b8acba960bee02abb7444e15c9862761cc9193bb08d9bf0bc659

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 0f2981f22134483697dabd134991af0e
SHA1 b53aeec2757acde09e4e47e795cfbcd3439beca7
SHA256 84e5c956eb481458cbc634802ca67fb1efd702bcb1624893ef313a1f31f9706f
SHA512 25dd4a27bc53374bb1ddce1940650e5bd380d525585a68d7411d668205e6a3b859390f027a855de774b035d90c3fcb601a165e73204b1da27a25f6884bc36085

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 568dce1e21331471bcb016ec23fd5762
SHA1 a0b5cfbbebdad56431510a9debd7139f460eeb86
SHA256 e3ef5598af0602ef1f7e163643ecebe4fc1ab46b6287082dfb950fbe3fc089d6
SHA512 0d0f2a2799e798b84dbbf16c989eea89e1be9535becb629ed39e91f0f15b920be0ba408b84eb222c53d4d5026a5cd00de2d78b495c43c26d2152646e78b6426c

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 48d74229210e2d20edfd5e3c3925bc56
SHA1 80a5f3a819ff202bba350894ac8ff308a4e736b5
SHA256 5e00c186070f3180421fcb157f74abe50cdb780d970b823f06bc2e47f16cad6f
SHA512 fb47d1c652eaf5d03145dc4dd963659d606cd65ac31a6b65733d2417b8353340e30010b7d058bc28c08699c2a8a2219d5676b9c3cbda7d0bf7a47428f8e1ca4f

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 a81e7f68aeaa08cc0f9eb63175fed097
SHA1 fac503230adf09e8809288af13c6529ed375c179
SHA256 56fc15583223007f073ddc58b0550682bf92189d26379b1c62dbe093cba9c7e5
SHA512 8201fb6f504aee7567fa1165e6755d7eea57a98b633ec987b7bc36875f4d50d76e43fc1961ac6f146e82b45492d015e3e0e8691f4c68384f80cb5cee2c7122da

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 6ece2d9853bfc20e9dbfd672e6c33c89
SHA1 db60c35aed601f98b6d714a17d8f2b2d88c5d2c9
SHA256 c545a0de41e028173e11ab95c0a6f2018653f2bfb91a52c6574085a1591ac1e5
SHA512 0532a908b7f11606b71335609e7b9439c62cdda0bf83a74432e14bdc1759eb33ffabd77525abcbf5c7ff4d6574af708cba0881ad63ef4b68cea5217f42213d18

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 5d95b3d51da21befca2ba5e2eef3a40a
SHA1 6776ea4413efe7e2102720e61d917889d7ead166
SHA256 2536dae229ddf6abef47e8a58fc5d40176af1d444ec2e8dd36e51ea22d253262
SHA512 9c2a80ba3e9e22878f9ca561472619e32c783bf4078446fae61fbba0eb2a425b4b95c85ae2670b3192549fc4a8036b218e9eed15838fe3edf95271d7b7c9de9f

C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 7afcbee11db10e80d338fcd551c2a2b0
SHA1 81d5ab2187dd692ddd6a7bb41309a5c42f7ff05b
SHA256 2ae6f7bdc914022cc1da1ab3e5157a9835d0ee5f061f85da0153596c948faee8
SHA512 7f26d6a0cdb4c10e14a8b4414373343f255c7ab828d01db108f9445b1239c74b84fbd89c9510697a50d542ba951af25d53724103fae66c51d250ddaefacc0ed1

C:\Program Files (x86)\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 017979c664de27c6744c0b8fc8ef19f5
SHA1 0be68fd00bcb7dfd92257685f471b2d022059d00
SHA256 58c9e8324a798010e31c99887ff26f29b1f96e595f17912fcb2df39bb7583635
SHA512 c02717d4dffab003cbedcf39d93e1dded15815724d646fb3238771890e368b2511c7b11d86790fab870b3deccf577feb85091e73ed29ad54ed4ab60cee1f1b9c

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 101b7335491a94e2b599cf47f41adcbf
SHA1 bf1ab3d1c1e693eb0f8139fe19ec6fee9750533a
SHA256 add22a29faa5b651ca4b4f29fdcd2fa7dc92e36b4e2ec017f02946351b80b2b2
SHA512 320b33044a0606443edd5eace8879f67fde775a259562cfc8cdc553fe1611d7ab35bc17c1ac175f25e71d7da2735276b50232e563ffec9fb5557514d8489de08

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 ed9c4e2b469f1d9563dacb0031dc73da
SHA1 dd87506518a4bb5a8033f040e478b088efa0d195
SHA256 099315b1ebb508563d7ecc9ed1ef9248fd19fa91b60fbebe512d6f4927dec305
SHA512 d71f522dc95838d3c2da447e27ee67314425d0d4bccaedab79aa1b621dc1f59db5f4129b0a1ebf0f4258dd8e9ce2091c2f0641466f54848c168e28c3b05ff44d

C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 c2b1c38bd3fa3fdcb3f74a74d0d7b357
SHA1 02b630fa5d04fe20d6449f8e3f370b6100b2a685
SHA256 7676706cff90046330cb93979a678e926521efce2c7d7906f3f5226db239125e
SHA512 f4db84d2abec5e9fd4755e6ee8794e75dc7efeb3e77325ddf54b5b6a96ba9cd7be708ba935cf3adf9d7f66aac7e603c3711018427ff232fb564df72875c98af9

C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 d80cb4930053c20de2aecbc2ff323fd4
SHA1 ec845ce2695bb261289be35efa1ad5d598784ab8
SHA256 112fa8c3aceb5a5992de0ec459286c4ec239a59842448622b51a6c2da8908624
SHA512 e4de1af64b1dc1c9bce4df515876d165a464bcaefbd094e0985d63d879d6fad493ce6bd27a3ead937b8359206a6dea9900ce7956be0cb93ad0529a1069fa4cec

C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 5e2af17114064f1714ba13beb9502a10
SHA1 e394eb8d045670252c2de650856727c1a760bb08
SHA256 19777696d06fe7631d4a9637ca4a1cb6053c8ec302832062d99b5bfabb4b2e5a
SHA512 69f9df85c4cc0e0892f92ccdf3775d614416578318ec14d9c492e85b5962688cdc8ede6e7ddfc633ec1ba5cb60c4297143b7895ade82e6032a20b569cde96e70

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 6e00f03e1ba5b516712b9ff19f4669cf
SHA1 31ab5095dfd161292cb31850a74223b90042429f
SHA256 9d0627b641826bc33a6f3665dadcd611f19ab5e083d1447b17df5e607f222619
SHA512 03af8101ee1e9d3047df3934197540e4f7109c1b326246376f97804b6047514ae039e2eec79b1e8c8d145a5f46de9158842dc0d3dcb4c6b95c11dd30f3680b11

C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 7b6e666b9e2fd5d2f7321cdc052a812e
SHA1 ffa3f11979e578e70ff171432633ad21f917935c
SHA256 989c00b5de3fbecf7923d0d7da21ebf37d07973a09410534ec658f4aee5b6adf
SHA512 e3dfcf71a036ad6519e905074716c9e8c6018c8fd586a0a7ecb744245164471a355811fa3c2fdcf37493967ad8a7074b55c00a6adadc257bd86dc1391d207737

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 27ab69f85905183640a35c242981d0a6
SHA1 aaea7bb686e0050a9a6c32bf50f1a2543c64bbd3
SHA256 de705e077d3bbf41ede54fbe5335f6c8663ceabf4b387fd85e9dac2792eef8df
SHA512 45f5cca0c99126b82c469cbbcf5a76396c55b839ebfaf40724fca6d67deb5968f859623088d5464a67564e07c1f63507a857222dc543b0793fb08e290954e456

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 ca498fece0057dd5b57cf6f79f2feab3
SHA1 c8790a7703e9061455c0efbd544fc6d7722617e1
SHA256 71e27939500f77184b5fb6ae950e45553039b65a27d62c8c18b98fdda7a985c6
SHA512 11a46a439c913b4f05daabb2383e0b7240343e25fb30c654dc3ae9b5502082fcfcf714b83be12d2d57f0783dfc53c7b283fcd97dfa5a603eb76d74c1c0e97fc8

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 d69360b92c9eee5e579125e07f67f596
SHA1 247a1fc6c0caf679244013fd3228f45576061d2d
SHA256 a9013c4c903b253b3ccc1c63483dc9fc0f245bcc0f789f422c844ad0d28382db
SHA512 f2ed8c154eee8e6edd36eb2078a42d84b7a3c1c496a27ef1ed55834ec22fb6e811145843fd99586557038e553cf2a922e6e5ee0ebfdb163e87838caff50d88ab

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 fe4cf3681f7a0d3891c7b3d462a65b2c
SHA1 b7bfdcf64c80223bcc5c082a328330209d4beec1
SHA256 01ba565d874e6cbb787d5290b97e60be62f3b23b990c3d5ffd652db0158a113d
SHA512 cc166b5bbb3ccff1dbc0f890c05b1477d2008f9a57f8900096ccb311e23576f7e937fc9225a38fb68356a1425a2f1333deb501226ff6ba4e6f40f3f9719192c5

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 985ad2516102f3c0572d292c341890e7
SHA1 6ca32bf4d66b0ecd8ab342241d2ec946b26024ba
SHA256 73d46b447586a59b195290675b9de3b20d62f6ed6b23af4128a8b21198ade750
SHA512 f7bc8685c5fac58bf2f19ecc24cb5e8aea96a13d6028becaa70df1227b2b092cc315196d0be0353938843d55aaf2b0585f1bc2417c446c8a812a14487ded28fe

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 f4f16d19cc335f1e6d2f6e65414259e0
SHA1 3acc0d26e58abc16fcbcbe65b0f48d85632af9bf
SHA256 2df55ee0a47d9a4d53bdde89f727b2354603d4467f3f7d191c86c4dbe7c7d029
SHA512 4f816a6acfef89899333b62d0a077ed83954b95cb81009d95a32fc8246e6d707e2085dfe9ea61c3f63bef1163bfd9661a2fa1de9ba7e9d467bb663eec1456285

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 e26d08dfffcad64b5dfbef0e3d425b51
SHA1 7cd3d79c8cf02292b5aad3b2870f83a2dacd3a1c
SHA256 5730885b985b859a2c5ff4ed658623c5235099cbb8f69c174ded510d86aaa56f
SHA512 9b3ef2c6e33385f1635b30acba9b79a3b63dcbc79fa1b7cd13c61fd827b3442508781ec2363e4478d0def7e859294fe84a6adbbc889eb2cf37abdea2ab29fac0

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 4783d954ac08f0ddb5712eb34a296b36
SHA1 676939f3debc5da2724f759f30b4be81b6a9e89f
SHA256 3374b34f83d1d1606372edcefe0957812594d48631af1122c3d90b658f0eb33b
SHA512 7abe69ccb61abe70bcfc25972206b5a905bd0023351401e747d8b1e66ae427262777e0fc84bde64b6de79c32cab77e7c5615c5a7444d7be456d5902b60baf649

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 977d120a66647adee6abf538de0bccdf
SHA1 597dca56dc8f69afb99d6f29864105999e707863
SHA256 80f16bd208bbd3a4dbc4845496184958b7e9f3d9de64f51ec5c4f0d76b603b6b
SHA512 37edd8ff33f2a37c3706f813ad0ace8896f91f593bc0d1bb1624cf165f7462d30c3adb91bf59b7fa58b8b5c33765332fea32df7516287454cbe9d97444a6d993

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 c01fe11db395b88d31bf0831a979812b
SHA1 ffc50687295b69bd879536b37969e71669fa329a
SHA256 8efcb46f2a7b93175d12b004196756a7dd73c694d0c555b8a8854d11bb8ee684
SHA512 7c39545a7fc36b40d9d8eaf069c437490e664fa7486464e11c6ffa98c75238bf5653a539b2c94442e4fe2f35672234b286f8624017c19b57d4cff7f38b64230e

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 10b36cbdea31c01ba8eefa178b797115
SHA1 c4c4e70d269ee0211a62d47ef6f992217998d481
SHA256 9b71eddcfd91e9cddca696f6cd79785733f3fe02dfe41041c4b1cb7485420026
SHA512 de24a3aa3c89765bd25b21c50921fe52d6f0e14ba2843f03f2a044acb68e8a52f17a21e6426849ba1b5629c0c17f08feb033fea8b35277428092d1418712a228

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 a3d50af64805037351448aaf8ce68769
SHA1 ff8e9bcbf90d5f412fd1a00a740f761a3e485485
SHA256 46221391a38e399c11a911ed4ee336b577235f30736396d2ecc15af1341328a0
SHA512 5dec454ad7e061651562f45a41c97b24607c2e8a80b09c12978f91d9e8c4dbbfcc6924d1ff8fb523a22846afe631d2296a7c39752ce6d2802818c3d326479d57

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 7cb020bbcc608d42804614fb8cca8e6b
SHA1 1deb42500f4182b12c9486855f9f2aca26ab4a4f
SHA256 ea90c39d88d2c977a16521c545b8a8d7ace6682d71fe168ddf0aed27695d3131
SHA512 3b9d64cba86a5b436cede179295d01bad73401226173537f97d05fdd13da268983877299e5d30cba505a8f7fa0778b804783a25f259b7ccb8cfc563f3d963620

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 a4f4242027650b05efe536c85e7b3d24
SHA1 52fe16db1ae340d4536aa52a92a104f25b2f28fa
SHA256 940d1e1e377b38cb32cef643167cb0d16ec237f980ae2a263e81b02db66286f0
SHA512 8ba0c5497a9da5f3cd4248bc780f5c495095a654a1db068a5db5b40c4560a0b05f4dc70205cbc87a1c6f283d4fae1bf2cd4f6dc9e35a2e293b6657a6dc02648c

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 ea03785093cee93a3b279b8f398fe2ae
SHA1 aac405d8d6d5df89c870073d59d4378f18990ac1
SHA256 19b706d4b98887c671c7b54eff4ccc74c4bbdf42b8f05ad02feb16e4a923d9fd
SHA512 4a1d891b9224bfd5310e8cb67688d6e2d6d7c71c29cc571f7f69b8d806f655e1a386e9c613604167fc3e2ce04cf269699d43562ebad73f7ca3a6ec29c8066e11

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 bc4eb868ce3a0da0121f38a723ee80ed
SHA1 0d194dc247e995ce9afb4a0ff1d0ab854f0d08b8
SHA256 226ffb9d89b6114fd9caf78580be9c348878b87c9a504052235109482c0a56ee
SHA512 abdbb5429a58fe40a22cc59d79fd2c030b14fa8b1c720e624dfc98e72fb72b4bcb8a0853909f3c7cefddbc93a556e4c24f9eac508b7bb4e376e10d6a8aadf31e

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 d34f765ac135f5a70231a5a9ef5b69ae
SHA1 5b28f1515ec7887ab4fb5c6be67fe77d9c59ab0d
SHA256 5c0bbac87de04792cf3c9c9ab0959047e65bea6204959c5a82f83a613c6bd96e
SHA512 1888bb08bad7709b85a056919ba43e191adc5e3797df9ceb619b638122c4057aa350f8ac4a00e6eef73ab144690f0884fb235ea7cb38500e8df18c8951087104

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 983c1c1bade7972962861e238c26122a
SHA1 d9eb792dd309c1fe0092acefc7f1a7609636f5c3
SHA256 32927fb13e4254a439ff7063783b536ea8d555f5f8fd16ebccfee3ca94317cab
SHA512 476546887ac5428af9e6534d6d5ca03104f5f8a3260ee73cf79319affa5203e7cf6394fb6c2fe05cff03e423afbe4e157e6cdf7b4fa3b1e62f9cf51b3c60f4c4

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 2c4a4381223fcd77650f02fa380d8fe4
SHA1 f7c4fcf0df82c2de71c63f01f2accbda1b5e8aa9
SHA256 744805066aa3d37e01a66a97d213c70d44758220b1cb3ef3e6db39d318244b9f
SHA512 c9c955d0e90eff3105dad2dc035d8e0af419df10c364bdc36614a61dc15263f733441625048a8d38acb3ac9ed8a7340356570959313b53081e94e0e5c35f7063

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 18227dc8aee0ae43f47bd172c98a893c
SHA1 c168f7a1b3d8aa2d79643ee1131fd45c071df457
SHA256 6e162acd2b470a74f1c854e26e82e0edaa4e4eff31c8060bc7051b03e450b7bb
SHA512 94f2f33d3fac5bd1d5df61a5ebb87c0d2e6a881efec29123b22deed7fad2149701a98f9d29c2cdc599bf7f50f753de4cd15af860dbef2e8fac55871a2a54b59b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 53f6bee6ddf585bc3717929d7482c111
SHA1 5889d2ee24585a91b6318e21e0796c9b364d396e
SHA256 c6d6c5d585cccc58113b5a163f27330f5deaa37211fda0d81fcea31ecab7be0c
SHA512 cbc123a4a822685f744285b28aeefd05e1b1b397052d9e9554327f9e4b6e92b690bab8773474f80c95d8ad1fad89a31af2ec6a7d1012701a0b781ab23d23cd39

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 0f2c7971cdff5c016ad958cad830f5b6
SHA1 e5b08ae3a337ac98f3719013f3a835b361fbc2c1
SHA256 fa8b38f9f44d826c042547e54476b1e3c976f439dbe1c43556bc0c974866f5e6
SHA512 971a4211c0164b8f75e2492e07581b1c1a1f29748b8582b39d02176a4114c5cbc92d8f77da1fd44593574a0636e31a6b6443d0013b69b7d599219a276fd470f2

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 391d39240b2eab240286244a719f0b4a
SHA1 911d6da49e7569969235b2c413a0ab549940a875
SHA256 4fe688960878e4864ec94299ca0c77a609f80f8568784a9317e2d87257067b07
SHA512 8742b2beb03bc42d8bc4272d0e6be5aae5310366931ace471a9f152d1fde75a699a7c90e675514b7a5b58acd83ae5c37e543f8d77e982bd48825b57a86b9e309

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 aacc4eeb737b87937e2e81d390aa0f11
SHA1 f528f8364b748ea6d6632cb75358244f5a987c32
SHA256 884c81ef28c4e07137301b62ade65731483ef3443a061062a4340030044acb98
SHA512 d9a6b5ad59f37f6e66a851a21b9d04402bb276e709934f24a0ebab1bce7d975702fc07218215670b2b6e27ca77f3e6629703cc8ac0e27ed1eeb8316c26bd4af5

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 24419ef8f2878217880f159b4069e6ca
SHA1 68ac21473003edd44053c1a215de32542d0bd1d2
SHA256 5755303c6fa0f1f83c720f00b2ab1c04c72254d75f56697d7c2a0e38d536dc89
SHA512 db8d340af94c6df47f3e753cfcb70e5fb596a6ae56b0f0fafa107944a29c4986870bbaecf16c6ff02ac9f342fa38479f74af81f6fe16f24c45689ac5a77da4d4

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 ca623f0cff9bde6668e7fec3902da97c
SHA1 28137ce74d3384a9c416598eee1baa3843700887
SHA256 ed222a06a8d152ecdf69e8d15f54d21ec944f526e0729bb9e9fb2c9af48e49b8
SHA512 3e05816ba905b6e4bbc9dda24e99bf36ba72b26fcd91062eee6087e7854fc822c6f991f85a6c50f54179b376b7b0944e364c5b6113bf0b503e6783e14e6466b9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 db0590680515181f2d706765b31d6982
SHA1 1acf9ff702f777a7e2845ade89e14e80ea0283aa
SHA256 cae7422249aca5cd95dbedb9e5627b1358da885aeb0dc33f635ab83dfcac9566
SHA512 2b923c911700487dd58ece5ee797696b03384a77d06afb775be9689a426e861e4bea44afb2a927e9c229653af17feb677b47877453403ec36ebc5f82f9aadeb9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 d88742ff1aa73ac1b8b04f1ab6b820a7
SHA1 525db8d70ca08b756372b964e40f94e461257bc9
SHA256 8873a7d0ae0ff7d28530a01d3294fb4b39329e99556a72eed0c2e0bdf5115615
SHA512 ec418e0d1904048dfaff1e512aecff94d81ebf6a14cca3a37d578f6b4aa89f1d01d7f06322e2d491089120b042f5489479b4d820a6cb6473351e4edf6ae434f3

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 09f80554ed94c4136cf6a01c0a90ca91
SHA1 76bf30af26d8af5b364ad13261e7ff76be401f08
SHA256 6e6c48b6282430c398d7729b86609c00b5200b9ebe5a3ba68fab421713894811
SHA512 89a3a286b473e2564a996788ba81cc6f0d47089c2f51adc1f0a4c1ccc58b01df9382a6cf3223208c0d8f91f2bdc52f3c84a0a6ee79d0d4b97d7f937c3a2f150a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 29141602fb4ef18e49f46d1d830eb23a
SHA1 f27380de53c8dc999416ad9e905363ba621b78a0
SHA256 c722fcbaa50eb3114bd2b285f8e7341b8e77318c7e40c9488b87d6d0eb7538a3
SHA512 7faac534af9a00bb64d888ec7d28f06612db98f41712644f23a20191b69bea0879b6e817eaeab408f7859a1888df07633792ed17d773ef262579d28764de8e84

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 049783ff6e961fc861f82493409f6ac1
SHA1 b25f889548595f5b0b5ec62e70fc87d9efa7bc56
SHA256 92f49ec4807b150f03412fab6b91075939429ff79236959ac68d7ec86132fba1
SHA512 3a4b818ffd64199412ef3500f31ab7010dcf2accf0fc341279adf4e09949970c4b304192bb150cecef72d4baa4c6bbdd2a54c00bc719b5689fa9471288db6c0d

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 d08220ab335655ca47d87b3d13979fb5
SHA1 b826b3c7422d3f317c77443f9d0580560c228bee
SHA256 43df74b1ab5f3f0e8b58b4ce8fe40a5fec8b3b1a1983cce485914cd9a5e0abaf
SHA512 2f92d1eadbd662e1194dad1d60f7e3c1797ca02c06b7cb01d03c9688be912a70100a5a0bea1d62b6fed082bf09521a710fada81f148f1def01a61f383ce87516

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 bcf20021ef3006551928ac7bfa3cfbe9
SHA1 ba78f21764403efca052bd6aafa913a3cc987818
SHA256 092b49ab669d346f1647ab9848e40397c832633699b590b5269cdced3af30808
SHA512 ab0619455c6faf3bc4bb8cb904de5bc3591aae81faf65cc73ef5f1db648aede58e59c14bf00705c9cbd845a320164cb542c276519137bd12940b6d4c79f4e097

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 1a50af27d5ce2da3cab3527ec8e0e2a1
SHA1 4458788c283203023151cba4968318e9c22d115e
SHA256 894eaca6958061aa08b140d656b27934d39119da19f41bc30bc5c49b9934c07e
SHA512 34ba8f5b38cf480099c736eada324e5f6a5633e5facd34bb39c585ef89d4e89677aae1341eeae95472e51a21efebf30b1809422b7e67aa335ff6e38809c9ef1c

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 e6cf1a0480775a6cf79864820828d33b
SHA1 9bf621b0ee76757e0ed2258489b9fa304079520e
SHA256 473291c0eccbf8d86bd3f8a7d47695cab517db99ca93fce4f03fdd50d59c68c6
SHA512 1123eb9d805b11e95f774342c3dc3bf0ab483112f8a0b1cfb8be7f947043a4d67f52ecb95278b975f1c3bcddc610a9bff4b74730891a35256636ee5d12460443

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 481bbb57faeef7ec4ffc7ba576e9d129
SHA1 67067ce9b6acbabb0ea200c32cf6f05d274596df
SHA256 ff4bf7b1b6333230e9c6e22e0b044b4c7e5bd2450e5c14c4b6f2d912d1ba9607
SHA512 32ef9334c90dcf5f4299f41c60b99a35d5a2dbef50d44ebd0fa6512718ed6d5e6f525b76b679ac5e2c7c801a10624186a254308a684d223bff3439c06c1ebb78

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 4c6c40adce834f9016f8fd2112652860
SHA1 0046848c51f5a374e5f3db667efac8f7ead0a2f8
SHA256 b61a35a09eaf247f385b3e345666ed07aa347294f231994538b1fbedc9fed7aa
SHA512 7629388528441589802b1e2140df137b0bf6a0175e16c1b58be34064c307c045709b38925794d993dc4729c69458bc9435e1507c6c711c511d4c8410d88e7646

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 a70fd75713f42b60bfb6dd504e19ae66
SHA1 f525f704c88b977f486dd134f781ad5adb776d0f
SHA256 334013ae2e10194a13468c2cc58f1f289f44582771badb78f0e29ed24dff4977
SHA512 380ac2e0bcd5fced29604f6b3a6a24e88c94a7ce5a7bf8cc6a13b26f68d72c592868002ba88433a88337024cfc7bec69ea452b28f62d2f7af0ef6f73008809a5

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 c248eb0c0431391ec9b4068ebc04dacd
SHA1 f8299cc3a0132a9e7351b7919cbd7a577bccc47a
SHA256 f911c555fc2e886b2ff9e9476620cf98fd2a0443363d07f93a1f1f0701595962
SHA512 ecca75c589e8126381b09998ed7507d657ea978256a17bdf8f4267ebd1796c404182470e90f4d6cf845c6532131cc8fa9c81b3ed4aa93e80ae8baa018a965346

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 2ef7dcc4e542fa8cf71dbe5c6fbaf32b
SHA1 fa66bb4cbc876ca49b9008661326074bf9811dcf
SHA256 ee371a12af16f268111c3cc3c6052a323d9cb61ceeba78460f2e4251fd789486
SHA512 801c3895ce8dacfed0b70c61b81360651ee3c1aed3c4144cd0c4ff03674b07efb9a049784eb6ae7b4424b07d1c5142d7bceea2e0b50261da11eec4df0a025cc8

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 3015d71f915caf20d04c4de0825bf5cc
SHA1 de6aedcabbe45dc69749220ebcd21e2bf054ec66
SHA256 7af0e225d9636c735c65695b234aa4e85dd0c7d77bbb005c6d375bb4cf5014ae
SHA512 d31b6c2304c4a92da6e32be5a62144d34e56f4fc5740c32f3f34bd52775c1b46a7b59514df369f93ed270a43c8413be982c97369b6dae941e7cdd5662504aa09

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 843a04fc087a51a508a782e67565da31
SHA1 cfa01c9189cb550ec66b9ac0ef3511289493c70f
SHA256 17f7bbfb43907b4fbb252e8a8a87a3cd597fa73fcf94dfb8b7929ada0e1d16d4
SHA512 f984ae22865d7e49227c303c84b68b03c364feca778f142cbd57415a0ba0bf676e0dcbab42f518710556a8021e75a03bcfd8d995d441e04a928038d72d49229e

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 4bd236bb94579e181ffc26b59bf8e153
SHA1 a3dfb289590b2c2b88a2d846ffaf1bce858f6d4a
SHA256 c30f686d78eed2e8378116bc9c7f784611917b38e9821044c8c5ffd78c45e299
SHA512 ffc32e44e69a0dcc7cb501c531a46a35e43f15957eac25165aa6f9341c4a8b10ce2cdf59fff6994c3686164bdb95f77787a06a72fef1236191cc0e099b775fc4

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 85bd69c52f873e5ddb4b707c2b0e79ca
SHA1 f72df5282dc002aefac7a13980352000d02e87dd
SHA256 255c4673cac54145d7636d1f2a1e374b9a60372a2b01bf182e03bbf44e66f433
SHA512 47aa5ba555da1f47cc9198f7d728628e3b064bb4927a02be0bc0749bea57a9191ca67d232c833e2af16c39d1d7be855f2e327bd77c0150d06d0c869bb40b1002

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 70bd4688126c213b72c9655a83861435
SHA1 b8d18d10ec1e0772479d07a3cbfb4e57795c145c
SHA256 12f334c3cccd9859c769d1e00f9668a2fc4fd761be9bf677d7de3ae7460fba06
SHA512 34e038c8bebdc6ce45a6e7574e82b175ff5f990881c4dad521ffed3e5356268e9555a075dc14eb0124af839add2508670b25b7fa5231b1b4614f489b3c0db69a

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 74abe6fc6cc57560578fcf2c8ea37cca
SHA1 73a096ab1d451ec5831576d801b7c850ff4afcff
SHA256 c538d5675633d66ca2d86ca233933ce5efed6d0bbf311bfe1db202bacd4f0701
SHA512 914bb6447844c6114b4a01df4da7b6af73af5cb975177f4fccd29471b50e5c87701375b962a24d6a08766926347e656f334be2f8dd9c98eeac4c0f85c2413826

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 4af4fb8be97a9fa85701ddc11add8450
SHA1 6f43859be83ad4accc0d37fa1cb065c8ddf4e597
SHA256 c3141a319390d135c2c260f65e98d601d0e146926231e104e423d610da2bde48
SHA512 c9d83b81aab720690193eba4893a8d600369925883a5fb30ab308458d1794cb564672f39ec9d7677c2c443853ed6a13be7ef3ea91c4ba349725cf2067b4d34d4

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 7b5579660353a2322449da5813b490e0
SHA1 6334a7815107d0805b19a8470007e8dffe341ac6
SHA256 0356be458668b13631b2897c22162f594990bc724527ddef65378e70888ec302
SHA512 9eb5b0319fd840987bfe0ad252094339f41824c0ca0848b11f48c64bacf60a47f89a08f30f59209104b7c840dbeb581692622fcd928de2b438fadf218a9602a8

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 b05b06de33c22f8b3d4dadc441c7f07f
SHA1 e344fb673cb13e00d718d72dcb37c66491465ec1
SHA256 4d758afe58e26b7dfbc51eb326a1949dc2a1431f36e3869ecd5941a5fd9b1bb7
SHA512 617331042fef4ea099941d26f7a239dad3f0c386c3fe466a2ab0251e64796dfc26c74d73716448046eea072a3fe21e18c96044bb08e7949bb98010c1e6076628

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 7c8792d80b88cc3ff849c575a6f5382f
SHA1 dff67ca279dd5351af653cc89015dfcca8dddbc6
SHA256 3e5c2bdae80b6090d7db7692b0a140bbd476cdecddab067eaaa669374f71c941
SHA512 5f5a4b35d6afa6cdf2bc4b9daf8f3a64ff2227c5f5e2feccc73685f1225d1081f2417ab4c3acb9cca172c3dc18d9d5cfdfa2f657593cf8ab33b12e3563f3e924

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 08568e777c56b7a6acb1e21e056edad9
SHA1 6f15f070d2ac2c4c9722c0025245037c1a36f680
SHA256 7c793b7259f6bc496f32d025a06c54688b830aa28bb48efef8a79cb204f10279
SHA512 68f9481289298f3c81701fd3ff5994922766047b3cf6f1da2c8c6767fcd114d73ba3b4a039337658f83ab7ef90ab35ff9d249c5c1acdb6d0c998210389fe32d2

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 fd864adbd7bf45935864a4503b7903fa
SHA1 6de55ce9651f71b0f5cb0c27d4da106b722acb42
SHA256 ddfc2c55ac7c285f9c241fc97370a04a70f0ca25e0c5ea47427667ddfd08729a
SHA512 5cb2763ef5ea85a75957226a8fd2c915a7ffc637bed1d81c3334e09448bcf6291a2fe20a09eaa078e32876abe52316a0a64b3fe0ef5ea68148ad9325a2693ea4

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 d682fd75c071c7f740e25bf198afc1bb
SHA1 946341248d19509361a7d58b110c3c90e8aa2563
SHA256 50bae4bd7b0b4cf7dd9120c5cd516a565d7baa7377d09df8c60b91454e3baf40
SHA512 4f3f096db01f8f1cca0be3a489bf5e3d859288230b2fc8f942c2f882906571c496fe2a4c9860861e3b8b6c6e53bc98dd17c8af0718933d46b42f861746939518

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

MD5 c7865e062225901c0b23306da05a8a6d
SHA1 53f82fb4ac08bddb7acc420af5e71d22fb2b8b42
SHA256 ffcf30acab891e79afd3a9324e005e8fd2fd208382da0ec802a7dc544a96e142
SHA512 766cf7bad6017fcd9c05ed54b35aa0f5ad6970bdf0ba647d30c435b1676e7a9cf3650176411a69e9431ad6a529a6cb6020a912e8d3ed70343316c87e3e7974e7

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

MD5 7eff0550537d47d988a489ac070b6096
SHA1 1328a77ab6c3c54da824ed1d58cf33795f52e9dc
SHA256 8e9cde561ed052910930a967a2f5d29a83f7a6352d4ee23faccc50e59f0dc74b
SHA512 249ea13f67a46e7364d088b18f8c3a57e119d6596efe6fb150d6f25ddcb5d36fc37ac42e2e80412ffe61c5914a470bcb6569d5e557a02ba5a48191cd67580aac

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

MD5 6c445322c9e405005100cab687e029e7
SHA1 203a6ded6054d34e2429bacf875f27bf711a95b5
SHA256 a2d7a29a855a086ec30160fc6a94d9b6e51dbc8e63962b28660a3d9a899a7dcc
SHA512 50d54445a237491e4e17eb95c40864287ec2e56c806cc8fbe981d596d0aed0b9bfca65dda60ce3af67fa7fd6158ccff72441330fc8e1f691a6c7da8e3e05e7c9

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

MD5 89fe7a23077ac5f5d9e7a8142cadbab3
SHA1 417c7f5b6d228fd649bb1962e6eb252b66a6ee58
SHA256 91240e859375affaefe19cbff697197cdb22d464be9b278b286f3d5fc8ac294a
SHA512 3a8e7a66ac1e228687069f1897b6f7cfcaddc2452c3991228c6941e6cf72c1af0c60d24f9aaeeeb2ba74eeb8688726ab4319d8281542f760ede7f195ef0fee91

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

MD5 5388a405819e4007675294f22c4a9738
SHA1 03fd9630ae01b0cdb4fc2b62072d901fbec2e90c
SHA256 22735710052791dd9caf860efc775fbf6b51f806eb8990fb925ca36425c584e1
SHA512 d917229d47104611a96a7d44c8dd2dde76ef0690b726f04ef7aa1d59a2ee669926252f932b5f09df65562d7f1cef8b53da06abd54ef60c07ab32e2573d127f9a

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

MD5 b19ffa9b6152c025cf51898f65b0ea7e
SHA1 142c9423dbe169ce31c60f821a99c8f443d97167
SHA256 acdfff18d1394faec664035710684269d6c7e0fa504e115cb16a1f840c8598eb
SHA512 576627c1355e917f6d3c9693f0ab06e1eda96670fe471bf8fee8c1aee03877be0f912ca1515e31541e692d53377f98d0a3553d6a331ab5f9147abee75e559ac7

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

MD5 b20412b218b85f5995aa2f80fc0be11d
SHA1 d0debec5bd2deb73913e7fac1aa51218fe8eddaa
SHA256 5993893811ea8fc8fd756f0ed8781afc4bab32042e78656ebade4cbd038b361d
SHA512 ae37dded1b450a290ff56c90548b90eaea4c63bcdf0ed9bcb87a0fbade5817e0467a3043baf7f4e9907fd1dff2cd3664c9cd4f89249ea8d3fa34efb43a059428

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

MD5 dcccfb201d86ac77c7da7274d0109dea
SHA1 9824b48c5828c357989a8a91459d7c312fe2dc0c
SHA256 08e479ee5b3f6795b51ffbf7fe052033991c0179048b4ec5608f2f739ab8d909
SHA512 4bf388d8b3e296e93ff59f532776177a52e5a7e743da21b8ba9828c06b0af6d3660393d933ba4e3a4fdf76783bb12e96924a8185b232905f2f767b3ddbb2f958

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

MD5 2c32bfebc46befde52b4c6da4728d32c
SHA1 5664e89be110a8f102667f259a949f32dfb65239
SHA256 d4170636e603ff306722410ad259647ff53e2bbbb65db994b72fb120fcc5aa72
SHA512 4e59abc4bfee25a9e977df66bab7bed26b0755e3c05d899a3ea41909a5e2aae285bbdf73aba10613d4abd0702d9f20ae9e208722e21a8a60905ae1cb82bc94af

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

MD5 db2c6da123746ea09aa0e458b7231a03
SHA1 65124fc8cb26ecf3872d22bfcc47a4f650bce2b6
SHA256 f0fb7db5e380c0bb9b89610919b25df3caa8a77b594bba1140f11a63eef9186c
SHA512 d8ca5a2e86b87e919e031b701ad25a80fa391bd8a69ac823efc1649cc8d3a5ba7fed1b6e6c595de18b33d657cb50e5a29d11871ea0b803f7bde91b69fbe1c0af

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

MD5 15a0931ab03adfecab279dfe77879911
SHA1 a8243f0bee47f2c553af0847da390bbc77459c56
SHA256 47c118476fa319c8cfbb7bcfc3f2365fbac4898732b3bae60cc7ee77d112a1e1
SHA512 582d4ecd69926f46743f4737d5fa470afdacbfc3054f2ed80f537f617e8cca1da0a9d1c24efc5470c9ef19353defad9ba122d674cd9a981d4cfe5a7ad89bbcee

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

MD5 f22564c5cc4af0e3bed05aeb2762d855
SHA1 72d8f48904f3d077b39032e1eb640825eb5ac84e
SHA256 9858320124ccb7fbca12247a43845bfa62da4627d062fcfb67eb77a4b6578df1
SHA512 b04870b00921ced7e84e6e81c5a6c1f0df30b20665f65cab166643216be107746e940e5a81a911beb7f9264d80813314ac3289b6ddc347ea23960aeb59fbd48f

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

MD5 cac2ec75475135a394191d73730f28a0
SHA1 5525f0a32f9e1b79ad0df0f5bf8597d4a8dccb0d
SHA256 1826ba49b65b809c749c3f681e90fb38a0f8177cbf226ea6c56abeaa1675f664
SHA512 f4fefffe91e8fa59ae2b6f414638a14f2c231a225578bbc11d20823fefceab796a72b7ec80e672b89803d0fb1b05f941c87b2f17129c5703bd96baf58e551393

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 70546771d934eccaac0ef332cb742596
SHA1 eb5d935096618613f2e095ce7ce6772a68ac0acb
SHA256 223df23e83be2ef5c37eeaa8b524d846a0abb6da994255f21834a91775b32c60
SHA512 b42116a2374a4fa5b1974bbc83e2acf1f42163c3dda59c5d904ee650f8a05096376993fe220f2bbff698e5d3e42646c1561bfbf19e44be3cf3f963d6beefffa5

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 a40c1b0009a6f90f564cdf7c5ffe8392
SHA1 978030580e0297978deaf95dfde9b338e3c5223a
SHA256 d330876e8c3e1c4d727aea49858939d7ab5c3f566532315882675be088928052
SHA512 bbef1b3797470eaef3a0625527b08ad3f2a5b14666226a0e5f520a5c87b71771ccba6d7c2fb1eacf04eee9e787f78a20d14a53e930189f9b7be2f493485c64f2

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win7-20240708-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (9065) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Windows Media Player\WMPDMCCore.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\SKY.ELM C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Events.accdt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_m.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00416_.WMF.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2ssv.dll.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216858.WMF C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285750.WMF.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299587.WMF.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\ProtectShow.mpeg2.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00132_.WMF.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00560_.WMF C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Civic.eftx C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\msado28.tlb C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00166_.WMF C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe C:\Windows\System32\cmd.exe
PID 1904 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe C:\Windows\System32\cmd.exe
PID 1904 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe C:\Windows\System32\cmd.exe
PID 1904 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe C:\Windows\System32\cmd.exe
PID 2716 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2716 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2716 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1904 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe C:\Windows\System32\cmd.exe
PID 1904 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe C:\Windows\System32\cmd.exe
PID 1904 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe C:\Windows\System32\cmd.exe
PID 1904 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe C:\Windows\System32\cmd.exe
PID 1568 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1568 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1568 wrote to memory of 564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe

"C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

C:\ProgramData\biobio ransmoware.txt

MD5 4cca299786028771f81f76d2c8cf2eb6
SHA1 e475afddad2af29b02cd70281c834bcdaf12e4df
SHA256 324014b0ad34a853196650fa9a9f1fba91f597f7d7038f144561d68524edc53d
SHA512 95e156f0e55af7aa6887857f0c54e466ff5f26e802043e717f7e7a0bbc83840d7d745a7b9871e2ef445c85b0d1e482f5d75b2d2ed44aff6bb9da2537b0df584a

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win7-20241010-en

Max time kernel

75s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Neshta family

neshta

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (6125) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15061_.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Sign.xsn C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS98.POC C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prcr.x3d.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NL7Lexicons0011.DLL C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.ELM.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTL.ICO.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143743.GIF C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\wmpnssui.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_XPS.DLL.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152716.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287018.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\gadget.xml C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\EnterUnregister.tmp.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0300862.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\alt-rt.jar.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\RSWOP.ICM C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sq.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00042_.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01472_.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00190_.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.INI.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18219_.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Paper.thmx C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EMABLT32.DLL.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTIRM.XML.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN001.XML C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.INF C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe
PID 3052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe
PID 3052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe
PID 3052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe
PID 2904 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe C:\Windows\svchost.com
PID 2904 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe C:\Windows\svchost.com
PID 2904 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe C:\Windows\svchost.com
PID 2904 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe C:\Windows\svchost.com
PID 2852 wrote to memory of 2812 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2812 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2812 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2812 N/A C:\Windows\svchost.com C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2812 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2812 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2812 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe

"C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe

MD5 4280ea83cdb85a8b0b347caff5b942f8
SHA1 057a37245944517cd8646780e26f2c5feb268145
SHA256 f8398f4297b8ccfefe5565e65fff65d6d969b35cd2ac4e693b1959896beca3dd
SHA512 b34b870ab411bc09449fd41f58e6b4666ef5927fe93a635b1269972a556e0b84c4a0205ea2512927960f4cd95804d31404d39a9bd1768eef6130b68b01847f8a

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

C:\Windows\svchost.com

MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

C:\ProgramData\biobio ransmoware.txt

MD5 3e08144c681309544d6795b31a9a968c
SHA1 926d41074691d13ca0d0c9df3061a7b2b0fc5761
SHA256 e68ce3e30f06d6648ac37d753f90e6aa1e150934d63171bbc6fa6ae14d944fe7
SHA512 f42e1ce8226a2e7457098f5991cea712806eb5a543eb126981e44be0311904ed483de7c9938fef8a46716e2f207551eaf62cecef9a99e2e84e0a6c0355969353

\Users\Admin\AppData\Local\Temp\ose00000.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

MD5 831270ac3db358cdbef5535b0b3a44e6
SHA1 c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256 a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512 f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

MD5 eef2f834c8d65585af63916d23b07c36
SHA1 8cb85449d2cdb21bd6def735e1833c8408b8a9c6
SHA256 3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
SHA512 2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

MD5 e1833678885f02b5e3cf1b3953456557
SHA1 c197e763500002bc76a8d503933f1f6082a8507a
SHA256 bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
SHA512 fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

MD5 3ec4922dbca2d07815cf28144193ded9
SHA1 75cda36469743fbc292da2684e76a26473f04a6d
SHA256 0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
SHA512 956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

MD5 8c4f4eb73490ca2445d8577cf4bb3c81
SHA1 0f7d1914b7aeabdb1f1e4caedd344878f48be075
SHA256 85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5
SHA512 65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

MD5 2f6f7891de512f6269c8e8276aa3ea3e
SHA1 53f648c482e2341b4718a60f9277198711605c80
SHA256 d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86
SHA512 c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

MD5 7ce8bcabb035b3de517229dbe7c5e67d
SHA1 8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9
SHA256 81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c
SHA512 be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

memory/3052-1175-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-1176-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3052-1897-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-2038-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3052-2790-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-2927-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3052-3693-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-3807-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3052-4820-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-4897-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3052-6193-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-6196-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3052-7039-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-7170-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3052-7576-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-8543-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-10147-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 e636a121fd722eb592a523bbe66f6cb0
SHA1 2fa150c33de1c4ae310f48cd120f8be5dfbfc596
SHA256 b976f9b5432964c150e6132078453c221610b72eadeeda5b1b449dac60d34830
SHA512 e72835defe700af546d7aa088248d90519f06f04acd1adc32db2ac5f641161499a48b3f636a6f5c2b764cd3e45dfbb303be67cc9d88b591ce793a69352f9419c

memory/1816-11481-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-11482-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2852-11484-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win10v2004-20241007-en

Max time kernel

100s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (11292) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000C.dll.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TinyTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\GlobalMock-B.Tests.ps1 C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\selector.js C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\release C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ar-SA\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBarTasks.winmd C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_es_135x40.svg.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\US_export_policy.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\bci.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-30_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.ot C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteMedTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSplashLogo.scale-300.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-125.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files\Common Files\System\ado\ja-JP\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ppd.xrm-ms.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\th_get.svg.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\meta-index C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe

"C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\ProgramData\biobio ransmoware.txt

MD5 91fa1053207971e936e6bbad0c7e8c27
SHA1 61a6300d327ae6eb276c6143f65a58c8f269a67e
SHA256 f26d98cae64be561f1260f5cd1c2974a6dce9ffca484461b985ae1107198848d
SHA512 b2794993d695cb6950eaa65eecd44dfd4f8ee297dfbd0ef26532fa9f60639c466bacd18e557798e3e28535f4812f1e928bd4862d6bc39a3f014465836d88b832

C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui

MD5 e1e3d38e3782a84a0dd6ca585c470363
SHA1 96febb91f31818fca9325d0d0c50a28aee3d9706
SHA256 65a25ef66041547b6964343bb2fdb0813ab43e36edf2f473027ec3d6d02a8b17
SHA512 9810c98af68602ff90938e54dca7e5590474fdd4e24920fd91949b684d39fe592e963984aedfe016118107e74c07fb2bd117ddf769f48be97f32fb2d09d3fb3d

C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui

MD5 0d79620663725ae34e8a0194e0b2a85c
SHA1 b1b43e4eebe267378374beec113dc3656ae7c2de
SHA256 b30a8f06a212753625f4d01f4b0595d515b5ff7855fae1dcbe586a8bab8cdfac
SHA512 4c89e9f327407bd9f19492752a4aa31557a150a98761cf17b0a23d63bab6293db96ad8a9cff67ab9e4c3e5ee8af1273b3d287952a131b171be65a5f0524aa6ab

C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui

MD5 4ba9de578e7bf12708e47cb6ab7d447e
SHA1 762793acf7f632d936ee32efd212d60cb9b7b64d
SHA256 173ec397b931e96d31a53c1a0512581092622cec0fe8bc8dc3694e3a34afc058
SHA512 befc8dd17c33c15da2b0954b48d67b00c569a7f06f08718d8ba1008d510e725c50af49d6cea222d627dcad8ead25a46fe27a4fca530aeab400afd5887707d6f5

C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui

MD5 77968b32b7f6669fd21f1ce6ab761345
SHA1 c2ca59456b3babcb0ab12275ecdf7288c206b317
SHA256 eca1dd64b1ee2ef15d54678f3fb6d13055ce283023310935964cce154d2c45d3
SHA512 4bbfe414c177ae8e8f07975cbcd7a945cee9886bc7e49c986f62f321919454b126195ceff5241ef9bf4e8cc4a7fa42c5b407114466e1aeae5129d2c326faad3a

C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui

MD5 93948ec3c22a7844b763e24841a6fe97
SHA1 af4663f59e19a37f7c8c559751b1133751480a36
SHA256 fef882482ff8aa81315bf102c384f16d30eb17e571c48a21c0339774589595ae
SHA512 1ea4c5a6a8a2c1466f651dcb403a48c21320ea5af9ddd50000845244ca694295cf39e0f87dc0da5daedc072593a8b8e4c4e1a13be6f0f342aa0cbe49a820289c

C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui

MD5 15dcfe9297981b120faabffef3a92878
SHA1 81053d79f187d6d5b03fddc00bc236c05a59f0d8
SHA256 21bd40f0d8317fef41d458bb42175f0f50beba399f6b2d9c4265b31a53510e66
SHA512 aeb59db3fdd314916e9d8e999474cb794e9c4d8fa9162154820eacf758a17cafedc8e2f3b9f1ef7fe8f6ca982c53cf2ab4c326782dd63a43af4a53dd93ed057e

C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui

MD5 60ba84e189ff28613dd18fb729dfde02
SHA1 c30020a05cb3be0afb181ed3761709df508c6a8e
SHA256 4029a0659f6f0902da6ff1fa1e172b1f426c91932e0c00e33261064829fa543e
SHA512 64c12d9ff8611d6191adc8a8b512af25989676d7b5ca10d20e6dbf36079fd2498960e3244bfcbd8078407449e51736a360930464ceca969d71d421bd951067bf

C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 116569f5dcf5fcee7a91cf6be7a62c9b
SHA1 8b2ecba28b0d8e164ee13d2885905ae8670159e8
SHA256 083045c451cd2d1f9044180d892deef629afb87f69961c07c8ab6a8c45821dbb
SHA512 5bf28b36fcc8481a920ac411616db7f0e66107790e10d8637cc7164353e6c2667a1ed5cb9258124989e38fd6ea8cdb6e913ad5a8188634892636e104d17cffd1

C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui

MD5 a3b0e2e54d0622bc846216cc18f7ce12
SHA1 4831b5030eb8b76621e4d9f8c04e3ca961229a9b
SHA256 b181d7e4c5bd8d04beba862e056f8b7bc916378a02f722eafac6621ad3b35973
SHA512 c002430bb547d2355d9636de7431f17fd27ac360ab7a92b6045249290a8218b7807812943025fd0842c3b6f19634fccaa2c9a1aee402d2cc9ef704e5a2c7dd87

C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 77485aebdadbb0edccaf349f600f32ed
SHA1 c142ff70a2cfb0d1e02a3c3289b89847283c8b55
SHA256 6ffb62599f69a5153844e3440f019eab513decb926a8deeaa4e55567904408f2
SHA512 5dbf3ed4a8c70e8f291825c70213bf60c2c30be16ec3c364ca1d9858c614d63c1ad2b0ac2c1133b4e215e1f6569aa4b8d49c2014b4b3ba515fa8baeda3cc9ddd

C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 262dc3b7acd2a263f2a68008d5481617
SHA1 182980578c28ac76b09e84c0238c70d50f9ce4f0
SHA256 6f8ef06d79faf40d4e92d40e85c674dbbb6793fb05758f156dc263f36bb5b752
SHA512 4a5c17171a7b1299d956c6783888d4c750a05ee1a643bcf30492373316a4191149114df28f499cdecdebf426f5c96b0ce4a45b2f1b4b5f1c9a5eb3cb46e9db53

C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 285f415092a8ad0ce641f5798880d432
SHA1 3e56fe0618c60607821558e0bc11e28604156e04
SHA256 4cbf3686b9586d66c704338c86ae5404421532840fc16a8d1f3aa03cbb092213
SHA512 3cff70d898db314d96821353cdd769c224d00b0f3c6bb98a6a24c32446170de92519617fd9e28afbbc92eff75ba22b1f776a072da573a6796d05a226ec739dee

C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui

MD5 ea7755e1bbbc6ea1cc1d507c2f8d7dc5
SHA1 6be05a6d8efb23d8bb38596d370e11b93c6b2564
SHA256 0c7299a09d8a9e8ca04e3f479f8de4d170f26a9ec4bbebeff70e69ac39272d67
SHA512 839ac92cb3e83517ed6264b96ec44191a92aadefa9a628be79de2b4bd1ba26081a165762d3a2bdea31c55561f78462867e336ed8be1d0913a613e82b68c89fac

C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui

MD5 8039ea3a2169111b0821cd4c14c2a688
SHA1 3fe062d4f679df3b86c7b9340626b3ff4b3f410d
SHA256 e72715a3321a303527a193c29953202c5dc65f566348bd9c06991246f01d2503
SHA512 b2b06647016e72ddd693d133214bc74791fef3182a9e252e7506c10055b78e408e59f7a51c2108646e3fffe348bc6e6e76497ef76798fabe6080d07677d565b4

C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 46a84caac7bca143fd8964057e54a818
SHA1 75e4590a51cc61e5de13621d122868fd0db5d9f4
SHA256 6f701e7b2d133819993a1009a791a97b9eeb51af0b7340dacb1d87d25cc3e175
SHA512 ef38d6942c875c6e29fdc2021be4869ea33d53178b970cc948997fbd64f95b894b3e440899498374559b24c0be21df7c6fc98800305a85e95067619dfa63a4ae

C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 a10bb0bc26acd5bd76d04d98985faef2
SHA1 9fee3795c9b4c6c0c6a07f08044fc40478cd2338
SHA256 77f682d0f81f03346006d5e8bc7fb11323ef35774305d2ca846b6bb913b8de94
SHA512 b9ddd443e6a4399d39ead727c6e6381bc35525e86f9efda888b78284b6c0b440001e088ba08da5e9ddcb3d96750dc49904bde231b5080371818637004d62515f

C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui

MD5 4f0cb5fb4d841ee52aa93ec63f24da9d
SHA1 6937cfe1222c7082586dfeccf113befe7b888f4e
SHA256 2c0e99fdcb01c2d6ecb89210b64606cbc8b9efe5f3879bd232987e915de9e9cf
SHA512 62ae286a0f0949ee0052497eb488763e9edf9101a06d90f64d21793c754da0557d5beaf57ec369e13f00c4cc0d58e8be2ce3fefc35ec84a41742bba6714a0be3

C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui

MD5 cff44fecc88139021c65790c6d561188
SHA1 d14e23af971d5a2b5f096329c9134d76b874ef36
SHA256 4c949fdfb814ce8d883810e8829ace3d41906e59129c33adb717516e59dbe601
SHA512 6e772239afd97058ba4a4329ee78027c3cb7a1d81969e9ea551f4c93a3354e44fdbc025302e50451d7459776888d964dc9bf0c03beca5b3e0ec112b496f347c8

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 df691bb56df3cabe5e339fea0e430c0a
SHA1 066b649ddd02c8b150fa4bae465781b6faf533e0
SHA256 4e341d909999f646d4a788078d9bc24f4f01724ef1aa6ca2f1648984fb068497
SHA512 ddcc7a44e345225bcdaf8ef68bfea490db2ca7554a011c773e1058e7c8bfaa161cec4a927d6fabee59638d7ed5d7bb947d162000b3c25d9fea123029a8d611e6

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 fdaf0ece38b0f0d5f4c6f5e8f9141e37
SHA1 7047060d3d0553e45030f7a2a36bbe5169b1f697
SHA256 2920b0d016290fdea5f4259809b70da63b93991d74962c771e5b8dcbce018342
SHA512 e60b72e02bc1c8208c01ebc6a865e628eaf6f723633054df3471621755d576db9ac37804f8bb1ae8d07b0a532e7f27d3d3927d08067a1a37f605a03693b9f759

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 48b1158cac383f3b9dfab4e78212b316
SHA1 d79758687658742facd4863389487254f3c0a973
SHA256 9e3ab0531200c5246e3ca3a0221e141259af6366ee82b28780577c8ec9e764e9
SHA512 e07ba4f9a8da6b2f293c5c1a4f0433b695d42dba312c31d2595cf7dd37f83f6bbcd1674ad4aad8876647244af07f6fef85ab3d378fcace6024584eaa747e7917

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

MD5 4515174fa7a4a8b5ed82ccd256459a13
SHA1 a121566a0dc7678a184e5d7ed37c7f64246c85a2
SHA256 7e96393f9da97864cd624888eff32e14456b45c33327ab35d34dddf8762fc9c2
SHA512 e0a4f50d5bfe328b0b573f72986e34eb34bc6d5371b6760fda753eaf7aead83bd05f48ad3d116d09609911aedf6b5715bd64dc8bc9e4551a6be1b62c336a649b

C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 edb99ee082cd179d9835b347e6fc175e
SHA1 94ce930f6dd258a702b09769007750399bbfc167
SHA256 759835fdbb7274d0481b957874880edb3dbcb4edf30fa6c9c0a01e2c0d3fe1a2
SHA512 e5f1dab623efafc87621bfe94581caf1108042876f4d57effe7fbcc97774cbdeef2d63dbaeab2830dad1f389b7a1194abf822bea4d6b16e885ab154d6eaa2c77

C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 b231fce16cdfea162c359b486097c017
SHA1 74620de97cbb8157ac4afac2f45491a95e3bdb91
SHA256 3cd1301b62be6a55b07c14edb7a149bc3a38afcbe62b91c67431972d398bb677
SHA512 3340a63e5f5800f02f5f2b12cace32aac3df89218ab2a2601e5bc63aeffbb33a88a5793abaeb6366c9c0dbdb8ca1634584187b6412130190b1e5703b49830046

C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 6258c648df952fc0829e3014d59cfaaa
SHA1 464ee7bb75baa4be8e9dc065e6278f5b1d7c95c1
SHA256 edf8e92d5003ba8cd0840ab45ef7a268cbf694b191cdff630e0bd827966cad8c
SHA512 019f1819eeca8058ba65695694acdb459f1370b000b0f723814f3d24e8deac567789d36b2fd0c6af3015e34477dc8f2dae2c6ec14c926eb15e74740c59d4b740

C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui

MD5 1793c54c62ad374c2bda8b7a819466e9
SHA1 84328800957cf2a6aa68d3d4fa9ae22c8d681a10
SHA256 e89d803b367f991296694e09951a70bdd591c4d54e483dafb2052f52e9b19e4b
SHA512 ee76cea4a70b50c30db0689ebd28a72f114d331c4bfdd97a7c49c5f8a02877d2c074275c9decdf09d98f345a84a7157bcc295e1c2f3428c851c89615efdc31c6

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 d3e8d867b1316003c8ec992df1a4c4dc
SHA1 132faabb1687c6c3ccd9099899ebefd213bc9c35
SHA256 0e438140dfb177f3bb4769fc6cfe64a080e0b6830cd124c96331079bc8caf8a6
SHA512 99860f94e723059a831e7e67a1aae6a771dd28055903a6578712ff47121fcefcb0ff68589b60b932a899cd1a99402ebc0b49e6a2e72799520e6f6815842c05d3

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 dd6c2228ec5fdbe1fe0be212953d3c3d
SHA1 e277594f4f5a0bd7b061510cc7e6f4aaafb3d92c
SHA256 8dbef8a6e7d5949e04af1d6fe996546d6fa6fbb69ec05874b8994da19c9d37b3
SHA512 67f2ea85f125569fb69cd287fcbc3be3dfca5b6c04b11f82eafa63743e316e9852b9c51e997fd0239bba43e403af2991d3c11c563c4c9df8594d9d6ee74b4636

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 c155d1344039930e2577345e3b716803
SHA1 e4d2fa15143d5e61be1de659f0f788e40b388da6
SHA256 0507d63da72fab4ba8d61b96283f173e7ecaaa6c0dc9df17ff868f000e7242cb
SHA512 bb6b95a1fe24cf6cc2d27c0acfb3ca87191b9d077b9b25742934a045d8f45cc7ec3b04b232080a922b52b4639e1396673c20af6f458efefdbddcdc74c8c2ffd5

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 af84d30dcde1c64b31cdb454bf2ed312
SHA1 f61035c13fe4eec768fa4e544a919e78275a9819
SHA256 0c1a4c975bc892299f8ae6cdcdbb2ea9e01af0716cbc6e3ac80b352c0fdcaa69
SHA512 ac058df8782c44f388aad75d379153a23693d985cac2f0f0dfea27dec46ffb22e50aff74dc5bed7d7506db63acd084b07c82392bfa84a5f5c710650a93f249ab

