Malware Analysis Report

2025-06-16 07:17

Sample ID 240531-2b5w5age38
Target 61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704
SHA256 61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704
Tags ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704

Threat Level: Likely malicious

The file 61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704 was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4702) files with added filename extension

Renames multiple (4769) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-31 22:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 22:25

Reported

2024-05-31 22:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe"

Signatures

Renames multiple (4769) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql120.xsl.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\bcel.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\McePerfCtr.man.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\servertool.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\fontmanager.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.X509Certificates.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe

"C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_.files.exe

"_.files.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 42e40118dca9d3c2e5a5e36e4aa2de6c
SHA1 3b834011af9ab595a05fe8789156ffc37e465af4
SHA256 6d98ffbef11ab8beee1a1ba05a2bd78449983ddd2a2caf202fdd92439d45631f
SHA512 3453cf7f6c10b2922fbf905cc61924490cd113337114491abbf11b9aba16f0c0d963e787872f7194147cb8df982a0b1f94459e04b837cf355ccb4de4644aa244

C:\Users\Admin\AppData\Local\Temp\_.files.exe

MD5 1363af72e28b0b0055b403f158e7cca0
SHA1 62ef48b53f051ae99ffd9788360783f5ecfa0b56
SHA256 0ce064ae00e5c50d6e910ef20fcec598be544fe730f8d365e1508a2022117f9f
SHA512 d81b85d48ad5649d16b3ed3c9e33f52057ff8daeaf0b38500bb0748db36d2b50205ba9689761aa250e7765aef7b4ed9276afdb54803e69e944e900cea3577b63


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 22:25

Reported

2024-05-31 22:28

Platform

win7-20231129-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe"

Signatures

Renames multiple (4702) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Media Player\wmplayer.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\VideoLAN\VLC\uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\update-settings.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Tirane.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Internet Explorer\msdbg2.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Defender\MsMpRes.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\sbdrop.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\clock.js.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\accessibility.properties.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cayman.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\MST7MDT.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_sse2_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pl.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\gadget.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\logo.png.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Services\verisign.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe C:\Users\Admin\AppData\Local\Temp\_.files.exe
PID 1848 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe C:\Users\Admin\AppData\Local\Temp\_.files.exe
PID 1848 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe C:\Users\Admin\AppData\Local\Temp\_.files.exe
PID 1848 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe C:\Users\Admin\AppData\Local\Temp\_.files.exe
PID 1848 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe C:\Windows\SysWOW64\Zombie.exe
PID 1848 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe C:\Windows\SysWOW64\Zombie.exe
PID 1848 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe C:\Windows\SysWOW64\Zombie.exe
PID 1848 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe

"C:\Users\Admin\AppData\Local\Temp\61987dce2d12e093cd565c854919012607a7a1db9baca87612226ef6d3d18704.exe"

C:\Users\Admin\AppData\Local\Temp\_.files.exe

"_.files.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_.files.exe

MD5 1363af72e28b0b0055b403f158e7cca0
SHA1 62ef48b53f051ae99ffd9788360783f5ecfa0b56
SHA256 0ce064ae00e5c50d6e910ef20fcec598be544fe730f8d365e1508a2022117f9f
SHA512 d81b85d48ad5649d16b3ed3c9e33f52057ff8daeaf0b38500bb0748db36d2b50205ba9689761aa250e7765aef7b4ed9276afdb54803e69e944e900cea3577b63

\Windows\SysWOW64\Zombie.exe

MD5 42e40118dca9d3c2e5a5e36e4aa2de6c
SHA1 3b834011af9ab595a05fe8789156ffc37e465af4
SHA256 6d98ffbef11ab8beee1a1ba05a2bd78449983ddd2a2caf202fdd92439d45631f
SHA512 3453cf7f6c10b2922fbf905cc61924490cd113337114491abbf11b9aba16f0c0d963e787872f7194147cb8df982a0b1f94459e04b837cf355ccb4de4644aa244

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.tmp

MD5 c7046ab06959456e177637add1b393c6
SHA1 0d4670872058235235915706f7bcc65b44fcf98e
SHA256 a674348c9540280817a3bf353732ee620248a9a8112bd424948a317d0a8d078b
SHA512 5f75814c7d15ac68f81942c636f0136046a32ba1ddd3aeb9ab11d9647e960ac4f336e6424912fa8b6deecdad320870214ce22adcc5935f943f9bc15047194592

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe.tmp

MD5 d434e42146dc12f5a950ad6a18c3559c
SHA1 aa81c0264e438c8f18661d4cf1897a2e4a6dac0d
SHA256 001d08845cacf84252436bafccdc3b7d22552b935a4fc7e1eda006f038caf532
SHA512 7b9076b8f645d03b97f630f033effd82717a7a13a47bfea4e5e845109a26ec82fdf6d93741d907159d9d0d2577ecc4f92e1719d644a32b32f5b223331535abb7