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 ac9d6d40966b5ad9a066feab52f6b7d3
SHA1 36656f04bc43d73405aee9a18c122af414156117
SHA256 258fd90f5bb9e4e59656e20eb8f01eaf9e0cb424a3a26b2fbc630099e3c946f4
SHA512 479002feeb03f85a40cac971c0e8511e7ee4830c1f772238c8a034bb7654b69c495224681881d8d02ceef7dd19696bb3b5c21fec9afded19a9f80144918a8b4d

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 162986ebc1f7e9199f1eeff2b42c00a9
SHA1 a4a465d752f8a05df0c0fba05ccc21867a44c294
SHA256 b4ff198e91ab50c5c9409b1f5e706d11a9f23428b92f988d2cfbcb37b62b1eab
SHA512 c3532305c7cfde21a295150bfe8a11650c25180e9b3dc381b327d6bd06a23f42f5a487b16f44877484579891472cf5e84658676ea8fbc1be4ed141ea599c02d8

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 4b91cb2ca087683687ecdb805fa8b613
SHA1 c1450c8fbe6fa2064b0ac862268c516e97ae2c39
SHA256 2bdd67348b3bfebb1db80ed72af01b9534dd51937088caea1681a740d28e67a9
SHA512 ab9e8b37d247b3e2c521a315faa15693e52d490cfc75e355c4849279bfabf6895c37b21fc3e3a387b6fc3126f4668b310872143e59c28a528d7bdc6ec326f23b

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 f3312db596ae4d53067ca8aa1ad1781a
SHA1 f2ae56182b0e8aa82cf11177a1779ec10de220ae
SHA256 22371c4622ed471e2a947a75787d30170c8b59a7832d533472a3d45c4b5b57c3
SHA512 ae697d2dcd73e092df5c90f583ba7a024a96332dbc146ad71d2ed3fc544e22ffa7d9fe32110eebf6920fb0af451f0c217f171f74a9f4ce3f4c078fd784140544

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 15dc1abfd3e3cf25274bb8ec9e52f4f0
SHA1 804851de93e284a688fff1d13adf379c35b4f1e8
SHA256 073d6be0fbc285f59d8627f968f0c10731d9e66f360fbb6384c5aabfbb13502e
SHA512 d459b7a48b6006e45c28c1e48d46d1fb7b3e20a7d19cb28eee39206cbc520c6cc6b8fd24da6a58748a17db9d6169863b72f9794c3306ae6a03eac346698a45df

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 1e25c290344f9e51cc6741bd343e806f
SHA1 007e047eaab771895849c97519a97755fef3d93f
SHA256 8c48d8ddc25a262da31624a895347212553e0ce3f32bc6a671a00a99a41f434e
SHA512 b3cf88c7e327af249db36df9f18152d424d9fb84ddea7d15f9dbba751a1d9a43ba94032c8ad4c8e38613ae605aa6a847c27931688408c6d05388763401f735b7

C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 6b428e00b5aceba3e6f1511a13ea804f
SHA1 7e974a5d782ccfda7b9a288e378862460b7e9c4f
SHA256 44049a1f89cf75fa14bee91227c7f6fa0914d1d66e1bcf17e6ed80cfb376d3b8
SHA512 f62706e28cb10436d06b30399b5a3d0b3d2808dad476f0eeefd6b54186c7985fab9c51c3144dad0bc52d91af9a1bf067b6c7223166c26db1e183a2b30a07d7b9

C:\Program Files (x86)\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 7dd3ac385051a42b9c825b29ce28c695
SHA1 5a840eb14d0fa61be85c6093e68744a9e15f6c51
SHA256 2c19bce7bf827e720bc82a366ce205f8792c1b19cc2271ea9b238dfd4c740d75
SHA512 c48c98b1d1f93a6527e50511e5e879cb155eec601f5534f9f3445b839d72440254440a0fce8b7b9b222fa216ec1c3740af4249d446011e5c35acf0f5f67de73f

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 3a85082082636ba9a15ca81b36761467
SHA1 e32443a3a6283ec56039b060cb90491b5107c832
SHA256 b56c890d863dafd0c0ddff37032720aee3bb7b59ef90266bae2fb37beb12255b
SHA512 924c3538bc90da1c0f96567fd3fb022efa781f7d2f156ae7443715e1d345774db0c3c3cf6e708a797e87ca50b437506e52d0ef2d93a5b2fae98f269fa556730e

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 7e071cb80967215ad2520c6f1b86cd2b
SHA1 c11f34b58c007f0ba4dd1001ad361c6e4ce6949e
SHA256 c318693961ce6664107fc86f7930053f6a2c7575ec48428e5856dc3a2eca8e74
SHA512 7b39a185c99162c67f2e084a3c5c700db35baeeabd6d51106f96d7a349e93d8da9db90b89f02dd7662ed8e7df298de8f2b2b063c79ed84ba962d846b740632ce

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 08796bf0ea8679ab8df0b7cbcdec8235
SHA1 c0f5e9e83bc65a13159943a6e6e510add030b9f1
SHA256 362159d1caffd110f9f03e537835d1dcad9da0814bf4d71ecab8b625b897219c
SHA512 83b2479ccbeba41f087c8484ca9a4c8045e4963cf529562555eef46b7244ba6230353e31cc869b00bf8e3fca7ac5b8e1ada2cdc96b3aea739efc7769695a1b28

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 7cfa1f8a8239f8a6895f6133482c861a
SHA1 f9c0b47024a91d76c769ee5ab31d80c8cf699672
SHA256 af6459d7278094867df8af4b9b4e0b004419b62314f060caef10bbc9d70ddb73
SHA512 fba99bd37a5382e6b9d9a2434f1a2546d8dcd2819a71d91e54cd33a088a78a04d3bc10abfaeedfd7621dab07908cea5a48739c54ac2e020ef0289e512af8a618

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 f78b4e911a4ab39a52087e9c7c59990b
SHA1 29b65509d45539fa9787f1d632d5f9c7f4838655
SHA256 3e63b67a4c452fcca91fbf9d31c769cc3594158d46b99c4cdf5d732c4bfd02a8
SHA512 ec93d95eeeec32d28e6f01b82365f083b92c9069391513abacbc00173857b593d1e62b36e619e6503c39a172aa787cc1d47d391ebe70262a566d05a84995828b

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 87680107b88425c6990d70effac125fa
SHA1 7be305a3fe4b9ba77ae81d2320dba5b380c0faf8
SHA256 bf85e92a78c0e1a1dde3367eb3ad3dbf5c52a72adc0115e8d4284c0b88820a68
SHA512 05e0b977ad0c6612e85e4e662cf6340e9b28260c6dd1008756be4209ac60d13fb8a339f8a621c38eb2155ea66d1a677ed92ddc053f70ce91f0298d59ed972fb1

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 ad0f33483abae80b441c7a9333259117
SHA1 fd8ba8d639ba566d381defd292528823cad32be7
SHA256 bad247ae3b819bdec54b49f4308b3e6bf837eb509305187f8ff0fb81da289314
SHA512 cd05582eadb10c1b452d42c84ca097d2fdd6e8cc4a5ceea0afced9776fdecf7986650a6825980369a7fe75eb02e9e366ea76f4a4a1cf2b4653081563cab6285d

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 34ab2e441ef39fdeea2a1c6867391030
SHA1 b61b9f18003f8c65af8f74fc285d1e175cb92f97
SHA256 e06fd3d90e685881f0f1fa83d2e677325306728fb2549c2967ebc155e1ae6707
SHA512 a2b8efd76deda094ea74173c50346cf796409fc77faa57e3d182d4ec0ce710fc5620c2a49f33a90048a4f6b4a8b0d7595e909a07c578bfd31ae584e53cbebb25

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 9b32b5f7069ca3867f7b8d32ddafeb08
SHA1 174e230730084dfb6a3f1a75885971142091bf1a
SHA256 1fac11b3865d51e29179922046d9c3bf34f7778f143a06b53d9eec9d8bfe98f6
SHA512 df70c7ab001719489f9a9c3ac2cceae1f3cf2595e9b354d05dfd5f026ab21b17a38fe0261438550ff5ec0f070bf71e05e604a3433653e5ae39d09d76dd1efbe0

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 122e43ceaec0c294b0d3fab4408be5d0
SHA1 b7ad29a555b046e16e70ab8f150ba5fb17413d3d
SHA256 534ee4a14d35a1844af751edf14f7572aef15b52cfac0c40b5cc83b6e341da6e
SHA512 c953f381f312f7a7069b757034ff28c0a33af095eb080ddbde95026d4c6e656c5f2ebc3566c1d6f1b157a8187304068c70b5c958e647dfe78ece80607a28c967

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 a29ebede4c6f065785c67114826aa2bd
SHA1 cc0f3877c45728384387cf6f961bd06af105cdfa
SHA256 9beda22da8f998767c195061488780871c056c80079f8be65797f1fe2569436f
SHA512 45e070ac51c85bd47146319ac54a30f3cd1b8fb9125794a388fdd916189ee20c5841b4a71eab4db154266cf5219518ce6bd2d5e00d3eefbf30749a364a2b2cad

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 5d2ada9f1bce7e0fce930b0dd926ccc9
SHA1 72f4d592495f5341a5fe55c29d0b5323adaf614c
SHA256 9d55b8c9bfffa1da7ce8c6317f6ccedc49840c2ef5f76d71ea930ec9ff102df7
SHA512 026d0903d063992066f2e1b61998006933fe1655dd89cdd8a5997df4abfc06ee96c77bbbff712fb6e36e37e990028918ed7f601550dd37b9716c7b6cb89901b8

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 4841cfacdbe4a7765e048d5132973475
SHA1 9811db6f20cbabf962970f708f763de83d0b8590
SHA256 0cfb724a3f7c192f67228ea9ac02cab6ec918f9f8fcdcf156800a21ca236b70b
SHA512 b759f79abde029ce5e77d6ae5ecc96a06652ef1ec04440ae054d306400dbf9415bd5ed8507c473058653a796bac88172ba33cd8beecd2012f9274e651e823f7c

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 8c018710419b056e02498b82dd9a1ae7
SHA1 77fb77e1e69dd1c36d3200ab7e9df6aa40b97a95
SHA256 ef394db8d2d96ad23ce49a3756c8d1cee093aa6201f4612df40a74d5074d0ac3
SHA512 e32e0ccf60c37c5d917ab0e16b8185df9e6ae57160b4494a2ff4cd92815b444b6924288a28982f4139c8766e37c5f5aebafc4edf889685bdd47472a4ca86c01a

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 921ce5c76cfa1d08661a48a0abec6d29
SHA1 a8f0a49481a2198524e16b25104078c05b9db0b7
SHA256 1ffc580aa9e5c1cfd31bc8ba95102bf37a40ed2ec961b1a62742c2298fa5030f
SHA512 28cbac8345338d94a313b83e744e01660a94ac798e17e7c4f32214f1dd0dc5049f38088638da4eb727739792fb9066ae0eaa5eec3691b6aaa0d99a9e511ffd44

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 10ad93166fe2c5d404b8706dc1ab4d92
SHA1 2dd6fcd9127720ccaaf9b1a70760e24741a6b038
SHA256 78c081bf24f242be6dcc25fdb7b5435541021c66cb469a5374d4d0df605c14fd
SHA512 8a30b96c8d50f516ecc489a569bdd846a92e75c5cdd7a724f543d48e0bda12410c0711f74fac5292b89f0c324d5c7c55261e05d13bd7d7b328b12b406a2cfcac

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 a18c3918ca42459352a49aef66e91374
SHA1 5b2379136e99bf6e1d510f0b4e562e0a3f00d4ed
SHA256 9f0e59dbd552fc1bb7080789eac14721e765bfb9db0f90b4099910889cf90fdb
SHA512 8ed02810f82cd0045e5b70a4bc27f1044bff7851f4822ee39489b2545ecd1480acc4bbbf5216148d3d198a25da733f3160a294f3275405d1acec4865e3ef4cc5

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 6c85d6121c408676c5ff64ff27e78a27
SHA1 3543f7f527cdee3c5ce81ab20729a70a46bc9c4c
SHA256 8e2c7fef2fe14e4f211cd4fe0bc85ac1aa413adeb68dbc0e09ad9ca0ef2d94b7
SHA512 183d80c012a48c8f6762d1c9db47b55e803a62471c0716bdd6563302cc7979ab7cae1738e599526798d8a5287984cdb5a2cfa65b4acbff8d3bca150f4f5c3952

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 bde5a17c1b63c6e509d019753c7f6920
SHA1 00cdb618ecf172f39bacb69efd1ca3103f9c65a0
SHA256 e7e3d8187f39df8c85877662da841e2bb4ed1f9db695ace9fcce707e2477e906
SHA512 69ded5bfe7b99d5e8e4772c284c37185d26d68b7c4bc2420391a2e41153467dcc38291d87495f1db6d5195078209b79108011c7a095795df870ce733fa004b7d

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 feb8399c282c51384b901ceb5943a666
SHA1 a0074acc74dcb9683dce372524cf7bc5d31a6553
SHA256 f797f37ec36a363be15512a3c2b299de5904481412a7dfef09e0ad3b6becb69b
SHA512 ad794f24dc0ccc52d0e3b60070471f9e0772c4a8d466a2401d03bdd12d5c82d31ac99a731a36cef8ae3c12e4cdf63eefbe2ee4c9ce0a5e1899741997a3435592

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 ff5476dea3fb1068e8c5fed7aef0efd1
SHA1 cf14b273aa5645ea7af0bee10f520da72b676469
SHA256 f881232ec591507153354a419ca331e6dac7898774159800329255576237798a
SHA512 03d900b890bb8b552c574d055a0f96502370e2144193bdc1b2ba292a93f9281cd00f7fdb23fde3f94a38184246738669fd39f2b85a2321b46bf202700c99a682

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

MD5 06af7fc0b234599f95413c78e6af7850
SHA1 4c228030443307f08e22bd5b188f8fbfb5121ac8
SHA256 6de750e5f9c5bcf1b928bb91e8d8c1400f5235d52e91f5d1f92428a6664ae00f
SHA512 f4c068064cd1225fc41f8768e9d2793c0ea723c47fdaaa98fd852f0b413e51501eeb12457c4bcb24ddd4f1a6dbc4f360981b9c7360adce4b6b00207c32175ec0

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

MD5 555cd6c71ecbce056687e06ee7757670
SHA1 9a15db2b4cfe1c863788b3d76bff4b4b1d1c6819
SHA256 cecd2b2ad98ab6f16386cd0fab6e0b99cbc3f816ba4084e98c1fec5b6de6aeff
SHA512 5f0de40f8eab9a05f37a073972d1b3f2f0d9cfc412bc32f2966aa37ec2694997aa557a494f11f833f8777f9b351076a68377d2660dc161fc8befc6c7832560e1

C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 7a1af3c65168f41779efba3e68c39873
SHA1 119a837b3f9e2f7ace7a969fdd20b40b7b6ab515
SHA256 7eea0ee57a0b8bec8ed1b2c19a0dd002acc5ea0b17f081636cf7b6773f911b61
SHA512 7c0430c6f1eff14e3b721b19f4657a105138c920217ac038582bb26f8f93eed5afb61d81569cbbb7eeb2fbda37ccca627fff0e24dbb51d620a6e615bdd0a4e3b

C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 d054c9bc8a8f306ff3bf12768ae83127
SHA1 bdc7585e7574294be835334fc5a942f309126ce7
SHA256 42f84b091559266dceb51d8c6eeac64af1ed39217640b0e0c2dba8b140014fbb
SHA512 a9c90f86216ab958d934cc3f02123813770ba44de2538b2ac240db569429310bd2f45ee2ff3480312fcf64f1eb1611f9505446a2f2d65f5cd222fb0df533db11

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 4edec79d7d386c83d5f65fb1b4c8c12e
SHA1 87efe4e776d3b9ed2f04b8ef16517a2845c0747f
SHA256 fa5fc9b7c7701f8a39d3f28d47a822dc550fb333409b2f19ba028692cd1f0aba
SHA512 e0403cd0002f6cd24eba2635471feb15ec946a6abdc5168a72f01e333549320e8b7b8a0e8a28a3498996026c796b69274e052a7e0d33b295ba819edf9b6595a0

C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 7ba0c7a24ee26f5b3c377ff7ff1727f4
SHA1 882a8ae2b86342ea7813e510c39ae397f9b7b6f1
SHA256 5ddad22673fcade7f2e33a870fa376f46fdac56e959c167df8c31d6b8bf26292
SHA512 ad4202952aca89cc4764440ebf5c9da7d8ac245ed066ae521f683ef11a21b5e3990cc4a5cc10ddc689654c3cfb20bd149027c849ce95159d484174d358ff67ca

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 b2cab4782f7246dc95ce1e31f99fb94d
SHA1 3166c20e592e197ebd47771f6c209a90b6200ba6
SHA256 8e6501d0150de4aff92f38766514c74a18d5a859f62c226784d69f304bbf16d8
SHA512 92f5e31683cece0ef7fb0f79841bf1ea9077c2d8844eb5f6ac708fc1d54067f954f5b61df7ee48a5a960c8ca3a8ba47e31e814069df56f3c39f29142d0f64125

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

MD5 b8853f5fac7140fac17596495596bda6
SHA1 e04562b98380994e9509bdf9ce3a2b4cc0993f22
SHA256 c77e4eff1dd2b10c8e3b36771860f543f3a676f04a6d300907101b9e98bdf0cb
SHA512 4517d758a5c62dded9c8efd67cbd8f9a400302ee0d8fdfbbddbb70fb7ea93c4ff770f0d76dd8df52177d20806a4c37ca57e2acbf009151ca8495867ff6c00337

C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 ff619235b481d61dc5d44cb2e1d289f3
SHA1 0b2711d50c80514ae0850c798c617c1767730700
SHA256 aeec24bf94e7972413257408567d738df2048d620ece45e9d03f89fe4fc140cf
SHA512 2e4a1182df03f300407fdfe17a1d6ff384584818cf0a16c6f0fce4b5a79d6ef8cbc857e6a9744422b0c1071283141484e9273e593eff0cf18e07896b9e37b632

C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 f52c6f676d841e25d519fd3784f37f4a
SHA1 693a3a981dfb35ae07e825c743c0d56a143adc06
SHA256 087fd1745f927c4515e93168024508d6e655c38947771afa98aeb58cbdfebf96
SHA512 4b772202cbd8c02535f6ec080615e2f75282fc3cd73bed5ad8a119b66318430973b8263ef4a1b8df7145aa1e858ff0dfbbd25ac8a6095d314416746160fb100b

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 a4d92322269d4f689e91d76f986eeae9
SHA1 0bd1f1de0e0f961893c3cf901546aeb5bbd4469a
SHA256 4d2dd00e4df24d426573b12d898fcf345979e4343a6bd7c94369194212014290
SHA512 935065730b15faaec24a8f7f9bc7d68c224ab8b0c454a557f69021c8436317cfebc46988892479db5900c4699b2efdef7061d53357e4546cb613adf538484337

C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 52b077a500fbd76f50b69bf56de5f40a
SHA1 64421f3d25d9694cebee85ad4c5d2fe8dc1f728a
SHA256 9b7ce42b23b80a32adf87b9f1fb9610aa8035c0a65de27ac4add078d4fac0639
SHA512 bd1d05bcb1be517e20e24ca7b1c1482986e79e09ef2f4e58ccdf7006c87f02566260badc053ab7eea7cab36c0758e4130a33368d97c871b1939c89e8206bbe8d

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 34372870d9663e44edeb08873b04f5ef
SHA1 86fbcae666a10deb1dcae772c3a2f6cc060760b1
SHA256 d00975c8f4addc629b27e24d0326bbb87a141e150421a832b2dd52a042f15da5
SHA512 c345582f596d4afdc3b729237598303939d8f00a98d9d945054f23e86683093a94f8d6865fb9fe73c7073fd8e171dd6c691fddf610a3d57e52711977a3424188

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 6ee002e05371997a9c2328d6836dd0e1
SHA1 325f318f492959dcb9da4c86d536f6ac6761f5df
SHA256 a072a53d39ee1981102949cdb23b3381c8e7ab53c8a678d7f2a54411f8d0cd7b
SHA512 a7b10a0971a1c86fc7de9a9482eff568acf699c6b956a5b793eac7cfd83f05c278b2ce1faa21b8e12feef096ce17d34743a126aefef6d5b9201d4b03f647d504

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 825729d223ba21b2731736e7512e35bb
SHA1 64c8054e0be4935a9c1d7dd8f4d6652a9936e120
SHA256 d7d2e7971e7181985ce159106898746a568770c1f9da85edcc50b1edff9502ce
SHA512 80b8fa6f5759f97d5c95afc9842a32af23a716a765d766243c19dc7f8f9d4f32f40d3977c030d37c81aa44390df965e97f8f742d10d8b0a8e1d2aa8ef5808722

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 0a6c0e91faa7672a1a807f869b4c997b
SHA1 1fb75a84dc1cf183779c88be9c5b29be2b94d8df
SHA256 de253796a3c0403295d194dc016bd69439a14cfa099d0895c56875ed1964c283
SHA512 a9cbb7d266c80373095d1c5c130e2117d0138ea9e2e24d5fba0e01fe2fa741e814d3676b863531e1f88c09c1d0d76a9609ac25dfbd58bece8eb46c91014d1cb3

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 9971ba89ad705db6fcf9cbc1921a379d
SHA1 92b32908765ec2345331794175225d6dd55243cd
SHA256 370901ba3087658e62bf74284b8e243052ced6aa56864655079c4c353c3e5ce9
SHA512 c3955d0ede1b3d71d8bb3585438ddf196211528b89860d15f5171b6ddf73ffdc997c7af3dfec1db162cdab8d37adde0a28f0eccb713b4a5acb4c54bcf1376db7

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 80c442d228ea7b3f767135dfc76eabb4
SHA1 9efaa5a028788c5d7233ef1952aea0c780d8e624
SHA256 8301087e2f3cc456237ece713fc70ba56ba7f1af535241bc36108774d8800d21
SHA512 1fb4a3171181740449ba83a782f0f0cf74b113fef350a1a8a6649813ae14eee63dfddcb7227061ace228cbfbc76a2f98b75be549146a55a969afed7553c16794

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 d8c33dc050ca1637a20abd5c3fb8374b
SHA1 7ac231cc6dd0a47cb8a823d5a5e70cb9a6ce07fc
SHA256 dfccd3a2837abb7b77f862eba682a0afba1cffddef931d591229eba602fe69bc
SHA512 198cf4c92ae7ece6b3749e55c43a2e10f57a447caa54a0a3da5b6582c1db0ac63126e58fc63c8e8124cf6646c0400b3ae796a4178e7679adff6a420cedf0ab9e

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 aebb6903b876dc494bcc7cada0408a9f
SHA1 c98aa24083b209a622331cb873a046ab82eaf687
SHA256 02293cf240dd9a7b3cfc9f4e582ab9fae13f512760bb1e389b30abc969137370
SHA512 9855ed4b8d159ece4b445ee8b3c42f88625bc017beb269a17ecb1f7b5c9d41bd899a24fc968ad02d739343617054496b0df9e968df209b0d1a3c2beefcebaa23

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 5cd4d0b302f123b54df6277e110e7c6b
SHA1 c8a729dcfa3d4151ee4c626176a97f88d8108072
SHA256 decccf6b33dd9565cbc1ea00a5bde9d59b0ff7ef90c3b5e075cb15967eb7ce6f
SHA512 65be85ae15132ada1062be7d5b6b64d40690bcf6e726bb5303421f0af7fc5d2d5bd43f300b3345b98ab019f3c1adb2c2d5417a6614d9d3495d4651ab79048963

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 56cf1f0425ca988df7d19b5aad526fb6
SHA1 f8eb6d2992adb857ad9a2ab9cda4de4dfcf3e298
SHA256 8195dc4eaf7ce4975baa9c587e3c85de8be0da87f8ce5f1645796dbd26e9ab5e
SHA512 3ccdeb992085277561889c6663dc9fcaa58c1bbc49ca881f83cada7eab575a88e22a79adae3e83570432f52ec66c6a64c7e4ce5d4bbc168acd658a8c1de62a8b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 be12d5b9e11216eb1f67d0462073dba9
SHA1 454a0ca35be3874243060f5ba92ff95ececf1669
SHA256 a6b5a164cb372e377e68e2edc2ad36643ea55eeb197ec502535d67ce8436db53
SHA512 d2e4973e97f5159d4e40db90254fc15c90deb372fca72999f756389259233dbd77dfd0bbb8faaa9c47fc5eb8d5fc02983fb3b07864d3be3f2b2019f0c409ff57

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 c8b54518b1d62e0e740743f8546985c3
SHA1 1878563dc88c8491568666f65af3c34c07b918b2
SHA256 4600939577c890176a64b7e5b7dfbd161e62861b9dc976495b65dc60a2343a44
SHA512 c6d9d311bca93851b8d7f8421a5f0df812e1a828eb7d5653eb8b9ddf61da6a90e70abff6eddd3f1b4723b64c7899a23831d9d2d89c56da61fe129d5a7e592aa3

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 7aa29704d2d3e09b0006e961aa4f8387
SHA1 4cccfb75a64293585833fe921662c9a5ad60c203
SHA256 691e868c8b9680529d74803f461bae9a4604963aca8b4546697f4120256708b0
SHA512 334c15b80ce117ebc728c9b414f20123b2b3b0cbabe490c72d933fb7ff14e5e83563f8fb07e33b07f4b9fdc885c80aa9162bfb554263feaa965ec79cd4d54103

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 8f572c5d841adeceedc1db9221058f85
SHA1 668a01ad264a314bb24d88b225e4cc49d0db4772
SHA256 8209a1e9d35baaea55893e61d151745220d6388440833d8b365e532d81a98224
SHA512 86828143d3a04476e6f010fe8d24cf86ec7e0b769914af62981c74c44c44b3a5b20cb0fcb869b62805dea8ae9eeb9892be5084941e4252fc83ddbf749bc405ec

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 fad84ae4c0c80844c6513960a1ba6023
SHA1 e839b7f92b4e996ff5e14ee365356125a7330d1a
SHA256 f8b360790726f5fe9d32a079b2e04d9ad4b4c132bc2002b4eaa0885645c82bb6
SHA512 fdf2d5ce723398b2e5a30dedba375800b6e25ed663fa8be5246250678ef7a8521e52f1388e0edcf86cd1ac89d4a09d00717dc057c5ba5f7b06f21ac0273d577d

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 c2b6617bb6f6431642f5f42c2198a8b5
SHA1 d40e48f54af0443732afa62936e02e76b960aeed
SHA256 b04a13299baae5553a3e5d670edf240c7f35154543d7b8b487258fb694f0a9e4
SHA512 c6acdaa40d4e1d43803ace3836631b150ebff64c6b65b5b4349a98410f3782650d2dcfb1b9cc923aa33517f4aa1a58d7fdf10a567eca3be7c64e1205d3cb3988

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 74e9d26ed29b1262555b6c0517e05d96
SHA1 53ec61e6c11e8729f3c8a4ca61e4cba0ecfa7c3f
SHA256 6bd4798a4180930888fdf5d5692fb5326bc37d11ac45eb97a13c379da65be595
SHA512 449d6f4b7885ec38ae5a82c8c6db98caa85fc7665de4aa4d477d933ed13c14bd0d83b2873d6d552535fc8410e0bd1a7d017a1414954343bdf9d96d9099c9ac92

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 3cda1d21f1259834c4ad88cd201dc9ae
SHA1 10645013cd5d479a9c9a8b6662852950f429906f
SHA256 2df9df820eca68de48d500096675da516e675d181d17c054632f52a308d4403c
SHA512 3cd79e81e2293a47e02fcd65c3473f2c290d33152fdaaa4d947375bf39756915db92275ecea4a43ab4502a216a998082352d2091fbd8273cbb0964886c7432c0

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 132ca319eb653fed4d5a9f4b62f96ae9
SHA1 5f0c7d734531fe270b07668157712cd6d07538a8
SHA256 5f6d6786355bfd17cd021aff7d21808b661e622cfa2347c98473b67d88ba3432
SHA512 bd7a690dbc102f192a4bfb5478aa702d293a2cb8b083665a939f9c47b4329e026489f39fb78511d93b11c4990da568c1bc8670d8c98d707dc209893f08c79122

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 a5e077db6ac0976cd96dadfbdfd8d0f2
SHA1 d7caa91a3786ec902535b683d1ffdbda92a0ea08
SHA256 2c26590b3e7e632e41ce73721f760e0a5824a342b94afc952f137553167d7a23
SHA512 6428aaa8957f147dbb8af81fe5641b3b031418cd7f9189782c9b0ec54016f91c4bd8ed4856aee3ba6cf617769562955abac1ae10e23f0ccc27fa92290f221d4d

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 ae8c910b4adf1fb1f3fc91d16d9aa8bd
SHA1 966a388a37f543cc7d4387019e5c53cb95def9fa
SHA256 7701ce0dad9742e67098a34c66d6448adc8926039658e9f060e0ae32a315f856
SHA512 da34c3194791bd169ce018ff358b68669715bb46713d84bdaca8c922120d2eabe10c9ffd58c3ba2c382cf775bd8b10e5aa4ee33d18eb47da4a233a154210c0f0

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 e863cd6084dd5465f8fa0569d41a8fff
SHA1 bea8aaa97cf7819fce8b163da8267fb1e18c6b81
SHA256 3385e9a180e0535f6049343262aaa5069f8a3fbe1beb1b6b29a03252333ae75f
SHA512 a8b1aa17b56cb1afe2159342467fe4561b413c4aad1df000c18bfca9431fce7debcad4fd2437b662960bc963da93f01c320503b480688a7051f43931f1628ab3

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 1070b1c71346263ae6ec39fcaa162c6d
SHA1 7b6b557e08106b1e49b76dee1aef54d5c3038922
SHA256 d878096dd3ae0335f90456fcfe0fe089b227ee2731cab983496ae1cc1fca2412
SHA512 ce3fe21ae23f6bb0a0499b2c3ba9d10e84044befd02d1d98184fae9f8cec4079664fec7109b84c811fc921a0b652f93834133a170ffe5bb08f92f56eef2e26dc

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 18797dddb8b340a458546df78858cd50
SHA1 087c8ff71a272052c4e64e5f658a84d9ddbacaa7
SHA256 c89b251d7e287f67d5fb7b86cfc71f3024a5aad3d682da9bbd9428c01664129d
SHA512 3d7e762332dd963564c2111f0917fb8a747b6c42886e513965c15c38336fadb5303d03b6a3e2749cf2639c603fa56b121a576a56892b374b95eb97dd801f4120

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 84d75393af9584feb91830f557ea66bd
SHA1 d0f6473aa766880be731a2222767f1a64c481105
SHA256 0db8a9c0f679e2b92edb3a4c80522b76ca9a668a5c1dbe929ebd6a5cffb5d6f5
SHA512 97fc479d02e13d87360c5cdb9451a221d09cdf22416702c840efa5351c77545155d49703b7e0c197cb80ad616fa1bf0bf6de45707d6b6e16bd175192c0a30ef4

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 03e5fa15aef2537749f32e74e6f53922
SHA1 833bac5bc4b3836327f5e2cf98cfc54f1a8ba8dd
SHA256 adb0ad764d7f4faf7e5689e18d75456b77ea3252a00f8aa6897c8c99fd35fdbf
SHA512 f3f6d872197c52a5623d6e02569c87cd7ccc2a32588f1911d0ac50baa9f38196fa3ef9beb5b767c2b8195aa70c65c52fe104970c0e2b9c28de007dd3dd64caad

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 983ba59ec140c4c7c1bcf05b69c137c9
SHA1 b0842434b9504a710982d3253ed53c4d7117035c
SHA256 b7fe306a2ae16f9ae0fd281ca9e8c201fbd3de4feeb68791ea336b4eb38a817c
SHA512 e5c8462cc053d4e194883fa97182fad6334e2e32116f7fbcd5e87885a18a46c14bb152e41fafff5952f768762461300bf588b8e8e80796399a6e1e7f16dc507e

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 0bccac9ce1171ba0805c7b08786acd78
SHA1 478e4810fe33ec78984f90da65357aae914b9dfb
SHA256 896d3352d805f8774fe76e8e7221217900e2aa1bd9462d67a24eb79fb87b1f4d
SHA512 e94eeee4b6aabf2938d7a00f51043976b97d04e35f1e3189c830b1ff518244f98657054db0239f86d514a313bc8acf9a5282658a6e22becdd292cbb72290cef9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 afd26afd0fc32224b5b52f2b3ae3bc0e
SHA1 72f4d705992999fd6a859ed9e0a23f16a06e420e
SHA256 8bbfa71640f01d7e5c86707cf872d956e33c66b8399396ea287801a32853dc95
SHA512 229a05ca12556e049dcef7bf06f6169e4a9c9e017f92b1f96968b6b66784e5c80fbcb3e299dfa237b594bc2ffddafedd9b70d03cce9ac73e352f18980d443190

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 f37c501f24eba7289bba7aa5d9fe54b8
SHA1 b4425f3debfddc979229c4d69e4e59c0ccea5c8a
SHA256 b66df621b404c4c30288ac17dd913157dc2b586e762d24b1919506efbf0c5508
SHA512 2a27321c8a180160d3bd047b8abef1af2230255206f42696b53bb1da578cd9f36d93d976b33aee571e311300d8ecdb77eacb2a56dc35d602b60222f82783c8ed

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 42f9793066a9082476665e743aaa1dd4
SHA1 5c23dd8599d0d2184db6c033f801fce965e14546
SHA256 1e6389eb7427f49f9548a86f70631ef4264e97f36088a8acdfb219c4be274a71
SHA512 2c8e143daf2b37d0d60d60b48c4a2996fa1af3a0fee17a2b87f9cbf7771dc769728fbb568ad15495af4182fd8f8aaf96b4a08c2dc67e6d4b5bacec6096ab5a5c

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 2a59b7f39a7f9ff6a806eb65227b0af1
SHA1 8910131b339aac1ad195683dacbbeef338d2ff62
SHA256 c14576d06b59755738a4d7cc895a104a910091e3ee90a3b0fe064862bbf951ec
SHA512 86a1317d8a5cf8ba67008fdb9a8e21b86ebf3baa3884e3fff598ac1a9777877c99d86619c92b5e17a2600d43313cf8ba4a73fecd11ac9d2672cdc4c0e54c4957

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 936903598d089f53077a850e51d234d0
SHA1 9c69dc24d2c4991e06f3891718034b2f42aabcc9
SHA256 936b2a67b8ee5fbb345f61dfa0cdc15269af6ff662a3f84e834f656f2b8fa04f
SHA512 1ee6c0ef854264eb05faddfc32caf8099500c6edccc1b5a79835ff2987eead5747c9726f0edc96dc31a3581d1e5b94f3552a5721d320bb8c18e5e8950125f35d

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 d32ce88ea96bdf6221b833c466d0650a
SHA1 a635cc3a15e043f40b40ed0bed4245192c7a85e3
SHA256 2e4714e8bf5cb59fe9372a8d3c0e7153b0723217e3b05d9e7297569630d90bb7
SHA512 8adc572a0ad47132bf266452f1e4b47ee516e16a116a1c5015698a0652165796a1f2d1c0ab0e081d78952f26b2a73394092737ef18a95bb68f0443ce20a7a2f0

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 4e3b599045c53f5eaec637d5cdfd114f
SHA1 d7edfeffc06629a44aaa7084a2415c373036b300
SHA256 579a981efcf62e29421dca6326a60c1a1dc871436d96e72f52196d3db7662426
SHA512 2ef7e2f3f47ab83a03cc22d66d79b529035de3815442ee4e246304305c2cdb978eb734103ee4c5b3d9872d7891e130aad57b17f26e2562b7d6bb60e0a1fb8072

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 8ed2e4a2fd55d9015a94d8db2b68d332
SHA1 27b6b06f2be162df7da817e05c2a3d494d57f872
SHA256 8dfd903f979ca6c5116b126becdb1909294219c7a95740f8ba0abefce545621a
SHA512 9c7e1eaf6399dcda8c9b15f740c96dd3c612644022309200e5da9efa25a7dadacc4bcad688ae6e867c29d0f859f94fc2580efcd55cc440513ff7502332cfda21

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 89089271d420d97b125ef94a753d50b7
SHA1 264ee920a1a1b21989c1e70df49cd9f8b5d283f0
SHA256 2bc92b2eae4ccc6b05ef19d274e5db90c58ca9f3ffae49295d5e90a1969e6f27
SHA512 b450b8f34c552e202ab12d40a7c7dc87dabc8b79c71a73ef31d932b22e65c72ea99cc0441e195f7808f88d46f0f2655f8f74d98e0a9e10cadc93b8dd41a1ad75

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 ac1771e91c6491048943ec8762c521a2
SHA1 84d3a7f7cfd23711c8a231d7fcd6814f9394459e
SHA256 b64218903f77a117a3ca9e9235f835f60e7afcafe484ae659767f12761a40987
SHA512 208bf17839f2c2e84bbbe98090159324750c8d0944989d601d7b317c9213fbc7a88244c77e7ef906e2fb59dcb72eaa9d5ed59cd4f6ca0ca0243b25b72bfd3c4f

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 4cc6fd7d971c5f5d5cd03ee51de5c194
SHA1 71578ed512990f68d36df2499cb475a5665cb285
SHA256 194414897f871f969452916c8a0b6f7748bfe3c40cf70d324342bd2d15df685b
SHA512 e1cbd96dc34d1a6272fe48c0dcdcd7496291a19409841c3a71f695fbb33d49173b3266ad9d1f9d9febf50221a21b95eea2cc2d86e64d47e6c886696f9bb9ae3b

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 1b757d01bc1b766aed05f58e985d8df0
SHA1 206e9bc04d762897301d9f2646fe82a1136d2ced
SHA256 e0de121009b442d28f6c99b0c3811c71c383bda92cfe5d123f42b0fb9b32e405
SHA512 621a371d96f95766b9d212e2059415972d98dbd9278f983f7d68762b8ad53197b51a564176fe449049e5ed1d25a09cef0dce1fd7b807512c43735ee811f048f0

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 5b2c2d1cfd7525474d115e63f610bfc0
SHA1 c645067efa8a2bcb907d157a8ab5fc1ac9d59e93
SHA256 8169d93d5b1aa92f9cc91e4c3d297c205f8dd8865223165663df36ee469c7af9
SHA512 8b072b171b89c1a709f03e362b2c39b10bae052564688b9a8c85853d003683561254d1497aebccf00c1d2ea2b19ff3970b4b4b47785919ac3483425c290f6cc3

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 50f0c19493ab0f4ca90540e44dee54bb
SHA1 1cd77560d591844f6cb1dd7d6cb70fa5d7c187d2
SHA256 1f5c5e6fc9b5913abb5b782540ef424165fafc84b6354e0d8595e3a0244a3f2a
SHA512 280b118eb5ef427b8788ac92c4383d4af866cce3ffebffd52a6639fd0b92055ffc621a96578f4b1e04bf164205473c6c47c66c9ba266a358f05252e48e139078

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 3a1ad891c8907d70074957007fb5a748
SHA1 58849cd5109b3f94d653c6926c8fee3fb142c147
SHA256 8c5d91e16dd501d6e62c1a17feffa2dca161841f236387029dab5241df6ffb11
SHA512 ba4df946a82bd587249be27371b377c15169ae9b525f6fcd7735a7808be4a252d8ae5c93f14f7077d5866e2ade593dfeb7decb5c9d889f67aeb5733224d953e8

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 eccb589d9dd06111adfa9f3a9c7718a5
SHA1 c335ac391ab2c958245b40142e4e60bce4271763
SHA256 88bd9685d0b7df0aa992c7e5d86f53e823b4b0bdf642c80707288242b7f17e6a
SHA512 33f93a1dc0f2d95796bf52e8a0d4165a0373ec9fad96c56692a763a29ec56c3b46191969802e5bea072321a9ff3331cf566e8a14ac4c0b38b8244e6b94641cad

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 e2fbcb3f924e172ccb76da99368e3eb3
SHA1 665bb4ce9b5d9798c9ce399994076b11aceb1641
SHA256 bc0389b2df45b6de3a614a194ff1bb00a2802ca8a3ce0688823788e4e1095716
SHA512 a503f51a68bcce0596984d3cacaecf16bfbefb2824d5565d92f7b9e075bd33e8b6853f649918cb74f5c0129f331b6b2a3104ee2365c1e4e38d3f0da943bd1342

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 4390a101ba8222ccd5f47001d309f17c
SHA1 3b2d6a8bd12906517dc2724ace2b0c83f289c2cd
SHA256 bacc833a538936b16d999e1ed07b0941282e10731e7edff88ea6adcc4f6021e5
SHA512 562ca697512fc0dc390be5658526adae9eec55db394c6edba0c2f1075f7d703d96bb9cb821fd4a7f5db5e1ab5f5565296062fbd4b77b67a8e1b6999d960805ac

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 26abdf8ffcbab8a7a6bb621eadf10a86
SHA1 04413205fe0e6464b910af07e07ed072035be69b
SHA256 ae8499e7b634a5f1baea563735ca0657cca2a700ff14e51e16509bf940703983
SHA512 334b7b0d2e80813bf86c6cfff778bfa4e5b798a77b44d04462805b9e4be11c397d6d98a8377900308d33812f533a4f4bd7908171cc11089ac5e3e78ef23619de

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 dfce248710514573888bad7be1f48d2f
SHA1 738da7d734efc38105d2a48dba25820ae3895552
SHA256 d02fb67da02323c7b76b35c5488c01945f3675b9434e55aee5e7761a9b2c70c6
SHA512 720d9bdcb3a5092fd59704e27fdcc47092af0cceb409c526e586bce4bc7a66b595718f4d7c13deba5be101c3b659c68a5fd14bbf884c082276939b94a7fbd883

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 2266058ab6752bfa615950f1afe870b8
SHA1 5b93d1ee4391712c23a88f69c633f00f6a31aa9f
SHA256 ade4a41a4a0d46a9ffc92a9b50ba4103c8d3afc30ce442d64143861a6032e0c4
SHA512 0707c1ee2c5617a0f09b3eb4b1866fb3ea4fb9e78da53e7ba3ff062bf66a7a3379d435cb8b8f099d4278ea25da6879179a35e3673e8e9bd7d5368ee22d120237

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 181e626aa416b05abb86d53cfb5f66f8
SHA1 5046806d7028e331555a2e292ddd2c86e4effbf2
SHA256 eaabb83ad4519947359270ab8d14cec4e9908c0e5373589e33e872f00ca16b6f
SHA512 4d92a0e24c2059600046bb58e48d8e7a78b7c37f4aa769c98c5c22533fc8c8bac74ce94542d983985facd2984d54d30053b6feb12117f78c56080485a5ed3642

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 568945a60847af1fb5f8a7a8b47a1c28
SHA1 137d7d83b27d9bc143765e391adc6c46dde6627d
SHA256 8f27f621ee1f194ad05e5a9025f0866f89fc10b186b0a906f4173b58f7ab94ab
SHA512 106fd837b04e20ca9e2d0333687974020b26021d945cc021b342f39125a7f0ac8d59ad2cb9d2f10e080a3c2387e629ab509efcd08cfff99441e76f527b81f7f9

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 4f8c93718233c5b397b4c39e1251abf7
SHA1 2271ddedf8a8fae13d3d564d63560bd48c8d30fc
SHA256 1fc95d56ec50fc2a41d082059de22cc583c28cd0dc30be69ad76c14eaece1611
SHA512 3485e50bead9edd0c83732c7f7fa7128b89e1c5ba181ccbe95de491add0cfe098afd7383bdaad47755fe4933125bb48c260ab439e9d5ecce89c370274ce9df01

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 c73aaf7d954e8ae0af9d22cd74ae141c
SHA1 a3a63573a1f5cdfc16d4128942d07fb5e12652d1
SHA256 1b221a0ccd4e33be0e93e800e775410dd203b3c7216eecefeb2164f5ada69a4b
SHA512 a0e06ffd3189c359cd4a20d8fdf6d80c06e9ddb8d1bb49cb9e0575262ae0d913c7fba96a3da34ba528ca254f6b24ee8ca6ffeeeca26dba74852447da0e4e1a7c

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

MD5 1889de517ee29969b6b2cbce6c6991a3
SHA1 c43f5d94ed4c5c32a960699b1eb582fc248140f4
SHA256 c2b7e16ee920db4bf70376580e59375300e4e8a0be09779810af0c9af5d9661a
SHA512 2065002e413dbf55bea3cb45fdc858490adfe90431edf7787a7a32aafd7c7f907a1993f7481a14369df977c2eb7fc7bf2745507ddf3132df5ffa7ecf1be67a4a

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

MD5 5f4943334fcb2c8dd3b14dfc262fe49b
SHA1 b5b494d0d4f0c6783bb616f4c3e35f39e108794d
SHA256 2ffeb53baaf0e13844872128db5d38e2e35b5b0e1fd60efb2778fd55505a9712
SHA512 08f5d801160695998d6f61382e4be1e5d4373b629fe343407466120c1d0da25405ba9a08edb3fe9d18c88980a6682a50ae47d5a6b13b5e40bc2bafe0b1955ba5

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

MD5 e53f5900d3120b5e273fa662c76b9c22
SHA1 e3076f4d2c7495a6fc386c09f15dba0f8d2bb1e2
SHA256 314e0395587f18cc8d752ff5eb308d4fad089d1700b0077022eaa279f3522fda
SHA512 8cad1abbd94a8237a688a2e28e71a938be1ab90e62af249dad5aa7f64d8e1ab10d3b3000b4819bfc41dd6f4d2c6dde57e1727bf1013df83502218117eb4004d7

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

MD5 5207e493d11fc8895d1ea5e55ee0936c
SHA1 acc2a53c136e2d7b7bf8c1bbddf6794d00733906
SHA256 698c015e0112ca24fcadca240b9fff75a0597a440bb8a846f16aa4969fc170b8
SHA512 25f556e34acd41e19d27eea7c160f8235c356bf8b64956cb107a192b4e0ad1f91678494a04530419a0943492d763722c26848bd8207c821bb7d2ebb3a80fe7b2

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

MD5 6b2a5a581a406afec632446f75034599
SHA1 3a4510653b7cc149e3d7049b7de7479100ef4d8b
SHA256 09a111aae904aaf6355dc35a41039d731280e01cf2d2629a112ee8d002e9f8c8
SHA512 8b7dc65c2309ccdc9a85446b8174e61248ba2b2937605ed7507713516e62e334e877cce89661f1f5a62fb11a2147f8e73ca996f23a7c88cb1c64c58e967437b8

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

MD5 612a76d2b90101d1200a09003e09dbad
SHA1 6ec29a7d70dc4faca0a55cea08e9b16f67d4c8b2
SHA256 aa830c371dbd76e6947fd1a2f13c19994def7c31d4ce9025e0541758579e4ad4
SHA512 7835e37cc526cc413cb8c3cc8f0f7903feabbe92fe7aef48e3d0567adf5611bb4efb1fd92658440a760b13b1df7e635aa825dc0f7a93392a42239779cc0397f7

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

MD5 d2968f5735c372ba2c995470253d82c3
SHA1 089d1f9dbe5eb2c0452b0ca108070b07bee47a03
SHA256 240787551a2b8775ac32169313861383a9314370e03dbdd80b7d137d23277558
SHA512 ac4dc015990aba887ddc5dc31a61781bc96eaf9260ed605bb951c9ccc30b79f2a53f6195a76a7a0e39c2df0c8e53a725d558f8623400bc59301f44a0ef37791d

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

MD5 f6ba44dbca620b449341aa6f177d297d
SHA1 a81187d6792b1d9348fa1c19764b392025c92986
SHA256 a6e4c3efb30a85fca6b5ef909400f2dedff23001fbc0b61dd33e3f10e5964db2
SHA512 4cb9b789afc67bfd5024dbc6265cb0440541a0c549f5d90f92bb32f753da70520e41b0638f4cc40da768ae4658c6f3b059a73e86609456ff5889141e1ea63a82

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

MD5 d26d976b64afa3288339a1bfed0a68d0
SHA1 a5404fef361e2eb24a5ea60850163d94afa867e1
SHA256 58ccdfe3052b6c415a18c3ddde1fd02135dcebd188a188d1fe44349ed744ecbf
SHA512 0c9873b225a74ca3f713b5c4ab21e4cd69e97f722da2c402657e4bc07ec10d5969d730e6f4826cbd18a3d8c485e535bdd6c37a6e979dd5ecbe939b7b6d244e07

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

MD5 11b933e7a32873a87af316ba11b122e8
SHA1 ef9412b497f3c65737978ba8562185d92b50b778
SHA256 afca257983947d446f2407805a8ad3738317f7a70cc8961469dcedba02664c96
SHA512 a81a8063eff67b5c895951efdeb261522b9190a5ad97171e76605e3dcf3c3c4ba3cb5ac8e4af1a255411ec2c8724541def6aebdc2ec4dc6f99b6691a5249f175

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

MD5 c711321e49909d868553e6df3a7f5107
SHA1 a8a84dd39478c8ba0f9d0ec3606cc46e06091974
SHA256 a6f3e9d64b8746b7d82cd269efe8466970376600fbe013875d14229858317e36
SHA512 c75b48e93e02bfef7f6b9479a891dc8121c42ed3942a726031ce1dbd9bbf3e0404660c22a78ee10080cc0fec01f0c3832ac1c41e7c4d5adab23142442819ca58

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

MD5 b862aea85ce46292fb24ce889eacc867
SHA1 ceeaa152f7cb25bdcd865df2f284662388c0f580
SHA256 02a5beeddd80d14e64c5573e15a42b74b176ca804bc46497a594c3c83f60bc49
SHA512 b03c0055197c928d450b9de108b14a3d5e8662c9eea76005f6b9eab97afc16530f1bed3179a6356a16b66ea97aa96176b6683f9901c6e502f3cd260f0b45d28f

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

MD5 1f87df3cd49f434790d295c6388f4395
SHA1 1547dcf082962d712f7808a189f9ef73432b5fb4
SHA256 546b238ec9fb346ad5470900b94dd85ea79b19b9eaf895fdfa494e04e2b6f7fb
SHA512 6584dbb8c36f908bc5e0a6d8ee8aafb89a3e428fbbf25be0811a62cacb7d3dfd6e3502ca181b9a216cb6d71254654625f62b310aacefdcf10286dda410369298

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 a7c276137c056934ab68c304c319033e
SHA1 b34abf232a61e7e11a2c9c1b777862a7290cce89
SHA256 8d4c88156d0de75e86b2f8ebadf8865f2eb56416b6cce1241fd69e0d10a5108b
SHA512 7742027aabebcc76c7a64e5f8ff00c0de5e19f3a8d7e25dd354731095cb3c02db3903f5f0bbc37f61d30744c94fc4e3b4aad1c2b5e666c6769c25245b5716368

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 9c7705471ec2a3f6d6d50aab780f2dd3
SHA1 34a9a47603ef94b30ec5b9566e980ace3b8a1215
SHA256 d895c139325ae22213dcaef7d3b2cc745d5eb06b4b690e068364b58e8c9bb3f7
SHA512 ac2bc1fd7cc5b98eb22f0968fce395d22df03efbdef8f149f6eac8fed0fc1f61cebf14d4eb425804a5bb6ae139b1fd894a634fc2256e13064f1e7fa958104a0a

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win10v2004-20241007-en

Max time kernel

130s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (11273) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONPPTAddin.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Resources\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\153.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\organize.svg.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jfr\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\SharedMemoryUWP.winmd C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\osfproxyimm.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEX C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\MSFT_PackageManagementSource.strings.psd1.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-150.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoSearchResults_180x160.svg C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.ps1.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\ui-strings.js.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\questfallback.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxMediumTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_24.svg C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe

"C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\ProgramData\biobio ransmoware.txt

MD5 c8a67f8b8ce607ff54e7ea29fc000450
SHA1 4fc728744bb78a8c29f05c67e067d3af755c9cd9
SHA256 9a0cc9b664d21fc01f93ce946d8426cbfe4a38623e2b6fe06c967291fc9840ee
SHA512 43148dce167a73b32b26a031e97ca75b8f7be8bd0391217d855ed7ae1feee09a9a7a4f356f30d054a9c157cf29d25b24fff321c96f01cedca86cc348f3f556e9

C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui

MD5 3d50edc282e670f5fb9e6b645c555eb3
SHA1 45e29290b5a6168386086e2e5648c520ed2904b9
SHA256 d295c31a4125b479fb2d4c949c4cf39f39d8ad871da7436fd51ab27f479aaa23
SHA512 4b84c067243ca45a32aa15e43c3b458e1a0ce6b300c237aaeeb703d5beb4bc183c260dbaf445b90ac2d4548a6be5c55fe461b1eecbe5f65328eeedaaf48bf03b

C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui

MD5 a232c4e7c5802067ef9d193a24086403
SHA1 1e39e3248fc12088d5d31639ded9c05567165425
SHA256 734f306a94a45e68b3c5ce86e4791dfb7da147bc2922f3e94ff731dda1ef9937
SHA512 7ad7c3867414534a6d2f83d0a7e3ce81e8c0485fae54f0e48d0a20255d711e2805e27a6ea149ee9f3db2c91e2fbfe266e434573830b20e284efb00235f51d420

C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui

MD5 68f44754575b747bfec321f7b2b1acd4
SHA1 ac6b5510ab1a375915fa41613673b542c51d2e28
SHA256 ff317e956f9bcc5eb1349cf691c600699220bd0451c67475327b747707232a5e
SHA512 60ba0df5fd606f1b6a63cf01bbdd2363799afe6fe1a159e93e80feb12e47c1639513aca936dcb9c53fd0583badeb656190af7e9d3741dba17cf18d5e2176de4f

C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui

MD5 f58aaeae47a1c742b23b118168e69e7e
SHA1 46d50e55a92fcf50c7f5d0a06cd9f5ae2914a8eb
SHA256 e3095d1af7b66d7d085062e782e62e9efb70217cedf05b5800343f6995b1d7e8
SHA512 abb8e9f520ac12745c866ddf9c094c4b727bfdab608e3d45b61f3c41ce61d0fe788bf50426a33b51f556af4078718f96da86ea693c0a3ffdca509ba47c917b0a

C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui

MD5 c52bd9c630e857d73b1aa89adeb8bf7b
SHA1 9bed2b1032e31f65b7dd91c2e038bb7f05a10f66
SHA256 c8d9a3a1fd12b88f58de698ff7b9729c55e4e92c2d62789cf42a06708d3ef6d0
SHA512 a0d69229131c70b6b931509e3e54f3f5e8e38c81f2a3b821d952fc37e7b0bded4e100d70fc55a9b3f168fb6801f90c90463a2c3641693572f18c92ccae6a4510

C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui

MD5 f94624af53b5973823c32ab0ee218a5f
SHA1 213e0b44648e678e1792ad24d9ce7a8c0bbf619e
SHA256 32598a992ec8f5d09372b956e9586f5c4c9e446ce8625259f0c46cdde3641a9f
SHA512 04d7089e2f79f588d0673cc5a3aad5f1afb8baef2b8e523460e1e2abd317b30bac67e9b53663324c121fb418f6dc0f296692db1ed9417711432ee351e2a2675b

C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui

MD5 60f3aebb3b3e1d9beb985741043d42f8
SHA1 154d2ad7f9ad150936b08109d5d543dd5e396085
SHA256 6e3a8fff1b4ee1a7070c77564c3c18055911e3f5625926d1cc0af2d1f707a8d7
SHA512 43205c8fba7235512d16de29de2f11efa86ceddbf26ce414a8026af4bf99d46b837b5b2b0bb6f32d6c3f277c04f5fe69ce7873aa92f82d3f315563020065ec53

C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 98c5f7f12d4917c9e0abdf010ba89968
SHA1 4ec95e2b10a2f2462c862bd203abf65e204fdd16
SHA256 8f97b62b90cb4d1bf765c6b7ea989a169a03cf9bf955c0fec34658f109b0b3c6
SHA512 389dfbcf9480ea2054ba49307f8628bd36a07fe37f9667e0495737185748eea67e2bf97930b29b93860e277f170f398ac85fb09fa6fd5797cdd9bb582d7d9c6e

C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui

MD5 745600b6b3f56525bb025b8952fe41c9
SHA1 b18d7121bde2e1a8f7285442f96be059802acf3f
SHA256 2a51a2e82edc12f55ad66031ec808312af1c860f561b062d4d09bb2e891c4a89
SHA512 02e6d45a5545a120eac069b1bc9d7be8d5daa516d0691acf554eb08210213d15002d7430ce0593e3d932ad4a66b05b98051ec9d0ad7d32b1ff0305dcd9be9cd6

C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 3ec86ba7a3bf25060c3b546680d0a165
SHA1 843ff8875af3020c0360f8d2f90edfecfd362ddf
SHA256 8a928346f69c00de651470fa6791ba5d45471fe827b3acba63010f252cc6748b
SHA512 bdf099c7da4ee42248c57321322af13253304aac5c28c2cc86c8f242e323e869f7da98f90129585af1a3d57f6a0aed2b1f9c51d96953183e39c764b225213037

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 36e2f9f44892cab94a1388263e4ac903
SHA1 24187905b5506bfbad05d18ca7b4b96efef7e47c
SHA256 a024c747a8aa93d0f22bbc6c9b66f4c8e820d966880a873622701b935800d5e2
SHA512 fd85459b49f52243777d51a2b86900b8f4632c9773680f5548df06cb38ec9cb5545e78dd2d6cc0598630e220fd93140816eba7adc7b0ee0aad225e5be1fb3a04

C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 b002300714db9f27b6fc1d173c64573b
SHA1 a47be74afe54b0034850cf7a6fb20de1204f7e52
SHA256 0e27c1f9fda3e81038cec2b41bad80397e77f20f902a223996586f6c586df34e
SHA512 8576b1a742ba523624b33ef2a32d1383946d7307479f5e8698fde6f7adc37b80a8a53803cb7af17d16b82af36576c0276bcce0fbac865bee09f1b88b24bef076

C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 0e855853531af3b5840fcaab1f64ef57
SHA1 bed32cc61559ad59d317945aa50913c47eeebd8b
SHA256 11a3c461a60ac16a898450545640c4de3fb7f9c0e0d91adebe420253a4ad0469
SHA512 c5418c4ddd3bac4e30de980b8dea20c9be918130e92fafff62500549a4dc5b7d4069f7d3ac1eb1b383dbe417968e9ffe2bd032440289cf4083d01e7b7a80dff2

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 cd65c2bf5258742d69d8f0a1a08f2e4f
SHA1 a9038e3e6dc5b325c75089b09dbb1547fc297f52
SHA256 7b6961740a60b9f752a0892c6b3e6b10e05e6f881cd86a5ff84c12d68e72b13e
SHA512 d73b98b5e10cca9ca1d2b4fdaf2426871e36b24f2487acdfdd437ec31152178bee9f86d68e5e0ceb15b47e6f875fcd268f3147f40dbf082d9754d8908f9a5867

C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 9cb9c10517a56be070a7e9ef10f9cf58
SHA1 f62997b08402174a41757fb2e2fbd07aba2df372
SHA256 506e27d6f29f44e2e808f5141657d87808e9da354d20caceaa93b27d6144b558
SHA512 c6de8f37477251a24eb906a0125a5fdb7c5237adf1d5db4691b3b440718d474d05fff3d1196cd93cc06c8ad3c12be26ead83f6300b02cb42b521e8ef94b9671d

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 1525bee25bc1f54b84140b45ff2ab0b8
SHA1 0fdf7686af95816d62c444136de096b0e47294c5
SHA256 383488a4c8ce6082a7b10dc8faf6416f9fbc1d1e23452f9001f40344ec750c0b
SHA512 6ee1c0e682f806e01084ff1707e4e26cebbd85268db57ac7846f0a732075c6fcb8fc8b354f66476139c44a8c34cdde8be4189d6d6d2d58172e26c6a2396f4f7b

C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 f9f3cdb889018186a70cb6a708c33b96
SHA1 f6a0dd62fb56413bdffaed0cdf3de19bef3da299
SHA256 0378f0e7c3aeeb055e7b826fd1390e27736150da02a3e5276c49de434a509e13
SHA512 d3b04546f4442ba891f436e8ce8b0a10c8000c59e3c03cac98e753c2f38791da6e46ce55911984e9ec9108845d46fe73eff3c76abfa7c394d30cbc2652f3116d

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 1b0062b69b87dc08cf5a87b772ec7bca
SHA1 7c390de7de640877c24b1534dad0d0467215c369
SHA256 32ccf8480525956c79d7b0a7517f5e1c04f353a935e34ab61dffa1f0f55f0d0a
SHA512 6181470d74decbc944197bdbf5ec55ebbbc4a3886e2afe54a31faeb00f6245e450a56c88cc36cc57fbbc3bf0048de7fcc08dbe9ee5ec8883b5b2bf6f7d70cc34

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 921cd88c459d787d53f41103fcbc706e
SHA1 0ab363bfa0ad15d3e1c40014633ab39661f86919
SHA256 ce2e69f4752d481e1ff8c1703d4a8480db8bb7ba3d3ce6cae59cb391b557b770
SHA512 8729543ea85cb8e5a6d5248df093833d0012973bc8df3f3895984b4201cb6cde08c3856973035b6e306588dd46a6843bb881440514a95211b13b3d01c82f4f8b

C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 4dd567d2208ae516d5faefdd74bfb92e
SHA1 06b9fcc0db2cabcf3ddc1a2ef076a181f51eabe8
SHA256 bde5197e592914fa556924656cacfd2a272eb8efdb2c25282f6250eee2086e37
SHA512 cd4782d1c4cc15d9d18d4912a5fe5b8ecd41354cec08d647bb7679b4958570bafced4e5578d1b4d0f081975ee7ec51c451fa10ddf23acc5cfea585f4f76c3151

C:\Program Files (x86)\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 a2445b27ca9df05fc7ce3213c2ad51cd
SHA1 2a6eb9a86179a126a6f2b6cbdd5f1a74dfdd3171
SHA256 07f11b866f8c3dc571e8fe71f0e60d8b23ac133c389387e9ff43684e52097db1
SHA512 ecde62a07a7edd276198e7022fcc129d615e4096bc2fe5d9962e68fd5a44e42f543b8fda237c85a66a39f766b5abf96aeb6ca4d008d6266292a044eb5bdc5e4f

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 534a725200f0d927108874d785b14fed
SHA1 75508603b342e4acd65a45bd5ea203d0e1882232
SHA256 85c0f9a35c8cd52e37d5776a966db38d1f920ec7fc764c23d011bf602598561e
SHA512 d21bd8fb3ac401d21623820455df3bba1de6def413c79177f43b9725916a80a5183a3324740f77fdf9c3046050af29990b819507b5d4700c9f50de75e130da1a

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 c4e64f8d08d190ac093ab7fc76bdd4dd
SHA1 790dadc63ed929081e146c0df1ebf707e9e22335
SHA256 d73c34a1abaf3ba0c3cb77ed3be0a0ed62ff1da00b6dcbaa8098fd164f48e789
SHA512 911e8bff527c1d2899e2022a5a0e2d06c2b9bc39d7ff9461e6b33861d14a6942f1bad6292abfb852a12ef732dbadd9cc8970214e7ad59f600a142271c2fff6a4

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 277833704f55e6616c31ecc7258af49b
SHA1 b63a095d7e5555ecf533dcc47dd432c7b3b5dd9f
SHA256 1b020eaae5a01eda1f4a18a81b2ecb8861815d49129e28751c91b63570a2cb4d
SHA512 3ee3033d54a2052843171f1b26e6fd33ba4ea78b595e27c3fff688104f6ac0c7e36d2c312de2cfab3a60c9fd93d6c31588145e208928973806ef353a0e10720b

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 6542e1f9636558d80d0c4f44b6c9f076
SHA1 a3231aa72f9a8934b07feef0bbc9ce29834fa39c
SHA256 bba612c78c8e93aaeaccb7c9a14276385abf0115e7d8226bc84d2973f8d3f646
SHA512 f7caeec44e0745ed9a168efeab175a8175fb8fe405b69f3f195409b88a3e7850d53f611aad843b445d67a808287e162d34cbbb3beccaa0eca1f79d7835a039e9

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 cbd4a1dbcc2b1820e6db1a040d840591
SHA1 1928c5be373145d0ac2dfba9791195708e1887d1
SHA256 0d241f0ad27617c89b0af84964cbc1499671c06e275a04464fa04a771d224eb8
SHA512 1bbcdfffda5e1246365a64858c9702eea6e47a155e4027a9d471117cf4abe953793b2a797fa5ca96298ba29c68aab60599a8a0fb8d1e55c5a9791c1fa6c5a2c0

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 494c71c5eedde5da5d646b2ca27664d0
SHA1 e76b9792919d815ac21b35d3671eb2ca0d383592
SHA256 39c09616f8c4cb9c0c413c46308cd534649493c8b4adfeacf593f1d01f147fce
SHA512 343daf5978e84cfe5203e9aefdc3a14ba396b2035e9c365ea5b289412e12057e43b60bc7006d3e57cdc02bba007f188847b84ebe58e44a03ee0d7944bdf8ccc5

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 eb4317ba9f02b1d45e06d18e6c01c8e6
SHA1 2d42b7ea5677035cc3aff49c49ea4a0be4b2228e
SHA256 a7de85389895de80098a2c0837a64a1b0be11e5f30dc475b490cddc007f6eb94
SHA512 45bfa0f8652cfa792e3dc4a69a01972bd6218d2d8f3f2101bbb2d610675ae1984d1fe7867cda7082edeb3091f1daaca5020bd60258855596dfb449a15ff14db4

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 90d33066e3ef861ae50d3887353a34b3
SHA1 9261d5aeaae11ccf43a3165788820a1da7527ea6
SHA256 3315e968f32e767f3a3c6e930e5713762146d004ae4b6bfae0ca69b60b7ee733
SHA512 2efa5284347a39f3981ca6d9b5c5bcd46a098484577e20e8167a3663bec250881561a4148d6b763b036f216e4de1612cc59ea64661f8c1ccb3a906af6f96bc50

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 4d7240b408b93509255fc6e897d6a924
SHA1 74eb773d73dc4a20c0ac3d9d2e0ea18fb361ca03
SHA256 1e5b6c13a39a3de298017aec8fc29aa799c479852883585bc16a188b370b4af1
SHA512 5d50940d6e8cca5219a7297dd75b2449c3c14666ef7cf6529db8afe895fe3aa93f287d3d357ae211043d56a59ae817cea00317909d26dad069120055852a5537

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 bb9808bd45ebd79004314365d8c8deec
SHA1 8c16c8eccba7afafd280baa630381f86a222ff59
SHA256 0091e341c2d27972d1641af6abc7c8de5ad6f501d67da1734f247b7259ae371b
SHA512 d91bf3b44550b6836e6100d6627f0e21e425d97617c5dabf726874f0fe614600bcbd88547849d631b72492e1610a197ef8071e45be25ae0f7ba9ffb043d4de30

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 3c0111b5799b4400fb628ef2cd9efd35
SHA1 8f00bfb4612098182fcf1b53d959657a4dec5209
SHA256 fde2ace34385244f96853961a328c652a6bc47fc428ef4462f33f1bbf44192b3
SHA512 2833e71f82c891048bd13763b9b0f05e4118b06d01d3f1537d950e196f821a21e74493bedff7a1075940d7c9c57b6fe1c29e0330f944f86b8e94f85be1ea70e4

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 0a195aa265ddef68ade10e6623fb39e9
SHA1 798de0b30fbe8536c8a332a513a3ae96f680bf2f
SHA256 68fbe098c2716f076204894d175afd64365ded1fd2f4c2f1ad9efb18035543c3
SHA512 0bee00721283041d1546b15dc5351a39a55002d0deabe095fb5bee1a58e0e13f1d31e948a57990c51da276df024ea7a12a41120fd31d731ff9e96e859b010dfb

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 dff66e5064295a29d0c3191422e61342
SHA1 64e999a911ef877d60540c5ece1ce285143f41cb
SHA256 7e1930ea792ef18874ae4ab2bbddc33fb6621a3cb45e5e6b75940bcf2c7a33f8
SHA512 bc57cd60b3eff9c34b44abda8dbff611982bbbcc60165c31bf9211d1524a03c96a5653bdd517a8689880195968b2e47038733a7e30c06748bdc754ae4d4332b2

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 c9d3e6aa043f40c0b3823e75f1e311b4
SHA1 bf739099ea8eb834378be1de9fef6276d6f43988
SHA256 de25fffaa4b108866c8f41fc02211fb4ffa1291054dbf647aa43f6cfb517c1fc
SHA512 47e2c140b96230242d91f8dd9ccbe7045452e62faf465242bf4091e74745afb978dcd69ae2c2cc41c55abcdc9daf6c0d62181f34e8b8a0c95cc56571aaa64459

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 00d806dcc2cfe2c18dca83c18e4c4887
SHA1 44f5cb7439e718ed7b3c06c5abe2c744c6c16a5c
SHA256 a30e792874e3dbc518a37d762ff5418f5c7c26b1f34709fe7ca57d344fa0e7db
SHA512 c9b36e6af5178810d81a872403d33b5342bd252b3bcfb012f34f3a689aa296a301e8bae6161f0c23a1e909ca4036b61802daf5186d0d8314d470c6d4e31a7c75

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 31b1dee539387cd0796338d194292d37
SHA1 9a162f564e13588c8f89bb0f2127179673260983
SHA256 b917fbd3a98f3dd3a407c28c86b37c79bf8a4e725acff24163bb90f40301df74
SHA512 f2a02cbbe94bad644225594328b4bf9cb588a056aa0992b5d6c0d08e20349aafe7ef72dee479b490b11d859a9db6f9dccdbdef9dba710bff5683d9a063779218

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 128a53c0b5d58dff0a75cee2249c48d4
SHA1 08c9855b8bf2eb25502a427f1cf911da17fe3f16
SHA256 b9470daf4ce341e7f0c5abac5a0f840c5d7276aadf5d9134a500143a99c3813d
SHA512 67d83f6bcd1e1485a2d6b6cada639caf0a72ee675a3ea6eca53a6af0685e84cdf46a8c042fa5e5c24b7f7cc593b0cdd4fb895cd468e6210ce6a909bde0681894

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 a5543b59f4ca6eb8f7f8e867808a8d09
SHA1 9e82275cfc8ec1368983aadf3d3ff1b1d669035a
SHA256 74a25eae0ad54bbe94f85e6ac4552cca3cd8e3f4a778fea2649ac9a11b6b900f
SHA512 6ad3e58f7191999ed05f953757188b7b38dbb0d881fc544bb5a5df513c2f2a75a63d1105ba3e8a55dbb5243077ea311b9b5227ab607bd72791ad3af92581bc22

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 0815f8d9e23ae6067ef6527ae094cfed
SHA1 90372c71d9396e8701cadc1056f1bb1568228e04
SHA256 9eac2002f63d3a02a5e6a0fd914436f42b3f67d7bd4263d4582689abcd00f60a
SHA512 c37ff62d2fd02929055a18342f0d964e17a95134ff3fe5a83edd57cf038ec267972f5184a25967b49f1e6dab97e9ea1dad9e2d4c79465555926e06c64ec5b9d5

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 a93c869d27c6bc062a230e6cb920bd8d
SHA1 324f76ae5a6781a28c7e8966a5f5fba5edd427e7
SHA256 31dd0560a1543508b7267b0bdc469b843f57ccb364339d586e844d436feedfa7
SHA512 4fc55fa389711f3beabbbce0c01d6fd0de010d2a3a34623bcd1f08f373308c7ccc20cae96be0e5e00000281534fe0d16d644214cadaf44cbb9af17d81cc99025

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 60354fd7f993aed64aa163d14886fcb9
SHA1 033e493e4fb1cb830cffedbc2ebb97a3cff2fbef
SHA256 a3f29a32e1e640ca8f2c190fc3169fff2359e8ab09af3d2f2e0513209dc1b862
SHA512 288ab2af2549570c35bfe50689800e278b89d891fd0a8b5e8095c4e0ec44f0ad363befe16103a502e1021fa5eadbbe987bcf8ab27c8d49f36db4116c7fcde4e4

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 b1ff1ab6b1ec501da6ccab8cfc6ec675
SHA1 5de32f2ddd5fff9f634d22bad1ec4b2a3abdd75c
SHA256 59091d6cee78daf175aff8ddc8fffba6561d664437e03b20ea942bfb35f9cb30
SHA512 51f4719027cbccff07bdcfaf11ce28a9be44cae9fbba8cec5467f0100bc5bb491c700591ac0f33b520218aa8c69c1eebfa42fbd83f254e149d4a3b40674a1b18

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 3486e5cd5bf6a5bd14af2f5400665f0f
SHA1 dc22c8657a9f6a5c93e3912703a5b05b8cd9b378
SHA256 c6017ffe39dbb27e3e10420e6500cfb8b443270bc690c26e2a33f940ca031a77
SHA512 f7b892a1a103c80b1e5a1dd5df592250b033fce6743998dd9d70f19a4715f21a4c55ab5b6cda448d74fd9ea81ab374196efc43fec7ac2bc12919e2902c5b0bc3

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 556ff3a145729c65a1b0da41e813ff90
SHA1 72a29d82c7506a098abebcd7e4273ccc8086bb84
SHA256 0ca4a4e792104227a44f249d5bfd9648c2903a7af9c989b74d53707295136048
SHA512 b982066034ae0c5f9e19a22542ab07f6125bc9d5bedb17d0a7e9f96f7653e5eb9363594007200a69f5771d62582819c894d896e8be898ca2b8805a51d9f8a4f6

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 549fa0cfda6cb8b1b5e833394434867d
SHA1 f3407099c1162334eabfee74a043f11b69614d32
SHA256 84f9a0d31273ca535c4fd1d7f71a43eb0bc6cb0c5916649192dbee7d8ba17660
SHA512 01c8535ad3123510f0da3ceeab401810f720ca9b4d37e340ad86bef72b9f74daba87e0d07864eeeacc35fcc429f2e8adfcd17cf2cc86b3ed21fe338992fd3af7

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 894c67f103e19d1d31b8dc16b8e3e490
SHA1 0b0bef58100700d643653930899435895930e623
SHA256 d446512de9974f0404cd632c0c5a149dc327406673597852722fa0e0c347ccf2
SHA512 ccd32ef455aec2b28ba4297290bffd0cdee54884f490715f9fa59d1ef420963ca613c272af6d01af4da43e171cf0944f867ac3b19e8b1b05219011947b8fad36

C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 e434e843de202a6d71bdc7c94365b824
SHA1 6e8d4944252e3f4b8e1a8e71facdf17c3b4e6367
SHA256 da40aef23f088d7b35b9da5df003009169c29bfe427768cc8e952c410599dd57
SHA512 e52181a397f903b91aefa7bb2b035a11398246104af8a59db7def1c8efa9d9e7f04d56ed01e1349616cf33ef37643358ee59f30258674f15df14e3235d713f9b

C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 0b666b7902654b88346e2f3c6fac0cd2
SHA1 753247f4d886b5578b2a3ed2354cbdee83234a59
SHA256 9c1cd1191a1562115feab95ba880132358da01fe4fa2703a4df019270118c53e
SHA512 adf60fe80dc904bff0671b272624d622de3cfd5179b7194e157fc5d1151a237a1c938c6da5c57d1a81d3cfd33d7b75c680b5941d12df38cebb225f37f36c3dd6

C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 f6a1f42d7b1ff710e61a4b6373cb8b10
SHA1 61d08be27bd534f12609aa22cff6513bd378d0aa
SHA256 08dd5bfbb20769ed969e4b7bea0c505f1184bda167cf44e91bbdfb6f854e2395
SHA512 82f788a318e0c4863f7fee0ca27f2ecf23f3befe2d36bc46c006afdceb930792a5a5959aeb554c23db19151e41b9b68349c1b8488bd0c04627671d7753fb6778

C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui

MD5 2023b65c4851a982f429051ffaca9d77
SHA1 50db94435dd85010e4cca841a945182b272b7924
SHA256 c56a342cdab3a37bea1fc7baf1097c5d8773ee44d2186a7093c2a4b0901e0e38
SHA512 145efd4b27cdb4deec4ab0b7a74e94f3823c5b66a9ed87f5c450623db0daa3fa2de6f306d37d1fe223b078ae0f228930ccb1bfd1e4de81e646ee590022fa8f30

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 721b845902e17db62961720087b8c966
SHA1 1413ca9840c62b14bb372ec537d50625061c3fbd
SHA256 a5d22a59afc25fca90e9730bde82de829f17c4f79006ded0424f88cfd8a099cc
SHA512 310ad6f398308ed0c90d7497734941cc95bed02c0a0d1d52a229beba6d72c576c416a64a0f287afd430904ab52be08680507441e1ed236c78e85be89fafaabcc

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 f0ed1f139fca3498eeae20d9595250c5
SHA1 af5e1c2c166380aaf0a8acb27495ee18b564001a
SHA256 47b85ee3323cec09c71cd81ff20ba3e9ace181886b5e5db33ee586fd1477337b
SHA512 e66b70c4dc104dfaf04f0b5d68c24a51a9f7d35796c471a433f09faee72ffa9e464e5ca0e927759efc1aca4bee0368c8fcbb86bc296393469ab8014ae94b4b54

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 1ce06b9b32ebf50ebf0e7fb7ac98361c
SHA1 9b81d06d6eda9ab6e44a37f667884b38fcdfe083
SHA256 4512eadbbdb10ebdde32d158ba3e3fb9d513a36172bc55eebd5c5fd7eb0adbd6
SHA512 332ac752672c738e2ff52f0cf9664e356d2e79f4689a0451bfa29a8a7b20fe23b1d1f610b673dd81acf922df6288b96d262c7b1b9ec4d89d2407c81980f6ebcf

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

MD5 636a4f85bf1ef20a7f0a541bf20a6b25
SHA1 fac5cb967066e8aed10788439a157c9b12664ace
SHA256 7e892768dc9e0e17770bef5420df4434c223f51580038bb63ccdf74627979352
SHA512 d26872a83817004c4e9c6f14d429a1e7c3eb461c0a117a41a2ce2f3e4c8292cad3687e16fd0e0878134b45813e08805f3e28acd3aea7c01e15294b71f24a6aa0

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

MD5 53bbd43b4467068892cd2896463bf125
SHA1 eaa89935ec4b130ac08b943affdc6dffe2ba31e2
SHA256 f2c47b7136c78500caa17aa3447b65a941097e2ac1ab0eb74237282588ab59e5
SHA512 8025a60f9dee65747d70ccb7ffc3b631ce3ba9e19f65fbfb11dfd23b463ea44d79e429e2a7473940adce2df6dbb1b86fadffcdf03720723676361f092647dea3

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

MD5 0994ddc7ae15d5da37dd05042a756da1
SHA1 4278f7024d366309cdbac2ee097314d2f976bcfd
SHA256 9b53b26aa1dc1ab7aba9ad5190f99edf9e2221561a437503c46ad9538c9bdf5a
SHA512 decb9d0cf987376f843421fb76086e7e28f14d0c0e79d834a5b2588f27c1f5edae591c11fd91f4e14c6b06569984de6a4184d37049d4a81e49583ba769e92c96

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 f02ad1354ea83bef178271794d23dd89
SHA1 c9e541a62224ba47e82221c1815c7be3983b062f
SHA256 399ee3c7a2ad17e914df588af70dece302ae033b593a0c3fd3a4a483151094ce
SHA512 71d0ff4bc189860f04b57d3218cf58a17794c2824515b4f3eb7e3d9d73bf30168edc0be4f127085e307359869c2e39dc408f42bac9c39b4f5afaaa4d0c8d42e4

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 1d588aab2d06ddd5ff46484875d26f71
SHA1 27e36132eeabec1b69e2ab48b9d60536d3e24302
SHA256 ce07bf5598f7d95ebe00f9317072587435c9b0b0806751457585d2a4ffccb0bf
SHA512 d56a6fb9fd5a5c63976ecf193acfd449f195e833f489ac8f14537af386833bda32d8896627a321737146c8ae6c35b1b30c357cc19b885810ff38340d7be3a36e

C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 2aec981a1c8407d6188d7713c364fcf3
SHA1 e11d25921c965382854ce3738af2eea13857f141
SHA256 004a87130441b4984b9d119f289f59e8b6cba8a24edce09bf06e84c412f00f9e
SHA512 5023eb1d4d24b2aaa5595298e6447c7040beb449fa2d81894db743087899d73dda562014872e28911c5da636296d6950a9a8245fa469b78047cb591bf78be32b

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 887624c5c206b73b74b57ff1b03b36b1
SHA1 9eaec3bb6176108abdbe5a46b074ca59c6b2f04b
SHA256 9b5a4442fb807daed3a5b3ffb71830e83aa0a17f62d0aadba291417e758f3698
SHA512 3e1d853b372ef52359b994a7c1aa84054977235ab31ac699c5e6170683aa4735f603ae46973b91c9b031167317271ee9bb37b9c22963212109f5af06247de881

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 08bfec6ccbb6ba79dd9a7d01ec7a488a
SHA1 6dfe3f13083fabd5d169d7b03a4e102c8b493932
SHA256 784c5a1033fabf07a3f515c4fe1410926ba0df93bd46f1c806a52d7ceaa5a9d8
SHA512 8caaeb38a50b85e83af35aec025b30ab079e49a84a1db7c419ff22c00f1e1bd1210f846401328df75b6a45b9372ffdfa0bad39d3251c22e46b3a50e66b3fc7e5

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

MD5 fbaf2a5d8c845b9ee212555e6551b997
SHA1 e5419340a0b541a3ba2ad9302269b71e079d8353
SHA256 9c422a0996934d83421efc1fdd44a0aeeb5e603c02ff784ff34b3bbd700ead14
SHA512 c6b28a62471f6a69079a5ba3eea311b500fdfffdc26bdcdd6a16f34b97d69e21d5d2ac0c5be2956ca63205abb36ae7624593343de5b32cacfc0f9cb919d28b37

C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui

MD5 9be4b4c5d96c94916ce551200e8ec33c
SHA1 7abbd82a3ce221b34594a3de9b460494ef8a9c5c
SHA256 aaa5833778bc14ddad8337bb8c8719c17d44d63e40b4218082414c3b1040dd14
SHA512 c639777c5d0179b0f4f94a5ef43cd319cc2301cb8ae8c095e4808a4cc2b4ac2d2470ee41359263dd75d2e3af49d8e66575099784978f356ab1391c5a1518b14f

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 e5f5e8e3458b5094a6c92f9df5d10091
SHA1 65734865d0fccbe5152fe2ff75a6b5fb297c90e0
SHA256 31c163c52f7d1cfcf62e5ef33e095ea19afd5f0aec10edd40bef071055c336f0
SHA512 2fe6194b0150ed30d4c4bdbc83f20cd55711e885329ef916ca036ad7c0380103089c9cd1126ba79c0c0f75c63f95f3bce6f39889036adcf3b86b53474ef97153

C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 9288609b44a4f4b280dfbd288ecfd4ea
SHA1 1b585768b33a93a23b33029eb98d90164f90e96c
SHA256 a1821df91c67ab983e170533e09a125d2a37744a015cc9d6a923b923b5c9a224
SHA512 aeb805f0c9ec585433d52ac9fbb1609e4c2eeb73a0b2b41eeb076f156914118fc0a59c586079c2390426152ce9c87b930b70948f0c5c71ce1f2d4112061d1f76

C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui

MD5 230c584425186ba86f686f6b5ee24a30
SHA1 dec2144cc6f231991e6c4cfd47b480e0c39a8fd8
SHA256 bc798f611d9206a9c2cf57d783abed5b8b98d78152e5e0288d9e855210119346
SHA512 4d64456c24dda5afcc7f64071c1614d10cfb5d56cc9952baf93b0ea69a095587f9f62d6d0564a80d93299d16585d6509bc6b035eb9253c58c946a0ca726cc92a

C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 bbbf35368032fea66d05806c87c7e95e
SHA1 a272653c82009eebc1682c2c27c6bc009c10253c
SHA256 40914dad1fb421d60cfe6a71494087da2e43c0c53d4fbf9899f83d7abb237674
SHA512 95ef61622ce8ccc6175acee8650ed85a621bada65ef8d29f93e8dc88c20ce74ca32f0ea262b96f65badb003834d97ac92ee16130f3c8c133e9b75d5196a1bd05

C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 3a938b041fc4232f09d7c5e7e5600975
SHA1 118fc228e23a6935d502aaf2bdbd351a5d36dfc9
SHA256 7044fa6cec3e167f68dbdd302e4cda5056c4c36da23a6cc560dee2478953713d
SHA512 015995a32dfa1158bd5f1bbfc5fac398129a228c7daffc89d44a512332a98170be3bd824714cb588c3f036b5b1d3d7ebdd2602522845307b1bc432d91cb36559

C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 7a0d591b742c3dcfc9c31ad07722c38d
SHA1 753581f894cec851a68b41b73c4b7c589c102e03
SHA256 b87c04768c235fcaf3e89555322571a307a6135d51090ffbbde5d5c9f2aaa699
SHA512 da6eb51ccc88e7048caea42b02c31b1c1b4fe8ece0ae9daaf09d0dab5dbd0a4a2f499026921abce75df46bcb83a3a4ec111f351dc75b7f80d29d586ba280ae62

C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui

MD5 df4a579f0800286ed93dffcbfc22e458
SHA1 46bbd39fc1b594d4d9cbbefb8b45a106a02cfaa9
SHA256 0399867aed5c990c84e90dca242b7b4f5a0270a6e235a5cf39fb728b50e94c80
SHA512 bbf125b27b27025d3b698218117e744430133c1da7d947f007bb1b89835683ba3056708e4c30098028dab3e657bf059d4609b73fa41616e23408171867ab3640

C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 975d7fea5dc918281cb8c8cc637bc689
SHA1 e3615642581136955d2e6c0d1a796721302d2d52
SHA256 c0bf9eb611f2a32f7235310c4272809fec95d142a8cfec7c9356b1b454f2bfc9
SHA512 323c44150252d02e42c2b954b4ab2544c10f1db16dcf1a6259e2ad2523efd4300155e991fcd78aaae5ca5f4d8f92c079ed3d99325c15a854d0f9ef6c6862782a

C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui

MD5 4228868d282d5ce978d8b0e6fc1df259
SHA1 90ef71a9338f7554606fc2ffde04196118f8bb9f
SHA256 023e7d9f871a2bb91cf472e8e1c9277bf0fad0fd9395ad3303ed63de98285a98
SHA512 fff524448c056cd62939b93df88892a734642dc2a13ad78fb9a2263f16942b1a21b68d3996a0fb1103093c1424ec32794d40a0202eacb2c23e3d6889596da740

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 149d313654774ee2bf12a7347675fed7
SHA1 574d8cd4c5a09b249991dd64d7bf00fce42af94b
SHA256 986d22a482643244992056a45fc5ac14cbb65c89dd9d4e83171c909fca9daecd
SHA512 50c1a20052a50655d208fb7dd1d4860c81e772741f13d2d2670dfbf92e6aec610e29815e1d0de70da740048d00e70154ebe111b3f62a6b7862fb1385f57353c0

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 44854b1aa60d80814e77887bee67d1ef
SHA1 39df8452fcbffa1e2dbe5d2cd75a3cfc41e3a285
SHA256 023c883cdbe7ec657315e4e167eeccf3fae677660a1967d41a6fba4e80721520
SHA512 e739b03a004b76679839d422e11a9ec22e6cbde741d066ee9151348a9ea29e99b4963f0ac971c78920ac03e9b94a03eb22f8d34daa2621c8ee7d14b7afcb7215

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 02ed4749246dbfc7243e75fc27b143ce
SHA1 f5253feea725e3a18083d2a66426d5ba60a7905e
SHA256 3c7bc3334180f6a5230156565776332d9d36bdec2eb59c5035fa1be5e238ecf3
SHA512 1717817b6f120ceecbcd2728c277bae099eea790ce6dd2a71ae611e8d7f0d9d2803091d68cc4eee294b8855bc0e9363c4be39b48b296949f8144503a0543fba2

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 d6227c80dac015538e7ae519594a55a0
SHA1 8d9b29cc1a4c3d579d3ca2ef228c3c83a9cc212b
SHA256 d428176e313be241af48df95d6dc45dd007bd850ee2aec965d72cb6b1b94bdf4
SHA512 1840a5fa1384352483b5c1f15e465f78f51410498cfd7f5a7dec455ced64091c69c2f07c689c4e688bdaadf727b47a35d32ca45f627bfcc5543ff564f2721788

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 64bd67414afdca53a6efffac897964ec
SHA1 5f2a0209523124f8bb289519b34e33c11c2e0f8a
SHA256 52b1c6464d91e021da8fa46651297e624ba79b67c756ff432e02900bfe7af92d
SHA512 47935d871226861fcb6678696e06e07f352944f8039015f1e9378662d01033121993fdbedeb118797ad270aa880fdb00c631db0c16f203cbbd65f6cc958f8cf0

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 46eb87188502577be1fac5f6475c7332
SHA1 5ca6d831bbdc78838496342ca036629ce6a524c2
SHA256 aeaba0f882aafd9966494cc6d91c216f52db5105f12eb91ec9daea176223e23e
SHA512 dd2505bc2983741b9633d6aa6af01f19971615a3f1251323e88ba4e7aef577b5820e365c053eaca3e7084ede9a6f445de50970e49a85ae2116fcbb756b4f1c47

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 623989051a8660ba2abf837c6181d651
SHA1 2d6d1acdef9269b5b80ffc2b634be708da028ae3
SHA256 9a4af1b11e3b83c3b90f7475c93e741a782168fc1a73f2e9129367f8ce461bf6
SHA512 a7d8729b6e3610d01127bd360cf6ab786d424326cbaff99b81b9a51705f18a6a65d2061bca3b53d24e688ff10276e3ed6b01281f89bb058845ee214ca8cbd072

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 fc51e6364cafa0d0356c4dd5d0f3112a
SHA1 36f3c8d9c28b4ea9b527cfea81c43dfef503bff7
SHA256 74509fb024059b1446caee9d7c88acfc636c8fd1f5f6d1724307a32d29d6f09e
SHA512 29717a6308fe9fef8d78ae13f6b170a39c37c71f3710b609e659451b903c07c7569c765a5ff5e5547e2e4a724b0bdfc0b35673ea20b022283edae680ce387395

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 6185969cc4e4085a24e1ea2c13704417
SHA1 731cf2a83a64ddfb4114cc2b4e2d72f626add7b5
SHA256 cbede416c90f9ea597de511e391055e5cdf55b63e6579f223748df99613c2534
SHA512 3c2c5b2774e93493679ae85b82b864e7b389d537c4c7f123ba116a1b09f9fe9927eb486451f2c7f64136a1111c681b05d1bec164a72cefe1b554b354ddae94c2

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 73597f137f9d290f3d638d2b9a04accc
SHA1 73a34b49d5215bc200411d0417ae1b28ee6a8201
SHA256 1d50f1f1c7bc8b07e1911b76f78dbd7023091b51e0912b623e16f70c5728af63
SHA512 b14df6e9e6e6f02cc5936d00c8b60b743b6a74403b94ad7e5d8ef357879ddba2355cb44840185d1f4ed3f9ffc2bf10a7b975d75acd008cc12554ac2bc732e754

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 0540d4407ba37514a63941144fc8d8ee
SHA1 71deaf7e947dc9ca47e5f4cb30728500827822f6
SHA256 1a7c2d70e440d31d9160e3a81ac157fe5c0bb9a51e2c049d7e0609736db8a059
SHA512 553cfbec470252154eea3773ff64818f578e8943ba1d6d39becde2aac65db8ac2e57c40fc3b6b9abb63249a87bed03555da878717033d930c92abc4c33afe854

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 0a36704f84258eeadbe526d2780833c7
SHA1 63c27c377c3d9e390ad8f8a38f78d05be2a67666
SHA256 016db238f5f45028876fd887739dae73c4192358ff462fa17b2b1cac5c0319b1
SHA512 dff80bf4b0b58295c11533ebb3ce1728a5ebdce20411f8fd278ed411e10657af7ce2eac015831554772ad0e11b11052e4c5c72b86ccad8d9fef4414376954124

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 215daf5bec19835c53b61a47b70e63e4
SHA1 67dbb0d79faee47586b1a62e96f09de620107ae6
SHA256 6cff110aabbc98d9ade46e6c9efae142b0ac763ecfb638e8b56b7a29891f5738
SHA512 c228ff0d639489beb4912a7cc7f65b3e4bd8bec78217114d9f7d2b2d5fa4f802097cc50e260bc1d505dfa03718bc6ca2f61163fcbd129cade48600f87c9aaa2d

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 94732819796dcaa2141289939277c278
SHA1 a16b5cd42ef28f1ac087bf558f6b70c05133eae7
SHA256 3bfc994a80a9a60e61da72f4286c47c6e6e7392ff7172aea69d509993ae02388
SHA512 c92fa7129b264d85cac13ccbe7687ce99e3c215b2a098395ed9f2ac18ae7e33f11bae4054b180b888e2b0a3febaced0b3ac204dc7f3884db1f347eb1c800366a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 1e4dc0c22d963d6c9197b2488be2d691
SHA1 f39b95f33cfb11df576969e5a3cf6aa52d8a9e7f
SHA256 2345961d6047bb8d9334645fdfe206b74f5f6886273dd2af0df4d52e0f180596
SHA512 d51dfedbc1554394f92038ad405f76089467263b12ef977d95705d86d480eebda360307a108bbc70a973663a2537a98a886b2396a48cd76540e1b00461b4169f

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 999018b9429729e2eb0d3153bfb8b632
SHA1 9c07d7c5cdcf05bb395fd8a26f13987a94d89248
SHA256 318c0d068c28b4e3c10c7830c4ff97156aa58047335f8ddd08c3718a5c7e1c57
SHA512 d9ca82546b4d6789b6bc4f4377ec0159dfcfad146fcf770f4083ed525ee0bb5f09cf0f61cb3be853746da3fcfa2300240d6d08fc53e109cad1097ac7b76cb58c

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 e21ea250549b4584aaeb60bd26a37a36
SHA1 1710f2726b1cf08141db96df1c8b2711d32531f0
SHA256 810b01aa55a8f8f056b1de879c8aa979dd5f0d0aa67ce56bd38326bc9d5331e1
SHA512 24d783a4d8d91816afe0c51b1ea16cbfb453f5387cf1e960379dcbd99abee50680118a5a46c59e8f82f898198fc6f61871de4a649a59cf8a6fe919b5271b45bc

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 a0af05d49582d3105acabaf3b5bc5388
SHA1 ec24b85285dac6312d779475278f5a393350fdee
SHA256 1f18318123244bff3a4a2e9c9e2d757def87114ba6e08901b139cfd91dc032fb
SHA512 d32d362915be90eccd3bd7468781db63ba83d627bc26c42f10a8e59493833aed708b167ff1bdad8aa4933ce9de904ab948d2521db295b9d4686402bf8e3c7afd

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 695051506e6aa80e357a99791a758f66
SHA1 39fb728cda7538fc084279fe2191f1011b01f7b0
SHA256 ece36fde84884d45ec381358cd8b73a67ee4b3981fddfd138df761f5b257de39
SHA512 23cf25c98a159e6a32aba684cd0958a2cd020d579b5e379517c63cbef86603ced166f69d12cf961f3f2d5d1f2cc84032873f9a3cb4518254277de40c1bf52270

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 9995436e6637d25bf362810662ba9934
SHA1 3e0491a92130d74c7638706aa15035340fb83131
SHA256 0d514ad7d70246074a7bb62d3fb70471e3672ec503ed891a1f5d624b2b2f555b
SHA512 1c29b0dbd2839eb4e2ccec6a67c20a89e458aab03c7edb2f474c802e1069c6479860afa377f3310380f2be3d96332074d8fd8555cff5b2c9ae99d19e2a3e5b26

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 2a151b98ad4355cbb061ec9f26918a35
SHA1 2edf03343a67f8d1a7d2e33068c0dcb515085ea7
SHA256 65a7f0bd02a5d33278d28bbaa7cea65070863ae2f96494ae2cd34593502282ea
SHA512 612355a2e2cce05bfb192c1244655f8b94b1b522c3371f47c5e72159a17241072e97191dc07436a1be2ecfd8bde0de096c6e8c19498780b357a3485cb2c65723

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 63d397a493d4a3a8a178b3ba71717af8
SHA1 50150bd8816e4137a092f43d5ee21e531d758bad
SHA256 4270ccf15acc6f9920136ca75ba63e58140be13f267588f3c6d6eaff385dc4e6
SHA512 9426f2dfeeb2b24ff3e5e85b9bf7349d2f41cc0bef370c340feecc9a52dfb80982e422cf869b76b21c98bf6804be6709e7e32594308f3fa0508896202cfe9e7b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 a0c89ce12a6a1412f8461a15586ada10
SHA1 d514e0cfd772840e7575dfadf30567fda5111446
SHA256 547683109245df577e54e98b4d9add184710726329f3835ca9d5478263a737b3
SHA512 19b64b669c3ca48b331961254ed5f62e413c91e6a2bf7a6c39ae3b2c27429073dea18228fa8ee1caf663e68b0d6e538cac140b79a0923b866c2b8fa8faf0e1e8

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 6b93c2af91ea2574555a17420c786c63
SHA1 d4f3d80b8f0e7e8304365b173a9f19d4ed9bd679
SHA256 a88b9d6d464bb8b28d52ed44e8def9a8a380f9d597194784ba6d4afab1f5a6ca
SHA512 42f917021cc0f9f64d5f0945e2abe3f5df856d518628e6bc5e02ee6326fd6b5c880b409388eb2618f9aec632daf477ad2bbc37d7a1bff768fd50663be0cbd7b3

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 891ec968761f8e686e921e857c303bf4
SHA1 5cfccc3fecea76135405d8ecaaf868a268095440
SHA256 f9c5a6612309132d113a82660bc82595f90fe8ca386d07517391d7d013ad9dbb
SHA512 f3ad3be98b0736dd0411cd75af0c7eeeeb043da22103e3c9ffaa1ad9f34a3d365d455de8d730eaa4c94902b66a5764f18b848a541ea58f75c2b01e4dd817980f

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 a19378e46588ad43bd26d751f3d22968
SHA1 077a50b9f73250b6875535e1fba2357e2ba28d8b
SHA256 5184274e130f4c7679608ab533fcea1d1ff22d7d331c3358885e57e524b35a84
SHA512 b6270dbf5ac76d3c07568a6e2b607744c16300dd2b33286253199bb7349329f63e73688647ff3bf5eb19d6e6bec7650a2b5622a9479ab4321129ec7e51cfc8f1

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 3f7d527770eabda213ce072ba10b5f35
SHA1 50445c55edbe44df60f9143b43ad549fc960f14a
SHA256 edbc8e74f4da9f42bbcf1eb3d78b5bd2894ea6ead2d592f5c799ee6fc4566742
SHA512 e53d6d147ab15b1e6cef85b27af25844870f0d393f84f9fc122ed7692c5bb2d07e845ae177911c7b746bfc1ae593771775f9b87a6b959627ec7783fda0aeccf3

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 9f0edc27166d05a9cb9d511710dc875b
SHA1 8f3dbf2c8615193086cae09ed81fc7ef5e46c393
SHA256 e96aa19c43594723eb1580fc8e6ebcc82c1d2ca6f87aa8c316ccb16d16edc493
SHA512 a11df0c6cc6dda32549d78cd5ac1074ff8a7d01e0adfb138ba8d9288fd4353ff13d91c054edcefe94ee2428160cba11e4fccd74f25b7bdd5733afc87a422aa80

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 1f227abbadb3c1611b9f5e4a7c010b06
SHA1 6f53532ede2ef5fc0c42768d5553fa5200003f7a
SHA256 3aeff327e9946438f92c55b59171110faf7086f6e17285f3fa79df318cd60be4
SHA512 3afd81dae8c88ef30af160e725accb97f41d21475c9087f32aca59f82d50f3194370c13363b774a4c45245a950a517488ceb76e6f64e89c4e78a9ffacd5e06cc

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 642733b64443f824287c6c19eb172ca2
SHA1 38190530dc2b16fd0dbc96e96d3712f5b6d135a7
SHA256 bb449771cb96b2e46ef4e4635610ad1f9f3d9ff116ab99168eb40b0c070a0e48
SHA512 839bf5b992df4b561d7aed1a478b29413564d1310e0269287d47ae3a9dd87bc18aa2461e6c06891d53365b6cda6388d61575486f6884cbee1e33a4fa296fc918

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 8ce9f84e653914a6e34363410e83794f
SHA1 ef2beef3a5c6524dfb2ea6df937eb710506707a5
SHA256 09d2c68247c819d9364ac82c423c6c561c06e06a16d9a6d1f2638419c69b72ea
SHA512 6c63be437d11a92ae7c4c3c37d330ca9bbfc109fce142dde3f30add10033ddad924b04854aa61ce1686a49ed3540d7639cca3b7ae2d2174a5ee02778212bc8c0

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 db1d62fdeb3ed049ec4943d97220a8a7
SHA1 5fc659012d8ad00d9817cad066f79e2788185aa2
SHA256 9b7607d1ecf385c5bea0f43ff8765891217242357f335219c451f0e5a6225dc9
SHA512 3a55c3877ed4d55c39ace273a714beb3371d019331a8f336dfa480108a563a84c83dbc952ec625e35c13db6b52059c0efd39bc06be1c316c4ee235eb2189d1fb

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 bd86b7e8914babd751fa0753bc32d4b9
SHA1 ac439deb570f5ad1bacf76b1aa26fc603f792ddc
SHA256 e3b000ff05ea7fe5248186e8032abe2c72b8b60cebcb9be2883ab1ffdcdd0a12
SHA512 86d672970810a8c25405bf11bf79579d06ff97ca2398d78012de352cd435f5180631660f084b7de5b9dd66bacd89b6d3388ccfcdf14a7d4dadd49a30d79af824

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 c8a57171ed9d998197af3f9ad56d1e05
SHA1 18cb5ad21d65394ac1e0ce6f84270f25b8f338a8
SHA256 29190e52bc560adceabc5b9436787ae9953fcd96c8ebd9817aeb61b50675ca60
SHA512 8ea3c9c4a4e387c0dad1ca627ce15c13ed39196aea539fd678c82d380ffcc2a7d6049d6dc4f44b3151d497a31199b644a36a5460e4a73044548823c18f757d46

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 e790f7397098ac7d2c7053fb39ed8a24
SHA1 d86b60c2bd6ede309b7f13957d864ddf58060121
SHA256 c6bd66072ab405c4bc93377c65564bf23c2248f0f7032b26f68f6b0c866e117a
SHA512 43f344df3a02f04c1fabd1a9e718f151137e64861eb46112879292b02c92b9c53991a26c4514d10fe50b88f9220ab46c9f3479c175d3c18c6b7205d372180b36

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 9b73be694a74a115e2fe6e72dfffbdad
SHA1 29b63f948c95374462cafb06b4864846fc28db73
SHA256 f87e434160f9c23eeed2e388ec9cbba1a67bd576d75575f2a8151d61d94cc267
SHA512 df79ef912822d153714ce007b00ed17a984c98a5b6c303ad6db94ad706fb6a13cd354988cd6061fbf290951308688641a75419b591414ad6655bb681e2f25382

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 60a9e75b22b045faa77183391baf10db
SHA1 5ecd0f53d9da9b76352add2c92e7e35fc8f7fada
SHA256 ded9e4cf71268244aabc9d7175b488ba454df90691006bc7ea5c4793e4f5eae7
SHA512 81402968e5dbe931495564603ba5c5d8d873ff344998fbdd6250689f7c3d3ec0aa04087cdbdb02f3ce42f8aa2ce62c6d17b63c3de77ad4153b3b5ca232a42451

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 bbc547d0f7fb1c1449296e916ecd2930
SHA1 d3757f0fde0733f9c344dff8ca13f26040497c35
SHA256 edff2974f2c587d8ece17060cfa6517a76b73b74f78a6c816690fbd67e526fe9
SHA512 36c8b1577205f30160934b9c1984fd1de03950a4512d3f5144ba7873a2f1f82c2ceb8b3bdecb6a632d28e39e28970a1667255b8ba8b6f53c8ec0db985657ee8f

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 547ca875957fdc4f4d39657e7734417a
SHA1 7cf90da42fc8c58fc5cc51b679ea4053d0ed4602
SHA256 e0f95b767b331286d5e312cfc0ee3e6ae1860ef59d29e747f80e2e36934900d5
SHA512 9d061fe489683ea1a67a1d361d51c35181c58c56eada08a8f9e649a7a67183f692c503b628b1a5f78a92782b39600e8c00e986aa0e78f5f3320ef2b761f6d943

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 5d6685774c7c940899f1296f32a44350
SHA1 a57bf70ed1453f6c8e53bec6232c51a918880d2a
SHA256 44b9b2ad880b852b120c149b6d2c9b01477833e38ffa1f39b200d85ef01b5e8c
SHA512 f08dc0f148a6a43c41d591d48d33682236f061375fc70105c933d11d55e287a4a646a0bdbb1ba5092553a9a60695009f2206c561f7031523f7680b97173a6bd0

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 2bfccbe7b47cd371f79ad32a43354fa3
SHA1 22dc35f39e55c5d3c268a570a3dca4fce3de6784
SHA256 c575d80e16c966d71668b525c41515204736fb1b10419de46083171e9785de77
SHA512 d7973430373008600e45ddb0b364013cc91c50e729117258f72b1718f33260311ffae82f9e201fd7053a8c77099f0dc607f36b268a72ee1930a9c02fecbcc866

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 1eb806c210b7b9b72e4482e28391fd1d
SHA1 5767a91313e5015ddc36c2c9ba4acaa2d9bed81b
SHA256 92c26a2416f37e09bab3dfc07cf208da600f5bd1d4ecd626c4445408fd1c2f8a
SHA512 854a70e31232117c7f091d305f9137c4f2c1fd1e1b5b67a612b351f099ba965646ea6d9346a69b913c41f218d7546f3a04fdf928feb38fa5aebc2dd1ef978cde

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 f49b97c10ff4058081617fe6abe5e4ee
SHA1 3e9567e4e373f9de3ff4e13968ddc492c93b10a7
SHA256 20a78cbbbd0a0d2e8c7a8e22b65e9ef08ae72801740366f4de874305aacdd07d
SHA512 4eb938290fc763fabbf540adc8ddc072fb1dbc6496df833f9b746b39dde5c0e1ba13c9c02b901c67a1e9a6642cc555493000b1826602c291e7200a4d9b8e7398

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 6c25fd5344c5ad19fddc988e5aeefee7
SHA1 54dd0c583eb518e939b805d02a01605112536123
SHA256 eeddf49e40923474bcac71e47a072ab610a641eac270e75d1b7e420b454eca2d
SHA512 bac59089af85e88460a749c0ff3c09b8b87acc5f13d44ed709809507a745d1ceb9392626e2f85f3815e1f6993deae5bdc17f3cf932e6d3538bbe136d7fc4dc90

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 a17dbb861b8146228be317e140d8463c
SHA1 a3974d850f5b0b77bc123031475f8fb517dda40b
SHA256 cca27dd28d9bc76d90e9aa50d0338d28b7bc34f53fad1ffd373f81d33baf9c6e
SHA512 70a94ef1a0db500537d6ec4427ff049a0e9ce8bd862df18709c1a9237a9c8e75ce2612355a4d5e929ee24c5040afc03a47427b7c80f543792ed2ce1d794bf2e7

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 80327f59dd58b5458c708d688907ab17
SHA1 1a0719e291e65a1e18fb2ec1c804c808cb878b9d
SHA256 cb6c8292d53c2acd7dc6389615a73ccce48399e67d0fa5fe5e3717fef155ea35
SHA512 30752c307b537897f4f1e310a21545e265cbf2e8e7543706832baad4085108cb48c9d238805512917314f841aeba9eea45e1a10fb8b7810657dcac79c31fff86

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 1f95c0c1e328d043467bc03bbc978f21
SHA1 e6d931a5411d5b0f5cd0fdb9ef61ad0bb8a5cba4
SHA256 c17eb2ea1be497d3f319747414c222dbe65ff3a3e4e4bb56a12e6f3e3ac707db
SHA512 3a98763d4ba222e59a641598054f8f644a4895212d5d2be39a895ae3cbd60a0e15bf347bbe55928d8e7846171c4e89d14ee5a584216d16dc018414e6d98c425e

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 22749bb9012a37c05f0d4a740ec8a0cc
SHA1 aab0ee09298e61972a2d39b9eb3558d06f124511
SHA256 5e5aedb8f478e4f586ec55826e41f9b6b018af86e3fbc01d64c367d6911f90f0
SHA512 2de056fe6af754b3889225d7756f3ae2ca8fe5cb4689e0cf832d02c428048abf30f35009eb035efa702d1d18079ac0cb3bc4cf47f46c5e15629e2712ca9d44c7

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 6f828a59222cefe56c38bbd304d5acf2
SHA1 2b553f7f323cc65a6b912c3d54136d3f5f26e9d6
SHA256 2363aed69105a5258f99bb16621c28564838c1b5f3bef39df65ab63e74b0953a
SHA512 15473ca3810c548c6e0ddcfeec78115ae85bc871370161d9247a2d684fa68827fbee129dec8cc33c2f0758e1c7ede2f755e859d61b8b66965cb0aa10932b300e

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 091ddfdb651f487b0b0ae6e67955ff53
SHA1 b32e6d5f77bccc2cb66edf1d2d348a39488789de
SHA256 7b01d9407cdffabb10e4e0a802ff04da7d7e7ffc82e08aec6dae8da3da6889cf
SHA512 a9d921376aa066be5aa4a0d226b6e5aaf53896fa67d14a06b06e6c233702192cbe77e5841fce9460e148bf6479cfc76ed02d21bdf67f3d763d76a2038f2a1d6f

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 4e8485511ae6fd0472c0941e86d2599d
SHA1 68cfda0c660e3b5952df3c0748a6c826fcf3176e
SHA256 a5667666ffb1dd09451f03b0db2258c1a650deffd47fafd7e27c7de4abbc57c6
SHA512 aac80d9ae546573fa51a704d6f8f35f539354642c0a2e6771998c06e105e3ba8790e15c79f95a860afba5a1e23e59a381f55dea9ed59ff012b9b54bc99cd565b

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

MD5 5adb97904cf617d4e619685140053844
SHA1 873ce4c8aff4de000fb2f404aed7d835545701e2
SHA256 ece4223966fb0ccec12e538ff6c80cba13c4d70c95818626041e3be0a8bc5eb0
SHA512 f48f058ffbf76e08ab52b83df164c3e8d69af7feb0759d922482a6883b8d6723332396c5cf0a1088dfccbcbd6593d3f132565238e2fa96d4f62305ceee56e5d4

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

MD5 e27356cd571d00610b28d6c3bf3b5934
SHA1 f84ac047919d4f1dd9f0f22cabd34f4122ae213c
SHA256 57f2cb226b02c39a8196eca74089d884a9f61c24b275fe0d5ae0288e62b9ac2d
SHA512 773aab29a25eaf5cd7a6f197fd744c76fd78cc08790a3c2d736f509d26c0785b6c7247839ee16e07e7034f7c290750d6a38c71ac9bf8ec7e391207ac90db4e60

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

MD5 bbf48f093b2281d09bdafd27e2eb4f07
SHA1 d52c1f04c81a066e207be292206295e46a87ed9b
SHA256 bd12f78691094405ef842642baff4b245b6a68947baec10ca7cff532a3c9f795
SHA512 9e207b4e7f111106d7fd85119bdccc6af75258a4b14e4266ef98ce116faacef0576f0920025e24a560767a12c0d3cceb8eff0940a0a46f03b0749f9901e0a494

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

MD5 ff6df2cc7b1d1d4a20e560aae93551ed
SHA1 ebebd55a0f1b91d1561b0ecedd4742559aab3708
SHA256 d807aab6142ec2e067b02cc4d212f9955aac5164231655bb838afb7712d39a60
SHA512 4d742134ce1f175cde42248649644993f8f19ef702bd11797a67a370d0cfe5dd4e8f1ef59cf64f94a67f4f831b93465fe825ef744c66cc7a429a8c38d4c09311

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

MD5 2549355307e539765a32c7c6827e210f
SHA1 3162dd563ec4196dc4e9b5cde7b6fcb2a11a27ae
SHA256 5c9114c44fc06bf37a0a92929d18b27812712d99a4ac32eb9b3f1794ad50f312
SHA512 97a3b51ba5ad112e0d5c6e3561eb70950a34dfd20361e86d252215ee03dffbb7686d576e8407aae28ba2f8e646d2c77cca489404be0a8202008339a6c9aa5302

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

MD5 9a214e0c75280b673b0ec4f489129058
SHA1 459aa015e7375ad0263f9b3a8fc1aac438ef492f
SHA256 da1a789f16168849b756c20159b4802dc2e54fd920b9e39368356c5f1624d683
SHA512 5574167dbb8f124c9279dc7a15cb7768c71cd2d5eddb10461512f5c5a2fdae815187832f34774ae7772a6f76897c666ea4f033666b5e3e1115818c203b69e684

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

MD5 7e3a65aeed4ef98c12c193494baecbe6
SHA1 47c00057511bebb7786768ecb65989c8acc471e9
SHA256 d5add9c2bfc5c38b84e34e9ac126d60f3227230a360c0a9e6b3983bbacd832c8
SHA512 f097f8245bf2772f090d6f0b1057537be54202b6e9cd7c849dc5006bda9b639badcacc374ee4a94f5121478386b81cc4563c33aa9db8cbb07313cf838eb13750

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

MD5 bdfe11ab8e3745740091e4faa9c428f0
SHA1 779bc9dc8b9dcdbfdaa127ff9068a7409a2fd92a
SHA256 487b01214851b296e4790751528ba393721f101ffdcece863f089ed1984ce66a
SHA512 fbffb0bade8b443719ec4de5d5c8afde9ac8a0759f2b689cb440d6686db159b079d84e33eabb98021bc8185223bf2600b33c4c0c7b6e2226a9fb2bb520907d4c

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

MD5 f7dce39d11ba27dcc9e9f52ecef0aa95
SHA1 b969e3e2c582ad575fe78edab79d57152a3b3c41
SHA256 e487548fb499491325ac953d274e06e63cd85f7045c891e37cd8a320855f6a7b
SHA512 778b906ca776f0517d368aa55eb272ce0d3fa742bf2b1a584d9af0de7afd969cb6e7822b987cb4b0432648d8e75f352726743e7de2b222a61e4a14e223d31211

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

MD5 6a52928359f89c1b8e1e5a2ddd7f26a6
SHA1 db00178c3a74408280b5bf676ed49cab2ace25de
SHA256 15270a28fa5f1a7f74954f90b5472f48445c37a848bf7c6c60eaeb3e388e7fc4
SHA512 76e08b1de281d2d95ff58be1ee0049da7a519eb1dd1d68e01905f24baa874ba29e76862d2e45d19c8ec483ad87fe635a6c4f46df8a41bc31000bc2088b53ccc3

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

MD5 0cda1eb4df888c4b31d0f9e1716f1128
SHA1 d6fb55fdf8a1f4207b886049f52afa7c3da20d03
SHA256 02045b4ad2a0db5ef04a074fb50f776eb30271e848e5d000f513524bd18ef2e4
SHA512 063c03411bb256e97758e6bb3e56a6931a84caea78b4bb8be2a79f87ead2556ef55986c41768c0d9b7e6b3f8eba0f78b4ba97b63e8e36ee227b3152f9fa9344a

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

MD5 205916b7e1710637d2943ca096da062d
SHA1 6da9b413c8401a42fe4c0f8d0882469eb4c828d5
SHA256 cd3fd3a3d0f2efab3efe612fc5c1fd8e9263aff1befcb97f9cfd3bfb8cefde81
SHA512 de1c685c661700be762bb7ea2dd169a121814a657bb4c1c68ebd611a23766b7c497215abfee3a24ef90772c7e2d26f552a5328ed6fb46d09905adff6cbce0d9b

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

MD5 433d6c2a77056bbfc4bf8d88b04eee3b
SHA1 83597ceff49b94f49b8f50d85edc85788c59c80f
SHA256 26840988684dda82d8da3b9ea26c870f6a579eaa0c618c1f65482d06cb0f63ea
SHA512 dac9a96d94703e1df894368e91dc94fc9ca71cd233f79c600884e63acb0646c0a7639c65464b7a746bea4851de8ada7f552a33b9ef5926a2bd7dc4813430a1cc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 cf7d2d2a0d101bbb4cd88075d121b3af
SHA1 adc21da1907b8ed489044995250866b56c95f0a7
SHA256 53df3d9e3aeb03fd53ec311c6af1ffde0eef0b975f17816cb6486f91f821bdce
SHA512 adc3c5d3ab70d3eb2f96e5b6668e61b91c07af2ecef1f1c579046108505f52ca6b017113d499f341bc93edc30a71afba0e275772384ef6cbe52aee3561bc5bd7

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 53699233827fd554b86c48fc737e6afc
SHA1 a3177c3ba8b81fd5f7ff451a515d3b5300296b81
SHA256 f2bffb5acdf32f6b7ca74764bbcf2e243bf4bca187a9d639100fd0d580a8505c
SHA512 d41243450e8665a84e996d5f6060ca6e6e5e32a7f845ddc4d8c5c7bd2558b63a7b226301662b379ffa787812c25b78bdf7907618d7f95cbcbbf0edde7dec0112

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win7-20240903-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (9074) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\SATIN.ELM.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msadox28.tlb C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\THMBNAIL.PNG.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.ELM C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21448_.GIF.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis.css C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files (x86)\Windows Mail\es-ES\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107316.WMF.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\BackupRestore.ram C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\management.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTINTERNET.NET.XML C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT98.POC C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14654_.GIF.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30B.GIF.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\COMPUTER.ICO C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Windows Media Player\WMPMediaSharing.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\j2pcsc.dll.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Init.xsn.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36F.GIF C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\TexturedBlue.css C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\BUTTON.GIF C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe C:\Windows\System32\cmd.exe
PID 2980 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe C:\Windows\System32\cmd.exe
PID 2980 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe C:\Windows\System32\cmd.exe
PID 2980 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe C:\Windows\System32\cmd.exe
PID 2140 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2140 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2140 wrote to memory of 2348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2980 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe C:\Windows\System32\cmd.exe
PID 2980 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe C:\Windows\System32\cmd.exe
PID 2980 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe C:\Windows\System32\cmd.exe
PID 2980 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe C:\Windows\System32\cmd.exe
PID 2572 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2572 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2572 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe