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 4dbc8cb4ffb46ddeaf1c404903407951
SHA1 42109daadb81ea5559aeba5c5ec3bd4d87aebc41
SHA256 5b15e9eb45fbde35a66dbfa06c9c76153ea14128edb060a11cd4a1896b3c8483
SHA512 278512356c13d73cf10d124920e760fc08485df9daf7a8d0a2e45213022095e13fc6c271d7c4faca22cf8de1169a1956c627747209125e290a665fac6cb63866

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 c1561ead51882ad656432c0fcd9e4beb
SHA1 f08c658def2352b099c67517ec3d945f7504e7da
SHA256 42fbcec5afa6db4f8b79e8a886480d815e823bb86997ee6720bb8c9a54822de5
SHA512 2203b430ac531e1d74ef47cd1459bfc9927a98d1b2d084428dc307305167f2043239e1466e4fc3dce252c36b1a5fc36f1f67a6fd5d3d18f149fa52116af23438

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 25cb65b35ac11b63e05e8367c179b3e0
SHA1 3cc325ac0dc2f6544738853c3f85884604c7abb6
SHA256 8f4c1bb08d0ff163d738f5da71d25e606276894072178c85fe89d62b8efcc8e3
SHA512 cbf9476a3b6375f134c793065257da83676e1ac88c5d7d3bc445988655e7a78784c21972e986adb6b63ecfd82937b5d1755bc0fea80b575574188ebb2ce4ae14

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 bc4c5281a7dd354da0ecd65d3d058122
SHA1 234568ec68f86ef328a05f1368a6417f4d21a6c5
SHA256 5fc5e300d4702b114aa0f2ad3c34a3f6d9ded69881c4610174df002c7f3428d3
SHA512 b14151245a337f772cf904a00ef08906d9209f138a8843d3f34162ce1c8163da7b652c2d5e6837f81137f5e0d0ee9a65b1e66ca5f6e017db6b6deff642cd3c52

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 003efd35b0e3b3f2284c698173cc6f40
SHA1 04ec88c1039871f0ea9a56fc2b55470521206eaa
SHA256 ae9ff62e9d6e9f06b38d4b20fac87ad3d5d2a9dc16faf0c8f3d8270497f35574
SHA512 deca586a57ab036a557b4d7aec6f877263f8f6a58b9e684341b21e7a9090f5bede72b1ae26d9f7835dd944700fbf993f524193717071ebed09845381defd82d6

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 1a72349a89a3553c7b54662f5b32752c
SHA1 eb659fd011a2ca45860de886714e0bd4dec40716
SHA256 da667c84be0c8fcb4c5b022b0248bfe78b69273f092319627518857f249d9a3a
SHA512 8101a93be44ea85109fac2a7a2d8dcf2f270c79cf0d1fd7f88a4bd191aa051089a0c1845eb9ad78dc836a4090c11e6859774ef27459f686ce55345ac1b2db4bf

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 92e2d4d23fa43c3384132acf74c2e13e
SHA1 d43f1bb9f1842855f978b29f15cf2d83ad4156c3
SHA256 b39e4231c07a0f78cefe2deb8cd7b2821c1fd044b632de9dd7b2669103254c6b
SHA512 38959882bd2e8adbe6a6bef2537e92620bdf4f651198a8efee52810eac8f3b8249f735b2ed917aca72fe37d5a608bf7f5ee39bde8a339de7908734b0986fb9bf

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 5976bc3a9eb592b73a22f4dfe6c94ede
SHA1 93cbef9f4f3107142bbe07f4d65dd0bbc453af4c
SHA256 c132f89adb7444a823f4ae0f646b2d081b076bc564f6f778dd2e1921e6a68fc9
SHA512 594461b0689045bde13b2daa8a987c7a96a713ee1694b7b884f1871fb1e72f5dd8e9bec92911b5889fd09df8d1c6d957971b4f125bd836a5a32f278637c10254

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 187c1c13f0c1d1010330ee7f33c284ee
SHA1 9c79966b92df8c09b3ad73ed48ae784808588b76
SHA256 24f8cda4d792663661273fb8de6863461bed95f3790abfddc52e8ecfab1b7b2d
SHA512 53b16d2018f1fa459357d572599b8d2c920be7b1ff54fc825e73f8e1f98eb94eefe463501a657b3f58cf0d91cd400d8d77825fc89b1a7eb290225d882799c40a

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 ef2bd9c286a13c71a18fad4136376dab
SHA1 07824b72a55a5cf900dc9c26f9484ef35e30da5f
SHA256 f037f5537b39283f42526238c0ff6715e0908fd93977425363fca926cece8271
SHA512 81f14d2e78d934648371667272917774672d83ccd126312821d82bebefcacbd569cb98b140194ad30c8afbee5976bc91d7f4e505a819665a91eb71bd30ea450d

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

MD5 700bfd90dfb9d125e97bdc72f45f81d3
SHA1 9369f6a3a11f006f5df4dfe86fe51fd66211cc16
SHA256 a1f9559e6e51b984b9dd78fa6d8922104333549522be6d5cba300e4b50d4a882
SHA512 dbd5296cbac4c5f1ed5ec9e2c4d3b3fb9ddb0c1f081996d6069106977aad094e97cdf07ed09018657a48a96f451fb3214293aeaae54dfa8e8e4f877958150e93