"C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

C:\ProgramData\biobio ransmoware.txt

MD5 35e12534b477dbbc950008d0b9e48b2f
SHA1 8c8915df37f9345ccdf65df19401955a666adabd
SHA256 e296f4114f97cd3dfbbe03ea3ffbeb2d53578a417c9e9d02c6f6ac850b96c85c
SHA512 4842b68f65b5399cff2235d00e84976bd95a56fb739d3dadee451a1fc8469fb2941ba3f899c59a2dcaff4766585bdab19e9344d44adbb85c5c7302dc865b6fab

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win10v2004-20241007-en

Max time kernel

56s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Neshta family

neshta

Renames multiple (10830) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Windows\svchost.com N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\vccorlib110.dll.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\msdaremr.dll.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\EssentialResume.dotx C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-60.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_empty_state.svg.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Collections.Specialized.dll C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-200.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\ui-strings.js.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\mfc140enu.dll C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\wintlim.dll C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Nose.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\ui-strings.js.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VGX\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7734_36x36x32.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnssui.dll.mui.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.EMAIL=[[email protected]]ID=[F5657AC3DC58DC8C].biobio C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svchost.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe

"C:\Users\Admin\AppData\Local\Temp\F5657AC3DC58DC8C.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\F5657AC3DC58DC8C.exe

MD5 4280ea83cdb85a8b0b347caff5b942f8
SHA1 057a37245944517cd8646780e26f2c5feb268145
SHA256 f8398f4297b8ccfefe5565e65fff65d6d969b35cd2ac4e693b1959896beca3dd
SHA512 b34b870ab411bc09449fd41f58e6b4666ef5927fe93a635b1269972a556e0b84c4a0205ea2512927960f4cd95804d31404d39a9bd1768eef6130b68b01847f8a

C:\Windows\svchost.com

MD5 36fd5e09c417c767a952b4609d73a54b
SHA1 299399c5a2403080a5bf67fb46faec210025b36d
SHA256 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

C:\Windows\directx.sys

MD5 e636a121fd722eb592a523bbe66f6cb0
SHA1 2fa150c33de1c4ae310f48cd120f8be5dfbfc596
SHA256 b976f9b5432964c150e6132078453c221610b72eadeeda5b1b449dac60d34830
SHA512 e72835defe700af546d7aa088248d90519f06f04acd1adc32db2ac5f641161499a48b3f636a6f5c2b764cd3e45dfbb303be67cc9d88b591ce793a69352f9419c

C:\ProgramData\biobio ransmoware.txt

MD5 3e08144c681309544d6795b31a9a968c
SHA1 926d41074691d13ca0d0c9df3061a7b2b0fc5761
SHA256 e68ce3e30f06d6648ac37d753f90e6aa1e150934d63171bbc6fa6ae14d944fe7
SHA512 f42e1ce8226a2e7457098f5991cea712806eb5a543eb126981e44be0311904ed483de7c9938fef8a46716e2f207551eaf62cecef9a99e2e84e0a6c0355969353

C:\Users\Admin\AppData\Local\Temp\3472CB~1.EXE

MD5 10b721c665a6bb03d214443d00f0c170
SHA1 4f6504be8f09e49adc1cb56caa505c30b304e016
SHA256 b79b672fa52d036dc71bbcee277d9409f144df74746f2bf86a587fc6a45fdbe7
SHA512 b12d1d2737c0bf354307cdb0d583ec4e0074201fdbf9016b67321de5d2562315e30cbef6c2d5581a8dbd0f7323a3885606beb7c44a136ab20d4f6165851bbbea

C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui

MD5 c2fbe629198994acecf91c01acfb8320
SHA1 0b5691e67266d6832cbd203b355b7740258b4760
SHA256 2ac35d8bbf5a2c16d5ce8d46df3ab63e79a809cd4a6e79cfb8df5095811ca8e7
SHA512 a2ae25160a6750524967253b2ac43c319e5f6614b47ff5f5b90f17cb28d15b4b6a4e91aebfe162293f81f39b31e8e89d63b5bf259fde18b83b6f500561bfcbd3

C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui

MD5 fbff3ec1b9c5d4c766736406d3b674e9
SHA1 6577578586d1560de9a3d0771677db4d15b0977e
SHA256 856acde15927b1c222b6bb44ec109175fa7ca1497fca4f51963eb72fbf0de28f
SHA512 903ebb86b02cef0d04eaa143aeaa24d040f9c62ac47b28e48f3992f4eaef3bda5c3e04c57706277be0c4e28ab9b6aa744be179c47297aa50c6367269908aa95c

C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui

MD5 037771444fd29d554f653b1745cf6d33
SHA1 a398d539c67095d3c58536fee48565400d282341
SHA256 23babe6c3df53e7693fb39edd885036f8ac42fae1c4dd5fce896f4b1bae1c659
SHA512 891b8dd909b3695c9c63b559faaa4a7cb57fe54bffdc8de5bef44357000716fbd603614be78d5c604cfd689203e76d7cdff021466a94e1681a69b1befe83b937

C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui

MD5 7a2fdee4b5a17b112a0a2d1030224045
SHA1 8acc48500e7f16693ddf8d5d0a690dbe94683f1e
SHA256 c1d343291f274ca661b5771a84969efcbe78116a6185e2e0ae5d5e63d9f3cfc0
SHA512 c347ed22411af645992cee027143fe7dd4500a24c283afdc28bf5171112ad03c087b2e2bd74cf48b1a8cef7f32d0dde1b908d6bd2ddf11735b877fb683583c47

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 f362fce69c1b24c5be622de9246adbbc
SHA1 483567537689efdb78bb34d782f1ba0e024f9b65
SHA256 a8692f67f20b1644b0af2299bec033216666cb4ddfefbe8ba8a08b55c95ffa35
SHA512 0451401fdb300cc2681193b1ecde00e52978a0f69572ac6d1f3647a5dedcbb5cafbb8e41c5a4acb60730ee86a2ee2556ebe06b8c23ad0287e595a01834e06b06

C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui

MD5 9585945f027129ba80fc2d14c1f6e6a3
SHA1 7527cc594be397b2f9beeb360a66afa23b04d7a5
SHA256 1d9aaf311d54fbaa7d3ecbe457494762d850b96d1d996b02c9038528ea2fdaf3
SHA512 d2fe8b4388834d5da3684a9003da0c088e6963a3163efa7d5f071cbf47536e59839683f77920b29f8ee4509a716336cca9eb55b37e4397694fc673de8d8dbf63

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

MD5 ead8c01f158b9246f44ee4cd1045c346
SHA1 da199e2de0b2110c6e87459d04225ac71c1df5f7
SHA256 94f66c7e88d29a5fd3f637dc85eb03095630994696245b69bb0894acf90eabdc
SHA512 703540fa3433254f6c9a3b91e21bb7d10507fb51c6cb3f8c4f6e73704ba0523e7179e50dcee88f4020c9b013f590eb6228cb2cbc147a67ed123d52daa3adb9fc

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 4acf863abbff975ac2cf41c7eb06cffb
SHA1 248e638ffdc3967357bd970b0bbee48e6439dc7f
SHA256 9d3671743842e1934a7a4dcd2760b6d1a4f0994eb15ea28b0bf24a984b91a2d1
SHA512 9749a1adb522ee209e9eaf5fd47e4fc7d098e69c29af32bca9f75c7110b6383a75a5788f3c044c4bfbd92057b4925cf0f9fbd6988adbc2c982dc3ea6eec0f9c1

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 d1d19be84fba210d6462eb021aa87504
SHA1 447b874828a08ec90f25d3a5a1b6ba9279c29115
SHA256 452a5beb6266203c29716bc5aa1a0fd8a4d48380420dcf622da9dd530b8395bd
SHA512 963932ffc4ddd120b69df746b4e56bf4301e9a647ac9ccaaa6d1502de0b7f6fbf4842f3ce8d9571cebdc8d43c44934e1871dae6a94758bea63abc50ff7744a87

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 2d6a2c98f48e1c0bc6cfc4b512775c8a
SHA1 62c3ce80daabc88dc2cdaebc054b5c6612c250e1
SHA256 78d041f86930aa7093ff8bbed93578c106bf5e45766cc1c2fbf21fa05f190516
SHA512 abf33fb939e566e8bd9be640d19567731f0bc48e2818fde62453dc3f02617f32d5d2a541270c50e23d9778ff755e62649ac7a2608f7bd02e0943b6984b61a179

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 822eac62c6635d094a68745cafe41469
SHA1 994f2b4efb6ab1abd72b54290f122a400d671980
SHA256 590d41f84c521ceee2d1cfd3d46ab4781c31006db9e8c1cb1dd360103aa7812f
SHA512 2bd1533f918eaaa20868a1e1b28b9c0708be0ec46d5a104f35d371fbefee8b8b71d199f44f75af4082dc879dc636bdfd515ce8008db1587dc3ca4fa2dc4fa56d

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 7cab47ae99967bc1cee0c24c8fdac778
SHA1 6b9f7d5fcf4bced91e3b1cbeb7209f2a402e3647
SHA256 b7801f80308bcae37d5ff10944c57acb73050f677264f0170922317da32782a0
SHA512 60bc77503dc202f7202ddf51d3fbc98079281b37fa1cc0449939418b0082a446eca63a21ac89769e72673e394eabbe62f005c4149f483304fec8405d646efd98

C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 da3337bd7c8595528591ad73f56ab195
SHA1 00dab8b93e50a3fee1c5241dd985a2b382e4e8e9
SHA256 f8983808254f91a22cb9739abc88f82f9f2bfd0852b5eb68757da5aea5534868
SHA512 54b821b79d25d891f2f5bfabda2e09c9b7794188b2d7dba5d0118916e043943eec9d2ed2aadafda178e582eee44672f981c69fec177d04229d2ffd1ae017f496

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 fa5762949fd5ac5a2d38bcce4deeaec4
SHA1 629be01eb2d3ba36d051bf3b2c44a99d79ddf726
SHA256 5447cd858e699a89075e77a15e7fb7783399b25af34b02609c213ee1e45d6f96
SHA512 ddeee48cbd95c1cd5f2e7a29a3d24a3143fa658d5b3f9d05c5a4c189e75c430e41c1e4a1b1e54063bfc515b0b86ce48271e9cd9fb9fa3a851794d75982910f29

C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 f8de8cf2a1852e18f6ccbafe33389b4d
SHA1 c35e0fdb8ef6f580e253f36224ef270aa1fee177
SHA256 a3974c3e0d23d40097fce60c93852af3bca65c502dc26a0fe18f6a5563c8e07d
SHA512 f90e1420144110d41fa979e26176e3e6c31c9b3d24eae1c929566809b5ff008c7583ce647527bf94528e20b4faea10d6c222850d29b4db58f857018be7e514c7

C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 98588e7240e751ad21a2d9ac0d57cd86
SHA1 efb8e1a575aad1835ab21a5d6bde68172f7951e2
SHA256 342dbc9746d7c3bbc36fb5d4db0336488cb1978f6e3a7b74308b06b0416f126a
SHA512 68a6772d26b39683e46e48960eee9bb256b8dcdefe730ee30b9957fdc938c3c991e218edd29b7963dc1316ae7c6188fa3930c2385510cc4eaba4e00eb13939b0

C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 7fb0b2b46a2b467c87283b1bf5316b59
SHA1 13294371490ad6d8ec27a5e6384f6d940700cea1
SHA256 a384d8e6b6b16a73079a1297885e4d91898ae4f0abe4597b5be12596ddbaaefe
SHA512 883d2cbc0c69e3574c8c807510e3d003fe44f9d4279d1c68d5c9cf8cf8d80af18b91ff1544bd32e2bc6c128534b8155290fd245c4152c388c2426984449bf60b

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 f073ffc726b689acc9c71f12a8a64872
SHA1 f0add69eda60e709f99bfd2be355402751633f7a
SHA256 3266366a929cda64c3bacbe7e346ea01278d1d5978a0dfaf6eae4dc2eeb03463
SHA512 310d050ba676fdae07b9e0ca7485b7c34a6d5bddfe5d6e40e6587fd5b691fdff4b904a97faa5f7c7e23f0d28666c0003c376fd4cb5c8b011639c90b28148d068

C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 6b9254122207a82bfb5e643febca6744
SHA1 811a0dee6f9c544016e794f6ac50102f1faf99b8
SHA256 9c7fc97e73d9fd2deba628faafef154833451457f7752c81f809d9bf3622d86d
SHA512 2fdfcd99fd118c02654dba6bcc6acb64d50e01c4092e4575dbed6fbb7743b80a0512446ba3101eac422bdf9a9b8c5e3a354af50f3c6018a967830ebdc5d2e879

C:\Program Files (x86)\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 f00d2ff0e48d023d56ef527a250bfe54
SHA1 b60203c22d81601d88d9d44e54e75cd531367b30
SHA256 045b0a96052799a45ee68df02103b1a78d520a4d62a18563a766d7e52663b620
SHA512 8e83179b5ff42da6268ec5aae627c62e46d15dabc88ff724756f7594902dd77a1c6a78f796bf824d7cba87e727fecf41acdce7f2ff020e29b1ed340db678979c

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 89b42574dad15ede8c41e0b8e24a4306
SHA1 f38dbf634db342f85440ef7e5e184ebb194c1f6d
SHA256 a9ad686a4c7e44d3ed1da30085c16f3aa60fe1babdd751be9aafd1d12f3349d5
SHA512 a7ca88b322e20bf99d34d406ffb364f2c1746e0cfb77f471aa5877ef97e8545851fa915a74ead1c4e48c2fe701ad9087c1fbd81e62f45916a75c29359c78ef92

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 6cebcefc436a0413be02a996136a111c
SHA1 5d4f0304b4188d1f4b5cd6a7bd1942aa6b25697e
SHA256 e9e707b780bc2d159ea2e8620bebd185387424748cc69e2af6c606726350eb74
SHA512 974920988b3e3a7d1fdaeb5c6625f0fa92a887f95afaa20328d418c3277f27a45b6eeb6a51959e341f0826ee14dd934aa2b116757205813e271c62381d09b5d9

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 d0c67cfadbcee4a68961c6c152e077fc
SHA1 ebddbeea26541172ff3b0e4f3f469311cd807035
SHA256 ddf3a10b91aa103f20044b405db92062d07fa0b41294a353aa65c398f5fdf00d
SHA512 998f45d56c720000308c6c7a1ccc5ae30687e413b573a1648b258924dcefd1b4a919cfa577c55fa411c940122b3a55cc610fb295851884fecd81d29c550317c7

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 ff5bf608d3230da04cb7b95c5edd23b0
SHA1 e03b74b987ae6d7d56d0d6f6f6f611881dd9c309
SHA256 1e6de684614d914a8bb0d8de04c9e604f2875d936f4b85606642545253aa17a3
SHA512 162e3396a9c6b1f964a7eb073e5bcb7a20fd826baf564c428534c148e5d9598e6829a8535862db2d04d16c4abd4e9b1a18e1c60a6dcb630b7d5a9f708054cf68

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 e599a2c30b0edb0ff187c7a5f29a350f
SHA1 efa99269b4847b9e2af4c624ec2f8957ef0b3a25
SHA256 bc0614ccfd2570b312588dd017e2d90aec046c0a3acbac6e1e21443833c19621
SHA512 e5dccce4803eb8b51f181b16e91ab0c3c213efea6f99f753cd08eebfd5990a0173c731856f3797e71b44086cc80f0f403effbaa04e8d754b0749c64503becbe4

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 285f5857e3f34d05468954c490b1c5b0
SHA1 d388a67ffee846f937ac6382fa0771575d07ee2b
SHA256 f0db503cf591576418934157e836577e3095b8f152ebdc88ff8223e3c04512aa
SHA512 57322533129b776a1736bd23973aed6a349ce5b2fa95232a24a7e88b91efbb3befbfc5b1a032045f848ca007daf540641347a3f7d1d71925b56cc64e46ff1051

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 ea12d1698ff9a6bca0208622f7b68c5f
SHA1 99ebd592c09482c3a374cb559b67dbdf138fbeb1
SHA256 c5cfd389b35df9417c12a5ce98ceed871d29215ab4872b2c272445847982836b
SHA512 50de894bb9e7acdf33593f7c8dcc6c0bc483732c5bd451e424161faabd9607cb47838379b6e3075b1d0134661b387e76ece0b352003047137a91acd25138fb52

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 ca5436929fd2123ba5b72ebcdeac4cdd
SHA1 4b36d885edab8cd2fa332abcef720bd52f76330b
SHA256 10612de2eee2640ecf9b3db2258cbc66f13f9f72f08ee6f99301d0dec7633d43
SHA512 892af8e5602c045c23999c1235045e37d2af5cdfe51e8b1643a9f416085681f340c7968a7336406ea4ce523a9f012b7116f54d838403e07433d305b34cd07f14

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 7d7e1e1195a32ad84a0e6fcbda093fc2
SHA1 ea4d1fe3db7b00d2e62d74af20b15fbdbddc5be0
SHA256 e092f5c9f1d92aa8dbc9d9b8f986797291be0c02dfed69d58b5ec42ed828fbe3
SHA512 a6c3254dcabfef8036682a19f3ec3800cb859a1ca12aa8c4c3c8befeac0bcdd35328eef192ea90f92eadc1c8de2274a4f1c21b10cce0e007d4c2425d082ae07a

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 ed8fb4627d14fe73515e08021711b98a
SHA1 6f4c535a02a0df05dd12842a92309548f7117fe7
SHA256 dd8a95d6c0a4e8077be96cda0e3cf61cf0942360f3587a97e24adffeb747149a
SHA512 cb8bee5386aafe1a9a93f84dd22a926db42603fa36e7dcc9421c83e7eaff7e2fdf7d80bbf0ffe6657d9f162f9aec0ccbfbf36788ad2f2d5274c973b12323a7a9

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 2606c0db8214fae4903f8b166d9664b9
SHA1 169e2adfb646c8e1a20a7c64e84254ee0a353c2e
SHA256 71c86e073f530eac1dca3bb0bbe81fcf37468cd80937926ae25f757d902ffdd4
SHA512 84d46de136f3ffe2734ebf9f2bbc1b30433b189e628b807f571399494a1d22feb083506a4794696c8fb5b33863c875e805e8972b880bea888bb52ce3409227e7

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 4f22fa88f65f59a5365562b63c1f48c4
SHA1 d3131a7eb7dc20c66a45221669c6110862ed0d9f
SHA256 2b40e1b9279f75ef57d9e72e6e4e6e10cb1394883ebdaba058cefcd90c97d3bd
SHA512 bade655eef843360a7b4a9e5809cbfc9dee04ee9f7ae6052f8e10e81d9451577789921efb2df86581de866e49e302d55ecdb11b0d78bbe1891422b42afb4ba0e

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 29b5eedd45cbae1263b65e23724f559f
SHA1 a551d03c5593f1b31784bb85a91e3c1f9672e0eb
SHA256 53e107c05ce56443d5bcccaf31a147d9ba1f886b569d11e67457ccec51367bfe
SHA512 eeeb9bb553e88d36fdb57d82068105ffebcdabd5d81dbe47b86711c7d3262dff407ab836531df7ec17366ba4eae4fdd14c13220be0b998c06a948f43db7aa0b9

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 28e2e46ae21243a84bd4419ade0ae46a
SHA1 544129059210d67fd7430d839c48e9c2474c66f5
SHA256 980b924cbe5e9cd9e934626c342344be58f0a4abf05a7f215d40a366722219b3
SHA512 35ec45a04d7ff41de55628b1951084b58e91db71603eeed8241d1b24ba12bba391007972fe192de589f4430cb30bcf15fc8b8197300201c60a0283076ad05331

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 24307d69b9a19362b5b5fda2a060d43b
SHA1 2e79448d878a53fca86613f494be68bef9f6c12d
SHA256 f7b102818aa0f788a23d3fef84f00fa38e4d77924f5a52eb94ac4e95c32aab49
SHA512 53ef5a68cd4fcb545fec52b61fbf8ed3b3763d95f9fe774a7fd26295616ed7fc45887a255cbb02d975b5663b12ec317dbdfa8797b42d12da81a788344dbc3097

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 3dac012ff2682a1df44c18ed4fadc6bd
SHA1 a278bc75d3386014a3decb46e11cab293f3b9cfa
SHA256 6adc875d57275a9801bcf39ff6f8be2b32c3a5cdd27809bbdb176b74c1fcf6ec
SHA512 f7bed548149aa8109f99d4c15c709a284436e177f9746abaca9e3b9510c32f784ed54c105351f9b88e67c5edaf39aee450702c923cf365bcd3427a5a4c59c2f4

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 c53ecddac811cc443568ebbff0352633
SHA1 d5bd0b508778189bc4a7308e53c93e12e828c600
SHA256 1b0044c3e406649356cb3126bc7e9f73c7ab3378133eef1b81d71c9df8e3a97b
SHA512 c75de4abe4c189557dc6148bf6bca973b014395082cc21160cc290b3c3d4d8f89fd00599a68ec1451f2d0119ed8c80c2af5df6955162f4932d76b7a42cd64d49

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 d589d24e5bc1e9d298d471a4542ed016
SHA1 4319026c40606b9d284ef91bc8f617ca5e2e10be
SHA256 7968d0962778742cf622dfdbb23ca02abd29d42305308004b1d00f7e2b4c2903
SHA512 c4ff9322e77ea77555987ac25aae95955543303c80ae5bbb53558f00a43d71e376134e8aacbf0ca0b4082687888ab10b0f4009a50a7af03e120b8206b6024702

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 42c8f0e7ba8c46e46268d63caa590212
SHA1 caa9889d860474dc5b8bd4ab7d31d6942f4f88ff
SHA256 2391e51ed04f73e4be2779f13c90aac2dcf57777adaf2935070b585383b6e584
SHA512 002c49456ac70edf4beaa589dd9696432aefe15fa2e0a82d9b48bbdea92fabd0c82bc350e32936e5545fa3523c47769a61e95eebadd250787ead9e9325f635b5

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 d988b75450f496623374fb7047d03056
SHA1 d1c6cdd79f87596a5c4ff9f7fd5d422815e75e22
SHA256 0be8600d22d9ae1142f7a456c93074db65d24b36c32c0c9261c6cb75b80b5146
SHA512 2bdc139b6fe89c31681584193fbc3ffc6a2d8ed94bfdf8462f2d2e2ff3081e7f292df78814ee7cef447340346863f0b417f415fd4c8f6df0600e8b18948fd8e5

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 d621d4ccedbe7350d7db7aaab78ff870
SHA1 9fe424c0aeed86e1bd7b85d55fd87bb260447091
SHA256 69620fe6c21a376f1699bc0dc69be3f51aa0b74825934742cc5669845e113d8a
SHA512 a843cf963f1a7adfdba6f0cd35719117f1af3422caa88349a27b659866bc5179aa636f1b879a45a65b270e4287106f2fb0dec2b402f5d37fadb359d06b6ce196

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 5f6302a479ab70c92d695f66ee57e9f5
SHA1 97e2401ba5f22747643998cebc2d9a2cee6f5ddd
SHA256 5546b76404af87a3837293a7d56512360bbcc10e72c13b08889c69c5e303c1cb
SHA512 a08023ee13296bdcc8b00f8b0c43243c4ccebcab46a4a91eb778f150e8fbe6b95885bd9063ebcb3c3faa27ef6f0cd4f3ee391f676a24e62d4f9de42a355f6f52

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 431c6ea67ab9be5850bd1eb3fef9a451
SHA1 60683321a10484ba09aab3b81a62ff7827133af5
SHA256 44fb2188b6bba039494e672873ae38517f0d0b9002ea8fdfbfa8f62940e7698c
SHA512 32521f990ad7d112709d9b7fea6356957577d99b9a2dd5404514de2520aa808f22455bc72bded59ac99327d740aa79367f785b7772fc7c752168b9921109b870

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 883c2ffeb75d24ca6a9c79cba3929e44
SHA1 465f332a125eff5cb7b85fbb39f5751e9ddbad79
SHA256 b063fd7438b937b976a94f10858fec29ee73fb26c74ee6bc188b3bcce9f5ceca
SHA512 0a81d565e88434e307be5ed2fcf7db05f4115d90853d9d957a0d3b6b01a77619fd99429b4cedd3eb2290f097fec35c4497d689e6d6b05bdd4aee6fe95b07e376

C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 99fe4a23b22f8784e1118ed8f5fd676d
SHA1 00616590cb790e8494a6634806fff7767e0d545e
SHA256 e6c6355c97cb973e7346cc1e22bbe41e1c510e4fa16053ffacf5b08bdd43fe6a
SHA512 e5510f38ccc4b3cdf3eacd51a3693fa5f71eb7d0e5c269dac9e640993ef65e77f94a9e8013d7f022a905020bdc1a9ad25371dccdfb4507713fbf475344f7415c

C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 d7f53f2cc1cc3b08fc2784899569eec8
SHA1 f2c62f59d8fc119ab4cd9244adf78e8fdc28eeda
SHA256 a45fe05e1b58756a5f775d584c227ad59d50f77ece1c45e69a1860984903c97d
SHA512 db24f383bc88801340f22fd976446baf4f86982be8c132192f29adabfa712409a3e4411729f84d2361c23fc2e844e577cb4dd98f5c00d5bf30b544eb83079375

C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 1f8daa55cb8858783d89d33a4c1c271c
SHA1 bb402f09ec1f692f2b224d20e1ff5274b808acb8
SHA256 624381625400739f4f626eda4801525f3bbe497f7d59badc138dc71a04b6ce6f
SHA512 d8050d18498ccc150774cf20a2878152ca1f1493bfb5c0c61aac70aba94c19f03887c041f7f0b398e8eb33b11816103c398f7129a12b727c9e227d631001f041

C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui

MD5 98f3e47583731466e1b5260028ed4c98
SHA1 c8d37d3fbc9ec0f264c90103756409ae1189c785
SHA256 18beb8ac2356031d958eb0e94e575226d4c3ca97112b3b4e656ac666d2dd442e
SHA512 c9e829bdb07e915f78e07e111a427788239571389e700100358b52cfbf9e43d4016e13541028fe807ab2c3f0847214c5928655858d81eaabbbb95cdbe28901cf

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 8bf8a36b95121e9b3cc036b2af3bad64
SHA1 8f92e88fd7007bfee9f2ff105d81306740a0a6de
SHA256 7bad704d05376f3ce3e32ba31a08c0295d54d95c70fb7630869bf5f2b55098df
SHA512 fd006f4782a8d75b1849fd116ffab16ce2401f07ae8d46d2f7d2dd94002beaba3fe127ca1cd1fc5ef3a3f0f6d40d4ae0e32c4aa38a58a6c41c7cb9a3bba0afde

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 9f2d18d8d8497a9e2f0921e0f8fdad63
SHA1 d2ffe640da65a81bce02becbed08b2b96202436e
SHA256 c78d8597a6d74a0fa1027c005f28e00af173ef77898c341a1886710a122cb6b2
SHA512 1c0019978543c9dde41f464b046878599a41cf569e06dda50595abb157edc00b49b29e6a884c5241610e601f33c7d1770c440f29f84e76829da01ba424a85796

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 fe9b55721c6095766cfba681d2efc75b
SHA1 cebf987817f2468083f06aea83f83cf9a7601c6a
SHA256 4480a6f728b938c84a733ef19471e52cc0a4ca4b8513d27078053efda654289e
SHA512 fe1c7bedf1b52318616b1f114a943769aa4b5dba3e2a5ef28b795ba1fa36c7616baabca7b94adecb9518315bea1e144471cb2c0690d090bd75f47a471a20a717

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

MD5 73f1841a8776396c30413117ab45d948
SHA1 79b3260f826f0f80abe3146d183bbdbf3e7c6766
SHA256 9989f7cfb7d7f7b2babde0be6e20ca52af58080aa6e7af1ae743dfc660f57b20
SHA512 e096e05bf73728d630a81ca051606d30bbf252029a5c3b111532a1cbcd4109d9a27bd99e5b2750099f8c9c680ae4999f96e2080f0408e0af2dadfb5b820c1008

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

MD5 b714f2f55953fb932a6fb02596e77215
SHA1 152b7d2e0bbc8df884749c432b23c9c9a116708a
SHA256 9546ef50ff37eb1000ce1093059ce6a6417f331a8dc8475f712cbe06614d3902
SHA512 aa3e9bc688153856e19860cb785c9f0f97ede992bf37a13a9fc30703b54e5b6fc2a690c64fa56b86ed2fada50b4805e13bfc5d8b9094dd94b883ad5cc0802abe

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

MD5 82ac513ff6478bd175267c6d2e1be141
SHA1 b1d9530e255b9cf95ffa5adc47f9805782066814
SHA256 cfe95be8b7402aba098ea836f163b0120ebf6bc1da2e6803a3b91e51da9c6612
SHA512 99fced42a4576345a528a3c82e643eb5ef5883a23890f34033461ac1de09fce166b6df8f660581c97b785930aefc774e3a4019689679afa2a9c04b242e13d3e7

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 13abc484d8ca22bce93f6ae100465aca
SHA1 5debb699c9e4572062fe2ce91b7ee18ba2641bc8
SHA256 98a087e0f88c13554097637695ae2cc3682a8bc26335a441eece15b5d561b4dc
SHA512 c00b0bdb9e48d359367ed8905964ac770cab12d862d8a531feee00ab3dc31c2b5d274f93f739175fd7be0a8c12b65367cc521155b384bf205b502323013b66b8

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 1f8c88046ae2174d13bd6ece408fa79a
SHA1 f8aaa7f724e7b344c247c1a3ab119a9554fbad90
SHA256 888e6a18cfacd2edecb08e3485fb1e10d47ed6f51c45d8475c8047058a132c87
SHA512 58711bb0fb61fa9b5920146427c072f000a48737890eeb3f1d1b99f30867009ad497c4805cdf10c4c1c6b4e2731d5c7e31bc956ab4b2c4a2e41b028281a5c08f

C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 219d4408f3275470880a38bb6f1d5247
SHA1 3a0ec158ffd630842b21da474594cf272e072a61
SHA256 5c97b415c9eba96f91c8617ad5f04e51984fb7145b18534cbb30ebc2b1dd5a8c
SHA512 505c2b1690d969c0011e8978cc88f86198480e26b885c06603c542c9863c408bf8aed90c3050cf7dc425f1535bce21d71488ac413b88a95946b5c1938ab440ea

C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 349e86c187033364000d6afc5d139690
SHA1 7c668937f4906afc687a5eb6cc382036fbad50c7
SHA256 32e82f74a2deab3b3144af76c2596befdcf16716074f163aebd6d120c3506077
SHA512 332ad3f8ebc96c5f1b39a913f9df990d6f1b92b13d17872a2be440cc9a68a39450b8b8937010157c656faeaa3531be308fcdcae46fc64dff3dadb0b066b8a30b

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 ca7b2282760a1db29636f00a4522e72c
SHA1 a1129fa97338e3e653fe81cd48a4594eedc941e4
SHA256 1d006ec130d4c29705202c600e57a981c7b385fabbead94620696572c812d08e
SHA512 909ad765be6dce3e5e3f6a8c4e75f612e9558716ecfe6735a12a1015fb975ed276fa618a1515c8d86e7f809f1c93cd04041f223dc960bdbcb7b89b46a8d420cf

C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui

MD5 e0142970b0d891edc2cc23fa109dbdb0
SHA1 2c56b12be30c2ebf300834e086b180320b24817b
SHA256 6d4029843c0e2ed39a55d33f76aebc496af1155c6b0262ef679889a3863cf28c
SHA512 bd6fe212acb3144b55b44181e78b01fbfc4aa5fa6b3354caf66fcb22f6822156eaa9ce4fbdf134da0ebd32f71d7269026c2789b9656b0af45a7017d2ace0efbb

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 0a7266a911fc4dbb5158ddf4a9d88050
SHA1 4236a0156b8e42de8d7f41c7da633d40afd1bd74
SHA256 2bf5f02aea1d76e7a931652181e64f7f3360b56c7790c111b5818aa09b4fc00f
SHA512 bbe052a39290ff96a5a16d6498b4a0b4115ae66979d3e1f6745cdbb1b41c1544430ce8b9b4a5995b9de8274822197ee821b75a4cf8a477832d776234dd3650be

C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 99dfb8be0d5777f5b2ac1862b01904fa
SHA1 8176047359a0f3489b6fcb982ed41f1ed32ffd25
SHA256 d392210d62b36a5938f80330cf80e2112d150c60606a7cc6ffaa35062847e089
SHA512 532f844339d7e4d02688f9daa623b7df9d78d34db99189919a402d75a7c1a15fc8d9aede497dfc5dd936ee16bcc6ed51ca2062f8098aa7dea84b67ef1c71db9a

C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 d9503d3248bf43230c617afa20c43788
SHA1 72ca4e5ad7e836cb5d1a432f52530c87ed6d94e8
SHA256 1c8967624bb201ef8cae17aa1d11943c240e3a0b471f054a2d93df00fb7dba7e
SHA512 8f1f444b0677e742ebcd32f111c08a0fd615d725009a28aff0477e38655a6cbee1a15d08851e7cf86ddce1c413a32d0e938f7e348053ad23b7ed12a72b83ada4

C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui

MD5 4c4a966d32226078720eae0db424cbc8
SHA1 d7ca0d88e1ef76bb50bd74b27d7dcb8df0d6b119
SHA256 2735081965f34ebb494d0ff130f16b839affbc0486f9d19d6afa255433245442
SHA512 d37ce1d68087100a5157a7d6eff4cceb4481fe7539626eb7f0521f7780400164072f8c229027a863fde4f5775facbf5f16d727c3f6d5ab24cfcdf61eeaa64876

C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 e72a0e8de90e91c132dbe5b34f1bea5c
SHA1 af093ceeb2607fa2b588ea65eadccaabdfb4f140
SHA256 5142bc907a05c661adc4de2b183a454b470c74844b3bdc0bd128428decf06f4f
SHA512 14b54e4a7e2b590d978ffd65e372df37483f1855737736e017ae4270454a3500a9a5ae9824fa63156caef939f77abdac8286267cbcb217fa3d98bf8fe3956e57

C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 47ea2f653ea2bae2c54a8729d7bb4463
SHA1 5edbe5144f9f8124ee531e632a77c685edb17ee6
SHA256 695c4d3f46934f06e3862f7b7ba210ca81fd4970f859840a47b167b7d22a62e6
SHA512 c02ded31a755be9a440fb75f3b8858235b6a54ab05cd57d6f38c07df06bfee79b29e1b07e99eced21dbe7034094cc6d1308c11c7079f82b82a134c46ad2f1f58

C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 2204ba76558d81106befb9b094fd47c0
SHA1 e71f3ffcbcc767a4c8efbd02b014e71a300824f2
SHA256 6f82e53518a5e876a3cc7317dd1e7bb84a684d47e56be24ee495a2613aa6de28
SHA512 680ebd5470dc3ddd6863ef347291a964196d83b75d6d2d5668cb33e9ef3c9dc10011b322ff2b5f98c5a764dac41927686c6de9e7782dbb468294c1eaf90748f7

C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui

MD5 8490e1a7e44bca5256be55c806da0da2
SHA1 8702815882a0b8c2a3739932130e18c54a6d29a9
SHA256 50ea2665e0ad4b4e081cdf39d4f71c07c2311f5724e598a6fb8660c2766c293e
SHA512 ded934c015d1e67c72331cdf800dd24d8e56846c9c6fcf6e46402c38150c90fc01f78a9595689ad2dce2753eec1c9ed5663ab1bd6d8b60bf8155edc6a9519c62

C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 db08a9c7b655333a579c2c8443110285
SHA1 6bb601548925b49562a794ed8f672eed0292810f
SHA256 dad2d27cfd05fe7cd8ba8bdf8cd192ea8f1a76d35637d71b861647b25ce308a8
SHA512 6218af9b8eb7a48dd2cf8bda0d07ca8014d85a914bbf37c85bd7abf5bfd81206a53cb6d4c4f70d421c9c721709903e845f6fe48be5420fc509886202df01fc4f

C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui

MD5 c06d1af49112704fde3dbbfa2c0401e3
SHA1 40d82de1fc65ba19f1679be3aaa88985baec0105
SHA256 33fef64e3f4f8fdcb35f3e4bc511e7bc52b614650dd5e5a5142abd05c06883dd
SHA512 00f65a4a915bf8b6ee65f58f72dd8971f2e06b82c4973b4d3b2c90d23d5155e63625a19a6295a2d45490805d586e22f6a01f16cf4550162c420c6ac524304799

C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui

MD5 e60b213a31b29e66b8ad8874064231a0
SHA1 0d3620499f58e69b66aa68d17e5f97fa0b612dab
SHA256 13b846735203b9f5664a2c26593d3946ecf3f4b80550ef13e0e65b12d192efcf
SHA512 f1044632029b72468a6dc89023586ae1f88f558af722d1ce7803fc4497af3d2e8bec839ff2a076b04450445bbb24791bea5a607a70b54413d6e2c9775da12c7c

C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui

MD5 6e0d9d283433b21cc45e404dca39e32d
SHA1 19c950bdb0c08374c8facd3e21d0578ffcf69957
SHA256 2144dd22890050ee7a60be84720d139af8b2d9d8e24c5f50e90ab0066345ea1f
SHA512 e9faa381b18a4b50aec112b92a568a1c8b47aec56bc517bcc1547a08d7617674f8ecbe29115e1231b2c498cc05161ae79bcccc7781c713051be3da4523f34d80

C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui

MD5 1d97fc5027e6444f7f363e47c97f336c
SHA1 d544e839ffd28e6eb63734a65686655d6f1f6aad
SHA256 c31aabed5ee8ea944a4fc2644ba66c8f048d389a63632f2091d8586647006cf5
SHA512 a84faa6c575ec0f0bc32d95c646f815b79fe244bfc54be94574949cb75de36730a312b723311421dc3d6772daea91ef70eecb4d2073b0eff9688cc72d0957cff

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE

MD5 1319acbba64ecbcd5e3f16fc3acd693c
SHA1 f5d64f97194846bd0564d20ee290d35dd3df40b0
SHA256 8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce
SHA512 abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE

MD5 f3228c24035b3f54f78bb4fd11c36aeb
SHA1 2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb
SHA256 d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7
SHA512 b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE

MD5 346d2ff654d6257364a7c32b1ec53c09
SHA1 224301c0f56a870f20383c45801ec16d01dc48d1
SHA256 a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255
SHA512 223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3

C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe

MD5 3a3a71a5df2d162555fcda9bc0993d74
SHA1 95c7400f85325eba9b0a92abd80ea64b76917a1a
SHA256 0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8
SHA512 9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

memory/1300-2578-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3332-2836-0x0000000000400000-0x000000000041B000-memory.dmp

C:\DOCUME~1\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

MD5 05bdfd8a3128ab14d96818f43ebe9c0e
SHA1 495cbbd020391e05d11c52aa23bdae7b89532eb7
SHA256 7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb
SHA512 8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da

C:\DOCUME~1\ALLUSE~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

MD5 44ead684bb87562ad730f8b257c1b975
SHA1 ed8db7d905f7919ce3c8be8dc3c0893f77f030b6
SHA256 e820b4780baf63d35d86ae12a2a492131eb6c738c485eef19b8d470887723919
SHA512 b81d68a94802faeffbc4476a4da3c7a3ef93600de35aac421ff973b2108b34e6f24c169d03735fd28949c0b407133d7cb7a7d2be50435365ae29abf5fb6217be

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

MD5 b1941e75f409572576662aead3f96a65
SHA1 9834ecdc6432136709969f12de6673bd71ab2840
SHA256 f7fee20c23b231d3b4ed84ae7d99d03d5b6ece12c2188f26ed844aba88754f2b
SHA512 eef712a9adc38e4a6935461daa759fc59045a866aa3d88d59f4e94a895c70bbd38dc637d8b223bc6e54827cc59561ea856fb8c69a471cfbf6c210b6dec722a98

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

MD5 467fd36c87f3df356d73ae1ccfa9d488
SHA1 aa19e66aeb4f6ef216a2164a92bf8454dedde013
SHA256 1f201389afbabf8ac390769f28c0ba729a7fed6d6dba56918401eb2107d86f06
SHA512 c92da488cfa4280aaa7e2a07ab1854f3d4bb3f82bc85a2e23e88b0975ed78455c7fca7ffa3ce6ca42e74640ee24ab8ee4dda7cc539136173b9d95c2477e7bb14

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

MD5 2c35de647c9a3e1c3de45c6af87656c6
SHA1 f44626ad37bf94592c7d0c50ac3ef25462bea5cb
SHA256 aa8be2aabd766e40691cb37cdaa96db414bac44595124230a93d49673cc86477
SHA512 e39bca97d12d4de89b80ee2a62ac82168ffc9b16dd1cd7e7db2e968ba77be4e1d6fa53e2d4156c58fc96a5630ae536bd3d0050adaceb89b542667930ef6d2d7f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe

MD5 c8d891a0350368995ace8f448d63d79c
SHA1 ca0429b992d6a51c9eaf1c045af438fac0ab698c
SHA256 a1f61f7a780db952c01face07faf6c3d141f1e9e3535b1bf4c793f3c9b138a4a
SHA512 dff55b1a64f987d235da2f6b0ad10cf04b1c918e9aad19800a39256091a258f51d9cf2500bf67bed97e48eaa43a1138984e93e5c7e7650889b0f44cb306566d5

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

MD5 2663af1d779f6a83cdd34ad79a372e3c
SHA1 dab530515325ce4e4c35f623b3edf73d9e6f6df9
SHA256 7a82a27e2d00aefcc0600ac3ec79f8b898be6e5024d2993b68ae8a2559d6e7b5
SHA512 34633be2de94376a3e5cd17793aa381d4146fc53f9f6164db3a070de5bf3052f6de4a516645b565d1c61e520a0060b6b74f72b632d1b568577c03d9d643c6f25

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

MD5 d283d2e92ad56e874423a1714fc23fb0
SHA1 c11839a4d1858834e679a35c24ad66f691116f20
SHA256 10be40e66e14bfd4a838341eae84b6763330379315d30f767993dde980c4028b
SHA512 22f8919995f248b444699a8015c847977bbc8a59a5e5d1a483664b24dcb480d911a9cf45b88a6b842fd43f0f3269045cf5c55d7680422111366ddbbe0fe79986

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

MD5 d6ca1db8c1ae4f4b8c2c8806e1f2fecf
SHA1 78ab7ba9736cc1ecf030c8568838d07dd46dd69e
SHA256 d0632f7258aa87473d87665fda77563c70d8766a8bc8e0d162665d42e29bba5f
SHA512 878117aff48bb38120781ed97cb1ba75f02f9f5ff20847afd746d4816b57016bc38ffb296d1dfaffd141003936a3280380590f3af7a2be924cb7bcd8dedd2dcf

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

MD5 476b0a8838dcaae4dcef364ca9dfbb4d
SHA1 6c687aa822cffc030567d234cd742ca56c2a21d0
SHA256 14818e24df626facb02163810f986b17accabe93b733cf8e35d8467434f28be8
SHA512 a43c95712778dff50dc9ccc44edea9465e4988e84415d24863d5dafc50fb79263945d4f5fdba266fb059d75bbbbb0a318835c83f022906753bd78648887f01ed

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

MD5 7cdeb39bcd9a552c38e378d9ff9e5a9f
SHA1 992134ccd1968eaf48f04c7bfce624528f7356a2
SHA256 f20eada15d7804f2c55b92416afedb449a3b0b2414054688d3180d40a8bb144a
SHA512 f7671311b1d1eadee732a41f0738fde5b71e425504cfee061ff0fdbdee1e74df78476cab37846c6cae592630fe9eb8285f38c5dd7bc84f265152b4ff9395c369

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

MD5 8bf87508f350513d211d4dca2571a16a
SHA1 e8774a47e28c15b531c95d4582c3bb0aa9689110
SHA256 07c12391587f35883e6c461fbd35a9edc80bc9359ebe0622f2c417d6afe2bc59
SHA512 c3410b2e8a3cc3a476ee27f7379dca13c13b660dd8019086a5f4617b20fcfa95fabb0a28b6e0beac7960aae775241de9a442cd7e5db40bb37f75f2b1524d0c7a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

MD5 46d8a4727a8e4f5ebd137447b4c4141f
SHA1 ffd851d7cdb84d302980732d90eb4de41edac0d4
SHA256 920f7b86ad78cb4f65d8d8918141a7c6c137da768aa81a43b1f9290f28a700b8
SHA512 9d20bc0ca3b182d237cfd2c1f82481e77f211c40b9b28e468efd5b3cdcc8c7f1648d00613dfb44044ffea522c12afedbeedbea83049f0fd50075eec1b11fe3c4

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 3dfc81c33656872d9f325bb4d2848054
SHA1 8419cd773bc30c3e7e0e3d065eadecfb163778ce
SHA256 13f955d51a9f1068e8d15357e32fa55b0845e319f817fedb60a67ca282a612f6
SHA512 cbcf95899d65fb65bba047c7c0e587270cc855cccc27df2d49d491795a40d89cc02402cf97efd1c79d453e6edf385620c2def6270660db0e7f54d4813d6945de

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 1c099d4db3eb71514c8842e60941bd16
SHA1 db5b981867c7235b19f3fbd743b606c212ce2ce1
SHA256 53c9db30bd607fd12520e21dc6f809409c301115863c31615a85c96ecaae1d34
SHA512 44a32e76989976a51a29017f3acae0dc92e743e2eb71ca6d861447856d88c85668a17ddc235cfddbb7d56c508508ff581dd4b058b2899fe023256aaff310539e

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 0196f829e7bae7e8d5144e51a6ffa999
SHA1 39991db97b4308fc038b640ea5834ef829e49153
SHA256 63a26aa6d1935b422fd1acf627515aaf278425cb9ee5b74273361dfe49804774
SHA512 590935693b85824b985729d9be40e12e75cf6ae7b58e3caa617431b9d746b276c07e868f71e43278c82d59ea0a8b58ebe38dd7a28c56bee0046faa1a206ab67e

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 ad519eb6ca347b8d1da72fef267573ed
SHA1 271034dce9a1b41a1a4e32715c09030aa755fa7d
SHA256 ba2fe7a472944be05b5321eed3090c99f32905b7ae25304f3e2daf90c144802f
SHA512 d43adb78bef078af97c94bd412705a6512eecae07d6fced8750ad2068e8b1b68a3d4fdcf8d97c72afc03d521907128b26eb547573804c073609d289eb807ce53

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 1fadfcb61e0dc539d5bee206ddedae99
SHA1 d104c075cd5135b5c4bfca3ac84e594e7ec94197
SHA256 66f6e21d70d84caafbff2625044aa0fac2ae74e26176ee6a694a1ceb364626b3
SHA512 082ca89331793739ab5e98f019dab900e6e1571e453fe244043e0895dc3f5d941d07b01a3fa0ce080cc57e8fa2077f2cb90cf61b97fb9a9c1070d0e0a61b26d7

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 50669fbbbfbe3c41bf5458606fc88367
SHA1 52c9ba8270ff372410d948dbbf95089ff2daf5ec
SHA256 a0387de92d953d0aedfbca501515d322aa3335f1f0103ede7e880aa327bcc484
SHA512 d9bc8091d6c67e5e224eb9260d4736a40ed36736fb104f2049d75a597092b51e0a24511aeeb6ae6cd4ac2feb0c5bc162b1c63ca5b3aa19ba21ddf986a909f433

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 4eadfc2fa79ff8ee46907706b832d745
SHA1 80929746231eea4984e26298efdd73b4cc37b37d
SHA256 c3d2be3fb21bd6bbe204178ddd9ec6fe722f4fadd0c3fd85486f9df8343c4ebd
SHA512 5a4c02defb10ca4c5e5ced1f6796724bcc79148342eb71f7326035d006f783534b6a88fe1e966ae4688e53d95f43cbe8a4e7dd067381148a15a86b9d1c84399d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

MD5 9dfcdd1ab508b26917bb2461488d8605
SHA1 4ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256 ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA512 1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

MD5 92dc0a5b61c98ac6ca3c9e09711e0a5d
SHA1 f809f50cfdfbc469561bced921d0bad343a0d7b4
SHA256 3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc
SHA512 d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

MD5 12c29dd57aa69f45ddd2e47620e0a8d9
SHA1 ba297aa3fe237ca916257bc46370b360a2db2223
SHA256 22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880
SHA512 255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

MD5 322302633e36360a24252f6291cdfc91
SHA1 238ed62353776c646957efefc0174c545c2afa3d
SHA256 31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c
SHA512 5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

memory/1300-4863-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

MD5 d47ed8961782d9e27f359447fa86c266
SHA1 d37d3f962c8d302b18ec468b4abe94f792f72a3b
SHA256 b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a
SHA512 3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

MD5 bcd0f32f28d3c2ba8f53d1052d05252d
SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE

MD5 5c78384d8eb1f6cb8cb23d515cfe7c98
SHA1 b732ab6c3fbf2ded8a4d6c8962554d119f59082e
SHA256 9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564
SHA512 99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE

MD5 4754ef85cf5992c484e75c0859cd0c12
SHA1 199b550e52f74d5a9932b1210979bc79a9b8f6fd
SHA256 da6de758d909ff5b7fb150a4a6a6b9774951aa2bd7c93966ea8951647386c330
SHA512 22c557807b81aac91c65643abb73f212d13f7c4504b6bb14e82bd9cf91319f2daadafa67425d91fa95f1d39c3700684f928e7d68468cb192c4c0be71b9f9b5ab

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE

MD5 1e09e65111ab34cb84f7855d3cddc680
SHA1 f9f852104b46d99cc7f57a6f40d5db2090be04c0
SHA256 8f5c7c8e0258a5caa37637b2fa36f3bd87569a97b5c1ecf40dab50e7255fcf9c
SHA512 003176cb9dd7668b1b40e4d60d86d57c1a9ec4d873382aab781b31c8c89f0e388f3d406963f159412e2828d0be9f6daea146a252d8ee47281dda01123c9e7ace

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE

MD5 da18586b25e72ff40c0f24da690a2edc
SHA1 27a388f3cdcfa7357f971b5c4411ea5aa1b9e5f5
SHA256 67f6e8f14bcf0e6d570c1f4ac5a1bb80a4e1470b5bad5a7ee85689c476597d8e
SHA512 3512820a9d37b61f77a79b2d4d3f6aec9ef53dbf81071bee16f5dcc8173393a1cd1bffe9f7f39467b72f9c9271a78e42078e68598934188d9df0b887f2edc5ab

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE

MD5 e6aecae25bdec91e9bf8c8b729a45918
SHA1 3097cddcb7d2a7512b8df9f5637d9bb52f6175ed
SHA256 a60e32baf0c481d6b9db3b84c205716fe2e588cb5089c3d0e4e942e453bf086d
SHA512 c9a6add86a2907f21c5049613fd8300800e4a949a943feea9ab36a271596343328bf0856e3d8dc4784b1c8357e01c3702761b8d9a3170ebd279dc4e1f1cacb01

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE

MD5 5d656c152b22ddd4f875306ca928243a
SHA1 177ff847aa898afa1b786077ae87b5ae0c7687c7
SHA256 4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69
SHA512 d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE

MD5 c7f7803a2032d0d942340cfebba0a42c
SHA1 578062d0707e753ab58875fb3a52c23e6fe2adf6
SHA256 0f201a8142c5a8adc36d2a177dd8d430eef2b05cff0e4faefb52440e823b54bb
SHA512 48e3e1eb3a33c1b8c20411209d8ed261c00798393f5fdd691d3fa0abed2849d8eb241bedcbeefddfebbec292c7abd254023e25df77c85b46000fe63a7324172b

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

MD5 a5d9eaa7d52bffc494a5f58203c6c1b5
SHA1 97928ba7b61b46a1a77a38445679d040ffca7cc8
SHA256 34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48
SHA512 b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

MD5 5119e350591269f44f732b470024bb7c
SHA1 4ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA256 2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512 599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE

MD5 27543bab17420af611ccc3029db9465a
SHA1 f0f96fd53f9695737a3fa6145bc5a6ce58227966
SHA256 75530dc732f35cc796d19edd11ae6d6f6ef6499ddcf2e57307582b1c5299554c
SHA512 a62c2dd60e1df309ec1bb48ea85184914962ba83766f29d878569549ca20fca68f304f4494702d9e5f09adedc2166e48ee0bc1f4a5d9e245c5490daf15036bea

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE

MD5 11486d1d22eaacf01580e3e650f1da3f
SHA1 a47a721efec08ade8456a6918c3de413a2f8c7a2
SHA256 5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3
SHA512 5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

memory/3332-5099-0x0000000000400000-0x000000000041B000-memory.dmp

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

MD5 eb008f1890fed6dc7d13a25ff9c35724
SHA1 751d3b944f160b1f77c1c8852af25b65ae9d649c
SHA256 a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090
SHA512 9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

MD5 6ce350ad38c8f7cbe5dd8fda30d11fa1
SHA1 4f232b8cccd031c25378b4770f85e8038e8655d8
SHA256 06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba
SHA512 4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

MD5 301d7f5daa3b48c83df5f6b35de99982
SHA1 17e68d91f3ec1eabde1451351cc690a1978d2cd4
SHA256 abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee
SHA512 4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE

MD5 41b1e87b538616c6020369134cbce857
SHA1 a255c7fef7ba2fc1a7c45d992270d5af023c5f67
SHA256 08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3
SHA512 3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

MD5 5e08d87c074f0f8e3a8e8c76c5bf92ee
SHA1 f52a554a5029fb4749842b2213d4196c95d48561
SHA256 5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714
SHA512 dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

MD5 7c73e01bd682dc67ef2fbb679be99866
SHA1 ad3834bd9f95f8bf64eb5be0a610427940407117
SHA256 da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d
SHA512 b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

C:\PROGRA~2\Google\Update\DISABL~1.EXE

MD5 7429ce42ac211cd3aa986faad186cedd
SHA1 b61a57f0f99cfd702be0fbafcb77e9f911223fac
SHA256 d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f
SHA512 ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1

C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE

MD5 d9a290f7aec8aff3591c189b3cf8610a
SHA1 7558d29fb32018897c25e0ac1c86084116f1956c
SHA256 41bed95cb1101181a97460e2395efebb0594849e6f48b80a2b7c376ddf5ce0ea
SHA512 b55ab687a75c11ba99c64be42ad8471576aa2df10ce1bb61e902e98827e3a38cd922e365751bd485cac089c2bd8bccf939a578da7238506b77fe02a3eb7994c6

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE

MD5 d9186b6dd347f1cf59349b6fc87f0a98
SHA1 6700d12be4bd504c4c2a67e17eea8568416edf93
SHA256 a892284c97c8888a589ea84f88852238b8cd97cc1f4af85b93b5c5264f5c40d4
SHA512 a29cc26028a68b0145cb20ec353a4406ec86962ff8c3630c96e0627639cf76e0ea1723b7b44592ea4f126c4a48d85d92f930294ae97f72ecc95e3a752a475087

C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE

MD5 87bb2253f977fc3576a01e5cbb61f423
SHA1 5129844b3d8af03e8570a3afcdc5816964ed8ba4
SHA256 3fc32edf3f9ab889c2cdf225a446da1e12a7168a7a56165efe5e9744d172d604
SHA512 7cfd38ceb52b986054a68a781e01c3f99e92227f884a4401eb9fbc72f4c140fd32a552b4a102bedf9576e6a0da216bc10ce29241f1418acb39aeb2503cb8d703

C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE

MD5 cdc455fa95578320bd27e0d89a7c9108
SHA1 60cde78a74e4943f349f1999be3b6fc3c19ab268
SHA256 d7f214dc55857c3576675279261a0ee1881f7ddee4755bb0b9e7566fc0f425a9
SHA512 35f3741538bd59f6c744bcad6f348f4eb6ea1ee542f9780daa29de5dbb2d772b01fe4774fb1c2c7199a349488be309ceedd562ceb5f1bdcdd563036b301dcd9f

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE

MD5 674eddc440664b8b854bc397e67ee338
SHA1 af9d74243ee3ea5f88638172f592ed89bbbd7e0d
SHA256 20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457
SHA512 5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7

C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE

MD5 4f197c71bb5b8880da17b80a5b59dd04
SHA1 c3d4b54f218768e268c9114aa9cdaf36a48803cd
SHA256 a1a0bf09839e6175e5508271774c6d94f4eb2130c914ea7666c1ecaf1a6fde47
SHA512 e6104ade74dc18e05be756e2a287b9940cdc98150ddd7c562b61282d57070e1d7272316469f1e1b294d3dfbcf191c2692de0d45a2fae59e73c4c039d80f3e002

C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE

MD5 e4351f1658eab89bbd70beb15598cf1c
SHA1 e18fbfaee18211fd9e58461145306f9bc4f459ea
SHA256 4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb
SHA512 57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

MD5 452c3ce70edba3c6e358fad9fb47eb4c
SHA1 d24ea3b642f385a666159ef4c39714bec2b08636
SHA256 da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c
SHA512 fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

MD5 892cf4fc5398e07bf652c50ef2aa3b88
SHA1 c399e55756b23938057a0ecae597bd9dbe481866
SHA256 e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781
SHA512 f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 9a8d683f9f884ddd9160a5912ca06995
SHA1 98dc8682a0c44727ee039298665f5d95b057c854
SHA256 5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423
SHA512 6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

MD5 cbd96ba6abe7564cb5980502eec0b5f6
SHA1 74e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256 405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512 a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

memory/1300-6624-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3332-6793-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 dc5af267b827027144fa9adb565b95aa
SHA1 3ed818bd4bd2cf735df2bb6593e1c1eac331dbcd
SHA256 2142df46fe17e9ac416145f66714cf6d96b9024b83651b5e785433eae51b82f4
SHA512 a37e7fa817a610cd1ea09661827f7bbe51a49c01909b6be503a5e5e23b1c9c90a698ffa023c0a93bdc81f85fbc0aa435ab2b2186f2f6013f61dcccfc661622af

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 46303c6b809ef040209b05c40b566caa
SHA1 5bc097c708b30a6a682013f215635a6b1f064583
SHA256 807a6016014f845713f9df93a7b7a6b7424226ec8eb63e1796875dd634d1712b
SHA512 3d24cc4482c581c97628d8845e93d7a54f15037ae04b04febbc5887ce63d19a90099ca7f0777455aa8204b8c8d51980f9ac407473c72cf8c1fe63fc7fd3e0b52

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 481c35c5fd5f62a873174a797b370801
SHA1 889611eb262cfdd0f8232ec86076e064fc8cf8f7
SHA256 686bbf173cc8c7536a6b7dd08eea594aef6e1e0d0fd91e3dcec608e983ae332e
SHA512 803bfafa7c38068c7c130b8ff91e6963718c382fb422470a15168cf1046f5ea735d3e84b2a56bcf1655fe2f126fa3e454fc78cfba01aa0052ac7f6a3593f27e0

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 3b6b721ea0781c1ced89793491211e87
SHA1 4b3e33e6fb1c58d1b7d210cb6e58dfe22d81be4d
SHA256 6115fd5e1bcc15b4ce4cb1a889f533beeb2c2b1c36674c117516b45d5042ca58
SHA512 9059d6b592f21ff96e54bf57dfa956e2fc6bc31ebcc68bc7927634ebe052b47d88f93be92eeb74821648c74e106a6767490fb6c8838da42989c4c769618ed718

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 cacdd6ff150ff59d934be941a92e32df
SHA1 79c2eece617917e334645dd04f0b065a10942484
SHA256 9f563f0e59d62b56bb03c62e65c865a00a7164cb22d35fa5ed1aaa2b42697ef5
SHA512 e887113c0617b30584c79a7c5516348a37c9735e308cbce59232a79bcfab95b2b57413ecc01495d4c9b710c43d82d7e46bb5a24b5d39d374a569a63f35a6c8fd

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 3f54248ac3c0508bd7ac1eccf95b3207
SHA1 77cf40f66ec3d6e8671e5d2e4e8226834071300c
SHA256 961cc8d09b14da9a7be20f8222d861777e215df0b82307244956f98add9c4c34
SHA512 fe76594866668d90b63a2015e7f42eba29a6ae6621082fdf9daffa8003812042387dd6a97605e139d791f58d83e1c667a92ae342674426240b71b79cbd7ab07f

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 8c9a0971ab6966965846bcd966b4b247
SHA1 92c4f0513fc5fcff4735e6d22f44751a0f0e9ba2
SHA256 05055d71106c4a0e2e85a837f53df3aaac69d50d39c8ed8ad5968c1fa8780b19
SHA512 3365d9e554200aefc304e7697c4d47099d090c4b2ec5e2830c4610b616e91ed3d3e111be6a3c239add6589239cd067b02b923859463f434150a48c5e160e36e9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 d95056aab7312da20ad67edd8bf1379b
SHA1 077746e3816d0828d37defbea1c614d791caa7d3
SHA256 ba93e4dc2df0328bce59bc4ffa402b718e3f816203c0d44f318843a9601f61b3
SHA512 d1eef9e08a36b47bd242f23acb44a2346b53663b97ac31cefe8d2f854d76537a9c40d0e84215f17ebbd3b9a086e7e607abf661e4cb35783f2e7beb9d3a3b6961

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 2f0545d301aa6ce8decb49a247c01c62
SHA1 32b1b1597a42927263fb8f265e656103b264efc4
SHA256 9f1d10b3b2da516abd4302ef752694d7a90d2f91d4ddf3319bac8bf1bd8f4a70
SHA512 e086306f67d52149634751b2b78ae0f1a3bd6da6105078d57aea6475ae54e754e392f6785bb3e50f2db67eebf5334433af741e6379a69e1e5b0882442d2b5634

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 d6d1904a0985292cfa92ee36241a3344
SHA1 ddec6eb31a50bed92fa058c728594cb56facaafc
SHA256 ebb412d5c0f7445f96b5b37e32a0a3ec381199c8fde24989616bc2d93c39ebd2
SHA512 342c346d56a0acbebfdaaa879a98d5aa529fab4d4110437b1b1fc387ba9bc9a8a83b0c8804b9a9b7dbe89d120bf5c78b7659935ef9c00ead4706d1ed73905092

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 e05a646fa4c8370eba5a92d993bb0c71
SHA1 9c9dc0e632936aa76dd543788ad0685a33cc0029
SHA256 8ca6d6175a98aba59696cd52548fba36039becb757e8ff58f3aafa2d911fc66a
SHA512 09fe5f1f81724f673e5b2b181b16773a70a7bbd6d82c3714845774d386d5a21637e999c4a2edcaf60b25d6c98a958a9a63f8f27b99a72a2c43563c63a8842f86

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 f7a1f7bcea06e25c4da2c521a61ceb6e
SHA1 baaccc154462ef708b5dc4173d3f43d6128b3b77
SHA256 d1bd405ebe047daeddfc4b8220ab9b785f09431972ad3a0b908113f7f99b8ee6
SHA512 6c45fc30567a369d88dab687010c42815d470dc07007f5a69056e3b1a97a2b5df09c8a5974f25961ba4a375a8175cc5f9f7ac029f718876b08c5685cd92161aa

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 f451ad6a1fe9cec63d81a08577453b13
SHA1 3aa33eefa0699e0cbb8f3c944b1e95b47b9d2dfa
SHA256 496dd1f57aa101d3f3a0e45c00d7e07f1c3fd666227d93a68a80849d6a6fa67c
SHA512 69cc82b9e7ab134eaeba6bfe617c60b6ba776cde804c6fb9edf3e84352f746acbb674ce7a6e1ca9b6b2d5ecb7a0ed61b0166422f7285d6051fa18a688258d52a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 6de2228ce2d24bcf5d27771ba81b4e86
SHA1 f68c1522002150af8b3806b799e13b81d817d48a
SHA256 659493ab96628eea275d5093bbc608ed580375401973796d2522a2bbeeb8a77e
SHA512 bc94df62d2a4e103445f2c238f3c9e5f5b0cb7750ec31c9187dac22c386cf1b22471f5d0f16d5b591b845ffd2dc6debcf54407475bd740f820e8afd628e15a2a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 1c9073a3b6d303c065385db6426da7e7
SHA1 cbd8ac40722a42674d321708cd824ab0893e6c47
SHA256 1828572cfecb836de3b21a2ebfe3ea3337c3444cf1976cb92fc0c858b461fdbb
SHA512 4b51cc6b3be8182ae0536ee2719e53998dea9992ad1d3ef21ab54b3879b7c26e1abf28db103b0083a55ef72434062658a73a6c7e69fc34de884e5d49b3db470f

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 cbca5fae88cbf8a2ba704766b646b182
SHA1 f3509ea01553f6af0557044efbce84cc3dca52fa
SHA256 cd623f79393a14bc67451527605d275b494e4b902dd02812e2a14a71dde6018f
SHA512 2526606a01016bdd8e4b54917e465fe369416b09e4be16a2b4d294bb3aa9b89f560abbf17e7f585fb2b012c9c54d439e339f026af36d930bf3e8c6b55a2ff68a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 3950ac5e9eda4c4997ee93d3a0f5d48d
SHA1 56cdb103bf33c5433167823d018e24f2af5eed39
SHA256 d681c25dafd4d3a07785b242e5c81a1fc601b86b632a48b7ed43568c61524daf
SHA512 3c2003c3a076938d8534158bdaac869ba40d316795dd4792aeb701cee3e7311034bfa8ef06857431989eeeed6eaa85f4f8b4831d4a7c63a2ba149835a4cba405

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 b6d6eb69fdeacd8da99dc7f1ab866a6b
SHA1 15ac3c7d2d2435e44a7551ae80f317d59a997dda
SHA256 9adf9a233d8c7b7a41913aaf46cb1f9f9cecc562e8317282dbe0a73582ed6b54
SHA512 cd2384e8d6aaa9327ed666fbdc618fcb1cc718f8cc2630676a449cb7a5f1cb1e99b596dd09ebb8193e7bb28eebeb8c3f241ccf86601a25a5b0fe6c0f8467fc75

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 5e4fc92eb71a5fad97b873e2bac6ad32
SHA1 a4a43dc0d3b0b7291cdcfbe1480423e889c8ddc6
SHA256 07d2c24fca76d5c772f3e6bd4d48242778dfc7cc8bf3db161563667a966b308d
SHA512 c9c6a6b298d4f3087670dc4adc01b4d8b6833309dd4744766cfce6faada97dcbf7da2d33e35015767c8b4a5ca76ce2b54c27035bf3d2e981934dc6a1e400f4a1

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 1d10e8eea81828502ce6bd3d4c97534a
SHA1 e977711167b15dd6693de258853503e074e3ea46
SHA256 1f4f50ba360399d8ffc3fd85e519376978405032a4bdda68a1c92b9829819e44
SHA512 c89103f43d19be4a7903de3dd09fbe2fe2fbd366615effae5c416524789802ee71fc1c9e0c278ee18708355be77bf981414d6c988b64bca93f86961bd41b8859

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 31beeff0b08247242ff4dd4abb5e1696
SHA1 60e91c8b32862beb9899c89788b7e03521d93ca5
SHA256 828c93512f767384eb3a0af3cd7005848836ea71187e804ad6e9a055b776f762
SHA512 fa51d745661ec0c48dc0770cf274251b92115f7ff7e7e87308f250626c568b55213a1d6a7f304ecc93465f0bcb4de07351df6e9da40841fafe9de13e2f2a8a80

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 5989146c5020b791eda637de1ce3642e
SHA1 ca430b312a3902e56e1dbd7e293000d8ea16d9a3
SHA256 4d5727017e0d83307a58ae1c6eb6f2b41d936db5b3591a0cd04313297b4a183d
SHA512 0705348b82688b59eeb70b6116c643549ff9ff68c9208071093bb22278833c52ff24ab3dfd26d59dc2bd848b5bcd176c25f6ec34655ff02c025cdaefcab7ea91

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 c4e3b9eed4f85889d38efcab5ad72dd4
SHA1 8c490b5d58a35d3b1c77d203fdd57d6f320d5aff
SHA256 e74f68930f2ab7beb0be082d766d3f92dc0253d91cab87088afcc151b757b326
SHA512 01d441e8ccd73543caf985cf58006411af1745bbe20f2e5839b785f783bd9c4753db42402e1eb1752c85ba56826ee0b6cbb57f67dae555966ba23904af0c2f95

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 f67dd59685fd7bc3fb06ec281226ef0e
SHA1 6e6675ef7985f2a21e50d530ae781f3640b44303
SHA256 5c75b9e3055bf62a8d529242d57e3a9a32c6266f3ce11d2fa0a41838bb7b8021
SHA512 c1e6110947a309d01ae1b6eae61d41af5043f163ded6e1b59559673ba437e361e11f8244bc0d24166283f512302c2c491d99153a40f4118da5dd1361a4a32926

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 bc15b1806b2504026babc2f6566362b6
SHA1 631496c7b54b53fc02a8ad15090b3612906be37b
SHA256 f4868ff5234f3747b41402c1686937b0c3d103d7e5ea52bcb34ab482143bbd1e
SHA512 564d0e9403f9918518c125fdfcae7316eba3ea71cef0de02837bc323363dec86487b2b1ce8c7f31b0c94b98658c259c4c57e739ea66bbb266823752b8dc92d9c

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 236eb62a5b10e7513b8d19cc3a26adb7
SHA1 7677f4f7b4ed3a77a168c34276d8a6bfc815412f
SHA256 61e36b3c2a831f01c685cb2e2c38805c4e0a9e842d98647fce278264e8ac69cf
SHA512 e41fc7c94349ad74e166dbf2d33ff56c2315e5b22fb01705a15e4633b9411cb6775977a77a060333dd5cc86da022cbc2a243a329799125093cab33e542d45528

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 85151318b992004614df12e1922e75ce
SHA1 4d5767e47a23e7c3e00acdac35263828917f5bfb
SHA256 c28f483e5d577ea059e5ca5df09ff1cdc34189a1e50b82429dcfe930c3a700d2
SHA512 e9f846515df019f7ffa80e04f910693c6e84792fb30c36e2800711cd7270b93ed2df356218d1963f5e2bb88d9469bc1e5f5f5045c18d60354d37a499ce37994d

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 bbf54d5b65ac2539ebc633746b18d83f
SHA1 e993b982b824f1f4607f6cdd7911bb8f1dd88fa5
SHA256 7aa0967bfc3c9670425def6fd12578e4db5bea95aadabf9950800fdadd4ea9fe
SHA512 1458da2b681a8e50a7bac11885d72af268bbfc8e570129ba26c32afb6c6af9511392737d1fcd101bfd99b8e8f4d59032a25bbf6902e43a74af5864a5f27dd989

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 af5a1018c05f8b86f42f04807a23f1af
SHA1 695c2ed9755bafe4b93ce4c6ea9830bd9f117c9c
SHA256 1d4db43aa54b2964ff1b361b1147455b1e56ad890b07fd4f52fa63f1b0f8d6cb
SHA512 bd4cd72fd6b967238693e2400285830bf9cc1f7dbe6dcec5eb26002a42eb6fd0270fe63b4f5675f4369f7a26337f4ad9cfb5fe3064bf9064cae21001a00fe8a5

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 39df0e1507d649d99f594673e57153b9
SHA1 c3efaeba8c74bbae7bc9ed604e5a837b2ea05a98
SHA256 70b0ea3d13cd190cc230bd6022480969e7bb7782a062b57e0e1231de3b3052a3
SHA512 c8a3edbaac3e1b02a9157239f0e24ed489a7241cf2665ba3a7974de0d69a8d377c709525e7449fe6f36cfa99f4298df577c999c2933d7ff8cfa05132cdf02514

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 a4eb845d5cc3e02dc7398143d3c30f8d
SHA1 7f0e2ea1e8d7d4941a7a14f3e8a8e3c0e7aa0280
SHA256 334c8144d2231d07825271de41653c80466f833670c45fc7f4692f458c56adc8
SHA512 fd8443a11baae97989ae8be81e4579c1a726470cf3196d07956ad72b9c9586e8a59d2d5530c0e5ea92d12e67177b3f6e964cd7721d96f326d7cf06ee44d9c548

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 663427bd9f8203b8d319fb764ec1f112
SHA1 ea5f93bd56e021136720b9807e6fc287b361d58d
SHA256 2fccf45a8ea9594abe3e4932a20c77805a1e504901ab7a3e89b684c7c5517970
SHA512 f31b8a07e53c2f4d093a2ac74ed74da80ff92bd26da0c82fc6aab41fa432622bfe869ef0ece39a27f9204f4fe02d278030d3f5c13be923605d83e989b69b88e7

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 af6e42d1317aba9278f198dd798a04fc
SHA1 4500af685dfe6db8bdb4529f7d25271959022f70
SHA256 1fc79f1f3a8d01377319fb146c3e64c7c41d0bb61b10919a128238b7ccd31fa5
SHA512 40e2cc81c2c35a16dd62b7fd4d28c798f1df2472f7c717c7822b82dcf39c11489f1a58d7795a17cf92e3d21784be8523677a54b81a65d10af7b19ed2d7de0c21

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 10075c2b8d5d6c394ded92e989852ad0
SHA1 10e2b37315f6e4d42320fa47362c4d42c40ba087
SHA256 08f826046a47d4dff0613d04581d738827e196e84fdfcc393f70d166342f0e05
SHA512 3a5983afb4660a67520df8508e94d815a39b07b5b05771c6e4d588c0d9466434d0e6737660944a768e7ce242eee20ee31d781a32c7b1b7dc3f8ccc6ed6fc3ce7

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 2a4f76b71b4fd4138046c548045e6e99
SHA1 1bb062c01c0fd5870b25c205077721656b512ac6
SHA256 fcfefee4e8f7cac1f677697ef6d29318b16690beb9a13d5da2309244ee45fad8
SHA512 228872eeb0c2ffc083b637912080e044f1ce5848526ca08dd3b7132ce7ac09d01e6ce5de2b7dc6a3a058354a1beddc72c9413e7028778ac28d2699e8e44cfd87

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 1da60472945401e4e87f228d42e681bd
SHA1 bcce8af4e452d85765894151f479ffe331a96a25
SHA256 b309ce381efb297d72297d2c0064aa3d17e6c166a6ea1b1381e3982667a6de74
SHA512 44512e287d890cd4936b703596fd889b4396b82d56a912d8d421f435135ab71cfdd8fad14ed67212d7e6d9bc2fdc0a0f3d6d35e2a838f313075afe97723f28e9

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 6dcd47fb1fe9b992673de241f5f333d6
SHA1 d06a208d2820e5d3d0372255aef0d729bf250e63
SHA256 3d253d825d29eb867f607c52c10ccac24854d245a71f485d2f6a2669aae07f87
SHA512 d23bc74907d4181706ce3c6270b28d4e42eb55c02276d52a1f3bfd4782157bdbba9a64ca842493b6d6d88e847c9bc968289f58e9a6a26e090fa822bcb4c37349

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 9619199c8ab7c56074647537e3a623cc
SHA1 c8dc545449ed31c9980de57009a8fb3dce2238ee
SHA256 7a6aa939762838e97ef90e4aecc918b17edb4c2cb1b10000fb4c8125a1097417
SHA512 3300dc49c34ce27d34af218ccaa6b2d22bb87a311770632294bd35622459f8f1fb8675018d22f93d841d4530a6ec8224ff3c87e72ab48e9902414aae718e6a97

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 da37363a99fa9d41f27a1d78f43e15b1
SHA1 a5380f2c22822e520f4c9698d33a6a29b4550a28
SHA256 cb8ff7dd0e9596adcfc4a2d9fe1a026d0e64dec52ac74b4b7b8ad6c3d234a247
SHA512 0a964bc66a2a049e88f6ffcc5d497870ca4eb6e9abf8ff8bcf4d06dea8e4f1e40be87400261311582d2a1af38d5902b99f91d4ce3142197aef96e0bb402e31e3

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 0f8924fe7c8f4cabe3ef90c33a414d80
SHA1 2a885a34760e44ec829c6246376ab611be8537a8
SHA256 f9b5f4d694d27ac306fa296ccda5720de275610286039b1ed7faf96984c188a5
SHA512 d238c0f4568194a23a5a6c6441282cb9f042c40594587e420960af121be1974fd48de13cac7fd4f5a4156d31032988164f26f6bb2fe5080fce5e2d6394787c83

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 29380f2ac22363e95ac5793bae60f973
SHA1 7b05a0b431099a5feac2d87f5d45b0564414e76f
SHA256 f618cd2ae15534f0535c693ea172eb824716f18eb4b05fc39637a43544201931
SHA512 726e42e8c7fb8562550c4ed9ed3c340615cc6711e2162f552ae86bd8d0abe1c526acf047ae8856665d875f65484cb9da7928837ee771ae167e515fa0142ab53f

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 544004f8f2f347b9c781409ca91f370a
SHA1 ba48a6ef29c65e21789fa5e1b1999a8c417bc5f8
SHA256 77598e55304cca092718feb06cd63263f319a6baaebfa3c941f42c18fc25499b
SHA512 9c796dfd83d9b66d931c33f2899f8952391ebe7c50dc38de3a8ee84173bf3088e992c880d8b214b4b22b89ede5d47db8067f6938bec7072d07350b6a5becd8b8

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 3749791c625b0aeb1c9fa8c591549300
SHA1 84506a518389463faa05363c999e30e75a6ddb99
SHA256 ce752cc4076deb8e4996592397cfd95d6e35351673506b01fcb9183c7d6f3eee
SHA512 21be3683ba7ed1fe277c41081c052deb45bfdee6d29ee3ae938966aa065c60a6eb44146577b856beeff49a17813fcdc6f9e0c7d5172d19d5540d827b5b487c06

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 b29d7f9a2d8f53fc888662ec0a5d1c06
SHA1 902ff48ca4c2cc85dccf71c979db43079ef0fa69
SHA256 f43decc88e126701d64c8fef92533fb0436da88d0e58bc66c43eb8ef85f646ad
SHA512 df8a55013d9311d7ab2bf8598d5758ae5a649bd212b24bb39c80032240101cb9d03a0dd25c16132d629c34dfc3b4241ef204a30a26f9747add9df099af724338

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

MD5 09407437577821076a9785a9d6eaf440
SHA1 dc41d5bcd02bdb33246fdf239d4c3f302dcdc6a2
SHA256 ca8bd54094e4f10505af1429afcfa5e1b6356b8d2981631bfb2c7f552f7534ea
SHA512 9f076ee2f0d5ef8ce37dadc335f0dc41a2cd1315dde2775b17dff279bebb77260267582b834664d86cf0068080f3cf2c20d7ece9e0735802c0f391c81174cae8

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

MD5 bb8a8d004cca20cc4e54eff5fa1cc365
SHA1 2e718628ed599507767d8527e98792db630c6790
SHA256 a6b8a8d6da5f2faa1107e27028f6b3685403babf3930d6b3fbfe1116ade3b52f
SHA512 06f7e1f90bbfd63f0e8d6ccdf80a07f5d079cc811c045afe6800436d4caa181bb48e227b1a0ec75e5a70c9f72082e3793684a9a5ee018086928d30e442b5c2f0

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

MD5 35db4f0475d67b6a3718b0a154ab8732
SHA1 e34ee523c014c856315ed9adaf2fd2bf71c955e8
SHA256 cf284fb51cc5044a4799683951765c607b546a53458f150a8be09cc1624f0900
SHA512 945cdc32ce1d690e982189c3375e06c9d68df2982c97ee43d14688afd8ec0b4d0d0e5046f1e0c275e426b6789c2fbb6b9089a7dbf1d8f6ab6b5b8b2b7c90c96b

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

MD5 7c32c6b9525025aa090fc35ef2be2a33
SHA1 fa7f9a6d2949a614cdae02e206494bdb5e1d6154
SHA256 7931aeeae3c7d5af98039fdcdc786b08a26f74fab4b487531a6c4c273055a774
SHA512 65c4d211c7ed744d9e6995fc61491604a193d705e7cddff9389c5c0c8cbfc906386065ecd36c1ae05802cc38638b251b2043298629428f6e8d95623afd000ea4

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

MD5 803216a816f0ffb9c78e45a844e0a007
SHA1 69b8b688caa1607706e7ebfa440e114f3c05f670
SHA256 297282f33b1646f2628bf710b44a797ab2c659bd575c33edd7de1986ba0f7253
SHA512 7ad272c20f36b695f399e558bc52b4ffb539190096e9172dcb6a11700541b3d3c91f7707259696af739ad4cf139e62d328fb3675e409ffe4d0346238da586ee6

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

MD5 da704824f90ede7c83e2e7f7b9414a00
SHA1 5a0b0e2926e0817041629cfd88b0009a97d6fd76
SHA256 2853376c138e45d8fef2e892e778b2461a6308fcd222b2e51a768bda8a4c9d31
SHA512 ef444eae52297f33b0531fb2dc94468bfc107c4015579520ff83bfe10a4eda8005b6f6d8987be7c87d12e26e73c2b2d72d75bbf796dadffa0a1b9528a1ab1194

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

MD5 b4f471b64ca9bd56e6136f0f5c686317
SHA1 8ecd94e429b50301b82f625677340deb07b2c7e8
SHA256 90bb6a110ad7b0433049ae0cd674b2f6a5fbf4f22808173fa21da4af323c074d
SHA512 34f42838abeffbff71bc22bff1939c45bdc32a99923d4a6bad2e2212e5b198259746275b40b68d6f1ed6f492cde1bc0e1db3a1b597bfe05b26a8bdfd609335a3

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

MD5 fe4b648e02f27cfc2a57b39f6f9d9cb9
SHA1 72dd2d0d7839311fe61a94e4da01114cae138aef
SHA256 36bfdcb3b74e904fa3a48b89e65d87bc296ae3c456f2e37ceeb11e8383f38c0a
SHA512 69179dcf60531efdf6acf9ce81a545653f57a3a6627d54b114f360b29e5fe4ee4e4c133aa0d96be43e0f38ba546ceac5c530f3a15507366166c5e0f81623ff29

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

MD5 541b01b16f76c69725d3bed0bcec7e2a
SHA1 79c04c37b1cbf14dfdf28a2830604589c4a252da
SHA256 c72faf16732acd2536d59d3530b3ff77bad68f5bfd7379084be7369e4fb82dde
SHA512 512139f1991c2877deacdfc898d9ba5fddea3a153a17d81fa1cf6b8e449d23277f0041a535328df39cd66cfe0ab285554bef4ef2279a874ec18171a773b83255

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

MD5 dcb1196d0702797dd2f9c31c5035b574
SHA1 2deee5ceed0a96ca64162852677a20056e3b9692
SHA256 339d28660c2bd516f818544ed2fdb55bdb9e3dbd62ddb36a50cbdb7eb55bb096
SHA512 d65f91cda6cb50fcf91d2ba308f8f90941aedcb70df38ab4a0c6f7e3c05c7bc85be7bf152e6b95c1afd10a6e437fd293f47205c39a222a3c8ee15e9ba99cfdb1

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

MD5 942211a360d1d5a65fc7e1e9cb0ea0d9
SHA1 79dc157b6b20652278f69ed1f106b12c2aa10e2a
SHA256 03ff6f6e3018a988ef0c87ea6297b5429b1bf5dcfcec57cd28ae186de24b270b
SHA512 2bf057293b363c067f65807d068b23143df3d8fc90b513df6187432eb6224d2d4c7918a51bb03289bac0ddd043903788cb6e58675ba68dbf3b63ae66f33535b8

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

MD5 17f48efef2bf9f841cf8ca4306df5404
SHA1 b86c92255bddbcd788a446c86f5182bc15d097ab
SHA256 56f66f5a6048bed2df7a04ca27a4f34eaf49dfc3c218cfb3532273f53daf0323
SHA512 674d1b1b6e9c0217b63c57883143a931e91639249ef987b1102d7e8daa7485a52d9c1f9e12162a79aa813275d7698a2ceee3cb61e24ba7bcc7b2f949b2afbd44

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

MD5 453e72c8b0dd94e6f3e7a1b1607fe8aa
SHA1 a1a026d6d3bec0c56fc1bc267a789e206684058c
SHA256 f76a067524946602fb2a8c10fbc9f46852c725c3ff98eee93773b322393bea5a
SHA512 0de352fb80ebcaa5428476b04e7872bcaf4df287c0e6cb305ba4723f8f4abc21adb80cf1a33095740249ace78c331a469ca79d3e953c43b6251130fe8bb671c5

C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe

MD5 43846baa3f3203a91f5390859ea0ec6f
SHA1 ff9a2cddfd31f1a647fda7fe9b7de024dcb1982b
SHA256 a6d22147c3adb5297cbd6ad428ff3418ee90b57a2114e35c0cccbe1108824135
SHA512 d08d570a9018a38df22c2415143998e9647eeddc360ea7d6e4d536411d59446e01961daf827f8bf502d3c05da5910a915d150c60e8f48e599168e5d3340b0769

memory/1300-7471-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe

MD5 97de2135350d335f7e212be2b2b59e18
SHA1 fcc6306580c6002f483dbe325c22ef5a38d2216e
SHA256 97468a9ee9157c05f1d2490f8b7096ade591400ab04a561b3e880813a78b1460
SHA512 34e1a0cc25bf44e5ec7772d737832e8654a03ce35cb8e27c93914f8bdd1899f6d7e4a035f2b0a4219a0935085d67759340bc170ca551968e92cf8812bcbfe167

C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe

MD5 541f067e87a702be470cffa28eec6847
SHA1 6100dbbfd7b07d0f39d4879c581606b716bd0ae8
SHA256 139a1fe27f2292697d05773541d9271103b07e2031c8a915c5b26e98d196ba14
SHA512 50b457b9b326b84cad647ed9ab2c7668561b27eccfc3d769e6583520d400e77bb3e9168243930e0529d80ec48d04205488e1d941dd841e4da30131944cfe1eae

memory/3332-9663-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 2d86716a6dc39a2ba398ff5662b9de68
SHA1 1f53735a13dff7d2e94883f5fe74cae3bf247137
SHA256 24e32c2f7420a928c54103b8f9ef2e4a075ddeb9fe7482ce4272fadd23d9feac
SHA512 cce7efbd6de88cd49c4b41af472f0128e811aab98fee8a1fac446351a052f1bf2db8f6391cd3d9e9397f1574ebc6c461927a1133860fb0118f62ada0994da703

memory/3332-13000-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 67cf77c1307e4f93d0391154a7253c39
SHA1 845455ba88ba4a061af32f7eee2bbddeb56cd4fa
SHA256 8fad1cd7cbe56c9bea36e7c7b36c2901c492bb8e8ef1a3f9f00147fb48b05fa3
SHA512 d57fdfaa5ad3cb400207bea5d1f1f5635709821da7a1d9fb5f5ea600803a57a3fdf4c820cc36d61545476aa6b45164a5b95ce4c780f7dd99c518bd8b5815a547

memory/2656-15538-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3332-15539-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3332-15541-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (9105) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Media Player\WMPMediaSharing.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14578_.GIF.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Jamaica C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\splashscreen.dll.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.LEX.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\settings.css C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02214_.GIF.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Students.accdt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1XTOR.DLL.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\MLA.XSL C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-13 C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Windows Journal\it-IT\Journal.exe.mui C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_fr.dub C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0252629.WMF.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpsychedelic_plugin.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL090.XML C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Couture.thmx C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.IDX_DLL.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\VOLTAGE.WAV C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\java.policy.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nn.txt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35F.GIF C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.EMAIL=[[email protected]]ID=[0A6172B017F62EAA].biobio C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48F.GIF C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe C:\Windows\System32\cmd.exe
PID 3056 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3056 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3056 wrote to memory of 2808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2072 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe C:\Windows\System32\cmd.exe
PID 2892 wrote to memory of 2720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2892 wrote to memory of 2720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2892 wrote to memory of 2720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe

"C:\Users\Admin\AppData\Local\Temp\0A6172B017F62EAA.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

C:\ProgramData\biobio ransmoware.txt

MD5 a7cf708d497dd6e922f91d33d14f7600
SHA1 5e4f3f5817004eeaf4bc14a0168d86ed7fcdf6d4
SHA256 20a5f1f3bb4614433712df1ffc67273465e766191502b8e932321f1f24fea65d
SHA512 d27a32dfcc0835879ed45e221e9857c1165de03a859980f0e29ecd6d5877d832577f7d6b584aa96e24caf7ab7652387d713ef2293412bd10b6b65567ed0bcd42

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (9123) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18249_.WMF C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXT C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14755_.GIF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSSOAP30.DLL C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\THMBNAIL.PNG.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215210.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98SP.POC.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02141_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01058_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTE.CFG.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7fr.kic C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.ELM C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18213_.WMF C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hu.txt C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157995.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSSOAPR3.DLL C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02028_.WMF C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143746.GIF C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15272_.GIF C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01545_.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107750.WMF.EMAIL=[[email protected]]ID=[2891E1D4BAC70EBA].biobio C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe C:\Windows\System32\cmd.exe
PID 2348 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe C:\Windows\System32\cmd.exe
PID 2348 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe C:\Windows\System32\cmd.exe
PID 2348 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2960 wrote to memory of 2228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2960 wrote to memory of 2228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2348 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe C:\Windows\System32\cmd.exe
PID 2348 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe C:\Windows\System32\cmd.exe
PID 2348 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe C:\Windows\System32\cmd.exe
PID 2348 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe C:\Windows\System32\cmd.exe
PID 2504 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2504 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2504 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe

"C:\Users\Admin\AppData\Local\Temp\2891E1D4BAC70EBA.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

C:\ProgramData\biobio ransmoware.txt

MD5 91fa1053207971e936e6bbad0c7e8c27
SHA1 61a6300d327ae6eb276c6143f65a58c8f269a67e
SHA256 f26d98cae64be561f1260f5cd1c2974a6dce9ffca484461b985ae1107198848d
SHA512 b2794993d695cb6950eaa65eecd44dfd4f8ee297dfbd0ef26532fa9f60639c466bacd18e557798e3e28535f4812f1e928bd4862d6bc39a3f014465836d88b832

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win7-20240903-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (9108) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCNPST32.DLL.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\t2k.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297759.WMF.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143758.GIF C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Algiers.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\attention.gif C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\notificationserver.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01661_.WMF C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICTPH.POC.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libheadphone_channel_mixer_plugin.dll C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.INF C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\de-DE\Sidebar.exe.mui C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\SPACER.GIF C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01772_.WMF.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_COL.HXC C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Grid.eftx.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.ELM C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\bing.ico C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.XML C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageStyle.css C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\uninstall.log.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_ja.jar C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152560.WMF.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXT.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14533_.GIF C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe C:\Windows\System32\cmd.exe
PID 2284 wrote to memory of 2592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2284 wrote to memory of 2592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2284 wrote to memory of 2592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2512 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe C:\Windows\System32\cmd.exe
PID 1748 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1748 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1748 wrote to memory of 580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe

"C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

C:\ProgramData\biobio ransmoware.txt

MD5 9dd4c0412b91c85abdcd4925e5a10577
SHA1 f34a9a8a866d410d03bb26a13652c0754658d40c
SHA256 b05da8fb81352f7f573a1f010068cf0346ff8bc370fe14ecef1da1805bbc3138
SHA512 deb3f6bd3a982cd5396de1239c2b7d63a6640608c9a9749495ad9c19bfe863106a153550d3535a7ca938cf6c756511df026ca9cc9a4b8d52424b222e69adaadc

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win10v2004-20241007-en

Max time kernel

122s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (11259) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLike.ps1.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_2019.430.2026.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\dom.md C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-200.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\en-US\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsym.ttf C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.ComponentModel.EventBasedAsync.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\avutil-56_ms.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ucrtbase.dll C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\zip.dll.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-32.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Safety_NoObjects.jpg C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close_dark.svg.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[CC3B1F89FAA517E4].biobio C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe

"C:\Users\Admin\AppData\Local\Temp\CC3B1F89FAA517E4.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\ProgramData\biobio ransmoware.txt

MD5 35e12534b477dbbc950008d0b9e48b2f
SHA1 8c8915df37f9345ccdf65df19401955a666adabd
SHA256 e296f4114f97cd3dfbbe03ea3ffbeb2d53578a417c9e9d02c6f6ac850b96c85c
SHA512 4842b68f65b5399cff2235d00e84976bd95a56fb739d3dadee451a1fc8469fb2941ba3f899c59a2dcaff4766585bdab19e9344d44adbb85c5c7302dc865b6fab

C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui

MD5 cd00a4bb635628661241ba51c4098ca5
SHA1 4141d88b79850fac30705553af8770eb8ba8d634
SHA256 d04331caf9dafc3fe835cb3cee5f34a6135dea77ab23cd2e5a77d564dafc6c84
SHA512 ccd946489267e4e71598e055fd1502c20f03f759aaf9a7ce7e4c89c2b0b72dd1debb81927ce370932fa1d41a733d8af9ea3ee0176dd4363f6df59c89c9e4f917

C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui

MD5 ee0e44effa15f1592a49a6ab068d4b56
SHA1 43da26922d9420fde3608f1096d6be345800f67b
SHA256 bdd0191bf4613d8b7edcfabf7cc18e0213db5496fa003517d37c8c506e254cf1
SHA512 c36cd0e017d2648c1bc50cfe5b5219ce04959bae5e2387f95a8e33c2ce4c38582c8129b4a41ccc9fd3b030a78c01d68f7bb1c3b9ddc69e9d18c5710b446fa62c

C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui

MD5 dc414391cfe3eedf1e04c9afd55edcb4
SHA1 1c0350d89fc0bc7a433c9568e7d652045a32afae
SHA256 69024e51122b85fe4877ee69c287880c24918d2a313efe5e38461e02ec476c66
SHA512 04e8dbdf9ba05a446277c980b7cc77aa6a7387ab9169964fdcdd2950d73ca045ea2145e3a95e7e84c959b261a15901fb192dc85dd67cd09d1b259d6d12114f0e

C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui

MD5 7a7f503b2a8b185d2d2f25dd422ada09
SHA1 bf22290218542c7a44557241afe5fd9372bfd4f5
SHA256 09cef35ec3c9a8467c68af7b39516318528a1cb3dbb44ba9df52aecaa3da95d8
SHA512 29511d01eebd10a47bb74ae2e0f7ed110ea5b993fd5fafc2a6933cd7fc792bd7a842933899012f55b4c0be6e4132ef2a3fa99aa57809e146a376c2f30dc0eab1

C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui

MD5 25eb36b2b04948c1a274d27332896e29
SHA1 74274e70fb4efaf4a1d53cd7c4ab0127fa964c5d
SHA256 f9415d7fc568a2b4f0a6dc2a4d3a02676f754f515bf2ee9913926eb2725bb162
SHA512 2fcb5dd24961c62bf2ed6662daa84e4e6ff13b7992f9031e71d4827287269019b8f36177573fb6a2bb75dcc5bb14eead53f1107e6c83ad6c4e7cdad33ff38029

C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui

MD5 341753a668bd6cb768d29536c4992e4d
SHA1 6dfb97c5caefa4201063b05efa16d41764f2429e
SHA256 7f037a2324f10f7226678de17b98b156106af4a584e97e28884462ede9c81274
SHA512 d9368315b07dd0d1e6b314260b31072856c4bac8d5b6ea3dcbfa5fd6e5c7c05113e7cd819ddb5b124be84ead0026c2eb421938a41b82f8e169d7e050fc3cbaee

C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui

MD5 6ca8126760c27362fd66328ed9aee4ef
SHA1 d7a561dddeefce6c1b6647715ae6ed576a37c430
SHA256 413e8cc0ed2ac9f53997201375a1297e34aed6bcf778035d2f54e24dae38e963
SHA512 ce5fc1ae4d0b54058d6b38c49a5a38c41418eb6035b9ecc25356ac86b0b23daaefca1c20a529e3da11bb75c888dbe723ec7205c3700c733bfd5ec58785c538da

C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 d19db38a51b8a764580a21aae9667179
SHA1 89b9b2debac5037d222feb854030b7ae205f1e3c
SHA256 c0686e4e75ea40cfc86d585876649b8bc86a90ac023ce5342b0c5d3fe5704db6
SHA512 b47feaeb78ba6a9cb9251f4668817f0359f65d01bae1b8e444b8aa0adae3c6c8ebd9e6fcb92630c644bbee50b56c88dfcd35121812ad56784fa2dfe41b124ea0

C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui

MD5 0225904dcafb6bf9e725c5d2569aaed2
SHA1 c8c4c12ac46c207600c9d95264f7ed833cd1f878
SHA256 42e0a909cf765235e8db1755ca080b925dd9850b22f2a4a062297bba9c1f63e4
SHA512 af9b8fd35fc00628058cedc280e972dc10381648e82a5f715d6a52ad709ea17cdf955e4f9efc5335c3314f865e70c9d4dded14d293249c555883de6058ed85d6

C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 580f0735768c934b1cb7bb4c27afb844
SHA1 55b793f49996b4c6addc9c7ca1b298390a70d480
SHA256 d45a9f356e363fb42a25e51af3aebc4a0a50fb6362cf2f4534847d14f5ad8c38
SHA512 5c9f4b187a004ab9358a829bb7c01645cea348e02f892c204564436a491d828d991244aabbb919b29224d898a71d0311028156c81c631583118c2d1b0b3893b9

C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui

MD5 08f9e414f860af8a7312d15b2c8a49f0
SHA1 332182bef946c223ef93ae25df921e8c60e059a3
SHA256 3f9363bf00c3fbc7058fbc43fa053110e4a3e662f6d65943556feda074cded98
SHA512 2c0e3cf07b1ec309d290c60c47b7a05d9b5f769c1a9296657c383e0b7d63ef7d69ad7c5eb634baf42769196b49cf7c756b6b0579a1d586be6cf138a418549a6c

C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 cc267f607ecdb52aff2f124093cba796
SHA1 5dba9cb26fac8a1ca76e1f0e93cc0500082a6ea1
SHA256 78716f3d5a461af56c722d6bc06b75f48c9596a6958e7484c1cd9ea8663e3e45
SHA512 3da37b85c466ef1f083215374a7b5b9f9fa1d378854ff21f516aaaaf6641aa0caa56f58208ea1037f166bac0e7da00c1f5c6a54ba85dc97d4f572a4ec3a96263

C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 c92a956596c5838e9f40e5640082bb5c
SHA1 bff0a3c71fd482cc89bc449cb53bbb1fb2bced01
SHA256 a8cd047e42d21bccc9f8da51b29af2520aaa61ebf71fdfc4a978424e6180a138
SHA512 e4824bb86d1f00feaf3d6e2be56e6a8557e8ea173ed6303a866493076f5beef58aea7f3c1af9d4e76a3237333824f4da8a4ee2d4e2546c484205330b093b46f5

C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui

MD5 16960a97c2a1683878947fec392b768d
SHA1 f62974ef1e553a284498b542db7bd11c7ce94334
SHA256 e28790c105da9675545914271e3f8728eddf8546c8a7bee93601284d5abc9c19
SHA512 4ac046f0d9667e36a300806435c27aba605f95488e69ffab4367395060cdaefe192d643074949ec9b34d2e6c8f06053b835199ccdc637a4f5b6836a619684bdc

C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 5b61d1a637b7393e62373ae634352201
SHA1 e59ded37a33e5aa3a36167311eda05bd0a5ff9c3
SHA256 e261a82ab5242b10af36ec5bd64ef983a1c022905b7df40afe731277c4ee8fd1
SHA512 4f1024f1f5a565bfa210784228e1c7b7bb10b38f2d02e53b94df2931bab49717eccab3524c22881074e1485c5502bc06136f6c1107e7173684e63dabb4ef4fd3

C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 183953a8591a4aa7ad95b23560ed4bdf
SHA1 a893cb7714719e0f53cdee0e940388a0331b2fa0
SHA256 8dd73ff451ee797717f1f98f8645f6648d517dfd9bf16d34edf989466696782f
SHA512 b680a42a530568e65a67d78ea673c420010821f65d62e17a408c8081e3170a7d89c832a7eb8bd648bb7f3c261c76aff945405c7387d7bfbc4ba0384de8ff1abc

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 750e8bc153a60e3fe591f17a3823dadf
SHA1 13e9c2c747cacdfcebe2ae8d630e57c936ec6a54
SHA256 7ba9698458d9028e277f8038f7039426b0766317c840b194fa378566856baed9
SHA512 d4be637277845d9b0a2f133d5f134274e49dbeb17a0b607cde745b29634c6c60cfd49110f72e81f5ceacbda11edca3dec23aca98039bda344f94949a6b64e7fd

C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui

MD5 db808b6cf6d3cbb4f3dd55f7d9ec8456
SHA1 cae19f40fe3141a6c4d31473c871f31075a4db36
SHA256 d1d1d3b47cbf1606f358278c2c96201f6b254da86195089abf3fe96742e86361
SHA512 25c5e03e890e98e5c92c94f1382a61aaa335ff93a1018ec527ee21e265f61d9a0b621ccf9d9f7b9a50b3a3afbc313483f99352fb41874c70771e5c464decaa3b

C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui

MD5 f1c09f1a28e352d64f69afc40b9595af
SHA1 a7cfbf0f639619fcc58add8c5615356cd836817e
SHA256 b9d38c6bcd2761b42ce566da6b435545729cee3208bd6db804b59003cd7412ba
SHA512 a9290fafe9006ce075320bbdcd1c60194800620516af101b651e88c217003056f054e7d8e1907eb684c1d2a23ca8f529fd948b732858dabbdea3c5b0ff5a4686

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 266f9ee4070dcee4739a779ac148fd95
SHA1 1a0bfc7eb97f12faad9cdd5dc8a68e31b489dc2b
SHA256 09d8c99cacfce9ff1b457aa2e56a171508451ff6be82befaf2e744ae3bddab60
SHA512 592cdcc6c4a28ee62af585336dd24669d5ebb06392de8c75c6004523274aad43cec5dcdb605b5917fd51a82d3c0f05537127e74675cafd669def1e1d042876a8

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 bf0bc74a63234d2095d81f5b23cd5b25
SHA1 41f938e2ba417c004c279b78c57eb71a58da445b
SHA256 e343fb28d4a4d51c9d63b3855879e92463b32ff74b73001eec2df49b4668c302
SHA512 ea85f866ed62baa191c0e6108ea2836fbd3da91252ef556071e68e6f51387144d9c0f0075bac2e139a30fd089b98b896234b2a138f18ff39033f218cf40b7bd4

C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 b452d804f89f6511d9b11ed8c1d27398
SHA1 13364a07e7e2a5fb6acedb97a7171cbd9c0b87c2
SHA256 0a464e62f8516fe5f01fd19ed5ecb663e5d4d8913b4569ffffb1c8767a49d450
SHA512 dc4e3220f3b7fe004858533d361b9163e2207bd16913e493f84ff5c7df14a2eea411b3d84871806d94be0ff40ed7b7e428427b56389a1416cf56dd05f660948c

C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 81c594d5475d0bb59da8fca84c916007
SHA1 115fc6dd31d55c8d10e236144b2c5634ca79cf2e
SHA256 1f42868c6f5620a1338510103595b67f8fe1476ce4d46ac74b0eb6937ac03f32
SHA512 46d2ea3fed4fb72aa205f94f20667bce5d30a9994acac8b877ea4eaeef24885fd137c05404f5e146b65292035db0a8a07e032f3a3d62285fa0095cc3f42a4e20

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 0101cb03a31790e5138e8d4422b16e89
SHA1 16f380b507068e2ac9364d4e2fce2b5e1ad28ece
SHA256 248365c11673d32dd767f0784841397690c57e6334515f0fc6cc6f6902512d77
SHA512 b32e0e1ea215c5a72e0219da41d60301c4ceb6f3d8b29e3bc178bab6ea6724a8b25b544bcff8361de710528b40cd3b699ce2dbc8a98bd14fc905674d1894d5bd

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 e122e42af60a6b24b80a75be136dad7a
SHA1 eacf502148e284e1ab162ac9a9535aa1d66b458e
SHA256 b232cd80739607a5b93eb7c146102e4afe2c048ed71c7a954790bb5658fb342d
SHA512 b11de758e424dd151ad14724c28a1fc14eb041ed5ceafee36b9ca462c18c7683db0c735d4795478ee992c05b185936fddab93772293fbb94cbd280b1fe2e3261

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

MD5 f68b3520821feed91b30247ca3f3bdc0
SHA1 fe4ed0fdb260bebc679a64636fb5d05e22acfdd6
SHA256 c2293314cecd6968af885fe973ba411dde4b724ea4914678a711690c7cf562e5
SHA512 d616a1d5b14bf1e703a2b86570f3fc08e3faa4de363febcba0df715a50fb907b55c350a46434f6c65cfd50e8dd68dd83c08f37e10d119607c9a791dd6ef7b24c

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

MD5 f8c00a1b650ae3fdf4cb4dea0222b856
SHA1 0436d2d52fa712b2fed40a31e751d51762a79819
SHA256 7ee28e0246bdb0146c50a164c7b4fb7bdb49e61c08c1912cdd949ccd37e9bd09
SHA512 2e8fb0bf90ddcf36d3772393fe9b8c66e124e3852afd480480b615b82866a02e329f93570a7c1a9f4dcea9c38ec77a04af1d4ab7d6833e4b1bedf4d154281110

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

MD5 ade5e922b6e1feeb8fb2fac31a5eafa4
SHA1 70f072dfe49822a72a043659490186cc319a3a3a
SHA256 4125074221bba65c0a39990dbd7109e0b39af674f148f0615b0d4da5253a04a3
SHA512 206d79d82669493d906db8d70fbb374a70c1f8a2b498c20a7f57ea9852f487ac6f1e1f9b4faaa797c3385b3b662ff528dd590f844ea616d2429830455d09e94a

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 865ca799136ee3de487925c55866b7de
SHA1 a95b3e00975295742f1d4083748038cd746f432e
SHA256 c0eae566c272e4734a0000a33c1c7834721ee92dad1dfd93c13400837d462c70
SHA512 5e77b6512e47b77237cffb12ed50e6e7fab610aa63ee02a52c8be52f706826b3d4ffc72f10927e70ff5666218b0842fe7fed8ad5d7956150c6afbc518fe18555

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 f933a3a76ead7d2eb6d497c6d97e3822
SHA1 ec17f878409ebcb748d474a702e8575c686d8f80
SHA256 47e71be8aac1e28b747d433bfd2fc9a9ccab59f43e515dc6ee1d2537258a9561
SHA512 7f5470181e72de30bb0f1dd9c5ee2e79ec3c12352bc54618876e978bbc5819624e91912ad552daf876f3134cd3bf03084edbd00021c8d9b4e8245e27ca4f37cd

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 676bc58a79761583cd8a73843b818b1f
SHA1 f01718a168bbffea8244aa96e36bd0eb9ed5a7c7
SHA256 2bd44d2cfa4cc62623bdbd87b57b4f162142411d7cde2fd69826e43cb1ebd1e5
SHA512 9df7632565cd275b9f26626a0e26ff03e97efa40f6fac824097dbb9ff3ccc06de553806824aa2b44202f18e18c2180a2f2634b3b08fa902aa8674024074934d8

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 323305e742b1a3accb8980bc0ddee26f
SHA1 6e909969261489745db0b5c0d23df1c3f2d22bf8
SHA256 5fa193dfb3b4f68a0dbd95478474a6edfb75b0706dc77aea0710f117eade213e
SHA512 8663cb1f15ace6376c6086c451aa0ea048b818100e90c2912923ddf567be58e9ef5fba486775a322813c6b5d76f92014bd3d3972df6a299764a294e2582a0db2

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 42642007d1b3aaec6d1e4c3c09ef7129
SHA1 51854f1b38c4e0ef4e3b3d5bc12bea764a3224b0
SHA256 96dea471b93863db7ef049f13571ffb3eaf1ea3e577580ce5d129f7a4761fa36
SHA512 5f7184860dcdc51fc6997b34ca85636cc3f598618711755d3171a34d61ca601d0fc9eba67765f46aa578155f8534a20fc32671c5fbb62fb6bcd3580a720ee9a2

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 6ab409707d506782976fa387d3444e4d
SHA1 c37d48caf8cabf79dda5a9541eb43019ab4b62e0
SHA256 fab6ad0b1e071b688122874ef58914d65398540941f80fccd08e12220cc9253c
SHA512 022c192aa40732a4eee188556e6a8d26ef875596d11d20a2b8aae6fcf1b000cb1a77b7ad7c445fdfb8a116df710294e8708965340c0f54a36d5da41ccc01076f

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 874e5bc571313194820c21a2fc64fe26
SHA1 6c4e0d6bbb2e88e392025df9f111faf3f6b38b5c
SHA256 c83ba0de19f0351d4828a7650c9e5d878f2211db4f146b307b0f65a09e4a7142
SHA512 7ea4a79a0a33705ffb334cf6a1f0a3550ae563e694fec3f45e59aff0ecc0fe418d8700311c9d3e4da0c497a373c7f0f2c8f1a4a3daec4105b14e19e46c63b2eb

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 aab62cc74e63c5575540e6141f88577c
SHA1 730c95bbbebf107a7a8e8dc5d751e9049842cb4b
SHA256 ab1a89f873ef5ecc55d9b6ed00f945606dfba4f60feb6ca8924df3a6d5b333c3
SHA512 e0cfb47840715fc35414470f060bc6d38a37b5b5aa2b647eafb97e7a66d4183b1ff8751e7edc9fa124e37c31fa0f633c2889ceaf8085f449145523cc3edf1903

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 32cdd2d33a79538592c69bb87df112eb
SHA1 26db5ea890698633561c4a8f8ce24a1f37ccd064
SHA256 8443263831a33f7815a0017d9e5db23736528d485d576e4f060f1cdd8901fd09
SHA512 d44764ba9a2bdee6810214e8efd744b63dacfe615fad437791dfeb7750da1dfc1b6098ebdeac14fb6d6cc4109971caa38099289ead560cb404af060066e396e9

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 9f5a7de274f6a27458e3cd75375bc30b
SHA1 94af04e7200fb705c4109ba386b4e2af9aae4f1e
SHA256 4fd769d748d2267c3588cf54a7ce9e41db3e982ffeb26eeef47f3c9b53c4172a
SHA512 cdea97a47d991b27e7a803a8f84f1c013d1f44cc2f5acd08b272a0f916dfaea0899b83ec23c86dae393afa767966bf52b2be5d7ba9f8502c338d41279411bb9c

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 491bcba32abe3120587f1f1a9065d04a
SHA1 ab90f7758917ab13b3b8aa60dc09451f0ddb5db5
SHA256 6fad22b69bf2b4de4bb7fb0f3f6eed58c505d71d7b60d5d57354b0d286356e20
SHA512 fcd96ff8abae766da0d21f749bfa9234184459699a24564139672fa99bead39061c06df8e40921cd07a0792a833226d626662d0fda8d20428d7df0e15e478991

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 188f122dc20cf651eb4a951a20f62651
SHA1 09882b45c861e8d9b39b77f279150403444bab39
SHA256 6e223df1fd8bd9cfa8f49343daf7a261a697aa24c41172e6d90498388e261df8
SHA512 d694d9972c33727b797520ce25ce0ab6287cbe0c82a0421e03018471fc4eb68cf23c3346ae98e9c7e7d6a152172ddf385ff2c01851014c6667b619bd5e6528ef

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 52a84c3d46c4f6b19c8bfc95ee797e25
SHA1 6b84e53449fcc7d71fb48bda8d2a50fb82e3ac50
SHA256 a328b45838066d1d89ef7614c6ca1aff62b00482eef4cea221865a71c1ebc500
SHA512 fbd406533e5863485892b2bb91e20a9dbd2358f09c2a76216b7e887fa4ec0e56714dfe18b793999383499e14fb3272a61ccfad0c5a8a9369fc4ec7da2096e588

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 fbdf635f8824e7279b48f201cebf05b7
SHA1 fd8695c80c6637dfb8cd802a9efa43bcc1a7f9ab
SHA256 7e98c35d0aa78393ce9e083c6d3a53a603bedfad41e90b5e4f868dc3f0c33cf2
SHA512 a0f96f3c0689cb43745e5f710a722f0a3183940f2d8a75e7454c55808e7f57504f6ecc8c3993af76c45235dfe1d9575fa6ccd3ad49492de31d69e8df681c255a

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 f99d21284eeb846cdb6e0a06da87cb35
SHA1 c00ab7116699ebb2ba5baaafb89782cfe940ec9e
SHA256 89bd63de058cb2f580f59f5f646e53e23a313f08281b7827cc1ab7b7b883ebd4
SHA512 e53be70f0d6aa79b367c96455e7dd869ef4061ee3059ea35b1a7c6e56db9a8284186fcf9ada0d23d0b4b9b7a0475d91fa36327621bdff2a4a01b906fe5eb4a86

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 b7d61f1b6ba587a3d9147c586ff95174
SHA1 e77a5bf29a5f2564cb4280e1cf975a1e73feefcd
SHA256 23b1556d81de627b139a7ac2780859e10fcdc2c7cdeffbb23c15407a9ce4c676
SHA512 021c04f565cb9f07bcf452b5d83477c9e3d402fb9b2de1b474673e68f74fa3c0eb6494d179e7f7c7fccf2ab65eb53ef109515886bad05d776ce582283ef8acb1

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 fec028080a4030c5402aa42502bced7b
SHA1 f145a6baef91f8801d3180878a614f359126b7e3
SHA256 efbfd91d9524a47acd40a2e081853f6e988669865f961bf9a882c3de73caf079
SHA512 7b317faad60115e18d0f43da830c9525f68dc9d41b3341ccc4fc3b3c9800c4d1ec608e1f7b8213aef02c6b68f1eb6614ee0da2897830829fb7f8f5884b6e8eec

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 b19875277ade43c5bc38df7e94faa9e3
SHA1 77c648fe98c9a8877999924ff87d75ddeb8e80d6
SHA256 63064acee21ec7c0a2efecf0f74e954d4314cf44a068197c1026e06dac33fa6d
SHA512 ddc222cc6a9b275afd9ff5c1a3cc7264e77c2be48709c8372c5332cb17dd1747bd96e4da3a296a10fae7a998d358e3bd7b6b024b4ad0820d0802fa118e886ac5

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 3c37dae32df4e13aa35da21dcee6eacc
SHA1 096d9a569585e376ebb3886436be401aa9837754
SHA256 70e5388a95bcbb431e2ce8aef5da913a0519a958e01f7dafe2584fae88e06eb0
SHA512 6e9cd8015ac09dc480aff0f37a6fa83a17f9f1a7b875f85a4e1e80779cc965ec89e8cac3f296699e3895abf5836c22f3a4254e3e8b1175bfc9d100b657410aff

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 e5e3eb396c2a173ab4c85882c0daacd2
SHA1 127f1b45ca032a2f1225c1b17c1d8d8648ecba02
SHA256 616413b2be8244fadf7cad63076c3b2236ab3ae9bc87f4a4ea8679ce7f0728ba
SHA512 59b9911e1355646b6bd3a62c3fb76fa0ca5f57fc86d27bfb1e43b54938136950fce2ca1ace9bb0d294ead4fd3e06f3d1c97adcc6fc896ace1523384c52688a2f

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 4edf48edff5df34ccc01654ab61132ca
SHA1 2e447d77668c1949e83f850c9ae59f41a5d5c53d
SHA256 1e465063ea2a8048b64db643b809aafe2f0391f6fa78c048481d12ec100eb5e8
SHA512 ca66c3fd59fe96198ab8ed7051c13a57cd3266f4b4e35db7f6fbcb713b610b7e03989897d5830a42fdcc960260e18591fdb35b77fed98a4035d9b105ec0f4377

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 7cdbe641496dc35cd1787a84ebb100aa
SHA1 c4cd2eddee55183cc7cf01c4bc66c6cda8b20e6b
SHA256 a5e8d24b5e5736840238f68c0f491ac427035b1d711e8a3916f8cfbe0ffcde03
SHA512 c31fb28daffc5aeadb1aa2d7b42d4964f36a9e84859b8624125239f5594c444060ad3db6cabba5c4d357821af8f07113b2c972778aa4d3d618fb8a572ae77efe

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 6d96cc32f0725439b462101169cbb350
SHA1 e2a0890c51b41439ce6a24b93fcb74ad2fabd4b2
SHA256 2c9968d1f1df91b20f70c557b82c078013d8b2df3490b7d027534cd3c37f8d59
SHA512 27475b0a5e2f4f5799af1f287a36b8aad196cbb9e3b7812d01f406ec699f01f017a4e24fa0e476de483848aea21b3365cd08f10d5a5ac4020faa2706e4e6297d

C:\Program Files (x86)\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 fb0c096c18c454ca58b52e66766526a5
SHA1 f35d59b24e744defec377d41aea785e8b0b95f24
SHA256 a2a4c50b84adb942822f15533295894cd1e41bb8f31eb9b4f982405ee9c0dd73
SHA512 ed3253bef3686cf2a6512d214f05e49ad1b59b65cf4c391380faf3c4542acfd1805980538ca742d36a041be27b57435d8139564e80c843d70313bd1f4fc1a1ab

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 2cdcd629c604a3af6676fa151c062d9a
SHA1 a7cdf671f3d96a5b256dc90bb83754f3d6c98321
SHA256 3447bb45e03a2106b9f75b853696d0436b3e2746874956973c7aeb2aa76c94e0
SHA512 e0f62d628349facca5cfc7f67d5eeef1e5c655c8842c73630cf19b0fcbf76ed47dc6c989b8f3c9efed4e79da80485a0dcd6c4b8ade14bbf54d633987e8a89369

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 afa1791e5db453a656e094bf7165df75
SHA1 190d9cd6aaf6f2a4ca17907011e21fb6ce4e516c
SHA256 9239d65d4e216ddfc1b8c3e8f292702a0dd9e9daf49e1ebed082579ac5821d80
SHA512 fadf8a5eb80c82a2861f5e8fea75baf7dfddd3de3e3112f81b184a6ecd9fda2c467ffbd77a7902afa668aa8c2df335e9bb5311058258f0932b20c54da879cf90

C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 2b40b3c34f45d1ac23a182582126d2d1
SHA1 ebe0aa4a69501acb680ddafc480b858f2366a361
SHA256 c93d1750a8d8699526ce92257a7ad6d86e35c58912d0622c5d09bfd69a87a1e1
SHA512 17d150b1d9177632334366bc3f3b1b5fe47300885e325a1d9242439130f43881e52aa286f23cacd89b083870d74f5a6d69beaca6c094d9b6b39d925211f65a88

C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 b9e0ae288bc0f3a07cf044f0cd14bd59
SHA1 f07159bdfe8cc8019ee6088b509625de1bee53f0
SHA256 ad7c20ff33f6e3001576dfe971393a328ddd18e3f0c409e9cbfb62f0643ae87d
SHA512 8a6b58eeca0c763e8b6568bca22306a9049a7014e05a9bc9051ba05972e466af3b79016386b3aedbe460b13d530b1aad9bab51e2f7822012beb09b0ff077275e

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 13df2eb0f391ca0ce1c543b7d886657b
SHA1 389f885d9c4b1b83cd1e42f64cd0e29255987464
SHA256 31155014b6c036efe7901e4d5ed040dd086211b33e8e6b6dba47896d7024f1be
SHA512 3841f1bc01826c7ef7c589911a802f6467cf66cc16cf2174465a6db199721d7d32349073406178b18388a500e0da43de325774464f3ba36d5eb6c7d57ed122b0

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 d8fef23bcca2ada10055ad2f417909c1
SHA1 7f6a2cab88fc29b1d5a0b03ba30ea11c07ba40b8
SHA256 16fb55ed5ea692b4d2147c1e32b48828e7a2e5fe5d2177c1f48aab6d7605563e
SHA512 08f5ec81c893cc5179453c05315f52892dadc3e907116eee0bc2e82a1cf8d0b8728f95db06660fe33ad7ada68e19ef77481834535180b6c8e0416df54b9e5fca

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 8754cecc1e384146588e0047473ba979
SHA1 58147a11c90b3897591b84a4112851be114040f0
SHA256 cb4ffcc07b4b955185252ad89c8d9dd22380b783617abfe01d3e27e2eea61682
SHA512 8a829504164a62b2a0d848a18c729c389eec216ab5aed29814a91b774d2ff28e7375744f7211a21b08437f21169e012c13d8fdd54ebae416932fd4dc6d9385ee

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 624efeaedff3ae0b8bec755c9022d6d8
SHA1 b9a1bee7ca6e97acbb34a788f5313641048f0f4c
SHA256 9ef7e4f7df70619caa54382b938e43572fbd115d077d27f917f9e5e2b4c798ff
SHA512 1a2caa72f87997f4332bf6ff4f63f051e50bba54482a54085473b4cdf4baae9289310f10da4dce1767593b73d4d38d7a118d4c20eb757f9834c290e0d556cb5f

C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 c4de7f027c7f510f1936bd4ec53d398b
SHA1 bf6251557f54ef769aff58e4b9a76e34764c1adb
SHA256 db48f96a00e061525f1e0198181d1336f56731c9e9e36e65bc3702cee6143aa3
SHA512 62716270b9d1ed4ecdf4132d99157f2b177b0246cd0ce22f1589106b60c4e5d4d3acfc022baa4be73ebe70573a0009e03b6a9c43a13e2e2ebcdcbe180cd7e3a1

C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 e94b5ee2c53d6b6561ac04abf8ea760f
SHA1 4e1be82f18bd932a53466ab9e91b9b2765fb95b4
SHA256 25fa02e2961ab7defe05408b8832a8a34b305f1f29357e25ac7d836534efed36
SHA512 a65b9b47fbb8434ac7d69ef43b0368ac5b437dbbf800d4ec5879ba8153eeeb457bf5e04ef67aeaeb11f87f7f937dd8101a3168b73494ea30a835a5e209e90597

C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 48a6b0c551c52417382062a6b432b9b2
SHA1 065d1bf45f2a3b9dfcdce18eb1233a21d1e9a205
SHA256 7dcc2c42d659061fe6d71fdd684e7a3e4b31f3a80f02bddb6feffbe654a6f2f9
SHA512 765f9eb0cc4de2ceccf53491d17b3707e1691ae15166eecabac69eed0b34dad8432b7f043e8d0699e12c9803d2bb717abc84f577f0b7bb4693a008bbea840487

C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui

MD5 91ba0b90205a341ce2657fc0f99d59c5
SHA1 f90c2698af33a61fe03f53f4884c0520b026ad75
SHA256 2f89484751b5f081981c67f9640e1bacbac8f651a13f549b0f3e0997faacb420
SHA512 41689834b456b133256998aa2d3d63a9e0110f918c8bc4fe1d41312aa471ad791e6f34c7750f8663b1edcc758da8271341eacbb844abbaf5acfdc2511c7bd0cc

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 2b883cf22d8ac9f294021e71d2132964
SHA1 10141b46c8df19f5132589e9d2e862f8c29cf56c
SHA256 0c62c532f12d372856a2c3ccd5fbd4c3c691fe135cdbca218d248c3eeccfc05f
SHA512 cdff85089e01e19eb9976b6e1aae5998b865696b104e555f7caacd705f33362cabab8a7c9f1d8556e130d46cabdfe617218fd0c6eb93b6c1b43f1393ca432929

C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 ccb89960ea299e239533ec5cfa799a6d
SHA1 a46008a0ca9282e8b8447c8cd70d68eb4c153171
SHA256 806185605fc31efca766b5f1049d83a23e57db5675bdaf6026c7ca3cd8be1077
SHA512 ecf497a30261223311b3ef50e454e659438e505bb5172c9dc20b3df3f775a4d6fce2b4a9b01b19f114f156699e40748b62f2922fddcc7ec8bd86dbc5b3c4e939

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 972978d68017621a2e08b234c01d343c
SHA1 fb3dfd3fcd0e26122643add712132fdf6cd12f31
SHA256 956561468446200757c35149c511e85bac28d43caf780d8e451886c9fadef045
SHA512 0ffe7269f399f4377fb4fe3ffc6d0038f9a1a465feaaaa7b74bdca129711a8b9d11e8158ed2f2cb19586266b5bce15edea87ae651891b40bbaadfe53d570cef2

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

MD5 c30416b98b01005e7f7d489ef3e2cf95
SHA1 761a3e18a46c8142ad5d939d653248f08a7e3330
SHA256 28e8542143a6de6a9162309669f608e41d87be76b9cff3d09ec1973f13635dce
SHA512 4523996b4ad95970f9f90ead18533422fb07c7196822c5dfea9e129f7aa2825bd4dda08109e1f960c580c32c9f8a3301334f0ebd2ed99007f06d064eda5aff22

C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 085ab4d21468f8c42db10a4c677b706c
SHA1 77ffb58bd5fb0874fea9bdd273479468368208ef
SHA256 a971b6d2793fdcfeedfd6f5ca18bedd3d44977f826129fedc31d7aa88fd00607
SHA512 f37fb4d21d33059cec8d220d600fc9cbc85127cc23a463b4041beb098493158688bc8c640b0b5fd5f5b251b7ab00c1ba6567b43ed0253da42bf18828ce755884

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 eaa078b7858eb9b48d61c480cd1e9fa7
SHA1 cf6362733c5994b712c72357be1878c476312bf0
SHA256 64317f6ef65d065d34af71920b18e06fade252ec91a743c82e1f949bf968eae2
SHA512 80c0946d3f1ead29973ebb4cefed3d6c31738d2a548d93544ec64204932aedbf4a8dedef031b192aa0b363ff488d49a9cbe8acd3ae80f4818f17db3c05e7df88

C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 1dcb65070fab379de19f44faa24185ce
SHA1 0f0c604b2f2e07927bbbd3d0ddb66d3c94e12547
SHA256 403bde23cab7c1365131bd1074703ecfe0b18e4fb74eb3186ed8a4e99505d47e
SHA512 36e02acf1adab85b83e156eeca4f73f8e342585792f11db84e66eb878f08f25de45045d17856adde1446f3805c5be2520e6f1f7c66d84ba848c07cb9c1657695

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 712fe6850984e225c3b801aac8176e48
SHA1 5234450ee406e36a09fa24ef8226390e7daf18ca
SHA256 f896f3bdb9fc78d78b26f827d4c04537df9c81484ed5c207a47284466aadfabb
SHA512 c0f56f68eb23bd61a2aa4405e20b8f28cb1959f5b4f8e45345c4a14120e56c5aef3f90f58f2888d3f8d08848d834a51dec513b993e8a7586247f9d6dc0ef1838

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 310ac0d4c1a688e8de3375eae0417659
SHA1 d263a055b46c064d743745e922070a18c6a37a15
SHA256 43ffc791f006191f1dde0caebb43c9f6095f4b2d1737977144f9bf13b47f5db5
SHA512 e86f5192175c2071538598aac6dc481f806fae4e90d4b6db18d4e7c9e97109c33da8e504b917b36bcce48b49316e5123e9b4debb52004a4142cad05e208d0b52

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 8a78d909603e59769dcbce648dc398fe
SHA1 79e402aa7252d28e14290fb5ea4cece9d87547d7
SHA256 50950956c2484ac2374af4614b8dfa328000ede910cd0e284bd461c553a0b180
SHA512 bb7c201932321982b590d40035c19c9d02d0b63615f6c0106e1c01bd6ec25fd18424f3265a738f27924b32faa7ab95cdd1c2a8fd00eff52c199ea037f8d49e1b

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 cdbf606965f54ba57cad003e88fd0fea
SHA1 63ec4e73317838002d164e28ce053f914cd615bc
SHA256 237f5223ad97e734cb625595bd089a7e3afa834bbc32902c67beb16bd6eff3da
SHA512 33da97f2db7cd3e9530e3f7d56c626a6cd1d737603ecd00620d3f297fe7b6a4713c19f59de379ace54e256ce9b6defc862d280701ce73ef2240371db7f88a1e1

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 a58da1edb0101eec3ca50f71089ae3fc
SHA1 44013472885ecc2f0fb910a09baccbc363d3a28e
SHA256 14b27b31383217b17e18f9efe44692c32c20bf9980e1523117ef3f349978b905
SHA512 c22532f879cde05ccea843da8b1cbe390258da45d86c60220bca6d55dff8c307dfec472e9278448fdf3f296f80c30ae9bb11ca611238ea110b4433eaab65bd64

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 3575feed814bffbf89e930404e8d4e4f
SHA1 a9185a21b1e0657eb37343d5aafc761015f8e437
SHA256 823d9075b0481700b10c413175bccc7466ee8d149398d1b5e990faf43481bbc4
SHA512 a08c3efb09ce945460ce6dad64aca98f8b4c1aaa33830b416dffad6d7392b99a4bb3df55ef6dda82ed72d929fb21e76832d4cf76ae84ac640613155a8e840e24

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 c450246b2461a36e905e35e2f5ff0e44
SHA1 ff650825700e34a4959e5ae5949fcaa8ab23dc62
SHA256 9de40fc0df4c9e77ca41b7caf1b3bae08c44d687c2ce72fef9b238bb3aba5863
SHA512 4b3aadddc6499cbef50da0f0a2fc1df314878fb033cad4ee24f24f9725cee7e178d5917352f8615e502219dfd58728af29829f92963f2ea32bd2acdb5c757c81

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 dfacb0e5708bf1c81760b7718fa39320
SHA1 281c553e49ff35816eaa07e9a44da32c1b645c63
SHA256 6800c292bb9f8d260d221de7e31c629b4f7c4209f0f2ca84b551a521d12f92ae
SHA512 0a124252981a625596b012a990b1335d23170fff64cc4000dcd238984d6dab1c57a057d5ff87911d86902bb11a78cfd64a2e4c7ba76cd7f64d17f7e38c975a4c

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 f982968151d374c909c214403f89f300
SHA1 6c2fe2b6f6585bff3c6ca067fabba2be67f06e92
SHA256 8637fe09cc1db07997b4c9b2dde3ccede2315c5ff402db0bfcdecb4bbe42ec09
SHA512 a19f4d7b87c76e9df0abb2d6e73c1fabf4c18177479942c1c75c3ec69e227c1ddb2096cfc32edf7b391358fd97cc15eb0574b67fee49e29a2640d722bb6a8a91

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 024adacc7d0007af005e256fbe4603d1
SHA1 b9437e7f2784a1cfe3695de2454589d2ea2ac04e
SHA256 bfba9c2093646e7fc3726af0db4e5b9440c89aefa96eaf371c8db1d7779edb12
SHA512 a9c2bba86713e5150158bf75c583b5c4d4e8069df5d88f26152d27c6c4e962c9351f58cf53189d5d577ae3c80ee5f734531fa4e6694674fb77dc61a7d2aa2886

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 e7fb59ba103cbf39827444038fecfdb4
SHA1 f64fb098e642d076fc5aada423eb61813a294419
SHA256 29217b3478477826538cde75a88fc9be94f73e834071715228f0277a8c857536
SHA512 5e6a4170b980765ac5df1a972b265db19f2113b10eaed018827e3316d2c6c27cd55c68990aa3cb1e4c37af986a5e24c889a72d6664e05c6a8719e766e8f36b46

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 45b165fd67b554ad1e1cb5fc9ebe4cca
SHA1 b69a93c8edd6b88eb0e54c1e31903678277fc7ab
SHA256 d547373424c3d3149bea31ac5aa716526948cd24752d3379a9926ac54ee683a0
SHA512 d36a17aebe38daf3b519bdab6645073c1017f7ff5d14b747c13182b80d5c6c7132af8ceeadc22015497a22f2ea5cf7fdf970a46cc01706ca4df7031014f8fbf9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 ec951328466d081bad62219cba4de34a
SHA1 47cfd31e981b74672eff77466397062049a16169
SHA256 d98e0570c247e865bcabff637bcec5cf66f13d9e526f3281847a8c065072a6a0
SHA512 8cf5d963d59f9b1fc0402eb7f5c38fc7ddaf7e29c1acafc46218d385423be0747433252216a504d26edcbf20d5f80d9b76003647651f5bb62358675dc3b2a839

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 eef8ed96c6bee2f85394c824bed6cbc8
SHA1 e8a24d62aa7c34163edd6c80d0b7bc43cddc8b52
SHA256 4491f7eb3a9d114420f270a8230aa5ed5c21cb7014b3bfc9160d843972ee14ba
SHA512 c6330e5a3eb1fdb415011c3e11a5ff6e15f8e526cf7cdb3d9553f75db1a2b44a04b98335ee0f4fd5d589d9adb440b35843e0081e38a94aa4c982ccf52d27726e

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 2b1219df1f7a08fce029452307070b81
SHA1 94b4571f49df9f6fcceddf467019fce772e779e4
SHA256 13983c296dfbadf0cbf6ff51de878a836cb6445c27e7016b94152532b2f6dd65
SHA512 49a35e27077e41ae565bde890b77c96abfa23b9eff5e43f8a27dc4335c986cfa07473c12b8253ec841e15a547703995e2c34ba07d627fc4220a29f1f933d1170

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 c110db3e4eb1e072edf5f895606eb278
SHA1 c4f55f85668f0b92476c7a563d9da26fc8d82bb3
SHA256 def3d5bd7bb27bff9dd9805c0e222aacb773112096d45099ba0b7df0275eb831
SHA512 1c1fe2b9ff727cd94ad2bb439f166421283c82b03d333277a52ee726b99abd9e39c347eb011da08e856d0db99669129fcf65f7d61bf2706add2509d16e7d952b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 ab15814ec1369b31552f11b1a595bd39
SHA1 cac21401b5e5edb8ea029c97149c889e9faea8d6
SHA256 16e159f84f52ab00e7e911022b37149793f612a17435606e0bdd42a50d33a2a3
SHA512 498688524b5ddcd129d3b2f586b40ba7e8abb67260d422e22012709b9e50a0600ec8e62e5cb20274927597cf4cde82c66fa9754a0dff44e6f62a4e30e4a53e3c

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 d846da058b70eb57536ea2c2b146cf20
SHA1 6a339f08b83b3a9a20ce854e7d844a2bad566d91
SHA256 7db91bf80c213ef84f1156187c3baeac5a9a48cf77ee375486a724807f4a9434
SHA512 9b80f6224642e475eca61d0966de98dc59237c4b0107a127efb6474733aad422dd8caa58fdaa2708685ca5985e57ed54f2d2644495276ca7fdf631d1931d67bf

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 8237de8a4441dda60f1fe88d52203389
SHA1 9c387a1e320d238771558729e1a2cc07a4a23219
SHA256 b0a664e1c7dd5bb3f47cd075b88cfaa5ca0cc131f59cd492adaccfcfb49816f6
SHA512 272c1a55c08c0985f81e3c8da0b84d41808dca7ac88a3e0f6d55684925865f45ab392cf831ca0fb64083fd28391eb0fe569c41d00cc380775a89acc51a1c2dc9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 5aac12c682e1bc4116396cb8c7adf96c
SHA1 ac82b6d400d45636d7fa0643a6b89f72999a8e3e
SHA256 3b4b618f44d5c4865cf53939aa72bba7657e7dce5a8c4d5d259c9c31320bc4e4
SHA512 641772e251d9624a3edd2b278b9c3ba83d4dbfac29569806363f716f9a3a0186212802149140af23c2dee1b6eecdd771e60deaea191b252cffd4d78b0d91a10f

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 576db7e5abda0a40e8fbe26d01f47018
SHA1 2feba4fc9c4bf459568dd0933b602fd629391685
SHA256 a8cecd9e028f8526569406d508a5044bf7cfebf753e2776a8ff45ba533d82b45
SHA512 240d1de308c57531aa0281009df8568effe47ec254e5eccb79000bff53448fc3c942ba6c9bb08b537baabd16ac53d6dbcba4daf2fb34b2e7f4bac78b1c40bb16

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 1ad806fe14d8fcca312b29214e87afaa
SHA1 8018618cb38b37c324ee72dbb18d3da508740681
SHA256 e5f8a24e5c8f1a5c4b7fb9be2c8a14f64709483e1e86677726aa8f5dc78bef89
SHA512 bda7260e168529b23ddb5e3fb7e926d6e5443261ad7aa2e483d2e4e57c0ae01c289c4437b0f315e7956ff0b50ec424ea178278185de50828c2f013a64d9edcec

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 607852a39f9ac65c8f9fda1c3df0b819
SHA1 7cf3cca0cd7fc40725a5d6a869774646cf843e1e
SHA256 dd5f2790a64b2ff0fae02c54c0408aeec21e462f6349bbcbe8c744bff1b00f20
SHA512 7dc73a6cfe87de7365ab42598444e6fe94c476262fc97215492ddc738140c432a55ad57064cf7864ca28f9df803a8a4238b3c870026d61c8d08fa2c818b00df6

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 3071297b38547f1aa8923f2d4dff03a7
SHA1 a6eed6f0ea3ee529b01e9a186fdee49a15ad45db
SHA256 a855d8040737f20833b75b183b066398039329a61e9fa7c77d9763a43458ac2e
SHA512 419f46171021c9ca9d0450154fae0e58b09ce5cb44a0084aacd20e77ba387bd7e1f86b3c2deae6015ce5a9f9ab6c89e59826b5f917b429587cee6f001d7ab0cd

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 473e53c7744966274a1940d27cc97c38
SHA1 2189db090a42a2bcb541d8a9e1ee89519966c6a7
SHA256 6c26e0fc9ef3072192fde0bfe0f8a459c6dea4a746175fbbe4d76bb845c3a9c6
SHA512 07bcc76653447aeef9141dee3ca8680a32c3c1a00041356c7411524069e73b64ef6e3dee14b7903e503962a998a1ad7d94924317a9a4253d4b9b93acfc05963d

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 00f0378ab2cc5b3dc94f146c170d1f91
SHA1 19d71792e9b6778586beee711cfd7ab16739ca6c
SHA256 dd59a1c56d7d0d468a053b12e63e2ec349be5231d984445faa608ca865d95d1a
SHA512 36c5ea2fc61c30a5a00be9f00b3941e634f07ee959cc6f6cd68811e224e0556248537958da7c1507c7861ecdfa1840298a773f2510b8cbbbd2b06a4d3e260157

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 94a56498e1670ce79aa88119a0742d13
SHA1 b56742e51566b6c760aa86fda398027a3980bb7b
SHA256 044a32310f64c0c30d1c2a9388b1ca2d9862715f1f3f0fef9eacaedaf5c86d66
SHA512 a9cf08c7ebab4313d285a17ae89f7e8ad656438ac47a2559103ca6bb8c95f8d87600b57b85617318bf34d84a4f124564f1ef7be081a179a0073b44912f1ca7eb

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 aa0c3c4d43e07cc9133c87b94412412d
SHA1 182ba730da5b2921286740603b2370eae1e29e38
SHA256 98c667de125f40bd9a98879d11d276fe54fb10c1506d9154c709d5e7f048d6eb
SHA512 dba80af92bca08c5b741f9801cfe0f3174fd53f572f462eb5e9e4538736e870252945e9401897ee144caa182a3886b20615eb8582f5a1cbdaf81c538b24d7deb

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 e7b3474edfe0c96ccf3cd35ce565b058
SHA1 64522a06cb7f0bb5e83e4882e82ad1fb77aeb7dc
SHA256 dbb5230fcaad9432b7148006709a382361490ccc7e3431536fea4915225f20a2
SHA512 ca1726f56a635fadee066c2708db3a2ee4f6c943569af68d169047a3e40deb19eb6c35104e9c2992d57b81e6d9fc1105eac41b72a0afa8685fb394a464c5043d

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 8a93ddd390ccf4244e7600d78a9373c3
SHA1 6d444a2e3a4accc52bd9fdc722294b5d9b9c8011
SHA256 c1d470490a03e839c7cbec12ec47a1f893b5412da3012b09e2534f47a375edb5
SHA512 d54fb0638767f9a4de6f35a7c00c4c4ae9321eb1370973d0b4a709024202911502d06567740697a14d65c9de9bbc7d157fdb370d25f529e33094b5677f314f66

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 f7a4257e4fecf12812b0d16852eaa3ae
SHA1 b5534b9ad430abcd5c6fc2d81577ec2d1cfe2ad6
SHA256 aba7639b2861fc0d2553657aaf31021217fc2b45d6f1bda089c46072a13f8f7a
SHA512 938f9dc8b068c15c50c2409cc2dcfc67079a6639106e0be27412cd45bb556ee8e47fd1ec2169f515da13c37932ffe993987b0b39e80a5b7b94d322caf2c26455

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 1043b21c1f401e6ec582d1ba3727436f
SHA1 5c53c843aee4a9f1cff74e4c8da7e3f59a230abe
SHA256 e0133968b256c9b44e466b78e3d88844ea90c1e7af0ce5a413c570517bdb40cd
SHA512 14ad1bc8901720f538713e82a86849f70058d801e1e7867002732fd1d653f440fc5f2e04f06d17083062a3ca8c999f7bc1f7f9968cfca941d9d24eb8a9faa4eb

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 c7d2a17c044c63e949352d00f37b59db
SHA1 c0e769e83b05c1ac01c587a98e60776936ff326c
SHA256 2ff3b5bd8675158337796dd0b546d4df76fc45ac910f55e79407c3d86de37179
SHA512 fdfef4a637039ad1dadba19bcccd6b6b7083e8fd4fdd10791c89b1523d19b9e8c5d09f2bf99b96afca89108a86f47f27518a20b3b5aa03b6a04debc5188097d1

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 981b758ca716a6a20c182c905de05c9b
SHA1 d9647a621da90ffc26ef0f9fa82e1112e42d2e8e
SHA256 7942d5f54492b602b23adf30dd71a7a287c33bb105eaf491a501adc79e1028bf
SHA512 861242413f9539aff5da910a7a939629760b06498ecc68833e06e7fd0cda0adf582454a0f1509e9fbd10cb12dcf54c132cb0f951dc673f4b5fd311ea3fceca65

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 f0ebec801152a501d90446ef720e73e0
SHA1 6f179df53a7b0a29e0d7a036fdb064491e2af4a6
SHA256 103277cb5cf7f3399163881b361a3614e4bd387a92dad031bff9c03339cf57f9
SHA512 40a994c3ffe5e94bc645f8d8dcaab8283b5d84908fc5dc4974c621a55bb14e968ffb54c178bb3db1f54cc212ab5f9d7ac782f63022c0b1788400d61fdb8c4feb

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 762fdacc9f94021309f8be4d746b1ca7
SHA1 786e42e5306eff44ccc42a7ca71ea91769ee89c8
SHA256 37a7aba05d26595c97e9950c5a592d1605175ec798ce0d06f3bf17bf2ad9228c
SHA512 529ce3e4704c4deb2e4f9f6b5fc11294d22b69579e73992a7558da5fc7e8c3cb4abe42596531fca6109d22bf511b9fef2972aa7a57177a5dd8bd38794384a821

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 a98f400c6da3cde4b74d08831059c4c5
SHA1 83586db1157974ca1fa541f9cd99d0a8fadfec1e
SHA256 2586e26cb607d83e4abe2f7b3ea9362930de418c80d614222c2144e76aa1b1bf
SHA512 9b58a97adff0e45c738e209b9f72b9ac23ea0c11ec6c172ef0c6a4bb4c691f81f65517f688f07654a81a418bf54e762b74ce88a2d6efd459a6777b86d4ebd5d9

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 1e1595d31644826b11b707bb46f0256a
SHA1 8e7f327316d02653a61df103ef866d8e5baaa0aa
SHA256 8503190bb061f066861d76ceafc32b62f6fe53b3e7c08e9a4779702b29dcdcb9
SHA512 0293f726615492c57438cbfb8208310e93dd006269bc96c27ef10d792d449647ace0308359f28b58c9a0c2ce3c6b38eaafdfbad094527ce94822b93e8dca6d20

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 2f72989a036d973c3f05e8be4e726b7d
SHA1 4607e7132ba2eac55df8ff57eb04966f8e4c9282
SHA256 7ba262a05836f1fc351300031e8e63254846cc0751df57bedcc8eb70b968075a
SHA512 2229a9741405c1b36543b2b3db1ceaf971bb26de1393b9a10619ef2fdc984946d8e25b587f475676cda78df95335ae3a059383cd75a046cbe90004d7a53ecde5

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 4167de751cb3a95fc180640ba23bdef0
SHA1 8804bf3a2592fd8a68ca8a16ed4c644183c3ecf5
SHA256 8e29c90fc8d07054ad6670a0d3b08f4ae033864aac3e92a7d563d92554dd5ddc
SHA512 6fa5a3a68eca0cf66994f284e016e29441f0a4ae7e9a86dbea5d82c1c26077912250d7060c625cf387602551d4c00525b89ca8c5d6231ac0fc6979ff279e5af0

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 60e7d1d6a3a134ffd76a44eb092897e4
SHA1 8d824a452c0d53e76a32a904aba5d22aed199e7f
SHA256 83e34658566202b5e592c5a86b4818a2583582cbabee24b0c014f2736544ffa5
SHA512 33a4c5dce64e5d22aa57ad5ded641d6baf6e5e81167d0df0b218cf3d914105924b9fcade6a3825bafa85adb5159f1b7f7314ff2076faffbb00ddd5f4efb5e3d2

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 febe87c58f0a43dd077aaccc833198c7
SHA1 d023547fe668ede292a940ec07e1c52ad34f6aec
SHA256 9ecf0686d9a8851cd7fd33ed23dd3451f56e64ef5623f4b19cdd486ec7a7ae69
SHA512 ae7c8671204b62f16d4afc19f4d2b2b07fb298c5d5f93907cb11db1f6dbb7df00962e7e26f37f4f90a634a8890faea8038aacd27fb7a81fef9a36bbaa1a29679

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 0d8853e1f4fd027c3757cd48c8bf93d3
SHA1 ceed972fe7c711e329113993bf85f6b4de9615fb
SHA256 56c570612fe4cae1b5798c5eaa541719f399082301f70d35b9525283747fd8ed
SHA512 db0b577ee67742274200e0d0538c7c51f1ef9bc66dc306afd017dda53f5b3c3baa268fe50a9889dfd867db5d7e259055faca241c3bce3e44de61ca6337d64916

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 fb311bad4c582a10ece00b012709833a
SHA1 72358e3916e72f9281e06ecfad1081a04d280200
SHA256 34e6aa198b7fb7f502e22c26ec15f1b0b2f5b9b1d03b859d776ceafbf261da28
SHA512 2a31eb5417401ccd86662239f0d3a19a86a95aa03fb6a3f0fc9cc5b3651fda18befe21d54329d3ad4f548c3aa3c77cc3979fd7359490dca537d3de05329a8a57

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 d9f4273d99932dd616e1a3db7c17a295
SHA1 e9ccec8e1241a849278aadd7600820191b4cd9d1
SHA256 ff279f695d9097f923deb0b2bbd4720b7a99928a8ed8ac83e782634cb3f89663
SHA512 a3bc49108f8dd7900e71b2e904a67d3a67a610e6d1fc38a39144da081889ed8792e777e301aceee84fa8d9f99370949b42bed5e8ba1ca8ba090f123f9ad2b61f

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 3a154d6cae2c877ff5b61863309a70d5
SHA1 755f29be63b05274cbcf76f5219ce6a49a5f60ff
SHA256 be6eda80083c8ee988dd91532b41a126dbaccb6267c68a6fdc988bc022a0a167
SHA512 8b7b8efe002f2f8dfc018902442fbfb37397fd8cada9f688aac0f17be4c371880a790d19f4e2147121366c2a8c76e1a9d7df577d45e3d98a853a646424fc6d15

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 9b88963707df7028bab16c651edb1081
SHA1 2b0e1aa9bc678287ae1bffdb4c32ed449fcde1a2
SHA256 9cf9e9ea367dba6cf65e71f6a7b93f9d9aaa884fc6b7cac47dc1372d3f0a8aed
SHA512 8c082407565245562e8448a8ec6a4f707d59f43a37198cc87302af5fd46723cb78fa8dc84e244bc1460db7d14341567956d37f1bff0049b4448fc5eebf8c9082

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 f3eb0917aa8cecf10df5d9c4bd208273
SHA1 9c180da07de5d875568df9b68880b5a0f3e1b799
SHA256 77ab0e03448f16ab74cd3b55d762b33659006874808d8e8676119f8e8a4a60cc
SHA512 14557f5afe2c1162b99282f8c6cb3c8ac47f30acd509f4b0a159a0680de0a88ec3e0043e8a945ea7efa8e723bd7b264d0715181407c7ab95cf4e6365d8e13198

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 7e7f29710a9377be76f74dd37f3c3640
SHA1 6fe530ae5a987621cc1176cbec0ecdfe1a3b0b59
SHA256 6f40e1ab0b34fcb7b3e036b68915790e7a83335a4462f507cc1454a1857499e7
SHA512 ee94e3d9a19383553d379b70df3bce970080be21f40171f2641ce3ee7f70a7c7a3c3f5bb6a99d395b008ee737506dc9bcc5c44a946ecff0ef29428e9b91ff5b5

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 cffb4e2bea477ccee2d6011de2544246
SHA1 a30f1227ad4d40d8ffc2b4a30b35cc20a786320d
SHA256 5862ffb606afffe47db998aad53f0e947ec404fef164b5d34e3f84477e1fae49
SHA512 163491bb83e905eeb3ab4fb487bf7c86ea835ec7ececdc18bbdafd874e1a91e99d930efe5057e12641b3ad03f969ac0bc71b9be69ef43879cc5184edf6345f7d

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 2409dfe2c6dc87cc826576b695750838
SHA1 e7594f38baa4b3950659a08f05b6930a142d8d86
SHA256 650dc3e4092bf107f5f51097cdba5a0efe310509635cc59f54cf054e41d43f15
SHA512 615a239242d534aa001b48d0abe2e94b3e644018ac4146a99d953802c9fb6b2873f749cfd3c14aecd2ae83f571dd0cf58e9f3d1d12845be42590b3d1ea5e1192

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 a8cd47019f3a5f34cdd90cc86c191206
SHA1 778bdd8ca0d6c968f148eaad0e6f707e421943fd
SHA256 e4e6b2cd919dc15863c2693d7578550ccdeabc8c3b6e32194026820a070820f3
SHA512 1128bfbbf888eb7ca3b52d700842c64f740ea52d534972dbcbcc8a81b3b30df6a5d041ef5a5f0afd5cf588d21cce56462c24a8512375b7ee56d99db2202c4d9b

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 104a3de6ba4c43c4beb3b2e36dc68377
SHA1 a7e91f68c24dc583b4dab780d45efca9c1bfa7dd
SHA256 ba8cfb2314bdf89bc6d453b50c49584d81fa80c7725907ed4e6ac7cb34f6bf02
SHA512 d2bf849912c75d45d8bb84e273e7d8847912120b1b4210d2a84b4bd243bf7995b04b7864f71bf89f62137caa60656dfd5d518c073cc8620c8db1ab28db14da62

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

MD5 1f68381832bfec67f976e8db70a8ad2e
SHA1 f277ec1fcd5f77ed18e635ef42e13753a8a46b0e
SHA256 78f48f5ed6661e2586b8f85fd9c4ac31b28cd4bcc903271ae3b088c884275f39
SHA512 34625c06317012a86e551792b112c6eb18ba7cbc9429d0dceaed3d94d091b619163d87cf5025f32d279fb0f3bed233706ce1de1257c2956b31be260c327c1b07

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

MD5 4f363f3135df0e73934d896ade7c9855
SHA1 35e114b33a4e31da041241507b36dda0cd36c240
SHA256 bd56f816cc3b8ee3492d6392634e08543eb3a61d10058e64178a0557acabd71d
SHA512 4f8d6bf20c073600c95c21f2b49b22cec1a61b377eec565415150650d4a2567490d277d73e1e581e6f04faf0e036fe193a645f05a0224c78e811b85edd78ca0d

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

MD5 25983e56fcf27dd4a66e7cfc7dd61736
SHA1 7ac85c62d52b41683cf4c7bef0caa0778cf94402
SHA256 a201ef7604460235b3f1f3c19519b1ce2580ce4873de11696d0c066315bd1759
SHA512 c4d93d7c6f76cbbdfe4afb93f813b5fc687b8419aee8247cd27f86c6ed07acbb348d34e40681f716e0f26cdf6d3916246d29d536c43f3b890876d348347fd726

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

MD5 44f41adfc16b2ff22932e3f8d13ccbd5
SHA1 1c58b8ed1e9df3d8b62ce0fff0a9a1408ab64239
SHA256 a497a583f92a30e1d3124753e3eba3c624f20544f7800038b9da7379ec642558
SHA512 ad47a49660ba4b4f7576e72b707c99f8cc50fc46f8380f1c5e268313f640cc5ba0f40e504c6082980267e5d03cd47296653e097a24b97886e4944f55dc497c8e

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

MD5 3d574cc1389a4efcc7f972d019403b20
SHA1 c8ce0282aebff7d9d4f26f6e37ac6ff290cb7bed
SHA256 e12f50d87817781134e98f154eadc8e22547d247922a8aa0fce78c84691296a7
SHA512 56c68238efce8d2c29adacbf14fec9007fa3553e04cf6bd2f8f67764cf4d1fd46a83d299ba168caba6f06e31cf7cc204c6e467838c1d6615fa08d48e694f5128

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

MD5 df7eccb3ac312bb0b0526a35cb88935f
SHA1 4b890ad0dee6d54b0d605aa2945db2e39ebc5daa
SHA256 6b8a85fb5354f9ce43e76a1b0ade34dffc92e2570e507730e55915d5ef0fd837
SHA512 5c6ee7f7e1fc1d76d9f6e1718112e14defeaf8aabd8e7c5df81bcc849ff230486ff453b2c8c372bd43a4c2be8309964dcd8f10374c505af365fb49dd9ea18131

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

MD5 c358eabfa70279d6978bb0c19df677aa
SHA1 d5ac2c5fe32a5bb3342fc6ecfff72ac1e7001403
SHA256 fc6b48aee3d4736493409eb7dc7c7e9d0d6331f025aa8f50505d3e52daafe604
SHA512 dc5f06085c1f6ea0fc1c5fbdc975203732e17b4e5143a8c6d87a7cf45f6176c541fc84dd1fe18142ca7c09c46b333018cbbcf20d837bc7e6ca4a5260804f2e5f

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

MD5 a96c588f6b46a9fa99474ab7e75afe29
SHA1 3f54c730505bd89b9dfabea3786687ff1914d5b9
SHA256 b5d4f0cc375740d768420cf5b73a5eaab8b45dce7462f66ec6aaea4329a7c8ba
SHA512 5e9530ef10f0ef1bb9bb2469de33c52b388145eb7db805c0846441002dd7f4dde812b8423fe4957c82a6547bf648876adbdc5f1802470dbedad29c57bb1269c4

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

MD5 2814f105ae1200bf64cd0ab9e7a2d32b
SHA1 9c9a0e8ab78c2d0b26e67962e9bab3616334377e
SHA256 4cc3677e5a2d1dc47ee354a4df9cdd07ad995af5d4bf26e8c1239872961dae00
SHA512 220a6850a0bdef8715561d5e0a86be4e95fb211cbfd47a588aca817d4bac9a58e778968daa766776400ce6756267d7b27852c2703c3bb6858e4c8626d48d6cd5

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

MD5 03313d09d612aa1e304bc793667bf892
SHA1 d5ed8fd637f352f2d1596e5d7a59ac5dbe175464
SHA256 0d870fc6a39e1652c568638dcb9038e41c7786485a31f8fda9dc167b472d1414
SHA512 0505a2027b182d3878009126b656141ee3beacc4019332abb40ae2fea99d73af70b81f935c615ef96a42608c3cc4898b5d9e348949353769e880d58d84177d78

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

MD5 26edc01a66b7a20a81671affc5cd006e
SHA1 f968234714c11ae4adcec0a13932edf9dc99af15
SHA256 4b7e4fcc9e53095b6006601e543d6ae95264d065d042ca2aa29fda2caecc546d
SHA512 3f9bf5dafe57af7b87d56da7c68ca7e0847866b3c34661b210697f8db9ea4bdae70c9a85e13bbb24b984c3945ca42e233ba4663f90a3d645d9fd2619d410d280

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

MD5 67128eff068d5308a1a872b847612b5f
SHA1 98abf2d3a2390b3c8a70c3e28214083d12a7e070
SHA256 3504bdae3088c59bf10c3cfd10e03282d476c8bba1e7e70545e38477c11b60d1
SHA512 6c50c9ba36568107afa1c4146a0dac2a48449e92405a72c0d4e664f60874fb3466a21f271d4ca8f3ce5f27b7cf563fe1fad58e53d8bc2b15c2b1e45f7b10651a

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

MD5 df0179c8d01471f65133deefba9bdf15
SHA1 2ae558f2060eafccc00a7c07b65ee2f25c2d8d6d
SHA256 b6d46b0b9d1d6a81edfec80cde4c9eed3f129ce31903d54b0af6d1bb21331afa
SHA512 f2f484c2da1c18bfca96d3b1a408b85b92f99545f97032955bc23187c9e0d600c90c03ba4c6809c1570fb58bbc256e17e096e5f3646ff7139bdf8632845b6cea

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 41fa23f33a477f4987a88f1ceb33d503
SHA1 4b5bd41bfac7d4091c0117cb2c2ec71b66b18a3b
SHA256 781532bcb9b35505207a5572ec2fa2ba9e9f6c5c03d6bdfe16a6830339c03161
SHA512 7a437231289103139895455d95af77fafc647ac12eb23ae862739422950031e3b01cba114b3a47e9a736e0ff3ae6407fde22f1cfb710d33654d7a28b9d63ded4

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 a27a03b336edfc22a5f483225c694017
SHA1 5b88908bf371be89ddc8e99ee30fac70b28ae3c1
SHA256 d1b58e30662f37dae10f4e042e7789926aaa1d8a050181d16da18a6fd8bee113
SHA512 e0b8d253264cad2cf4a19ad6ac7721ad3526bccb0cb128c4adbdcfd42015636b93bf4ea572c4d5d65f18711f54621d94b321bef36f6199374c4f30866b2a1ba5

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (11282) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\mesa3d.md C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.Interfaces.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\s_listview_18.svg.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\AppStore_icon.svg.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSSOAP30.DLL C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\ui-strings.js.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\offlineUtilities.js C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main.css C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELM C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\onenotemui.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\177.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\Platform.hlsl C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\de-DE\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\sqmapi.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\seqchk10imm.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\195.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Windows Media Player\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\meBoot.min.js C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File created C:\Program Files (x86)\Common Files\Java\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.EMAIL=[[email protected]]ID=[3472CB2D1AB89AAB].biobio C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-24.png C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe

"C:\Users\Admin\AppData\Local\Temp\3472CB2D1AB89AAB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

C:\ProgramData\biobio ransmoware.txt

MD5 4cca299786028771f81f76d2c8cf2eb6
SHA1 e475afddad2af29b02cd70281c834bcdaf12e4df
SHA256 324014b0ad34a853196650fa9a9f1fba91f597f7d7038f144561d68524edc53d
SHA512 95e156f0e55af7aa6887857f0c54e466ff5f26e802043e717f7e7a0bbc83840d7d745a7b9871e2ef445c85b0d1e482f5d75b2d2ed44aff6bb9da2537b0df584a

C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui

MD5 d018f5d26aacd18352ab5b2a1c3919fd
SHA1 ede77c16adbe0ccb5933ca190bee24a844eb95a6
SHA256 7730d57e3698b0cc2bf1d15717bb11806e6a39900a299af8622fb3397e76e6fe
SHA512 9e8fb0b3f0638943f40acfff719c77dac6b447b824b77e893b611392c1bfecf4cc0146a1c3c032f863873a088973be1f32fee6a769ee034ab142ac69fe66ba54

C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui

MD5 37d66b403afa1919c4e56d18a745c55e
SHA1 f3047460ebdb659042f0fc27abb5db669af98661
SHA256 7614ab9dabb0227941c2c99ddade921b1aa545bfc8eaa682ab23b25a509c4f0c
SHA512 176ee8cd412ae8791f77fb987428cf2a231d9d00c576a11ee971df168082f9f159a81d0e71c5ad6085b5ca80025cb52cffbf32fc569415044b2d21da2611fd97

C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui

MD5 e870687ee8a7918daa47f742c7ca1311
SHA1 b7f1b694c5b2eff62ed6ed301129e70a227fe0cc
SHA256 c1771e3ba05b0d897ae728ffe5b971fcbc92d7e12bae07f92acadd0ac81d01b0
SHA512 436b3fe954911557e79d2529e7649fcfaa0853d8c3c80bc748096c3993e820eb2f02cc7ef5acfe86906f8fb1606609910f385f6626b297cecc0a6eaf99563ef5

C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui

MD5 c6e4fcbae9981709b0fdd0b48082b9e1
SHA1 430d46458cec68b5e72cdd80f55c2de15d0254b1
SHA256 b50d966b79ce5859ccee830d55150bb58ac8e60917764ae422f08524c384dc20
SHA512 eb4274364f7df0fffc9d6bdc4841c319b1e8a8aaadc2c5b9a0ad368c8e42f545adde6d6e8cc6fffffc80ee7dae7d84a8148d179d2aea186482bf8bbde2af440c

C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui

MD5 fa818659a165ac776ebb1fe57a589884
SHA1 853ec2983d9f792d4dc341151d98f572512b5269
SHA256 9f66b4eb3c115834fa821c6c099409fad6a039d2dbaaa855a28d5d5097bf34ff
SHA512 03cb03770d6ae1801c0a4d845223a60b0efae32191054d470d5e4bd397b2534a1553020bcf2727a75488e2f1b639dfbaf36d2794be64d1b985f619e3ee20f1d5

C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui

MD5 7aa5b0b97b0c69866c9f53e96f5de2b8
SHA1 9b593f5876d0657d0120f623fc2e9e4321db8398
SHA256 77a3a1e978cc59f8f03993eee00f322102daadfdf35beb3f56961b7705629119
SHA512 ca5a1042f58e078528ef4564c39f93e5df5ab0607af8993e229f8883480a367aa7252aa976bf6d111c8a6f4f65123eaa01c9679b6d5e68102c5815759877c86c

C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui

MD5 6623e899bc104accaee131d60dc45680
SHA1 b296d4238d585cf217dfab438c30a4cfddafc0bf
SHA256 079e7cfb9820bc54f055fa3c843c55e5901989a81bc4e106563c464d4ad09a62
SHA512 9ef4d4e52c133ba65c5760f4f6042b1a9461a2cca894c1d8e81796ff841bc8193d03df89a26520091366d2b64398dc5ae6d498c4cb029d4e7cb9bc0f1b25779c

C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui

MD5 69a5dc69c93f01e4952900018da56113
SHA1 f981d5364939320f9cc22f32f873375cac257efe
SHA256 958ba33d43d1270b2adfd53083e2f57dacde387e39b2ad2bb37267ce82f679d1
SHA512 27a5491831df07d4e23b8ba61332c3ef7737f85957c6a38e15c15566107845c7d347a90ca34e38dbf171e52210f5d2f652f2a40638534469b6cc91d97b3fe3b9

C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 71e95fab5e4e2e995c741613327cc415
SHA1 6c67d5b9455921d589706aa318ad989c0530c0bd
SHA256 edfd3b0a057d2f0ed78cf7d2165664fdeba6f2bbbb439e093f7ee9358abbf94f
SHA512 1f44e251150a103d44323f4cd6e9fb4d31d1fc2efbff3acfbdc111d9311591c81b702f76ebfbdd31e3776665f92f39904b193aba9159a76b039ec57fb99280d1

C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui

MD5 7db4e9b095b4e8c61e23061ab127122a
SHA1 d5c7396b4cdfa69725ae1516a1c99af3533aa814
SHA256 f8ab9d94ec0f421878de3708782a0d673068a628d2d7a962c412ebe9dd4bb02c
SHA512 9bb33c9ca2753e42707e293959efa9a63289372d3010bcd8425f1ed993a8445398c4304c4c29e0cc05d4804af3861386c53d45095affa932dccdef2efffbd210

C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 3a72af353a7e620ef0ab67c52c1d9b93
SHA1 e77e015913bb6ed03f2a9a26bdda8c6c3b02e9fc
SHA256 4e481b5c58958c0a51c245215e18a28eae45f2a19693e09b4e87b10b7f0f06b5
SHA512 ba663e2adf226357a14183e9f8998981464e9b522b496fa2ccae18d5c0dd7bc234737286523f61fe148d37814739580037a34c8cbfc75c945f12f0fde720ecc9

C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 9b5110bcee53314ef4aea790710d69a6
SHA1 20ea13ff913049419d76d390286f79e5e74ae6eb
SHA256 c9f82b0c52270741905c843be41a2fd8d75823906676f232dd9facc515347a35
SHA512 9e5dc7587399405d355df999b456bdad940b6e55131f26c782ac5a4829614a6a119d51b16cca985deefaae0283dbec0d62af41519c9a7dfc3b0402573f503939

C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 837f079578debfd5294b9f1f5aedc366
SHA1 47851fb7087f8af67bd32dbc6c0aedd83588153c
SHA256 da79e0d312a4c1c943b08d855e878ea2e8dd37bce3ebf5d60b2fe54ce00a7725
SHA512 5e636337547f9147cfb5bec9c4759d34ce54d26066c840ea4d8e2fea9a6bc8412fbea52db94bdf48d9b0b323b07db1905a8cf267d1bd33bf3e18a9ca74e12e87

C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 3bcaa6c2b99c8f590ad3ff0c4fa3679c
SHA1 7e4b847b77afb3d5f9f3ccfefd40fdad3cb0ed80
SHA256 08486a0d0cdd85dbaeeac8506124a15c16994e0b669d75d6c02053dc05f3e5ed
SHA512 75b2f1aa05185d5546b78963d9fe42f62a1ec1b9052273739a981cde7f2a57c856fc908d8f71472f18dd959a8744b50e12e61250429822e5024cdb1a14e34894

C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui

MD5 9a6eec12a83bfdbb63de05a8bd6354d6
SHA1 c65a1bc70b9893c7ec0af58a9c9476a6c64322f1
SHA256 1dc22ae72926c485d1e1586c03080e420e170384e64a80602c96e0ecdfff99b8
SHA512 3c4291350f32e595c7eccd5c13fc5b45e6a8fd7e1c97ad757a8ba14193aab6eb86110330953b038136f3cb02d039486b97d74b3f8ffef33993b9a28caf038425

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 1f0e3281ee15d1b037e72107711cd115
SHA1 80d19a7bb0e3e9c4c1ce748d3b952c8944d2f93c
SHA256 82eb6125af5a15bb8ea25827085cbf030a591ef34fba58789245e8206a7cf43a
SHA512 0b10f1427bb20d95fa6895b87bfd91877fc3a6c8c355a541057c1e48dbb5fd6e848134f3d9a346811c556a538ad4ba2cf133f78a98a12662b2b4d3e5b95cf612

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 ca9f76577400da886db115f9dc851cff
SHA1 d5fdfde2e60da342839f0d2580e904d9f65fb7de
SHA256 f7e51a2a9f639ee3c0536bd2cc7d63ac5c89f7a1f3ab6c4e2ced8cbafc4591ea
SHA512 ecde2739527f082714bd7309fdefd034bf3aff2163e8c9c1a2b77a66ec4b64ae3d1464e8ae642b1f9ba4ea1452d23118c7162dc74800a1d29373ed163246429f

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 87b3be8ae5e9aa8843bbef50a16c814e
SHA1 d11fa5a5c9b98cc5cd011f0cf24172ec3487bac7
SHA256 bcbf167debf64df1b3c4a8f5b1075601143426ed038217b734208300f2d7cce2
SHA512 2ad7cd2ec3b453434d6b3b134deac2247a5665698d863b583f78a32990b539067ecc31e21b4d4640357eb927d5ab6ff33260b2030df8fde8f5508e660d483419

C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 daf035fdaef9ccdf2b1e29934cf4c39d
SHA1 0c4df0a45356be50c6cc208fa1c0f88e2c9c5263
SHA256 acd790a888708788d2dd91f3ce1fcb5b59386c96270b91a09464a2716d5874b5
SHA512 dc4ef4efcfeea7ff8a187de61cc2e0371fbfab10a85c518fc39fe19ca271154e2fe5c364b37c6a36c0430b95994938f82fdb77a6b6670905f46c1113c0d610e2

C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 35bbceb368af7c3e30dacf99d7d26af6
SHA1 6befe763ed6ea784e32055f90ebf79b71000f5ca
SHA256 487796ee5bad7fc377fe5afbb64b7f533cb96fb82c2fbed5cd99ea84b1a55a92
SHA512 12deb739a9a1742a2421d38af7edfe3473d1f6c4eb79b49d2f2d695ea0bcd858a8d7b17bff36c5f72d82db531e3233f427b0bb2c99b8f648ce703099158ae64e

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 3336b6d608ebee7c5444176096af6b08
SHA1 efc55769db6b4431d11445db9ec74c385890f89f
SHA256 1ba9f92707c00de071c00fa1ad13fb5363f4235b1aa2f522b47ab00e19872b02
SHA512 e0c59547d5d27b98f721ba643dd10a44581d9c5891cf935cd4b98faef42cad7ba3962739da869df837801a4540daa3350ec73aa823b743f91a7c807fd490b6b6

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

MD5 0df251d59a642c0fe0b89221d4bf5c02
SHA1 659cf5e42373aef03a0839414f404027c30385b1
SHA256 f36f27cedd68d4376466f6b381a64639170bd65bf7c233bd0d60e7661cebe838
SHA512 c7bae101172a4f78672c1fe1c7f5854e8ad4ba6a905101c8b80b923e2c3a451c79bb0bb3ea17657a3b1bb0d41bff8753aea97e6e98db5e73245de542cfb48ead

C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui

MD5 fc8b5f7912ce0234d2d4765121dff855
SHA1 94802777674536edbbc604930df2e3bd63daf1a9
SHA256 2de78e64754ad4bc6971470a00cdb0c133fdb4177bb858d835c7e11803cf5a6f
SHA512 7f686878cf5a6945a9656d951c84b463f283cfbc91a35507300a769c160ea30c3108606801ee6eac2a75477c56e503ee0fcea420d7e273568a1b8f424c239c19

C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui

MD5 7185f541801297ff7f5e3e26d7d375c3
SHA1 b95ce1ad294933a78691e4303cde03fe9695f29f
SHA256 0420a5916521bfd9e83fb03599a6f7a6f1d5ed39440a380a0625f7b8eef04385
SHA512 364fca76166d7c30545c488972094bc4eb66a6dd6fd7d9cde8a31709dde6103dcd1842ac54a9bd3a8488b02b38d17657fe123d596d7a33972d16638918d9c065

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 85755234097667802d05ecaa5618c66a
SHA1 0e722bde3fd4f3958ae51a54bf530038282511fa
SHA256 09416606b191c322d6f091d0511948e5cb4f36730baade740a4f984a08b7c587
SHA512 234b80eb6d2e255a19d4d8b64de52e2e246f56fd77c4bd934a5821bc073c0b031b5085c9623677e652118ec9f8ad70d85f23875ea6c2d2c421bd8fdcf64609ae

C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 631dbb4c270924f8c5b9410a48e6d39f
SHA1 e4a52e8f065951cb01f55f8315378042c70de68e
SHA256 baa96ebb4d9d410c370e33fdb643600e696cf04edfc5a4cbbe8ceb8c8270dbbe
SHA512 44ff15b9eaa967773746effd5cba85a500f12ea7367244aa08bd8e9ff87b6457c7b1cf41ccb81ff1a538d4163e4f80208fd7e0f11d7a3b75c6597c62562e2775

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

MD5 c7cc1b55fdf4ee661f017490a595bb08
SHA1 dfc3caa790e9821ae17d1937332e0080616e9033
SHA256 baa5e016e1e44a51b0c69045a23e95654e1ef7737c586ea42d6ccbd7196cbef6
SHA512 68219b6d1f7f5f50bcc20000261059728f0a43a04ac593241fc14a8b17778c5fc0f8c52f20cbcedec25efc0a801ca6a86f32c04f86755f570b53c75ebcc2b031

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

MD5 a5a1236217707d13acfc6d7a1f31ce30
SHA1 37a909f8133bd88701164e435438f9d0760c1608
SHA256 d6f89917b177e1d8031e98ccdfc7927df6ca3629d4eec7c41bc419ba5fd4e8d3
SHA512 15c315f53d3d114b5e3e4b5fe8908cb4b68a670c88b7368d5fd5d8d4e6793dc7875dffaad4032f5f0d3d8e41e57434b8649d07cf15246b6c76fca3654e8b1d13

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 b56eec73f5d0af7e7425762cf5ea94ca
SHA1 5910e0a0fcfc6f1fd0e34689a809220ce25a8560
SHA256 aecf7f5e083f3bff6224c2780173de3aa0f52e843e115af672b5ed10f00eabb4
SHA512 7136a60ad92be499e798b8d44564010633319cf162cfb951f7f7551f795db90bc7cf66348eef9ad4a093839ac096c33616cebf205ffa8461f0e1f75c181db392

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 03aee5affefb219cc2b0ef11a62aeaf5
SHA1 8a84f9378d5904e681e65236718465358757e61d
SHA256 aea349293d3f2c8c66a77c30d7518e09a1ebeae48dd00b5b8a0ea4eb100fb122
SHA512 b4cbd4b11e1112b888d2bc99d1a0ac50d76e6f702523fb4965032a54a7555154403385d2cdc83e41063787420c80282128c120a1aa0c5998cdb6f774d391c7c9

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 7ae94d40797c5a467fd4d9b0dcb2578e
SHA1 f6e74c27ffcc06c3606f23d439aad5544a077c59
SHA256 5b68b9caededde6fea53ef3134702431b630f9a90df88718712ddef3efce9904
SHA512 d58ece36a06366cdadc8e2151cadcdd55d6079495e57a9c2dd8541b6d001af81d4a0d594cdff6dc11ce12c1714707bd6ea3b5176fbe436140b5c13af210f13a0

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

MD5 7a0a8be95190e46351cdf4d8c2d27c83
SHA1 a3c855e012caa468052a87ca2c86f55c10f3d88d
SHA256 b8968db056b42261c8d90db3c13b6c40b6ae2cc34ca5c6d9a198b5ff04e13ef1
SHA512 8044ef84a3783eb20324e50885a024bb907509cafd8b33ccdb2dbf99ef5c6c483cb0cd1b5fc97095063d418f331b1c60705cd8f80bf39de4d1f811cf054c6448

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 7656c55ea27dd171e0578ebaac047577
SHA1 120e5a256155686ebdfd508b043c14d0c8249b5d
SHA256 470be67b68706d595fceda7fc1ad4161587f122b3b22bf609fa3d6f43b02b514
SHA512 6387e7066dc12267a805a737d522c9c098ede235990080612f8be3398eafc468e5d89c61f32765acfb65b39d938f423aff757aad3b9dee39e141c5fe3e942891

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 fc62a2f598e82ec22ca729b81e4c2a59
SHA1 c1f7ca772f5ead68ab77130dd88d6b953f2a98a6
SHA256 f16938382a822bb5257bb9b87f2d7228d158ee9dfa3bb0bcf3d54552468bd249
SHA512 a538d18fce924e3fad1de5342af23fd184727bb120708752878ec9709eb9cff794d264c9f1660c0700ddcfb878e4f2ee4c7769682cc3e7d6153ed18bd760f85c

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 724b0635cfe095c667ca6133b28799f6
SHA1 7e7abe05ffaa3ff838794e01d311ba03216d9ff5
SHA256 acbea09540bc9a6ebfdb1116993f0e48e520b1ea0c5866e554ad50f9db02287e
SHA512 952cce7310ecbe6f8a5c9f25aabf223d416aa55827ce6c6146ad99a2585eea2d20bd7afd329c5d89d77b1b24c837256c52b0d50679a46c18f97e0fb83a6557ed

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 f1a327a0076fcf0c5f419570c71f3dd3
SHA1 15827e0291f9a70c8a569c3571569e3669029ffb
SHA256 4cd1dbbe1560f3c30095287ddb12c82782ed7de5dfe2970219c1b6f1df52c366
SHA512 d4001adcc9cbaae5f96540a6553489f9ff542722ab5e11b2418deec2a78e10183bf01d13cc0d3860542656d19e4163aa3c8250b4742c97b85dc00d78565e35ac

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 17d4b080a56a39f9c19d525459170b23
SHA1 0e2f1b9f48b82730e213db960b3b31d000e2bcc1
SHA256 9c3d4a75d88bac0dc1cb62e0aa88db0cdae43404bb806ca1559d8c0263b66bb9
SHA512 53d5bc7df4db3fa552effe5e9c70ee707fb0edc89651672c916edb9fe6ead7d2a5d223bfd19ac901565f0f914b23b9bf67ff8864673f72c83e44c590596978c8

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 51538e752c5ff04a725c78479738cee8
SHA1 bb9ddbe6898a7f2c7bebfce4e27d2113adfd75e1
SHA256 cf12393e563516b6acdb29cecc026301b5b1101212396266871351ca82e8ede1
SHA512 f189bf28e3546a3be0da36ba42136325850713c1082b2761fcc113f6e7430b99b3a5fbf198865ce39c3e2352b7b7c9e6319f02f9a70a6a02572124de0ab80fa0

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 23a820bb0c2df408a2527390050fe315
SHA1 4d42879604248cd0cf2856200926c35a233eda61
SHA256 1b4fdcf5045cdd92ec6cae635d9154ea40697a4f770dc65ad883d1b862b3822e
SHA512 66198300cb460825e3853926b7ab695c93f234b72cf174a2c7fc98ff0cbb1e62bf3bd4b60bd1712037c2865c74ac9c924f9125b9693a503c879149b6e73f2924

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 e0e2662378ee617cd3b0e22177545144
SHA1 c3466bdcce65567f23d7ee6c772313e70e986d80
SHA256 55d8f2d164512c2cbeab4ff2a87417a45311e668a370c7d045e6665d73ed33b6
SHA512 71cada8c3a49dcc52223053a72ec2d91d7dd4f68741f7a639f5273021cf3fec191b6d6b76676ceae1354f9d9e63cc55dd226687ec6f50ae80deca00b55b48215

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 048d68070445d77cc4829ed462f2be8a
SHA1 792e28503f51b9a6699781ed17112f3ae6e5ae26
SHA256 8f5da0e051c2c442690a22380a23d7a2bac9b4e71053e213810664bf4c9b808b
SHA512 646a82ac624f8c2647e5597df90d38af4530db8814107a7190c25dfb218b1b0757e9510b6a84eec284e65bd8ff3af46f83731c9957ef150409c26288a1778ff7

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 b4530dabeac0d605b65d7b565f6ad071
SHA1 33130f317ff5dcaf0ea0ba8bec6a3c72149c6b51
SHA256 89d3ea08e2ce1779ac22e63ebf07a311eb6f231ed3c50ae1b71e8987eb51c6c0
SHA512 45b86bb4e62f11539d16be2598af272f0c62508f113ef8a8c907606783fc877c8a8b4cc41bb9fd6fcbc2f8fd5d6c68c0e386393b7cf60bace40526d5e6e43693

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 c3b9f3e9ae70f5adf3c5753f2871ecf9
SHA1 f057c46c842a149ab4b82b81e8816b37cdaa9460
SHA256 4f9bd3ab68ffdaf4e3365c172ebf72ca60f760a6a3d235ae504622d052b350e1
SHA512 da4ec11d9e5c25e18868bc4a950e2c55f21b1390933d37533178fe6d54de62fa0ed2dad3b8530ae4b03335bec15d0f9d25d34ee8d690c0a9683da1557b1b426a

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 17703b74b6b9dcc36c02be1fef3ae428
SHA1 4890fba8b55e024ae591328af64e4d3e9e9f6103
SHA256 facfb300f53d8122c384cbde2ea79afa5beb286def783d4077be9cffcea23000
SHA512 9fc7c3ef5e0c9c01d0aeef670f96435b895756f00fe45b709b501d532c5ef7f8eb0d25cad2b04af4dff5dc8fcf5184384618baa628fa44c6ced5b82de69e430a

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 fb3387a1ec8fe0065a727cc6862c855d
SHA1 784f88736dc41afff4f5d36df2ecf2bdf5057401
SHA256 046d638c7ec04907658a570419955d0c48951addc56922bff420d227b5ea1357
SHA512 a34ee71739cdc085a2df4a1b438be51c6a6bff8a8a231f7c18fb4f2e2e22366c4501c2ecd32b8d2fc19d598c7c1e8ea1236296fd8509d657de6418b401d2d92b

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 a1825205e3e1b54ba35bf184fbdfdd68
SHA1 f06eff87887194cf2a10b508b39dde124f9f0478
SHA256 8d92039d16269233f375ed4e907032128b1f362dfdddad5ddad63465d4ec665c
SHA512 07ff85a72e1bbfed2e71a7960329d99c27236b0846c911d6810f541e2d14638d66e4827c32f6134c4e055660406b91e493b93e0f9bf64b183b8a25fcbdf6c647

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 b1014cefc6d4aa6fbb2e1295cd97969e
SHA1 ca101b62d676c43a1463d8125a38e744c6bbeb1b
SHA256 ae3be1cc327d14f144b6c8e83513351e9c0aa37fdd762509de2206c9ccb3bcfb
SHA512 db0e42a374172a53d65fe953f9a90ce667cebcb972256ebf30c6f361e971b5ead3e2e8f55a34bb84cf8e69b6c96c8583555b9b478098b9a1ee67ab8999f647ff

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 98913ee07ca976b5ac14afabcb5e3a85
SHA1 40b80488711a8e95d378a0ae2f0086e0ddb3fc93
SHA256 16a0520c18ae82af8e1658c6d7d88ecad7f7c5a9d2fdcdf43d89d43f6ce22826
SHA512 131c42d6c694f5e5db6b6ee98104e292f19efe7d803e07e2658f36a6b075c2625fc1491732163823d88325b118dc1ac97c7ed0490eaa87db4f7ba42607b0520c

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 192cc668a2dce910ec08a34cf5dae058
SHA1 1c95fc758714e4e2d9b8cafbb6353f48914215fe
SHA256 14dc4dd38dee06a6e877d8e5958341dfd7088a0dbfa9850d5012b8916c959c4c
SHA512 12ca570afe0293dd9cbb0486877dba553d37641a402e861e78c559de699cc8fb8c7005bf66434d2e69cf4218dc7f41875395c5667ecb015d0f54ac74b0117d75

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 8fc633af14509a97076aadcf7f225de2
SHA1 8a4c624ec89977a6a8a845c15b2f87f51d06b169
SHA256 b0e5f80f8bd16b26e4844fd3f562ec35086190cdbf453102345a5be2e0f4e160
SHA512 f746178c33a030342d43e0433aa5e492305e660fec589b1ae636f8e85ba746c5d227ae23061dcd728b91f9a23f53adc62f25fa4b97d68c865ddd12cc692f5fa8

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 36aa9f0febd3c0909ec2bb91c5a47cb0
SHA1 1385183f0b7ab27a4ad751d4c4375f9645aa6709
SHA256 0273913e995d2b3608da20fbc678296f0fc8c839b17eb2782500825a97f4db36
SHA512 ac13a3a02381eed340bf50bee153b99b11e64c64cb20c3607a781ce9bc42e84e89be60b683f2c5fc6bc899d806d82bcfb4bf493a1f15d14ceb10439dbd7e3ca0

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 71398f285b0c51f72b18e45cd2ed5785
SHA1 a3ecc26b123c19d90ea964d4279afd0484fb1de6
SHA256 a611daa58949c9b2dd5d663ad5836055acc27b06121f39d5b69246e8a1f62923
SHA512 c532b27a1d49409cac6bad2c20527d041efb1cf44c3730976a2cacbc3f2b49f6a5a2d6071630b2f3d990f421470314dc900088c23dbe6d3f3b435b5321774b6f

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 ac290b60e3a348807216ceef824e133b
SHA1 72aa5a10d2b1ce47625fbbbdfc6f37ff56d3833b
SHA256 3990c9ec24343b4db3322495b0a2b4ce0639ce894ca0330531e25f82ad921ccb
SHA512 0b77f530117ccdf90e0d298f093ba1d819db21441adfd1df6e27466721f1d6214a453290796ab68b1cc23c40ff567061bf168557286cf7a0bfbcb6c639cf5863

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 78a3f08c0daaac836fa651d40b97116c
SHA1 3e3bebcfd24f7497ef698b17739e2ac126f30df1
SHA256 9a2f2f4834e679c0b654e469a0ddd83e68ffc975be7499e70db995a78b56cde8
SHA512 a99c316e315d78697c4d9b18c81d04a1027fce23f7731b1d9c835e69886e19107b16aed5b5ec73c45bf7a41ffbdc0d630e335b237246f45d2cb2fb7c30771ee3

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 61a05e94c534c260ffa4f7c07e486555
SHA1 dc72ce18eb2563e8e84104a706c503f4a530e1ba
SHA256 954b5ac14399c142d92135c39b2978d8932b46fc2cd0b9b4cf74ad2e4b497b14
SHA512 cd51c3af94fa4901756e920035c7a0ad5736f782bdf054ea11759faf6fe133e7be3d09dfc44b072ba319f75074f3b7a9d53bdfd1d539e75d5a29cec30967df22

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 a57f45b119937cb875485286623b3a49
SHA1 d68410600cabaac5a7f65aed90082ad12d5e1a4f
SHA256 a39cdd59200c8292646be3f9c4aa7081d2d2f67ba4ef1156ba942317731c80f5
SHA512 0a2f2ba5bde906a6cbcee9b0819d33977075e6a7a8355b121f4c79448c05e5cbbcf5b3153344446b41a6b9786e6575fe558c5554a55282dca75042fbbbdff144

C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 c54cd9c306bec1cc8eb4b7040081269e
SHA1 cc4845876ba82341ed9f85e5172411cd467f9cd1
SHA256 7da2ad9c8da17d357f718ed882adbd4165ff658ade01f5a4752c508b1e26cb6f
SHA512 231a0cf80dfb86943857a161986cd3f72a543d840de085ea961c80a8c52fa8acee353a3fca1a63e15b83f32a54309c0ff0247a1113932a3ee41cd4588e945c61

C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 5d7c438109c7f8f33d23a61eb1ee3e58
SHA1 9eddc2516b387dcc268f852391fb3e97626ee6c4
SHA256 bc1eaf19df74c03632e7cc25679d848545650f7091e9fb49f735dadcdeeb6198
SHA512 561d2f482f96476d2dde53d02b104c0652688856fef644f0cdd441b0f69d7c3a9f09ba4002384460e473e14646258d618cffb2aca4acfe3f3ae001e242ff14cc

C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 44a7ddae6d4140e0a97b455dde5f4bc9
SHA1 bf31b7fba10c2ef67f9e2686d55307f1434c5896
SHA256 6b52afe615587def86be944ddb0834e08aa5f9096a2ab8e94c2c8fb337630dd3
SHA512 2feb93569f2651980b6d128869122f42727e0d37a7a8fa78f8a833ffc6380bbfd72413a6ab4177ac27c3c59d4d94833325959017e044ae9261c126a19cea2087

C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui

MD5 85de2d05803f56654def5bb3bdb4c065
SHA1 deead260a16c6622780a2c9a07e9500322a04f85
SHA256 a4051d72f977fdffbd3c3d22dedacbf3b9bd5e077f5f049fdf33a1d96177a77a
SHA512 a8c56a34e8b9b8c9e63679fd6ed3b8e14722133a65d8e790ba17a34d9ecd2ef48423dd442ec82bd7ad0cf8acc3cc6f10fb4586eb0c895b2af17a7e776c9ab8e5

C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 d1bd8a8c48186be0e9d54868c792cd1d
SHA1 c0cddcef7f649a3bdb992b84c050ab4dff8a4746
SHA256 b2f7cf6e867bc378a0f61c0a7f7a6f0ae2dfe677d73b89a5d3eb7eb428141112
SHA512 b8125ccbb04832e285954de915e602a43648213c561bde64c6773526b007395203657af7733b4c82a0fc27dbe243237956d954871be46da3ba65a72d2b0b983d

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 d387163396945738a0c08f0f232edd42
SHA1 ceea5db8a1ec8150500d94f6bb854acc4da7f7e4
SHA256 af41a6f81d01f9580a8b974196ffbe45e527066188be2b08a37110d382b64365
SHA512 9d657c8caa62f9da0c0da98bd1e84b6efb11762f7ed190a89711c254143a183c6a6ff58b62961c6f69b818e6b99173c91d839e7fb7581e1050ca5c3e68bb289b

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 4ef3d8db74dc242f0f46e57bf2c28b97
SHA1 c156f313a7794ca671d72d63e976158b26709ee6
SHA256 3976621a21de62f557c47aa6285031a3a9a96e2e6412e124cab1255b6adba9b2
SHA512 7544167d44fd2b3212c1bff84b00376d11907911f6d7f7c7d99335698052f7b5babecd40787188b1bda16f9a28d6d4be342e24277e14a026172c1a31f832d545

C:\Program Files (x86)\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 70d3fb68b1cc8009984639a7628673a2
SHA1 10c5d1ee1fa502c644c52fbe88787c12f9236748
SHA256 c417f3425631896f4a6e39fb29c082d53a7554e332460c5960d675014ad23a45
SHA512 810f059bc39fac5e06cc799096c658a6c177f6bff5fea4ede509e451fcf3f0c109bbbd74e2bf1db0274824251be1f4ef724da10df99cadddc651bd43a127b574

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 b5dae06da7bca6a15774549b57e956e7
SHA1 65a30b5357b3e201e1d11393c5d8da0d1f02c0ae
SHA256 dc0052fd4fa2805a69028049049812e629ae40d14b946e7cb0b64ec0f5576459
SHA512 408606a304523fea20feee98b6739bcb3e28a6a829642b153632201672de6a6baf4e65893582618bbef2780f591bd1dcab57c076477964c44cdbe566e70798c0

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 4eae1189af1d45ec7f2ea04cd60cc21f
SHA1 8dea3ef199d0f8f8cddde442361bac2edc8989fb
SHA256 d40ca1c508dac45c84577bd38d3ce678d9dd935122eb7e282add3dcb470fd97e
SHA512 fc580cfbd144263d2ac7c81297e129be0d45f6fe5f4e29b3b1aad1d148e3925ad147be2203c52f2385e875601f6e453daeaeca89e49968bde2fa4991070cc8c7

C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 d6a8090da7a370f0804fb76fe15c303c
SHA1 9beebdfdf71db9297a5116b6995791024c285434
SHA256 8e7a66574fd6766e7462d377d9b0294071916ddde986869c0d71387d233fbee8
SHA512 9f5652ded9bc51b306a12702a5c0f3c6ba18f276e9c2547f43b5d51fa0e2a8ead6c3971fafab644493b2801e830b6cbba8ddd605bc356e0ead69f52a724cec2c

C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 19b2f50e81ede3f108d012e8c75b9ab4
SHA1 bc4c776656fa89c3eccccdbbda5c67fc8c9d6858
SHA256 fb308cfbc8cd920142e9c2e23b334f283b92e695136183b71a72758d3dc401a0
SHA512 89334dcc40d2bc82a8622bb5c911380ad9bcd379639e26b75045548d76876e0cc225c6148c27c85f0c97f5f5fd5209da2bfde4081c96ac7b057e1132ed62664b

C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 420c87223ca229b1684e11d63024db52
SHA1 64b0bb494f42b598502501acbf158e85e90baf24
SHA256 f989bbccf73a2d2739e42bdda7aa94928f5bbf9483eb057cac512550bc829856
SHA512 2d36fd7bbc4e47eb3fa025cf004c531befbca69f999a4f83a0a2162692ec7748837573333ddc64aa2ff65724a0bc019ab19ce100d09ab8b33cdc1fa2c70e2ed8

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 04a08df1a45b8bfea2ced9f8920520c9
SHA1 7c54ac290c10af5f8c5a934364e1facadd499c9b
SHA256 a71c2f7b89278be3383cc52bce904c69a049d08809390bbcad32c817cdd490f6
SHA512 68475afb43bc309736c6498cdfcdb10f35221713c53af8c46eba8c98b645895d41d2c4ef0d70ef1c487327d483ba813452dc01819ecdb5701c00f160ec6dfb77

C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 a7cace72c2f15c60298006a089183b70
SHA1 c4fee6915b15c68d3f0f15db5f62b1d0b91297ec
SHA256 97747daa7995f1b5b6531b58ae7055b7047838908932d0d5eeb32d22f17d89ca
SHA512 c6725ca079a1714455d25910d0ddb6fabe5313e453b94251fa3d4acdaed8674a97b41d42fda5ea5e8841885aeaf2d1afd6b1cfcceafdabb4108dc168e3f5fdee

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 41dded6962c4d4c9290b40fc767416f0
SHA1 879e35f0a72c459a49c41e865e741562293742b3
SHA256 c282cfd625f67cea3a051aca68a8d7522784639c7c8560302eab61e434ccd9bf
SHA512 993150c20fe6f647a770285a1127323f5243f7f08848ce3702f549dd60cbbf903b4d7ccf84330e9fdfefe085b6c9560b5cd91983101547f15b33203ac7b88c6a

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 3644b1d7a45b12edd8c5bcc24bdafc02
SHA1 abe77b151d434d0ff878ec872b841bff83699c48
SHA256 cdcbe425692442ea785ef45875405db09cf6f7730acafb320015fe058efdbebb
SHA512 35e78899220873a8e634b9c284462e7884e641c1603e6634824eec9b2d62a470acf610d21bc119d5dc11e4ac9ac37d484139a202518fd2beed41bc7a2481ee16

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 c487c7a39e4ae3cc6ea31d16b5411449
SHA1 633f0afbd918ff0dc717b1b05d1b67b28fe56d2c
SHA256 35961e1a71181c529b5f5eed4f43f018952ed8de5a89237cc4ff8e6539f8af47
SHA512 1ce51413e7534af16a09b98e67b5e7cc076272f93cacf2921fa9778b4ee8dd69a0699330d14a84765578ae0a6cc07b25861d2a47f72d30fd1af160f81628ff6c

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 2fb448a3a5a9bb3fb1c6829767373504
SHA1 04312248763d4ecddff10f2e4c2c664642b707a0
SHA256 7a6e2d57d5c72b39a227192538d80e8a9ae78c4f59c040637f26b2da642e7f22
SHA512 91b0b5d62d52c56d76a6fff3372ed84f05bf8fa2ea6d900131a276e0a4c60ee2641e4708322b17c953ba92c1be28da5d5fbe130453c7b2b4ae24a95cea5cda1b

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 69ad3a26e3fed7c1ba67a397657eebb5
SHA1 258e0a78ec978eeaadfaac3bb9963f540fa15c0a
SHA256 0dc9e69ebc0888d37bf89d945ffcf4c123001e523020956c8c4f196a99078feb
SHA512 9a58c0de994d36743341a329791a72867c47f6edc3c346225efdc1d45a0a4450ffc84c6707adcc2905f76d1118462da5c01fbffd5292644a799b1e79fba52ede

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 85e7a0fdc36baa2c30db522020b83959
SHA1 ac6c3f09887ba5d511dd1e560a042b60ad567aff
SHA256 e8bf0c61cc10792f8d7c1821ee1f5b636f6e8eff187387d6781af0386ab8e669
SHA512 45306c2f23e0ef0497bbb6e447efad67c759e3bd6a5de91c30e821b2b23724d65c8160a54ae15af52b228d51e9e4bb8a6df268a811ffb76b5cac35ed1156ead0

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 423650bddb1e34f0993838a70c25534d
SHA1 39497de5fac0399a81615107bccab5bb9b8bd30d
SHA256 4875cc0830641fed698f305db983f3ed4e603697476c5a2baa6d427b49e6d4ef
SHA512 317bf352533d4934aa7adb68706ae5198a03ada6502e44d303086c448778cda4f14efa8a33b0d7b67dfa9b5aab4e11595edf0e2d67d4cea594c325ba6f593ad0

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 a278ba18d52cee47ca36b2da2e96447e
SHA1 3f20ae776b02af3cf33ba7b9a3cf3bbc4f353f10
SHA256 298e62961185f2dc4ae75e7d5c8fd7a3c5f5943e310221deb6682908fc9daaf9
SHA512 a1a3ca1c512a7ac957c69a2693440016bc7479d70b63f641a28a69d03d98c3a9188c82a18493afc259b30e1233145eb752a9f9bea62a6e32e0066a17d513fbd8

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 e5a5abbf65ac5a5182f77d21fab76f6f
SHA1 edf25c95e37f89082254e70a7f6e6a9bf1ab738d
SHA256 d60c0ea048ff82c929131273ef9659ad839e4e90864d12f703cec87c61506fff
SHA512 6baad8ae326526cec1cd9cc43affc78220a5b10288f0abc397afbe8f407de96b58a47c8d20188d9430edc607915f2c45278b9c51225f98f08f00f49790edbc3b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 b9d200f027afa7c48684a0eb169b15ed
SHA1 be5e360175a53fc5635a84de8b26d11eceafaa36
SHA256 b39f1610e9d4f703a264704b791061b469618063d73ed21e971e8d55700fa02b
SHA512 26bc01a160f907e91fc820f867299f579434cc1992f741058ca209e3f374aa74e33212fd2476158327f78d1bbb7cf4ba8a26e8eb15d875a927689a05bfebc1b5

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 09650512767b6e45c7337d07bc7bad51
SHA1 9f14b227d1288feec96ea31ed4c3c95ad37ba4c7
SHA256 a3d5ad448ff717fbe77615d61cee2a3ef167ffa1425dc1a8ebcf9ebf80bf7ada
SHA512 ac85451405465768d06101b93f65046342f93c95b5223b173544e3c2a3c43305f8c24e4b059f85acc1596c8d0876fadf5bda01562745efa57fb6916e9450d998

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 c7464bf7b7ab9abf7cfb8dbeb565dd84
SHA1 362eb79f84e6f89246b97a9d1dbf6cb1190ecc01
SHA256 566fc870709d5ea29b393d8976b97b448c44ac6d551b232a1bf791fe0380b50e
SHA512 cb76075d527939d545e1df6bee37b5cc20eb3a3eb7fa0a1b4be1f8425ae539b81689669be47f0d271cd31d88ec6f3fadfcb11b6b7785304e216c66c577e6ec10

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 6891f0a0bc264e7331b0f4648e0876b8
SHA1 84c9f108d979b0b50d6b0900666423877cd1952e
SHA256 fd0256a5a349fe519876a1b19f846cc35a8210d5a45d405f819765f7253892fb
SHA512 93d2843336030ce12faa5e460c17c49d70f0914190530a483443a25cacdc80614903c443037e2fee3b287a3a205bdeb79ced60887506645595a9a8aee1d4d292

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 7532938392ac004b82f90ad6e3d4502c
SHA1 0df74385ec06c88efbd4bd143a75e7a48aba3e8d
SHA256 d557d30e1c0a23dcb21c83a40d17f1b3894a692f178d191b61b3ac2e57c0c52d
SHA512 2970d1bfeb3c5384fd4ee1c398f6e08a9a0feaf13ea3cb93d220a5a7d2a4784d21d5f632b3172ff613c95f894b7babd9c28a3f4022b8c8a9d4bc4eec93380167

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 54f090713dd57954c59b150f5b14a170
SHA1 1cf2eaac30315d98018fd4097f8a7f28ecca5b20
SHA256 1a73f1b9a77024ed5a2a5e1990d7d139e377460ee91b088a0e72876ad4403dd1
SHA512 91e5e5b1ad94d7a351f8a11358f4c6c67de515db2ea2eeaf4a79f44f943f149848016fce75f75dd2c7a0341fbe8cc7afd1921828409819b6f411ae4be2341208

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 52b59a420512604f9e4b0a07e6cca1c8
SHA1 0f4f602bb48f70c9095590942314511cadf0b412
SHA256 94c513c177fc6ed20159306e74cada14d4c50a1f70192a91d527f9cea23ade69
SHA512 e761fde05e5d4ef30b77ec5f5d5085db704963142cf49c8f88bac199ee4c49e15e69374eb2913e11e7fe1b613fa2f0875a1ed898bf18237c32421977c3e9c815

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 d7a8da35f8e66ac2ebac8e31a5ff3705
SHA1 42de854dce52c1c6348013e37fb1dd1096da1266
SHA256 27070ec6a2a6f39b71e47a4bdc7f8507530315376227ef35d114014d20a4869e
SHA512 649f3e65c3924de3b533d3fb07ec887184d999c0fe87ba61bdb576f905dd187d0a540a93fea54c07e180b75f9ebbae2cd57835c57a44db1607ea3511e775913b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 4783fe1eb1cc1db502ee14bed07db10e
SHA1 7aace3c382757cea3b8b3720c930bffee3f938ee
SHA256 ab352ff76157351407a9b06f95e6b9101e5c899ab61b7b6dee888226bbe7dfc6
SHA512 421d949aace099605a518d652a0029acecc8125f46560e31f75fd781a9603af8f8c2f7d52a062f7df0fd8c1362eae0a1da2703438f26c5fb70e15f0a266986a9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 57fe45ac74c2bada374ffb0bc961d802
SHA1 0a8ba1417b45121cf716f24cc88c038cf0ba0941
SHA256 2349479f2a9f4d535a2a825fc896e452f298af6aaa0cca13788babdbc04c7e10
SHA512 d3ffae65a2acd6bbee823410b574db3156e55982fd2336f637396ff481c33e7d7662594cd306f1a5baf119a6cc40bc150b859a6149b555cd1a0e245953250293

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 45175f6978cafdc930475ca99624e522
SHA1 fb68fe349eaa4d71ed7f41b89e8d5e6690bdb353
SHA256 2246b772ec5098579d7c3f1a244af383e05f5ef7ab82aeacdd43cf44a9d4c47b
SHA512 5f64c85acdd034bf4663d93644d88fcdcdbe485fd53d82cca5f6a2dc27c738665638c1f628a1535e0d5bf97695475e918a3c81a76e6bd8bc065f370e34a08805

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 74eb653c10eb3ef19c24cd717e0e3132
SHA1 a72f45139277264013160243b797b339de7127bc
SHA256 8ad4cb9de088326ce0badb4e2eea4c0da534ac9c7813984fffab57072a739fe8
SHA512 b6fb7fcef91f6b7a7d57dd5740f0055d616f2f4bdf85ab3db5f1eb2d5ca68e994ce72fd186427c8e1bf67342d57df04759d85f841a013170f900eac5d0900eb4

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 c3e628971faf35fbaf5e50937ed16818
SHA1 c05a11a29dfbae2f91fc8b5a6c30531cd477e23a
SHA256 33a78a7bcd3531ff72c396699595b469b37f7b9e7e90262379e1a73deefb26e4
SHA512 5f2f02f8e109c644c65287e8be1b5b827232fc87b3fd481c895a3e68f2f54b51a8578af3179cba1fe203427f2c0f8745eed2a5b3b6743067a149b3c548895643

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 349e245283b648f0a1214ff17d4e2e68
SHA1 e17d3eba9be26a24a0a28bdff653254e07cb3802
SHA256 4702062a86c4aa36f03d918dfc8457654c7b925c17722b97d582a30576201f71
SHA512 92ae0ffc3149c19d93194684e7a00a7a3d05795ee84763b8e1f5eb1b5ac5d5af13b8beeec7ca4855fdf918004cc2adc51ec6cd9446e48a8c53bdd26ce5c08db1

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 d02195790724739bd6a2315f16fd2eed
SHA1 bebb5dade4a6072a9d05543513b0657be69c718d
SHA256 38316070a6a1f0a6008e7ab2e9912b4c8e1d41b8b9afb7425827ffa5fad3aa56
SHA512 e8245be7df8d1f798f6ff93068490aba5e9a95e99f767529115a5c7d96301195ea7d1362348d135b83354a2c3b34c3fff09944c3d423d5f63f62f933c0e7802a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 b5e91646e67813494016f6088238867f
SHA1 dc530fcf06f300ed62d63747047873b0cb77bc06
SHA256 c752e040e9c13670e4d44320c787f890b31dd0eff444ff3e4ee4fd507da03518
SHA512 581ef8fd98d7f26e13ee240d74f5a13c0bfa23d39affa8dafbf532ace5607d9a1f880a607f681df929750a92ccc067e9710b17ccb1eb1fae4ece4c1535104bda

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 3e402f76ae436e0f2c506933a5849ba2
SHA1 0c4577fc717e6a734a476a64296a91b8b495627a
SHA256 2018465fd0751542c42151983665eb747516709592d572244e3641a0c4d23465
SHA512 46930b8cae48cc45057e1d1177ce053710f722a2c2b3d99a9597b780c04a877d049daa614bb2e6c21df9426334b4b35cae39f9048cbfdb2794bdf8d01a82e683

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 aaa4874ece7aa98d8f45b763881f5dc9
SHA1 072542f7865b0689f364094aac5e0d22ab37a446
SHA256 7f332866abfcf693caa269eb8726f39f0e5ef4ceeeb1caa16924d4f6c44e218a
SHA512 754731fcc00ded0d12a23a994d9d4ebe71d7f54e63d77dc5da700385889efbf2607d116ba1f29af4a5e4a2239395a06e4cccdfbc88ebf669acbfdd1c81b3aecb

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 670084e60e4e7f8e53746fa3084cc570
SHA1 1c35e7db847277f0cdd2808f4a88e39ad9ad4602
SHA256 972c1b780cfd46813e20fdc72cc5d2f9c5043b88d28722d7c6f65942d4aa4e3b
SHA512 787e79ca4c417a336a6feeac3a47b34ac2dcdacddb014df4cbc6c77cd8df67afb63c08bffa1d8a52d45e0a48dfe5663d53dae733a4bde915a0d33b912f21420a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 d24377a3fc5dcfc6a4cf0b04d2e108d4
SHA1 23b60989fb6113ead576f0ced1a5edadb2fc9761
SHA256 bc464763c0d73405826ecf47928b1131a9787120223a6ce99e534a8879ce3c26
SHA512 bfeb8c4c25c65af10d3a036cee2f8e5763aaa7801340467c2f110c0c6e32a2045de7c92c203f33095f511dab823a7c8336e844bd2bf32cf9172e7ad846c3e460

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 df0069267f6860c90bf2c75cdcf23ba9
SHA1 3456bd692cf952b4a361d2af0f7fdabc576b7dd4
SHA256 3affc455b6da99171b3e0810ed19250d87e203b04abc12dea8bb9febb52024b6
SHA512 dd755add1b7608b67faf7df842d3c945e81a131e27dec72b76844c36b0206e174aecd01ba0aa7c804b863cfd0eb4a2a4704907cd83e9a02e2a22e3add5c3fe95

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 8345c3ca0299de5730f7cd9cb0fd4f0a
SHA1 8cce8c3fd1c0c7b4cefbd7f2d92e6a487a3356b5
SHA256 1f32670c58f7f923b7d8dabaa9e79d6a13d81a84cc9df845e76b89afc57a96e8
SHA512 79db7fd402a239fe62c1e92c67f675c5e512e02cefda8fdfaa698c1bf88292fd5e743bbf6a6074fb7e1e740b452e7cbeb19bd725a91107884fd2868be951e4b0

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 b1fd1919377cb4b95dffcb3005b62476
SHA1 a6bdbfc47aa1c0adc4b9c15da46b3f631d7df77d
SHA256 cfab345cd8396c21ee909f8e3c4a7531e0fc795e5245eaffd7f58c72af688c86
SHA512 e5ae8d6ef809d7bc998be815cc5be5c6328c3e30824179ab9d7d4efd4286ccb36eaa12a5197dd7019b562cbedbbb2aceb5fa57fc7c45f7bd9f21713d6d33fbae

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 a1ddb7b5a82c32e935f455cf3032e728
SHA1 8bbc08d8903c684a9493476cbaa4fe08412593f0
SHA256 c675ca14bcce6736aad765f3b530a998fd91e5883456083333502935f3a91ce8
SHA512 91f0d54df95abb4fe193b724b9662c5a07c96a45ec5db2a463addcb9fa49e1cbc2ebc3c9a9066482ff735a118331c725b2345228a35d1d008c6fc75e660897e9

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 cb8422751772575a3e7b17e0454f07e3
SHA1 648a410f208020ef08637ef7e56936e4e6ca0d71
SHA256 970827bcd0340f2f27c1f808b63f4cbcd2b2c90c8fd5d89164b428f63da2f7e7
SHA512 f8fdfa99e1b54d503a4d4d064d2f0e6d37c7dade354a241338f4cb3d6e7e68d3bdde3b83082d4ae74330c10c50972e1f4dfc19bee9954f2476c2ff15ae90144c

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 1a4bf9a8596c5c71f6d989d3887f7c3e
SHA1 e06768757ea0097d6390dfa06732ca79ee2f130f
SHA256 aba93dc950a670241293ad5b9002fae8cb9597ed458de331b8c35a5d29218606
SHA512 f4039278192970447cc2c9061b181dfc017702ea635daa2cec17ea690b8458f78fc0bd77897d66153be3da4a340fd1c65080f07d5a1eb324afafd9bfc15970cd

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 c01eb45e66fc7e35229ba719da118fc4
SHA1 e68b266105d9c120cec5a8aebdb542465a4ff82b
SHA256 673ae726acfef6bcd4f97b3c6dcd558fec516f0b4b9004d2cf1b93b75d9d2ef6
SHA512 f0e7a17a220f821abadb0e20ac4cee33e3b169600c2928ae8389de5718715abaac260718eff684ad9e1ef8bfcef2e36a0b08a8806e031a5ea4573ced2d71d903

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 96199957cf5d1af46a9527d44b138b2e
SHA1 cd6f0f1bcc721597716fe09959d3d4b3072a16ee
SHA256 ca774206846959402f8464a9aad0f8b399dab45ff7df816dfead9061fed32ef4
SHA512 54a253846ef2f3007ad399def96e5704a6d9d5fbbc0cb169949297c8aac60a011389fece68cb3ea048b2dca187453d8e3d501d65f25cdaab861b76dd2951b020

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 4f00a16813dcafef92e866dcb4558007
SHA1 a73b275db879bb670a5a852ef0685184e7e68d30
SHA256 696d7e7abf724ddeacc3095dc30e687d66bfe4946bb9c787cc2f7999d8b61afc
SHA512 62e2dafcfd02edc76bebd4444f5941c6bfd39981f244ac11ddc73d79decccd782551a49afa55f6f05d81ff22e55233858196ca2615e8709c091b9ad21485c6b8

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 0d3924feda1c9521140476cd809c426e
SHA1 a0f5e9257f481f7591304540475f60e9b6d7aeb2
SHA256 4a4799af1045f5c2c2bf0376ebc42853bbf32b41b421010deee57e0dd2c53840
SHA512 fc0baaf704249e59860118d715957e8c1d9e22145e2e253f9cfb7585a17f969884f614be82576f4fb0e057c25353ceaa878401dd0e7699ffa4953e38cdbcb920

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 9c9b2a70072512ebab9a06464e23c0eb
SHA1 d8fa138c8202b3410f4f9d81e342fc898aaf6cce
SHA256 dc62338d990b3f47523aec71e3433d53236b8abe2d5ba8485c61c5a8debc9b14
SHA512 8aedec9f80146bdc894ff3bf64fe6764a05644b8086671744dc1da6715111700789254a4393c0ab8a301e0fd61a668c9c65daaa2bed29d657cbb863b4a7038ae

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 71504ed8b81e40f9edbadb04297e75ad
SHA1 90929acc6ed628fc3b54e3cc604ad861d6e49d96
SHA256 093e77b5a2a38285eba1790354c6ce17d2ed6bca15e52c23f2899483f2c38c34
SHA512 db313055b3202cd00fee8eca945388959477dceb401a232594b5c8ec7bc84b6c81bfbd100bc98297dafe1c11201556ffdaaecb0e57ec4597aa142df888f7562f

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 d1d64a2b15ab8e012b826681699db8df
SHA1 8df1cced46889a68ca1e537d2e84aa8b161e6a94
SHA256 2f088d0e5627bf50807a7e2fffeb0bd08482567cdb4064713a2341a97499827d
SHA512 704a65327f68e8a6a493111ed7606c6992fc5e8fa3ea3bc683f4a0f30c02ed153c3a86d476d0958824effb9ddd745b17d24f3ca62a04af33ba74f8661d6fa04e

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 3e9b2c45680bc326a724bdc92f66ed16
SHA1 090108b885c63629d6f432c5ed863c3345f54fa0
SHA256 b31a596d0aa5474f9b877f28b549aeb88a2339c2e9d977eab28b079c9f398617
SHA512 aad2078b4e888536d11de9e1700cb6182c225aee251e3002b26218a27c019c013b9c44658b93e446e2c92290d19d4aa1a3d67fdac9103e5cc6af59271f2d47a1

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 552ff6591179b9c15acd290c41d25986
SHA1 c03f4de61c87d16b12307840cdc113eef2188cf7
SHA256 6a02dce02d3d3c92d7e88b37f6a8b45d7da7552b85863e94665f7fde9cd01a67
SHA512 a051602405b0f89035407fdf9b4eafbce36c3d57e487222d8948a638408401bbc8f6aa22c44f7bb785d290587d77f9a21c2081f9f807c959c2a2a47c1b39b881

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 a22df24ed113a085f20b5cc854a32737
SHA1 59835ec622378235ed035853490d6e24a3afcbf7
SHA256 9f73278cf6de9f297264f72a9d803c3336b79d90cfb5838cb2b6cd4471a73f37
SHA512 641c99dee082c4f2b8b53d53e2181d973527182c07c6e0b498d85f9655056087a7f78b8c58fd2d2b227c48e9d1b581bafa582d4acdd646719b924ba8fb6e4f60

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 3fdb9aaa2824665437dd880ae6deb9fc
SHA1 676596869ba915e48258f02a240df3f391be1ba6
SHA256 7a8ab16f2775a35e761cee354d3b120eb4e2092eb0e614524799f3304504c027
SHA512 2acf8af879393882ea877cca23063102032ca868e3f9da7a0b5cfa62ec5bf7efcefde09d502e96035af40695498936e187533caa3f9584e8c2b1d50cf81f7c46

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 e969156b4562f4d938556dd0458e98ac
SHA1 98a56a7618ce01fcb4326c7eed8331341951ac71
SHA256 630c442a553983529535c3f5ee87e06a7491fde26d187eb423f05d05c035c1aa
SHA512 c68a0e412a1992df4975186e04ed7b5fd8f79e9ca119dce526796c9f85a93107c70e665a2230125fa10a58eb5c97202d69fb6e55dfd7a4330031238df73ec65b

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 cbd75bdcd7dab0f0863a22b276b5c412
SHA1 6e4f2cb833a0e5b6c7037ae8fd3f68c2716ac652
SHA256 6ff7cba60e6d2f593f79cc59bbf93e476555e6ff0bbb7ef039d4728944bb061c
SHA512 c1a911d4d810263ba28d27f07912738658e9c913d8dbb68e33ef477050015a3990e845b280ad2bc98cb414a20a79a118b46e0fac4d06922b2596552824814a8b

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 7ec7d8c7327c2e907f39175f45a80f62
SHA1 160a3f7a3741aaa24e126431ceed5c11cb6bb514
SHA256 acfb13674599c8e184983d959eafce18a5d23eb6df942f2da01a6a51a2ddabf8
SHA512 f179a897394863b9a062309ac9e0b767f5739146513afdd69a804c5d1e50e2f84ec7fa858fe144b72a14af751689909cdc6a8550820763ac931361ae47b1e68f

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 ef60a586fde6653dfb7f113a09bf8989
SHA1 492e63ef804023e085e3cc0410704c15bc2a9aba
SHA256 70001bd844c74be110d3ef7860e837b6572e0b01f7ebf5a945c5a20896e13044
SHA512 0b687b20ffeadb94e087eb9f59c44fc1e05c73fad2c0ce6e08af33feb174fa33520515d50287c918453d5b005984577c9691ea4bff76386821f96ab117d1c52a

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 f9d4e8ba4898b33a9d9f7d899546d972
SHA1 1c59ab734bb9415105c21f552142b7b9cba76228
SHA256 ff67ae6a0617621c3988458ca8a4f03890ebc4af46df490937687662de1d81ff
SHA512 daa2993e4fd9d227345c1d0d7a0bb2908a82c130ab2e9fb61ce47af30a2e12bc7c77e00afb8e9745d8b2184622fab13b40a920567c8cc07a1a193253accf03ed

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 89f00b6ebfa574831a03bb240a496790
SHA1 6ad9ad01b6aabaff95812bc3e9bbdf832cd7dc15
SHA256 17cdd2e9063c0b0cd694d1c4d8bd638ad03a86b8bf2a445854d1e32499cec53f
SHA512 1083150fbe0d13bb48c3fb95518d6730e402bc43a40209ddf48b19b67a558bed23746d2d7d14e6628950ea648d03972dfb69cbca0c7595ffc53c99cabd1b80eb

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 89d3ea189297bb3c8f3c1aa2bacb9d03
SHA1 8fa49e312c9f4a2f21cdddc79b9bcdf3142ee069
SHA256 0a5e50559277e36a9b6065c5ebdfc542ff591fce9a812951544ba932b27c1406
SHA512 8c2113169701bc4f3845192a0056cac67f1c9ec659e99a1134ad531a011cf2ce3366c18880a446b1354684ba169fbb76196fb12f31754889c631d476cca02f1f

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

MD5 ff3148455ae0fbd47436b0d77c7ecfd7
SHA1 efaed6aa8fcef377433fcd45f0720b6201137fc2
SHA256 2fa25ec38ec09952ce7f8d8d0431cb4c5403e7a767e49c12a93695fcd1d57961
SHA512 db4189ea75b5aee393d1c9d80dd57f3693dbf2928c58fa7f6ddf93e290bc2d0c973f742007c1a62729a3d3eac901cd56aa6bf2a97b38b5f93375962c3e33d5bf

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

MD5 1eeb7f3e496b4c67d5663c6ebd1b57f8
SHA1 567aab8d4397b41bce3d51746b9e298a090d20ef
SHA256 3f90feca49ad90ed2ff7a3f765f6c8a520558f8b970a02284bb5f96de1afbf98
SHA512 08a2016a5acf4025f654ca07a7234ad1f6ddedbda65e9da1ca8013728bd7f9fbd55228bd702bf584bacd865e9abfb97586c8c6ae407ece8d66d27d9d3d6667c0

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

MD5 837fab670fd5c421bedfcf74164f356f
SHA1 d5bd136b91e3b9a037379619570d1ce8a33e371f
SHA256 ff08f920f760ac15c4a49df95e7ddb281401756458846fe389550d5803791313
SHA512 70146cde602668ff6a3a9e8aa07c202b314164fb706c5e0e3e949d985a7fb7963a3ad23862fc075522b1ffbce6275d0dbfe65925ee3f005d3d1f00b14d7d507b

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

MD5 84a5310ed07fae46e6a810544786ecc4
SHA1 d03a055f8de96fb5e6a1899991ff6fd2cb1ea483
SHA256 99d92319c899be8acd78601344ad45b663fece5bd2e32499597d6ffeb491f988
SHA512 73bc69f6b3432bc513683d6a0ab5348a139ddcfa8944630b4b04504f75f3b711a9d05485252ba5c29d7190700a8114cf8fca99fbee56d3dff35effd31a0e6704

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

MD5 974d21c63862e2ecfcd75fc5b2e48b27
SHA1 250a254a58207899a6832ee541d1fec5ba704e2f
SHA256 ef71d1bbd0f31cb84e86bd5e4fcea536af2d612c779599df7f999fc558e0c909
SHA512 913f146df7f2f0a26c97674163cd063cee92178968db9b24a4dd3e918ea45697871c468477114043a8617e9f353608295ef7f797d020c2e5b3de0c8c26c962dd

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

MD5 fd65a6b5a7f4495a37494f131d152186
SHA1 d6f9bc004832af2b9b23a4886e37360100202c38
SHA256 5518cae9b872a9007adf507ffecb4baa06ff315c1b28004134e731bd16ff82fc
SHA512 3689dced80150034fac8bda133920f6dfa258208671741b0268fd505728f4885282f9267bcc9a2cf0416b1923e4246c4e91049394ed3f45b3b0e8482b73ae93c

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

MD5 5f00b1bf497de974fdc5c47920e1482d
SHA1 0861ab85c25beeab4067543af6894bbc5c9217c3
SHA256 2b372307170620b761c3f92846d77e2cf5ba0fc1db5134127aa6baa3cca7713a
SHA512 a2e9da5551c2b28736ca23600b3cd5dad77edfcae12acad88bbc70bbf5a623e30ebfa252beffbb540f372450315727eb26bd26b7b706d497cebcc7f779846adb

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

MD5 81b93801f00c95e473851f99b224962c
SHA1 0ebc01c9f06497bc101fcab4f2227ed23bbbe9eb
SHA256 5d283925575a878aca4a733f92e02ba659040a3bea330df8f1a42e1dd473f4c8
SHA512 b14ca2163cecf6d6b97a6671081ea3760a2567efccadad79881e9380a9b0b2106b55e89d1c62211b4738328328535172cc9dfc4218580d851fb1a1de66b4fcf2

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

MD5 bf83b8bad36fdd6a76d7e5bb71993f66
SHA1 87e776572253fd0a371fe5c7dc86b24e87d8c087
SHA256 c7ce817c3e48ae19c48d5fc7b0c876b582d2532b17da41110af8aca0561cc1ec
SHA512 2ab5a4c0497e7436097e1e9c2308f632dd7780343bd5b78c2c761486910ea58a4b7d4be05fb7ba5da1ce3ec79ae113a90a3b4350d2c8a20d48474d49e2b7f6dd

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

MD5 b7eaabe0f1679b6a0df71cf0653f1d88
SHA1 1ccae8432b29476ece85a5df1eb94a6b0ea8e3ce
SHA256 90208b46218ed0949f5f30fa4885fb35c47361c3ac3f5564caf67e06b38db1f1
SHA512 935cc1946cec1f07a7840a519064c6b69390c5b4eb7127dad743d17dcae836f61befff836095a2b19fd73aeda20607ca7a83ddcb8c2031cda939f94987f12ba9

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

MD5 bbe3ccb5def33cbad7de4ba451238151
SHA1 e13be62efb73fc1df3ef7ea23448d0317e53add3
SHA256 599606b9bc1ac924b10ec2e50220b5a62c7c01e7c8ae0a051749b3a7341c9a92
SHA512 05a31c9fd75bcb49b268ecdb82a1a0b5530c06e6e33a6fe35a8e010a51a9d3172b3f88f1d976ffb8f9e2d8b67f353a170b5c2cdd4ef714766afdb6e3f31e0ded

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

MD5 3202cfcb0929918175f14007ea85c3e3
SHA1 178117c6764eccbfd3a40d816204ca8cb3e5c92d
SHA256 dde3a676bf2d4325e2098d0377be480be2474024fc159087bb14de5daa14d82c
SHA512 6b5b3c76a2e93adaaa98e394a98b0f731b282b2d43886341510d3757c914c654015502ec505256211e64fa26c8f2a9c22c92414acf13cebaa7a29362732fc216

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

MD5 54ac7a23c8d82cb8ce652c5c1123c7a0
SHA1 e1c275dceca82a664f78c49011d98123075d1244
SHA256 a3a5f6487d536053a8c039522d853f975595a377c48cf2501edade0c00a109e7
SHA512 31ccaf30765b6ec24e16569284f8ffa62ec75e0fb8467e568e01603278275b646d5e66edf08d68a27044892d331377d72b2b419e4ed37c919a36a31e17ec57c1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 689dac399ef2055291aff9913d37ea23
SHA1 43956c4bf6b1b65de05354193767ae64a25cbd71
SHA256 7234f45b0cbdca7f4d4c1e1b9a85fb52428c19aedb9d6f5fa0817d66c388231f
SHA512 6d8a2b1d4d404e9a65be038115446bab456b0c938b9ca58cae40473266995259bcbd2ef88dc4c9c59c60a82b08de24846ed2d010b78a2ed57c9cd1e1aeabb420

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 a27a03b336edfc22a5f483225c694017
SHA1 5b88908bf371be89ddc8e99ee30fac70b28ae3c1
SHA256 d1b58e30662f37dae10f4e042e7789926aaa1d8a050181d16da18a6fd8bee113
SHA512 e0b8d253264cad2cf4a19ad6ac7721ad3526bccb0cb128c4adbdcfd42015636b93bf4ea572c4d5d65f18711f54621d94b321bef36f6199374c4f30866b2a1ba5

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win10v2004-20241007-en

Max time kernel

116s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (11279) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Xaml.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_stats_plugin.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\styles.css C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\glib.md C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ORGCINTL.DLL.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ky\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\LargeTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile.html C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\skchui.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-250.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\SystemX86\concrt140.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ppd.xrm-ms.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\ui-strings.js.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pt-br\ui-strings.js.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\EntCommon.dll C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover_2x.png.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\ThumbAerial.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter.css C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Pester.help.txt.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\ui-strings.js.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1 C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe

"C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 168.233.16.2.in-addr.arpa udp
US 8.8.8.8:53 res.public.onecdn.static.microsoft udp
US 152.199.21.175:443 res.public.onecdn.static.microsoft tcp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

C:\ProgramData\biobio ransmoware.txt

MD5 9dd4c0412b91c85abdcd4925e5a10577
SHA1 f34a9a8a866d410d03bb26a13652c0754658d40c
SHA256 b05da8fb81352f7f573a1f010068cf0346ff8bc370fe14ecef1da1805bbc3138
SHA512 deb3f6bd3a982cd5396de1239c2b7d63a6640608c9a9749495ad9c19bfe863106a153550d3535a7ca938cf6c756511df026ca9cc9a4b8d52424b222e69adaadc

C:\Program Files (x86)\Internet Explorer\de-DE\iexplore.exe.mui

MD5 9aa8b0a16d6647b3e5218facf90d92be
SHA1 5374535f6aead6640b60143cb77aae99cb39116b
SHA256 87d467edc009be8181b90fe1085d9f234c430cc4a499d35c87c97e7e490fc555
SHA512 bb1b4f1297848b6e05565c2fcd437bf66f0fd9aacdaac45a230c068e3a862581fca8733ccdcf60853c184e3205fecf427b1f573d544fc1b9cbe87d0562a316e9

C:\Program Files (x86)\Internet Explorer\es-ES\iexplore.exe.mui

MD5 4d650433b3a105fddc3f39e6cdfebf02
SHA1 16e57b7cfc9d0b2ff331b2df5a37889818f048b5
SHA256 b19a3246d1ffa26ed44162a4bd0af1915f13c1ebe977d18ede89704dd8d82743
SHA512 76157da906ecc081181ed9b38f257bbda3c3f4438e651fcf6a4d8ff258385e28d8c4481f129feeb04698e639561612d8744f4102804b9cb3fe153dc59952d2d0

C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui

MD5 6ea303191673fa199883367efc7696c1
SHA1 eed53d2ed74332109e773244df340f98d718909d
SHA256 c8fb351349f2152096d296a8b4771feff395bda782b1818bc9f46e71f40b36d4
SHA512 7a3122ccc8b8e08592028943fe83b7faa94e2a6823228a64071a0ece352098a21c1e47239911eb108781dedd0f4431591be4d8df2ff87507c36807d746e06b38

C:\Program Files (x86)\Internet Explorer\fr-FR\iexplore.exe.mui

MD5 0894496a9ba1d27ad89b9c38fde34e2b
SHA1 a967612676ab017d7c0bc2b6f11a320f92838113
SHA256 098dc68276e10a63c2c377d520c06a29f25a4ef52c2e8b04a1ade073ebdd9a99
SHA512 8e23ccbd80185a3f838de624eac823d95c3c7ad345e1b2c80b01d9ec3aec1787ad1ea29bd779d58ad096b835459b746a0744ddbd06025bce885fd5b56c1897cf

C:\Program Files (x86)\Internet Explorer\it-IT\iexplore.exe.mui

MD5 8fea07b749a4505bf723fd2102a0dbad
SHA1 cf0ed37ffcd755f7b1980303634ca1f54eed19a7
SHA256 4de1741c9f0b0ed1839306bd0fdf5d161b5412e41d937ab51943237b0aa79813
SHA512 9bfdbe3c34f578d47a0ab2b5e949033b472f4270b8208b4b84dfec4e262070d3f12de9e79f5686328401f5474d3435d4137b7a3073bd24076e220337559463bc

C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui

MD5 3ee2568ed0e81cd8c6b5171634f8f0ec
SHA1 14276f1ba91972b36a3a505bda74ff50c0091b80
SHA256 0aae025aec8a7ee4b878b8733cdb50754369f0f15eeb280f8ff0f1752bca1124
SHA512 f831294a38eec7b1293e8585383221d20eb0191648e983decff5b8243cafafdb282188c52599dbb6facdceb9b615a4238c9d9b7f4f1c2c1b8cbf4018aa602f0d

C:\Program Files (x86)\Internet Explorer\uk-UA\iexplore.exe.mui

MD5 ffe1860c72802a258b84b4c93ac6b21a
SHA1 ebf7569516364a4fe223074bec6c3838fd817186
SHA256 e73cf364214f8bb971b9cd626ed49bb8178541460caeb4f15bd9c47f5c74af0c
SHA512 83abfe59e5a4ecf7cfd4b8fd347677cbecef438cf670322cef1626b84b0e6bd05ac2ae62d8878919c6619b2ce29500eaab4d482d1abeb101294415df33369fc2

C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui

MD5 ba00deda6d4404ce0b565e62656e2688
SHA1 028d1b21148e86ea05c0fe47f6a2c75010ff2452
SHA256 82dafe0a6dd4e5fb08defcf3815213af8a8549dbb99a90449e4c7c067f86a077
SHA512 f799b6439f8ce4936d4004c98be227695de1a7e1386e3f3dab2a40aa143d3ac37790c12bea968f4fee1fd51f0a6df7e27ccdd98049ebe72be307459ffcaf37a9

C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui

MD5 54b9cf2d8a4c17e55ebbfc8b9e0e0310
SHA1 410b72f486cf172333d600542c842736fd187e4c
SHA256 2323a0cbf23cdd861fe0ff2cf49a9c4b4e0a4feb80f2815762df25ab4323968e
SHA512 c6a5c9ec50ae40620ff227a330b3fb75d3ab42a51155dbb7a3ccfa073aedc583eeed100920cd52ee4596eed999363c4ef905a6758df638a6d2cb0d0c286032b4

C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui

MD5 f7b506690be14035101a22e7e06c222d
SHA1 59847b625f573b81fae7090a1bd40567fc9638a3
SHA256 bdcaeedc2011efab4ff61f1b044bffb7e48a2a44a979c94b84c9a6863b10b7a2
SHA512 4c060c165f3872c3546b5e2f64fb557578c60da8e840df8e78ed5960200252a4f4f577e7ada0b21bf3c28e3e2cfd968fffe08d45618747c281da229675887ae9

C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui

MD5 00a65d86043c723ab2d72134b4284356
SHA1 6f8e1ebce439a44a115c5eae7a4f8c65d120c902
SHA256 f4f74da13be7928ea79feeb7fde5618e5266009785495b8570ac6d75ff1b530e
SHA512 f7a6583be5ebdf2eb24003fde75c5ecfac7e9cf9bfef63e83c2281b3845adb747b2758e886ee6e5e6208fa7a67551597a1fad6ebf49fdeba1e9861ce113cd235

C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui

MD5 bae4b08782857e12aea3878cdff1c71f
SHA1 912dec0f1e75f6decfe6f99c214707ca4a35ca3b
SHA256 9c63111fe53568a2efba9b6fbc9b75387458c5079eb6aaf1d220f2a1229b0414
SHA512 097543db9ae7aaf907b510665b8a58c4ebdc60cea3b8608533a529d20aeb765e8027c0cd063dafb1542d49723698bb2e9437c0b3c349b9b810d341842cd87ad7

C:\Program Files (x86)\Windows Media Player\en-US\mpvis.dll.mui

MD5 74f9f6d7a491d6bb53471b167ed60d17
SHA1 de5624658b9b60eb4dc20c52f5666b62a876c762
SHA256 2467a0143ea6749ef87a94e2c4172400c9595bb8b197fe98c228c629771bd1c2
SHA512 e5a12697815a5c8016c1f0dc794e60e13e723890342fc024888a10debba295f15c50a23379e0125f5b2b928a29314eb6abf50457f092de0bb4da6d9f4df0f2b2

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssui.dll.mui

MD5 87660c745c003f112e15bd1d8c8a01c7
SHA1 06a389d060c6ebca6159ddac72dcd9f3f9daff5f
SHA256 fdbfefce81e7be7083af67370bf13301029c06a4c0bfc6a8c55c9f8604e36b8b
SHA512 a63c33cfdbe8ff854c0b2de02bde67ba79ae98df24c9a73c18546b417d44d7c7e9b801872c17c5d78fdec4d50ac440b40545a945c84740c4933480ec1eb7682b

C:\Program Files (x86)\Windows Media Player\de-DE\WMPMediaSharing.dll.mui

MD5 cf7636d5095d1588904516c8e520904a
SHA1 dd8087e8253baccadb3dd81c8858c60b45385793
SHA256 4b798adf284dbfb9d954c9ce2318b9c0af6d0d5ee854f485bbbffab7ec7fb466
SHA512 f8db1850dd29d60b681cd1026027e0cbf93f69aaf2c4fe3ce61196fe0fa9893ab75a0bb109a3bc6db573b7be31b005c32093ac8805f6c484ef3015bbe497e3e1

C:\Program Files (x86)\Windows Media Player\de-DE\wmplayer.exe.mui

MD5 97e01436e7f079284b0ffc7a7124d7f1
SHA1 2466982857dcde68467a9b93fae15b89bde118ec
SHA256 d41d6798a6645de2331de162e37fab5e857c3f0e07b6a341558c64d967c02f24
SHA512 cdcb8171c3f78da3a533c9ad6a597ed34a6044fceb8d3ba86c5d3b7a2e1fcccfd27cf42422f5908c382c44397d24aea6da1e6412242125309108fbbf099ed4b0

C:\Program Files (x86)\Windows Media Player\de-DE\wmlaunch.exe.mui

MD5 6c81661c65e92c3989ee00f387ba9617
SHA1 73548b84b78675d61427c32976eeac0565770237
SHA256 02f3ef41a500daa4d1844b8bc94f21c3546f1c2f3346031b2bcf082b6c3981a6
SHA512 dab049c7408e878d738d982e8a930288897d92d3bf319dd97af451e0cfa35b8e83bcd53a945f4d8e9be2e35b787d265425d463430b1fda14565f776c662baaf6

C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui

MD5 4dc93bc1ac22592983b4331b14bfbf27
SHA1 b25aa476fe580ef0f40c9425c2479bdad2cdbac3
SHA256 7e4ba89be431a17f2902f91fed24361e970d976cc6057899c765d2b5ebf98313
SHA512 12d4f1cf56ad82ab486d13c428764a46b579e480bf9f1bd942f9fcecf3fe926dc43dd6bd81ed43ac2857c2ffa3500f2d6c9484ab23e365866ad3efd4e81c41e1

C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui

MD5 cbc0616c5140992e76b5d33db17e0235
SHA1 fa030f0c1455b6e0f08c0474a630eb0a8813e7b9
SHA256 97bfedaf5f1c30f870b22b84ce7c7dd713d0d8cff1550f43532c9f256ceeec79
SHA512 5e8c37ea988ac001770db02f90fe3eeae43a4d642b1458dd73178a1c2282275c73f7df08f535076d4d1d6346ecc98a56cf9aed92864d45df8e22125ce80a719c

C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui

MD5 38f7e4dee970188892be7ebe01f5dcb9
SHA1 a50cb5abc57c8054a03cb8e893ff9d4fb81df02e
SHA256 b13338c2411c7f0be21ad90bcb7bd6312471dc6284fa014d12bf9ab30135d5f2
SHA512 3e1f8a2ef5d08b6ef89c60e00311430e6a5429baaa6cea0db660767d2cf9a69eefd37ecf7e697721df0d085f93731d8c6e5899a30c60c55e702ddb7bfd24c2eb

C:\Program Files (x86)\Windows Media Player\es-ES\mpvis.dll.mui

MD5 a7f0079901c042b2ca28b2dbb34ad737
SHA1 5559bff4a40a3cbfdc5b5572ebdfc496d6e3cecd
SHA256 893cac7b4d187c0ee31761c3312de63965ee3260a0422f65b03bc9687c811272
SHA512 9ab417512bf4c5afaad4155b5d1123ab54bb57b2f65d81842ea40dbdc7abb41d5baf4afef21943ebd5a76c22ccc25078a0478d7424a540c310c518de9540f3a5

C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui

MD5 8cc280d209d3f32f75a672e6e89f4aa9
SHA1 ee003f9627c398d07f968162bb1cf8d58cdc2e6f
SHA256 b7da17356af4e15f3f024c2cf1099470a9a76d1d8df33bc4ba4d03a3b35482d3
SHA512 33163a677178961c3ad6b74fac6532d3a16659edbffae182966ad163ae1660de1a906c04346312a2c68cd624664154bc69f0ebceb53114139d8f0e6b2ec1b404

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssui.dll.mui

MD5 b38df0a55c97aaf9173df5cb7ea73c2b
SHA1 25b6c861dc21d690c182e2575d510440c627d637
SHA256 d00896bba6fc33a9d803fc3873e7d654e03c7fe177e4fc21272b3e1c6401b8cf
SHA512 5a9240eece47903a9462d4d3a228279ac4038bcabbf115c561bf0eede862eab45e1c3668bd5041b5d05c1589a4b54fa1f4ce7217cb4f23391ce919daa81e8b48

C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui

MD5 a898e975f327df2ee08d3d84ddd39f42
SHA1 f5037dc233b48174ee16e9ecd5f639df8de82eca
SHA256 e560b957c69359423bd2e34f80416afae679ef02d0c8b33d1384c7b41f65a048
SHA512 dd3ad0dd6cb2a68c7db31e01efcd7dae114530ac7e09398166e4c18f167cc5a98f9ca0f49871bace0c2f7773b9c7cfd401c0d1963737838f6035c7ef21045b6b

C:\Program Files (x86)\Windows Media Player\en-US\WMPMediaSharing.dll.mui

MD5 a7b7c964f565d9188164ccccc7832c3b
SHA1 a0db3553982df3c4ef3369a0b04db83103638282
SHA256 41bf3afc8aa1f6ebc61247b533f590b84796883c853fa1be78ddaa3ab9213449
SHA512 c4d9a97f0b712b50adc62e1e4fa5765830d69bab86a6e3def2583ab99cfdca1038d43f8046e99ce8df2f69d389651b21e171364173c4b7e8bcf66151de31a69b

C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui

MD5 3877ac5da2873fd14da557594013a253
SHA1 0a7634faaa949377c05caf5a614f5243b59d4190
SHA256 2517da68c5cc5213f22bf1d3f4ac805026b628d6c71b01b359008af8c289d258
SHA512 a28ad0a1190945ced847e03bdbcfcaecdc173bc609817ee205225424404b6525c32364e09af149e820fc4c40e8a0f7f794056590fa0fe5303cc2eccd6e5e948d

C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui

MD5 0dd7b8951bff9a70b3e5b8e60a69b413
SHA1 0f0b76c941eb49852d56bda9fda8f53611fc3bd4
SHA256 4c2c3aabeb65b3e1bfc284088b597d8e177ee59e52d44d030d795ca43362b6da
SHA512 1218d499c5a1b78af656d1707a44055e79a695a7a357440232b0ddd0070043348258fdc8f3fd27eacdf2cc2f7bd18e85112e30059e6654d2231a33af7b111bea

C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui

MD5 c80cf698b391c8cd71f87f0b1ff6eb96
SHA1 bd508e8a4bcdd7e6c259beaabbfa12571b83e306
SHA256 cd9c497c7c06700ab009e59bfc2526ab0197c2b496446e5d0b3e584b757c267f
SHA512 f6b21cf1669405029fb073146ec09af2b2062baa07925c2383aa2147839769de1b2c6675f79ed6e09bc2261ca0c9c6df25702f71954b75f544b2f9dca6d235c9

C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui

MD5 3c901036f8df82c7f19ea08256e48a57
SHA1 b6f66395611d5751044f3e4b069d3dae2cc4a676
SHA256 ca0dee9f16a3f29c3b633ee78c895c854077d10b26444a38ce2dd37458091a02
SHA512 1dd30553cc222bfb26378419302217207ae495165441bbc88a3ffb015a08ea1038da9478e06d42a66c10db38626f2f2ccdcc913d365f4ed4257a9e609a53bd22

C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui

MD5 ab2a354850fb6de088e268a81e7475a8
SHA1 2f43189eb9d3bc95f12958b66faac46be8baaf68
SHA256 fc72e28105e8c6207dafadc361ca9024bfb4daf9514d4e5994bb5445fa9e935e
SHA512 772f4b6b4b3452484033b540c513e60a945525e97e6b4a0be166a6dee56f85a50880a2ac56148bd87f5be0f872859098b83212c98075a1035053661cc8ac7d08

C:\Program Files (x86)\Windows Media Player\de-DE\wmpnssci.dll.mui

MD5 f8558c67b3a6a7e4ff61e5394e4dd9f7
SHA1 71f6f3494624aee1b2aef98444412d23d177a9bd
SHA256 00c3f93ca38afba26d38187717a7b63a7993ae19cfaa5783bbbdb2a7bcfd79eb
SHA512 2fa5a2c0c2ce8d1cda0499c7bf2335d6f97505046e3a64b4acb0efb918ab8451e587620be8278cb9c645f3e8e87077b7853f5fe57e39ae8fb96e2748fc1c2c6a

C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui

MD5 31b56d9f517ec7ccc122cf7e1debe59e
SHA1 5d6217bbe7463363a2851d1ada5945899d82b60a
SHA256 0ff172faa2512838846dd42d834552ad82a75ed3cb70ea954a36c5d923eaf3b1
SHA512 a970e54b45d51acf2780ca52f83327b186f42fa4530b53fa2a6c907b0b32c5f61c8db7a76564634c33a481e237771f49d564c5233a4517b92109e230dd950cf8

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssui.dll.mui

MD5 f91712ff635f406308817f8c7da7f7ca
SHA1 6105423137757493197a1ce65c40c17e71eaa9d7
SHA256 22f6c7b2ab1837de2b4ce14fff1a0d44969069920c70d6332f5d20a9a9ba4b2e
SHA512 eb3dd93c9285e868b16b241adaadda2e2d62aa671512c24d9b1233cf8371ea2745fe04c2785170b5f928a129bec8611e83ac315c39a653cfeef15834b21d388a

C:\Program Files (x86)\Windows Media Player\es-ES\wmpnssci.dll.mui

MD5 f96fe6859e1341b8bdb1beec20ac39a2
SHA1 feb7810ef3023b5eab5d0ea42c2f1894b681f330
SHA256 83ddb9abb70948026dcfab5c830544f742cbbd9a6841b7a4bc7724912647f86b
SHA512 635c6cff63c13ed227de75deb94e068f8d0d4551046baa6204ca92c9a4927280566ee6382adb0ce7a204efefcaf8232444aa70d0720b8b143cdaf907d26de40c

C:\Program Files (x86)\Windows Media Player\es-ES\WMPMediaSharing.dll.mui

MD5 ca90ead13890a63a7f77d60632e56dee
SHA1 645d8ba80cc90832dc31a2df7ca5d5c421dfb58c
SHA256 caa735f1479c4cdd070f35fb4b623a967faca20f63504a41b0907eb16bf98100
SHA512 22b4207ee4d84a5983c1a91af6e6abe57bd29197667f6c37b510021574cd61ae3a117c1f6051fe852461e7fcc792b8f0e571f71993b2e170e0784a744f982200

C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui

MD5 f225b363d4bbbe288b833c3e487b9d3c
SHA1 2241265cd353bffa67d4ffdf5cd87e63caec0947
SHA256 24ae282640821ef184a3fe9d3fa15ceaa3e60f9fc2c704765c1c10de63fad0d5
SHA512 05d64e5c4bebb745e2a567b5d4c7ece2c4a39e1fe6ac2a27c44d851def24f642416741d3042ceb0320f577d0cee4b5df991073ec58808776f69f75769cac0839

C:\Program Files (x86)\Windows Media Player\es-ES\wmlaunch.exe.mui

MD5 1407ac4dd984e5dab33800d6fb1fd718
SHA1 8dd26a6dee25b0954b1278ea148c113d64c7c3a3
SHA256 5834d1027892e3ef1ab5de7e79d886de9e0e2f1a422d9ab136e62906cf6a1037
SHA512 0ab421e7b4b912a1521e71ab05b728908365b0d32a17ce9b6503d214d07e10c9f3cc1894dfe8a2e2164d83b92c4120c7a88a8856efbb59291cfa1683dba22f67

C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui

MD5 1e648c81851ffdb4007371f366d0787c
SHA1 3cf8a835574a4350d2d9c82305a15611a5b61345
SHA256 cddd9e0bd88e44c66086bc7e95061170a39507f5ce2d220106d0766955025e84
SHA512 39ff12ba546a77ab4e49046fc12691dca59395943df2e0ff9b8ffa7ecdae3d508c0c75c4b33184e3a28bfaaaba87035c80fedcd2c7f3e9e5afc7d7f196d3e686

C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui

MD5 3aa9137845f79412a59cc5999391c678
SHA1 cb50399f218014da84976ac709b0435ff60b9141
SHA256 214835c916381d4b4ed35466f612fc5673f88a1331db19d77b2f15e64aa84980
SHA512 1c7548ce93106e304be21090ab3e6b91a0dbd4d4eaf18f9764f0e4a0a2298768e63a1fd4fd9f169c67d38dd0fce7ab60723e0b9c6074838dc1237017bae08eba

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssui.dll.mui

MD5 d8570e6de7367a361bd588ffc572608c
SHA1 c2b29c3a3de34180f8a873c9c0fb60b999dffc23
SHA256 057b486f6b39e3039343d830e1401d6888efe765326f37b01e217a81003b0d92
SHA512 c392b64d5a139b82e5e75be2c3181021a42007537557f613e2633f910b3bcf7513836ff03e390cb061897c4cdbed119147ed2fa5c1f3d70d14f0c53b922c0f29

C:\Program Files (x86)\Windows Media Player\fr-FR\wmpnssci.dll.mui

MD5 f58e70659c4b1d433534b104dc7e6a01
SHA1 7ba7198265bede303a527def0a80c7366d18a8ab
SHA256 6cc0385c48588ba778e6c509ddac725e97189d3e7bd904901b8db6cb1927f83e
SHA512 25e79ed29eb0346b34c17275ac784aeb3b29019a2f3417bc51f231eef15f171a11ebfe9312e24018af51b63304bd8017f5c0f088ed477210886663777ec323e2

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssui.dll.mui

MD5 60729d55584733985722c3c5f937d25e
SHA1 10a38bc824cf02f55d65e540a96a35c04fb04223
SHA256 a122110335f9d231f7512f71bc9db6ac52d4afea56403037d2f1cdfe18180ab8
SHA512 e1c003e483b322cabfcf828b78adfbd73b6db76e7c1227dba4eb224fe531db35e6ab5459ee8c8ba42215d8da53504738e714cd270cfadd1b6e40053cc013458b

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssui.dll.mui

MD5 d27906154199b50c07297b1360b043ca
SHA1 3b6db08997bd4500c01a53a0627d5da607defe3a
SHA256 7338ac86fe8771a87086a1361f2181fb5f6d2b74fd95c143ff441439d7dc0e23
SHA512 215d8c237ec256a5be723dfa7a80a0ab9b87eeeaaa37f60f9a030dd105941e07717fd1f4aa098323ffb7c93e98b4c30644528915e81f198e06d7df177286cb56

C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui

MD5 67fb46f30b5d987c736d80d2ad2b648e
SHA1 6bf20de127405c59e40c939cdb61119b8f4537d0
SHA256 a3753a0e8d013720a774d7fa40bb92358c06379ec646a541ea1ede0a632cabfa
SHA512 1f0326557dd2d90b01e07ce91d445b4fb694d9aeecfc93b5e46f5084412f3874c22b5cb238205dbad175ebcad5c623b321bd972e68d3c70d665c7f44d9c8d666

C:\Program Files (x86)\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui

MD5 54c18f2d5a4fc53a4e798526c45ac73a
SHA1 93da647dd4996bee6fb9ce05a168e64b64b3ca00
SHA256 d5982a68424cb1be43d71d294da9ee704dfa2b534785f08b51beb638877c6d71
SHA512 c9d09a0dfe8d21f12184162d93a8ab13075f11759e1c69ac7e336e487f1b4c8f72fdfbdc4af9c82f7204f1cb97562feae1da40ac0847f6aded34a67d5b2fbf3a

C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui

MD5 bd724228c47fcea80f3cbb55c3cab2bb
SHA1 a141b520e7418fae303db70d83b903c030e72cec
SHA256 e6e28eacd78d532f78745396450ab429cc74252ee561157ef1d3a3afaea05288
SHA512 6521cc46cc028306a3a7c6f3b39ac93dbaa0ccda1dafddd7babeaf9ef38caeed0798d5764a0ed08e49b9f4d18dc242c60c25fe25fde63d87ef449d46e678a67c

C:\Program Files (x86)\Windows Media Player\ja-JP\wmlaunch.exe.mui

MD5 2a29f24f35e45d3aa4ddcaf265f740c7
SHA1 6c8e3e8869df77d829774b625e2b2b7a578ed19d
SHA256 61a09ea342ea614babaa4365a610dc1e295420e2875e58f4629d4b81fe2e2f64
SHA512 d006df6bee60ccd99ac963e1b244294e40e26938ac2c71d86268c89be2d8e96ac3c6f77654e073ab8dae0d8e956cfba9bfc903bc7b65b3d3883dd69cf4b36268

C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui

MD5 b234da83b6a53fbd6cdc76b2c89a5d59
SHA1 9d456afddd285b827d1ba31164b16cdfc9fd41c8
SHA256 93f49faef92192c0cf5dd18446aef6ca77edc0319a583524ff8f504de2344c1b
SHA512 1c0f98a712b2cd0f9e3c941aa42ebec06f7039832ee433cd68ce85844022707e7bb46f8e5df21d0236ad7593bc10400eace72629cb4c6c1f502b4619bc0d22e0

C:\Program Files (x86)\Windows Media Player\ja-JP\mpvis.dll.mui

MD5 2063f2d7d6ffd9a9771f37a82f332163
SHA1 a87ebc477edeeae9b3207ba8d3932858421586b1
SHA256 3f79ab58368e5864b20d846cdf56c0536950e6665176207a0843c721e41647f7
SHA512 aebb310bd659c60da6bffe89225204f00fd1aac869df4a06fee53efc65a0a1142833ee5f57cf1804886a04d993cfc1de0525d878fa7b35e9d8867ea071634893

C:\Program Files (x86)\Windows Media Player\it-IT\wmpnssci.dll.mui

MD5 fc064eeaf9903f2102237b07497b0902
SHA1 a739338532500f952a38f928664a9476cd37e3cf
SHA256 1868aed19fc0566cca1f119be466ba3602c1da006a8e168ee4306f2342a72009
SHA512 13198e1c72f7a6caff4667794d0a98162d0485415effe0d0f9013d677c59973143e3f8844b32564fd21ce80bd66421e531dde8b3f1d6197ec81fb0b090d32449

C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui

MD5 e20c528748678a76a19c7a7dcfa90346
SHA1 a03128fbb5a109bde3f48937c943223d4ac983e1
SHA256 7020244f91d69d07aa9a53ca4a94076d27698f0f7cb7279e1b1cb5ca35e1039c
SHA512 6b8be95c021eadf4ea887732cfebda0f2bccdb365986a56ad2327f3a29f6623bdf6cfd7b0de15a531d4320390ee205f099a2b46bb9b47357692715b8caf2c6f8

C:\Program Files (x86)\Windows Media Player\it-IT\wmplayer.exe.mui

MD5 37e43bde3c2cd528e6250a74f582085f
SHA1 437dd2815e4d841955a5c0583bd3c79e976c8916
SHA256 cd83c93ff24a15eb6913a868cfa24c0c698474fdd0a024ebe65a966534954526
SHA512 97e4dd2a6eab45a0b2fb139bbd8cd3c6c3dd99f2a3b67ec376939408e438b8a6ad257470ee732640072767aadf4bc0ba68f8a3085749bb0e02d33b30453de3fa

C:\Program Files (x86)\Windows Media Player\it-IT\wmlaunch.exe.mui

MD5 596bfdef25c1bc133a3e74ec40681ad8
SHA1 c4603eee7892cbbeceaa65a971a44b0789fac1ac
SHA256 1035561e51c9f2d7f166c8e3e0e232d190a702fb07f1b0a86f39310042ff0176
SHA512 79322021849584d6c2e42ded6af3055ea32b56ae141115e3ad57db8723a12a1b70ce6741b0f11171137b4b0f0bb441ca65210708f1d77c585f92b14597880a4f

C:\Program Files (x86)\Windows Media Player\it-IT\setup_wm.exe.mui

MD5 816c49a00534f2dfbe2fb867f14c3db0
SHA1 489251e017edb64cff8f6cfa6d35bdba07d6f7c6
SHA256 2e1c9af24c096b404668e7ef8a63d791ea0081a721dccce6ff1a480518bd5bb6
SHA512 6e592a0ce1322b086356529796e1882d949c0e06d370b42713b68ef4ae924cbf1cd975613692797cc99371d740834971d3960072aa1df80b1cbf848ca0c46d89

C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui

MD5 2b5c24c558605886be0318ff808ed548
SHA1 98e961e47c48d2e2ebe5efd35192e2997c15b1d7
SHA256 3168c065c57cdd11dbb2d812eb5356028fb7000490f2964136fcfce6c67c3278
SHA512 d341822657e1b23100f9a2ca3bd4449dbfbc80e8e7bccd8a04c5475dc0c4164fae1fa8b0d0d9e667bf935a472f4b71582bb5a203638f234a2bce83a0a04bc95e

C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui

MD5 e35e6d526578368af64fb30970f98bcd
SHA1 3e35ab40b742783e448b1a2385a98c09750f3d33
SHA256 b5d9145f282b51e0ef93a89c979bd8f7a8d15fa159d8b3dea5f6a36108d2809d
SHA512 ca0ee35951dc0b6eb8570fe2e6c8b97d4da849823ea0093e6cc3b1080cba22d236724fa9d7a1cf10b8bf01a8b5ecd9f360f1c9b0a177916f84fd1f0a04e3e128

C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui

MD5 53c23988e9a7083be0c92c56d57902e7
SHA1 8f4c1cc16ec45a749fe77fa7278b4a1a9d4e8ec4
SHA256 b8c74c31d2c72156f0dd58bc15c72475854d359b468530763d97082f6125b2fa
SHA512 aa001a397640a337e54da3ba2d4f6117e29706bc58db7a4c27fceaabea6e2e6b59e508b570197548f04154c9da2c8fe44f9666fe737b7939745d1a917602a682

C:\Program Files (x86)\Windows Media Player\fr-FR\wmlaunch.exe.mui

MD5 3c2313182bff2ce70043cbe0c991a26f
SHA1 46f4f50dc90850dc036a3600afe5ae80d2b71e96
SHA256 2086bda12660a49f027d29e09f971e1dd236f54cbb06b3e852d86f91ad92a9e4
SHA512 9f7448728b467376401fa9195213bb20745b8087f747d6a241f7842b5f5f5c4df6b523fdc482d1aff9c900902d99e639d58737305f5645a6f4667a238adab4b3

C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui

MD5 d94c4b0c0ad39bc61bc5d68ff179f948
SHA1 2d7daef844d305548064a495fc0675b893eaee9e
SHA256 04764e37ef06bfc124f50868e532c2b63a7914df88dbfc556f371d30018c9cb4
SHA512 cf57cad755c5163603a6e64da30f695ec18710b68683b54327e900d95a659529e5424d3bc89e7dfecad63e55ef7bdd255ae25fceddd502e7752478c5eea782dd

C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui

MD5 48d7f32731391e0a77442ed2ccccdf44
SHA1 f36a2d2fa98ae85e083a4698907347b9f6bbcc6f
SHA256 ac2866000a859393b9b9e18c1a18583bc80c46ea2e72f7bd22674e926573e78d
SHA512 04f510c4dfd8f8bbac8b9408d681e9a23bdd739ccde8ac6ab6ab612bf9e74eadfe778a1ed7f66571679cbb76afd2ada174244bb7691e7cebf9917104cb21a9d5

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssui.dll.mui

MD5 696a0a129f8c4b1bedaed5ffb203b668
SHA1 c5e5752aeda495ab4fab601d53d1069933228224
SHA256 5303cf013ee95c345724d2393f2fbf7c20ea273021dd6276c98b2392affbc4d9
SHA512 4332f846e3558e2e87a2e021427b08f743f9a7dac2bd05f717bcc6c89ff4ceef2d4fd1f8de47ea2f2d3e8bbcfb6264935278b15b82abf1909336c1e0d156ea8e

C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui

MD5 236e285ba4494a0856e86348f3dc67e8
SHA1 ae65382a6ea32e7242a2a3b62f89629aaea1b786
SHA256 1b03e7eb925610d3b4ea7092781bf65d804a3c51c632fc2ef1c389c22d3cd19b
SHA512 2fce8e74ca367a9918c09cd285be1a35d622343155a958baeceaa39fe952929e6778896928545ba4caf42a7871fad1dd85bbbf5353aa2a17930fd950420d7102

C:\Program Files (x86)\Windows Media Player\uk-UA\wmplayer.exe.mui

MD5 65541ab6901dc92642006cb970ac28e2
SHA1 0d995e74ec0ea8288b202dc7c4779a87c4e550ad
SHA256 051f8e6936c21309d4a43701547cf4744f4db4d318303bf8cb3e8d3dbe49e259
SHA512 61dfe54debae38ba4d9b3c28792a37d0498998878e3786b454568f39786ef7ad8ed75cd32b91b942a2d5a80809e8f549ea118db69476ea3542380b696ea1c26b

C:\Program Files (x86)\Windows Media Player\uk-UA\wmlaunch.exe.mui

MD5 727fde31542c1580df51ed5c9319ec4d
SHA1 d6b231b284a5ce62d465a9afd5aabd42abd9ba0d
SHA256 96eea61eadbd0bbac68a5915be1bd627bdc8968b0356c88d4d6538e901ea3738
SHA512 365350dda617adf3b9454c2b6c532e56cf87b8ac6f37057221121dd885b9c68a7a9a634a06446c3627a59412ba6d4505147660c04d4db3605d7e4ad6928c17cd

C:\Program Files (x86)\Windows Media Player\uk-UA\setup_wm.exe.mui

MD5 14cd2edb21cb3709c588e40e716a6653
SHA1 ce25a4a3f4ec4573039f0b6ee39b7d58c5d8115a
SHA256 974ce6c24259f28d442dc3880dd289fe733624985b7c707bb30952104d357187
SHA512 1b43aa35f48d3c8ea71a46e973fc123590dc077dc0c737dd59bc4c2a9982b1892642d97c5803aae4d6346254dbea8bb84689edb8e3db9dcc072151dd1e074397

C:\Program Files (x86)\Windows Media Player\uk-UA\mpvis.dll.mui

MD5 4f0aaf73fc5301219b727418e7526455
SHA1 47ab3a05e7291f4769bf690226b0ea54bb6f9c21
SHA256 8c8e514d21742eca1a23430e418b59a41ae1ec021d600eaa08e76b9dcf2c878a
SHA512 621f220f6d0b89908264e2b50793af28f9d1b393602cf49bea82fe378c14a2e9738e2bbbc46202ae9171a7b7e796999df14c0dc53574a938d5103c4549f32011

C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui

MD5 f2f05c1c0d84bb1cc1e7b40ff27b6d46
SHA1 e31b535e187cb58efc984f211e2a7c8421208682
SHA256 e86658a783617fa9bfb3172ed51772178f4b29a9b8d9a714a3bbc286b4d4048b
SHA512 f2f5a3e4037cd2c5b6ab2ff5f80d10e311326dba592b07b0487aed26810f53ecc687dfc1d377bd9f25389d3f72921303227661c12a776ef48660b34b0d1c3731

C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoViewer.dll.mui

MD5 e7dcbea5ae844769d7efde891b490250
SHA1 84e88b33df566918e7512026269249cfdc78a8f7
SHA256 f3696ae88131ef2616548a0a7f002260adf4598baaf4008049e89f2f8a11126a
SHA512 9f1cb40f1dc2b6c715d6f57dcb2c6dbc9506cbc69e34e513221fd3e5adc832daaf2bbddce13d31182b69f49cd35438b797bf83c405ccd1608f6dd48232cb45e1

C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui

MD5 c8a6a161c993cd46d8bde1fd62370cbe
SHA1 ceb59f11c94e42b8f97e61d09956e49f01f60430
SHA256 a08c90126a0cc6d01b6c76bd21423b6a2dd88f22b9f7c3f964b6ac35f14ec2eb
SHA512 a775bce1167463e82451cfc8177442fd5cb4145de68c5f7cdd9e6fa139c8c6f787400c5b21afa1b2eb9fb14f90a8732f9fc1931559334bbb7053e6a9ad93ce9a

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui

MD5 8b6ff4a6d6f227969c1bc7e6b8bab5b6
SHA1 957499042fd4d7874ef309319ec8f8fa85df7a99
SHA256 b4542adecc2eda459f4c1353dfdc54867e699bbc3392db2a60b2d7f887491ea8
SHA512 aab0e633feff0c45574fe2d8c61b7cffc5ed2c873b9a89360911af1a73de251bad4c14298b37e84b606574af72f9b3f12ba2cae81db578432599e0e2d68b17ac

C:\Program Files (x86)\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui

MD5 e3c7d92920f5c7f37b444f0719abcf23
SHA1 b850b9c76d9a68739f559bee2d0e48eb0a88e0af
SHA256 ac450fb0415e2b7c68a00e8c37687fbb05b330d5fa9a8781651a1d8c4f13852e
SHA512 9453f748749b9da36e535e8ffee95f742f8da540bbd59dfa0ccb6a2c92707548cc97f811321b6acbe09b1af0133c2e85bbf910e76f9312220dcb759de93e5377

C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui

MD5 0cc7f505fe8d3cf3029d934c411e6619
SHA1 61704d9106dc9ded59def38f4e5d87e98fd0089d
SHA256 721de4a4f718db39f8ea56a9e79408f23f891ae1401a8ced78782fa3cc31c92b
SHA512 91ecb0c1688474509f48b041be7ceff7c0343d60c793f7f073203a93a3b6d81ed201b02af287240cea395c9b68e8e124edf1c55727bf6fbcb11cf5d0319013ad

C:\Program Files (x86)\Windows Photo Viewer\uk-UA\PhotoViewer.dll.mui

MD5 cb5432bb6fa74be5afe592acf48a19f6
SHA1 97d1c80764ba4dbcb4fbe7f21a8993b6efbfde7c
SHA256 bcbc3006a0a804cb237e755ce7d000c323f8d71945c0722833aa2fa884069fcd
SHA512 d1ca1baa8e21ee5b02109870fd4fb9cac3ae6d91d29adc7a5174b08e20fbec3c59f83f8219d4b3a4b350530e802b365e92a4638f3f05ef8e445f3a0806c72148

C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui

MD5 b268d70f2d236d442e405e86b2a08af9
SHA1 5e3c585ccb08551375fc7ea37ba91209378c356a
SHA256 bd80376b985f0596abd264526c5eb8cf4f25fcd92250f8344afe8c5e70fd0b9f
SHA512 6bb10fded974e46c56e0fd1aa058363f0fc3fa0fd6a8ab4a43f0519c671bdb35cad938de842f0edf88630a4f22631918f1e1b661ed4ce504aa55e6f6b867f643

C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui

MD5 d28b72cc5f098b0cbb697f112b1cef08
SHA1 572e6df98fa509e0677550a25894ea10c82ecc10
SHA256 7e8979f461950346f76e7ce04671938d286039aecf46ed75337ae2155e98fd3b
SHA512 54936613ecbebcfc5dead3d702efc597ee45a1022a1af8d669626f5236e4098a61410798a51b77368704f635fc81704c242c4046aa1fa265f86eb4e13fa55aa6

C:\Program Files (x86)\Common Files\System\es-ES\wab32res.dll.mui

MD5 0c3483901383b302475abee51ca6fc75
SHA1 1a794cded77c36ab0014fdaed83a48903d219750
SHA256 d150395ca2f0b90d12554d52fdb59334a6ff72a76c39838d4424a2add36cb390
SHA512 bcbd6d2fe52d6986e3680158489b467a0f197a70d20bbadd322361f6fafa9d9c68f8c8f2eea13a64bfe37f31c1bf9d2e550a25bc808cc41f6f239d352739a3af

C:\Program Files (x86)\Common Files\System\fr-FR\wab32res.dll.mui

MD5 75bfb8f980a90f1d8ec0707033961743
SHA1 2cfa8920ac28e47550e7b727d29978ced6474211
SHA256 9822779c439ce9cdb769e69066407502d3b12ddc9cb6ba9ad78b15d7c9239c06
SHA512 ccd3b6a7b67b32302a1d034f6764e0c8bbdf6bd446e62daabd7c0e662829f46e868ea8c0075c19b5d783f3c84236a4322c704b5f9960b7fde581a388bb7bcc90

C:\Program Files (x86)\Common Files\System\it-IT\wab32res.dll.mui

MD5 97d03296a6501368a7e3fc5b0184b3b7
SHA1 bc9f38ab8a2f05ca6700925de3408daaeb1ca693
SHA256 d442b099ad9827a8f3c67aaa06b513b94246f6f7eab64461f902f222dcd92b3e
SHA512 7907256f4b49fa89bde4fa56e587fefce0ab53d6e49b88b8ae171416dc4b875cfa3b9c5ccd8767d37778ccb6245f675f35f2c665037a1865df5b4abd2f8bf0d7

C:\Program Files (x86)\Common Files\System\ja-JP\wab32res.dll.mui

MD5 756cdc055d88c59db07513cd2c999e97
SHA1 3d07392df6f6bd8d063f1e325a4474795af5a35d
SHA256 5b9e92a59d496bd64b317e38391c9896fb1f1e617cdbc56ea6046229f8f16ac8
SHA512 f32afeccaaf6e57974eeb8a28c308c9c9265e1b868eff02a71d5e95b01f59e68b04d14df10a399fc337ca0c3bda0bb2fea64c16585179894a0a6f0ba695f9cca

C:\Program Files (x86)\Common Files\System\uk-UA\wab32res.dll.mui

MD5 4307562ca9582f6e25cb0f09ff22f3e0
SHA1 f0d1212dac715a166c0e657ea6ee0cec13ecf82d
SHA256 0bd249c75a6c832f6cba3147d16c9169bed11b1a23ef96429be48cc51f2ccda7
SHA512 4d625dbe3ba036412f20e1a8790afd4c6bb20715ca641411e66a069daf1748b975eacab812ed5e65351aaea4e85774cee77d4c5ff6e0463e80aeea8b1441b468

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui

MD5 b896867c4bdc44cce6e5654390c71e45
SHA1 1e62869d1c68e2625d7906c25ad6ad33a9cafa58
SHA256 dba3537ff7cabd3d6d8c5627d3f3bbc389dbc3c40efd5d408e3e25e20493a934
SHA512 477b79ff1364ee71629b8b9fed300c483f6d66ca92a4299d39ac9db2a37a3f6f858d2461ba960d3d651774397764d94a81f31a637699071483d717a7d9e83a3c

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui

MD5 e957ceee9e007fc6fdd3c6bb5bcda0dc
SHA1 4f83a8f8a9e80a7747f7f0a3780289a418558f9a
SHA256 4cdf776ed1baac8bd266958494616a965530ccd9ee5876e5e37e8d65267f9a0a
SHA512 9ece90728ccedd7e6e7c035327227254d433a072c8a122c0cc268fb078e21217dac20caa746ce67d63046b837f6c7a4a5f81603ac61902b4907764c65cb64b9b

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui

MD5 a9098ac7923b592d7c800028a4ec2133
SHA1 d33d54ba494427e692d3397be5c7ad91327bb780
SHA256 2dbb57e32050f2b0856e45d3a877c0f0c6395af83bbac78bafdb8eb85b556364
SHA512 eeb4717a699abace3ea16f419c6cbf02d0e260f8bc145e0e05b71d6775c0d5696844adf9e1aa834f508a2b13b6434be919365bce655991737b514473d39754ad

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui

MD5 1113e1df7b5d7d82b88956e1e4cd7502
SHA1 b2e2095b9317e42e26437a091c97bf014b5b75c5
SHA256 7df36437cb65905bd37e578de2bc8a56947b62923463252d61c81a81558946e0
SHA512 be0ddabc5bbbd31a22b5852940bc8cc959373c5f5361e21a102740bc4a0909f5ff01dbaa12a0db760a5546d99161b9cb056c0f2b98d8c276bd6b3d9428d33a4e

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui

MD5 e71b7c47c5142cc9504070c66483a666
SHA1 5ad3ba4bf877d55df7e55962b921bafb1c08b01f
SHA256 f9179daf95efa32dad59e4a46483865c38e28599bb4df48b40ada93347e2797e
SHA512 cf07d69da75b103f852b2332b36d9244b27ca54651bd8421ecd755474c20b8ae0960b9a08d79e46426ac2ce00a1a3147a0022cc3f80233a5effc1cd4e55f6db7

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui

MD5 52bbfa4b43683c2d19f57a2ecf34ee3d
SHA1 f9a91495f9420c15c5294891a8397a283f1fb44f
SHA256 02c3292f25001e520b649097f87f282dba8b5c32bee2639a97f9afe89ee7f4df
SHA512 96e560e101c046977472df097446ada04a2b53035efb90379e036bf7956d3065c0ea7c346b59ff1677dbdb37ee1f51c5188112402c5d78bc896f0663f89dc44a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui

MD5 64a1dce13877d67947a9a9fa37558a63
SHA1 434f4b5fdfdd2d2b952478d286e32bed72ac8b7a
SHA256 5e31aa9da0862f29387f14e458e844b86e21ae92261fab3706ac4cffb06b5f73
SHA512 95cdfd2de3f94616e4fde397964f768c9ecdaf07c819747effe570bda2c60344b34f2863ac9a6b868555000a8304d896a2b556734eedd6295d5968c75867329a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui

MD5 541aa400745ff0fe87443fb09986c881
SHA1 be9ebd16a87d5853c3700f989d4150bd444ba567
SHA256 678b5f07782447d972f7b257f262bb70efa4a3b1149984637f26e2d5bcc8e1a4
SHA512 9f1171051776e429f8f2cdee8b848fa31107310e58cc51d276d27e178c82ae5dd01e1f81fd7e92c49def82cfb381ac72a674e2152dde71e4b82eea7f7b9ee122

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui

MD5 62e627f88008b91fc86ff59981b771df
SHA1 d13f4170ebb8211b13419c00c823550a2d7a5dee
SHA256 7927efc49bb16567395715356feaa18d1b56c958b52fe149dd51b0803abd41c4
SHA512 2b5081bffe5fe9d2ac86fe4670946c99afecf87263d932aba75874e3943de22f918e0948fd2399fc673e64f0d383fff6c6301d5f841a5fe6022e1d1721459c5c

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui

MD5 d36a2fbac3ac6039687170b1ba72c077
SHA1 d855b9c0d0a9490f2657d1cdfe0abaea18c42867
SHA256 578003ca4b5aff7194f03981d591b5c8b113d100ba956b184ad778aca588b588
SHA512 34283c81a83423bbb1eb3001f0da4be2f07c8ea57290fedd0c03bafb1a64aceb0294cb4b11eaf3a0b017f2f57878d3f31c10844e0566c9224c47ba729073757a

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui

MD5 d596dd9fe071fb8bcda58ee082c0a52d
SHA1 c512782497284c665dcb57784fc8c84ac4b73540
SHA256 9a586fddc06cfe200144c62afb3418b8f5f3d8769bd7807ff0b313c272b051b4
SHA512 494967ea5ecef1e98bb1ae1bc483459fc357384ab7f7fc094b0153901909bfd416724e009eab791fd541f7402ac78568225e4a9090d7c5677769359a2fcc3152

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui

MD5 f2e7f1bf1f5b342d4cc159a4e339be9e
SHA1 cdc65144b369f5a0636dfff32a560fa478f704f5
SHA256 82cc823906edd6ea4540e8f820a10f28bee033d7e3bd751799d1f0f4eae235a7
SHA512 ddcc49ef5eb334b710e0566275ed70475b42f4ce82033518efe839027e4891f92e8602cfb63cd685013f2f46742b5bcaec8844397be37d5d2793a9c4b6690437

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui

MD5 4a33d5c8e5f5ebe017aa55d5f44d230b
SHA1 60dd29969145b197837147f3ee128c1eea263e28
SHA256 04cfd13265a998528a77fc40f6ef837c74e9d2eb86c234a0e9f482fc6ab2623f
SHA512 bf38fadb4a469aeec1b8f4fe8afeef039ededb5beb3296effea2627699626f38c7c89459a1f40dae6ad47a710941f266eed9dde9cea494c5ace7878867ee74ff

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui

MD5 d280a228ad6eeea9f32c8fbd6c4dccef
SHA1 01ffce78f98aaed13ec0fe879967e4114cc9b281
SHA256 c4f5648b39e5f1aba00e7e640efc68935de54952b3807d3f06b129ad286efc2d
SHA512 118bcadd7c5e65182bd11e6ad726408a86dd4074e7d136638ebb63f5cf3e11c2b115d2c33f58566c66f564441303701ea28e19a99ca2eeac814edc9fc375c3c4

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui

MD5 1845186f296b5dd240ba2fe1c38a4933
SHA1 3ec2cdc00910edb0da502566070bc955eaf00813
SHA256 05c45c6a86d309e67b3dbd8486e06cd1fe2025ff9882230c564043e20105a005
SHA512 81e406835610cdfb08ceea1998e42c399f1e2a8962afa5bd45b04d6c2ffe40f0a29791d6faab32e1963c7ed57d3194362df6349cb772d0019d206362d732dba9

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui

MD5 ca387dc9bcce8e3d572a75de398d7094
SHA1 3371faa363858931f96a127149a779767e3cac15
SHA256 1d57288430654bedcff9b5e1bee55da027fc85f0f281fad6db8433b1d0561a52
SHA512 850d7615c1f44a910e4327605b02b035066498ba75f5439067fd81b1bb6f0308e75bb8b6b3aceced9f7a47abf17fbeea2dd65ba9ea4de7a188c010f9d24a5fd7

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui

MD5 3a3658eddf24a438fb007c862227f1fa
SHA1 ff38d15ad2629a152c66d20363397c90737ceb70
SHA256 626f524a79ebb0d3b2acd5e901c3f365b8bc87ea52bed93af2b1567b5053ca93
SHA512 eef665f1b01f9b188d660691a5b689768fd44f579cf0b7c0407f479d694f6f680da70517687c9109232143dbcf83127103dc7fdc1e4c8da0b35dc59e8e6b0f53

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui

MD5 d739f8ba73f5380627543be48848f858
SHA1 fe3523393c00a5eb123910e9b2ca9d7789b1ccf1
SHA256 787cbf5e63f9a0bae3d0a4d353f4bd7e078d689bf036bf65183a762e4af96e5c
SHA512 9579a124a77facc59767fa6e992289a3cf85ab9ba50957968507d21d7f48be926f342414fe52653b1d481f35964206521a16f85a45d3416fc96260601cbc9941

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui

MD5 b0bcecbd84f9e206a38c71a6bb1d0afa
SHA1 4ac23b9eb94076cfffcd8d0a2af949d56447f682
SHA256 0d878212309dc3b98ce5dbafaacb19f0cf4bf76ce6c9f61fc103b9d165701e1e
SHA512 d72c9df39ed3c8775443099c81116354d0fbee06256fea4f8296753e970d0e64e32d7e78a58aaca74152b54c3cb9a39de3a911818279905f9e187720ceba0c1e

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\InkObj.dll.mui

MD5 6a8eac6556d1099e66dbb29b4132b8d6
SHA1 39ed784258aa5439c853a0aa3d20d99706efa066
SHA256 25091ca195f6d74923947020aca59b031956db33800a34029e90536b499004c2
SHA512 aa4fc338cb79eb684eb17ba0e977146dde0e192b57eb0cfb4c0ec8db5bc5ef50e08f61bbd78ff7c14c869b38f6f2c230b4d52fbe2a00f0f5c22b6c98eb6f5062

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui

MD5 f6438a93a8befce8f2e7d41130d65541
SHA1 8ac1988f73f5141dcaf148240937de70c73556ab
SHA256 6f811964604bd1613720e992d3eee451108d28001fb2c71ac1793dcdaf36a93e
SHA512 f9380f15e8461b6454142c49aea7cc078aeac8da63e1c6022fd5fd4589fd6f8bdfd4ff87b64a3bdfecd4eded882ae19c0cbb89da87c5204f439cafa6629336e7

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui

MD5 2267c3013f3247e9441ced87dacc69c5
SHA1 f578ffccca249b1db93af95a29aa92c5e3ddbd3e
SHA256 99eae74d0be6d8793897406af6cde0c0fe56a39eab5e117709dc16d7064a1e1f
SHA512 db37facc7fddf03a67f10e8f7083b96a6f188065e426b6e29477275fc0f82721f91f80859a5363dd6ebc0e581fe1a1c4b45e0fd630c0ee0d594ff1b2b927abec

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui

MD5 31c8534182e95f09e3e05e802d4a8f4d
SHA1 4daadff408fa1d0b68f0070f0501f130ec81b7c4
SHA256 c93b75344b075e3db69ba30756c1a51394e22fed35bde104412cef93e1e4c898
SHA512 10b62701beec0ad4c9b99f4d5ad82e9cda417a4e51d523e7d013cfb096d8af62a7abaac0d61d3c276633e253a02e2a6d899de6577dbe820e5c5ebf8de4da22bd

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui

MD5 60365d9984b83d7a0f2cab171966a4e3
SHA1 f8329db5a2974b920af93fd9fbd59448021db4b0
SHA256 f7fd7c8bbdc3272765ef9229d6392efd54d48bd923f5795924ce6de1ceeb7fb0
SHA512 9b6ac446650ad6fb5642b7f972edaf3ea421986acae7659bfdec91adfa56ececf5062ce2779958c947c2ff3fb11ea4326ce74fc0a7ab137a972fd41540131ab1

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui

MD5 e1e409c68be56bf18dc7041b4ccb0541
SHA1 0119919f2492b7bd2cb5f7c17c3b3937762754ea
SHA256 e6a37d3434b227917294c11569aa4ec67eada5f2a79130668b8b3f6bdf5652c0
SHA512 426c7e8ae78bab0ce2a4c9be24cbb1ce4fb785add73942c20b68857325d2925c15e2010002576cbb57eb9ffa28a45fde12952a59ee0570e9df3d1920828bdd61

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipRes.dll.mui

MD5 753c2734247fdcbb8d0b85da322811bd
SHA1 515bd28f1b57d30280f28cd9d519cbe7b4ff240a
SHA256 5092084899f6e0461ea64a1f919dbbdbe5541d85bfb6c01973502d9cf1c23eaf
SHA512 2954d495194e94617a42d90bf1c48b672b980398287dc37f53a6fca2136b10dcb6907ba0db24b42bb126433c991ccb0afb987f7523d8c3749b81a5bad2b0f884

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TipTsf.dll.mui

MD5 211405cede79326d4b38f49e31e488f6
SHA1 ae3816aa3761a854c8651c382600144ffd8d84e6
SHA256 805b74b7f9966791f16518084dfa0b5ebbed656f5c5f7038986ec1b17d00d8ce
SHA512 f8768c8c964b1c0ff8b167b6536d92642c8eac6f43ad738ac688fd694f7bdc42bcf5833619873339d836c15590e3d7107a3854b84187364ace45acb3bee0db76

C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui

MD5 49f26119dd0d06770fdaff496278ecc0
SHA1 eebf04d37a3db3a4251b8057f4669f5a28e6106d
SHA256 2e3f61027c761471ed2059a5839b331f6e35bbbee94b022b0ea7c7f7491361f0
SHA512 c86b5712928aa0a530b4f349e16868175afff1ce15da19460932ff9ef05f8202d91a73e33770d7ef56b41e82c884146e3581031c05992494c8a9374fd742185a

C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui

MD5 bd467c649784d98ecad19994318a714b
SHA1 8d2e5c42c54af3cc7c28c4794d97060148152728
SHA256 a8e967f5530faf87f5e39a7d0dd8edf1faeb7ab3ff776e970574218c84399be5
SHA512 47eec2e4a6bf57cacc6a9a02521ed698ad7ddd020ceb5502dabe8582987f9e1693aa671f5f8842ccbdfb6d9050e29f60bf70f0db4e958ba1d8654a736bb684db

C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15.dll.mui

MD5 c5bfb97c9a3f6083117e8a4444d06bc5
SHA1 3f92a94a441adc7355280a946fa2a590f8e8b234
SHA256 c84bb0ba9e8a512fca9ce3b1df337686b4e1feac0b8fe12f49c69808d857c871
SHA512 4acb598c7b36a1256fa60876576f171760dd77f038e51884012183fc5f30f8f3e14e80aedff6965bf0c6a2c2f1d62ae60e1ffcd22b34a6110c8bfbcf02506fc1

C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15.dll.mui

MD5 494862969a8afdae455842b631e20c78
SHA1 ebc9bdcb927656dc9cdc70c76e2177d912ef15e0
SHA256 878bd97b791688c05c9d10402551247344366811c2d37be3ea4d683480509f5e
SHA512 3cbdfe83f7a57bc69bb76c75c49d073949aa66abdca25fb45f45e3c39b1c48a5ece8b6d31a4c96fad4ed6440acd81c44d9477b0f9b9ae26d3fdbf46cf392c4b2

C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15.dll.mui

MD5 846a1c7a4affbc474c257017117e620f
SHA1 43aa8ac19ef346013e3bd0a7b903bc7e3c4b2b88
SHA256 9b443a4caeb09f066eb5beff469470152e27940f467b2dec0e320e5441d7cfa5
SHA512 3bfdfa353be27d3808df1f0ef50502d7846a6757132936323c96d7dce356c178429df06313d0d57b086932c7f5c828bdba7207b9b1a22fac54b24a8bae5983e2

C:\Program Files (x86)\Common Files\System\ado\fr-FR\msader15.dll.mui

MD5 90aba74ea53f0e2768a4289149a35d2c
SHA1 d64a5932b60e229f6cb5496bc3f79da384fedc85
SHA256 3749371e29e534631b4f18c463dc825d38d7be1bfffa647d0b9666c4a0e3a1f4
SHA512 40ac94578e18cd4b4b5a0cdc5a28d171539ffb424c11c84bb2e42efc3978808cfba3e1e8ce41698f5f9d5fbd173e3b63b24c20df88becbd2bd62a15713d7c335

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcer.dll.mui

MD5 e8757e79ec501b502bb9565869ed45d0
SHA1 e50321a3bb86123cc78cd20d84fb7d4b4bbb541f
SHA256 dfd936851aecf6c03b5a86189ff4a206122f4a0fa9a63502a125528e9434b14d
SHA512 c3c4297601d8531d1ebdda3e5500f07314210fddf07626c5c253c14ba6bb54c2d26c4d916ccfe9e892a16bb2ce6efcf8f2b6be27d77746b7abb04bc31ecba27b

C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaprsr.dll.mui

MD5 3f540aef870b60e2c0f5b58644c12c3c
SHA1 555130a7f287463935395fc1a71ef3c4f52e4de0
SHA256 0bab2add772d32e24820db65f646348f6077ba2f5c4e60dab49fb607ee1221bc
SHA512 90550a3b0963bdbfde72b1291046704549a4b925952391bc815097710f173f37a5f09fba311e787e6002f0b78c8f7b9f575978402cbaded9441c3de71486fa60

C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui

MD5 d9af564a9d59b6dcec75e776badf6ec8
SHA1 81cae7d396e309b2982e03506fe87ddf91e722ae
SHA256 4d499a4dd6d3d2f3d7f62163e513eb609d5646e335f0e4877ab241c27f712fb7
SHA512 ad8db1e5efab581daa25d7c972db33dacce921c77d01bc2e8417bedc22add87641af931004a350a0e7d13ad3cf07eb51616a2acf99b5d98186646cc27c51e4f0

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcer.dll.mui

MD5 fff135b79bab471eacfe9a828ab01a28
SHA1 459ef55a1e21e4fd5326c3fb0b335954adb32c4d
SHA256 62bfe2cf5c185c34a1a0573f8284a44a6714485400907f06cd3772e12698223a
SHA512 6a3abe51bdc432ecba0f17da27c1c993b42bd9111de13d6439543dba935a432ebefc24a2775f23f247bf8f4e52502ad9e52586fc36c50f96b9b18509ef42e77a

C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsr.dll.mui

MD5 1610b6f98a502f6f87f35e9f172bbe22
SHA1 0e5994c2abd184ce4369e3549b1427798d138283
SHA256 89eb989123523c550d3d0885c320e8f52a36a2ce7d9beb0ab8fbcdceea6729b5
SHA512 b43dfc79e78a4f5cbe7dd325e8bdbb2ff74d83719efc9d6598f82391ebe1f5bfd991b5f167a54aecbfd5eae57a3a60f0866b2db1256a1ba950745ddbff8c9674

C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaprsr.dll.mui

MD5 040599f3a351d7511f07798f08e1ffc6
SHA1 0aa54c914f242774d88032d6c68f5ea986633444
SHA256 b33f06f2ce31de2352057cfa83d5657b71ef6edea9d277bbe3b96e215510c752
SHA512 b76ada16bfb1ba50ae80e8cc6b04c48a9b9a3d13150634f180e0566f8ae5e9a117aaf7a5db4d794341640b2ef1e64887df2cb9403df31f7c6bf44abd1d711af8

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui

MD5 76615d94a356142c503f3b0aac2a35af
SHA1 bc40cc1e361f6cc77b76e29108d9c02e67d3b23d
SHA256 c7440df10f6c878a63ae8a957b1cec4927a7ade7f8ad9a81ffd6454dc16a8571
SHA512 3c24a936b30b5059239453d7c9abff7cf4cea1123d465750a8f8cee4d01fd64423f9fcc5d745a015c52cdf36d38eab84bbfe31b9a127c7c2596be37912a6f8ba

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui

MD5 71e5c635287fbe689d51a8c3ad3a3a98
SHA1 a9952d535f707c03155b1a4b6100d69af69efbd6
SHA256 427f805d0567fd6005424c5c81531ed685de6a97ae3804398beec4c5c26579d5
SHA512 f56204ad0066e51597508099bffb6a44c820a9f3d112a439af7a17d780df719c44d546ea4f46f78b065a30d7758536135adfb50f9979b170ed4c01432851b05b

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcer.dll.mui

MD5 876478fbe975fcfdeeae8514b363c054
SHA1 e7450e26d2ddb3258b15c40c568249168a464828
SHA256 21d5aa23b525d7291f08031f2024a4b4ddf48b64cd3637fa12bec8e2fe84d6a6
SHA512 8fdfc486f1fd3473dfa9616f6126ebc36b68cee3de33c5d7eddaa351e1305bb12e1eaf0d698f931d5958711ece9b8b596b11c301219e194627149fd4a8e8b95b

C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaprsr.dll.mui

MD5 59b4dac6637bd968e88615cd9e0a38d8
SHA1 94853779569c7a6fcfbd39ade4e03b013deae536
SHA256 da0925bac267c714928653cebcbb2243226ff9c3fc469cb38f9aba3929ed9673
SHA512 f02e8814607128ecd66e1fc34ded83c28e24a9a85921a50fbc833ae888911b148987a3326ebd91870f5436950d147b4fccda883d439e1ee486a29b43f7ac80b5

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcer.dll.mui

MD5 ec5c2b06647d7a2c05632f84a3f780ef
SHA1 aa63d1c4950c3f8943e165c77c969f8961bc0fa7
SHA256 9eb8a64af3a5092900b1688b48a1bb8a0209515c99eb1cebc1af3ab145d3a946
SHA512 5ee2f6e1c3a1142e1ca2e73088e9cea6bd3620aac811e0efbb52c3634fdc4864092a013181d348a3de3c543b5608ff62d41b6470b83822cdabf8a372a8df590e

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui

MD5 45929c96f184b119ac1cf4c90c6861da
SHA1 4fa0c979e7eeeb9d05dfabe3efa4a7b09910cddf
SHA256 8228ab9d21f647343866120078d9a205fe02827ad116dcf7410c4d1137df2995
SHA512 0a95a0cf703c6bcd60ae428a5cee9f0a0e588a755f95eed312208bf72c73193619ae727336e8bbe9f4c06741ce2aa12a111442a92d38e122f6196335b5df7856

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui

MD5 de501e0a97d986f753716a3906f9f01b
SHA1 dbf237870b67e80c42001f3ea693bc39d6d8da1a
SHA256 d597812787dc821b5138c565f2caf180136120e66136ec87e845009b9efa51ab
SHA512 0a645398499549807f1978f25d1e10c8efa170244ed3635ffbd6b949961782c6398c62813ae3a8d8146bfcaa292ef6a1fd44dabd7f5d9dde21bf8097fa72eb02

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui

MD5 510afe9f344bfeab880ba964d22cc8ce
SHA1 9df84763e15bfecc9cccb3148876b366224b0f4c
SHA256 6d4d17a66b1135cdabefc1e14770f9caf619a279a11c46e733af3af60eff2eea
SHA512 87e4450c5cef5b473d003ed0dcd0c1b816b4c8bb9c093cac33ac5395e5eecbd965c8bbc2eff20946ff4f4a8ef06a4b9fd2b4c2b9c35200dd69288a02c893c55d

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledb.rll.mui

MD5 3d0d4d046165578be6d4d50338266151
SHA1 3ecea768f12510327bd17e73491cc48a51bf16d4
SHA256 dab25b93b4ab6571285311535e67a4dfddd685b4bc4396513aed2a8599f83391
SHA512 6bc1e1e596272ea7181fab469c15eaa319b26c0f00777b6089157fde4544d9f8139b1f223a5c8a4be3e40adf549e9044a4c63f7e6eb6b4c2c61d87e3618c0657

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui

MD5 64b629ab22865211cd4975de6f9d39aa
SHA1 a1eb1e9195e4d8afcea6d053213e16abf6b58bab
SHA256 62eb956fd63becabcbc46a4ee2b2383dab7cc71056f474a807b1121103e174c7
SHA512 d12bc54b27fd980183eebb6a47c57c5a3e5c4f51be1fbc13b9c0dfb7eebcfbb4a7ebc7a868d03c31f597041f0c01a84701d884f1f2b23fef9f9c1a3a548df93d

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui

MD5 4c3648333702446e663bb95e029d1f60
SHA1 c67b93df21f99ec1a83335a9fc2d54f842831506
SHA256 ed8c01ab63b4136b21793556d0d8a2cfc2e66f0439aa1ebfcc193ced545c7d1b
SHA512 a1c59188125c93b4e54ce0e6dd6cb64e7b3d671d68c7a394ac8f623b21d6312fdcc10ca6df1177c51a1ca6a571b3c5fcb877225121451e1f35c9d4e4a0f9e568

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui

MD5 85a9119ad38cd46425ee281206e22363
SHA1 c211276e23c3648bc66d88d5805242077ef26f12
SHA256 946b8f593b84a12880e0fd0d9f47a1677c9c50b2ebecc8c2de2d170c0f3b4c84
SHA512 a2fda73351cbda2769c757be517cbc81aa091fc8107c0181bf2f5c97f14bffec2a44f21b676732d7064c853bf3c660d0f7681e12231e71cba605443b28fb0ebe

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui

MD5 4d98d7c90e5c26d5aad01becc25f1cff
SHA1 1a542dc4a47082541e356aa41b5c9045ec7ab2cc
SHA256 8da5d1f0929637b9802f36620efb28ef680781cb9fad4bf83a74740fdfa5283b
SHA512 cca2a42484bdaf4c2d11177380cf8d9305b96c4170774034f231cd48af2c92e363a768f3bad4f3d905bbf36cfdd53f69b30946d6e9b966861b23499eb66461e3

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui

MD5 0c6d9f703040956b3da56387935dedfb
SHA1 753be22347b10eaa11d98a41c2b49c060a47fc74
SHA256 b74f96f7c12213e059772251d5ce45792f2e3564f1b068220b9fcad578cd6c39
SHA512 890cdcad09380d3f1758bacbf778b78c52713fdb6f5ed11c6e2701efbbd782442f88a78332282148379a053eb34f8fc81195a1660cec3e9f26478c8126c5a901

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui

MD5 571a52bc91767476868c2507181c3ada
SHA1 65cfb04af09da9cfb39b93a5f8409993424cec57
SHA256 c0d33bac2fd02a9244764b81ebfdb764b8f71346084b3681f0d5082e0b6c18a0
SHA512 a6730c63e4c7a13614a543335ba76d7c1560ec15e0bcf843b57d1fe20ec16809589c852c7840a505558030015411b8e68a63117e0f0ece4051bc141d17153002

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui

MD5 1136b54d28622f38988d48280eb29ea6
SHA1 3c4706d052b06c5de6ccf4315d2942fe262d3e67
SHA256 f32e1a57f1a43339e188196f92b4ad50b2ea4f020e9ebda8aa2256015c1a3041
SHA512 1b006b5ec28f6df6b468e4e3a4625b1b84c9a9f4ed87254028df098ce81eb3942a0a963ac98f44055627fb34192edb735691f01c2e9d7f33efac0aa9bd6b8824

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui

MD5 d7580dbfec79fb00a05699704e7e7504
SHA1 33c43255f5f61c5322ec403330ce977b0ac334e7
SHA256 51d7e20e3001a70813312d5694cbe8fcfc531e8601ba8cb7d60fb63832872db3
SHA512 87e77a530414267b8027fe200c4f04e5d93db934c823dcf234de6a834a7a2ea9aa13e2af407a6a422cf78892e6303088965462f314a2eb41072793463e2de859

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui

MD5 f60b3cd38cbc6d669d41057b0e96ae06
SHA1 beefc55b425f1536e60665a6226478aaac37267d
SHA256 be88089af7a6ee448e32c562d89135303a5bce6af807f012005b1d768669ec8a
SHA512 5a79ca838798c9df93edc203fd59508575ca1aef65f3c005a795d0a54324d305d2902a7e05a1d1f3e72f07432da2d194e696367df27787d9cc7dca05c52dcc70

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 a73830aa40a1c7ca00fe68ee4cbc4bdb
SHA1 f946b1c49d7f149aa0bfadebcc2d71b5706c275f
SHA256 47c4c606547ed578741b498eeba643d1f33b76b76629c6b59f4e0e422e440960
SHA512 72056ae81b6ee9e2d0719fb2ad1200f876d2c265ec9aa91f05aa62b9bc5ea5b1f2bcfc25e12ce2f8e338633df32b580791b69530e73b73ac3f344691a3f7384c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 800c619d129acf489f2281442000c361
SHA1 08a47fca4c09d04547c58e0781bf59531d70cfd3
SHA256 8933465438adc5c5193eb7fbadd6c6e7565d2d460fa517d0bc8f21cee49f4a65
SHA512 cf467ba93136084d23b3ad4df5330c028ecdb3e93500196f57c134a7bb3719fe2d4fe0e0f378e8fe10937e9c02cca4b4192b6e54d6a18721ced257478ec12092

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-14 13:19

Reported

2024-11-14 13:21

Platform

win7-20241010-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (9104) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Portable Devices\sqmapi.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Windows Journal\de-DE\Journal.exe.mui C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01639_.WMF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL090.XML.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadcfr.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR7F.GIF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ORIG98.POC C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\en-US\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\DVD Maker\Eurosti.TTF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Cocos.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Maldives C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXC C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GKWord.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195772.WMF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00217_.WMF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00006_.WMF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\shvlzm.exe.mui C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21400_.GIF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\biobio ransmoware.txt C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_OFF.GIF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200611.WMF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.INF C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\Synchronization.dll C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Midway.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2908 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2908 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2536 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe C:\Windows\System32\cmd.exe
PID 2800 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2800 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2800 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe

"C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

C:\ProgramData\biobio ransmoware.txt

MD5 c8a67f8b8ce607ff54e7ea29fc000450
SHA1 4fc728744bb78a8c29f05c67e067d3af755c9cd9
SHA256 9a0cc9b664d21fc01f93ce946d8426cbfe4a38623e2b6fe06c967291fc9840ee
SHA512 43148dce167a73b32b26a031e97ca75b8f7be8bd0391217d855ed7ae1feee09a9a7a4f356f30d054a9c157cf29d25b24fff321c96f01cedca86cc348f3f556e9