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 5a76dd7d81e29ff1b293b4d41c7992ee
SHA1 94aa74c34c25f21174f5516b6660bc0ddc7a8c0f
SHA256 02f1ecff9ca92c046939b7e75d43fed5acdc6b9759ba93665ec47a93e8281749
SHA512 9d08805c515d2f8986734078b1e0345ca25a3ec50b9c8af946b13070a56534389918004d2c1c15e75317f9f3a7df64e22b8e59a8b2da83ccba9559ebeaf5f2d6

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 92d7270a1e0d1c8c99cec3c2b5c3413c
SHA1 2f2c877685902b500e3b4345e50e7e0b8eae6a24
SHA256 d0e14cb90209d9c3184915562600bc0917954ace4142de2af395b31ce3b10dd8
SHA512 071e8d5feb75e49069e5b6e0459c1cbad71b2e0557d97b91cc55fdefa104f44025039eb0da23bb6e425627ecb5f341ae00168c88b75df746e727012c33f1707d

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp

MD5 4e8a0e572a6668e02b089eaecc6fb521
SHA1 0af7e07a05f3a4d7f10ec1c135576cf25a46825e
SHA256 dec7a9f3504a7439191a46cbb3d6b286183c55ed4ef4ffc089bcb27ab899af2e
SHA512 9fe4aeb359f5c501e976f8af45eed25fba4aac4baea33f16dafad83339bb109e619e9bbfc517740d5529531e34f426d6a48a8f454d0408994a69999df49e9225

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 d1c999e85397d93b525999bb7a82cec6
SHA1 fcb50f2694d8facf323be811fbfc89048bc16cb8
SHA256 58b1962c1687b961890949b245e552b47d2da973a43b65f91aa20e9be43294a3
SHA512 87bf18fde6628f8b7c7dbaa056e692d3423b3c2dfc6dfe34892f5e209ec82c0d3ef7193fd0f9837ec2c684534b51828d2ee7ac650c60dede1560742fbcd0382c

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 e612fa6205483bc906da21175d52149d
SHA1 5e74c9c7527d9d9bae40d60f8fa310971d26c933
SHA256 0f7f3e16d5897bf72d64df1029cecee90267f0d785dd2b00c92f577c85fae89c
SHA512 3a5004b11c353e532e6bc3a63127471ed30d6c53ff739ff7113988c0c4b6c1b82838a9f54130fc62d97f3dbbc2a3da97001fc581cdee40c60cd30d1c9a72797a

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 11797266d68540bfe5c1054f9c2ca41d
SHA1 c0d6aab5fe6643d08d42f04d9463278ff27224ae
SHA256 8a8b8754339bb256a7bec80d5844ef2deb49b4398a5fa34d71f0b4d303de41f4
SHA512 f7fc3d56581f14e4a60fc212d1d1701527e0c2f837977f27b8631c5f706f7dfebbefdd73dc9292819a5c8d73c920d8cf36f9e2959a52bca83e3c1b1f8f463251

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 bf1b2244db94a96b117d7607802c4c8d
SHA1 22b4bfaef0646e642abafa3fb557dacfeabaf435
SHA256 961e2d5c7d70da456664be294dd8877283d3aeaf34a50534593e39061c6fd16a
SHA512 649433e126664b4ee2d4a143213b7f32b0d76ec9b405c1da5178808e64f708dda2bbf03586075fe56e40fc07ebca4e6168eb22cbcefb2c36e9d0cf40ceca8dd0

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 00838441041e8b0501ea29fecdd2012a
SHA1 28d5be99b06b7768fc16aa74efe692ebdbda085e
SHA256 0217c6dafc179f0a434ed66c446a54f820624110733daa94b64bd7bb4a57a957
SHA512 7ef8a64cab394103e49bbde07f2b8e1b6cc26a7b3830d88b8681a816d156fd7c884760d2da2b184dd385f803ea3cfbc406a639c47cb19cfa6f821bbad838a37f

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

MD5 db02506a8eb2e9f556d8559a1c90e3df
SHA1 d62bf97bbb569e02f38446969d80cfe92fa95473
SHA256 55f6c164c12ff0699190a68f4432fc7de5eb2774cf821bb70920f8af5a05a3c3
SHA512 5bdf5f544078942efa2e263492d581928857692824756394ec10f04b49e85e19b4740fbb9afa68446acbd81b98909bb3fc45fd36e8ca6be62f247967b28b1322

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 f61192995dc1f96f7999c4f55f31b949
SHA1 874114d658efb67615dd5581f8a4946ab6d0f20a
SHA256 5c54eec4677182c74504ef4d0f13a2e7c076781e130d630143092f2ddfbfcf35
SHA512 bd3cbb0a5f25168cce5c431c84499169ae4f035f74b65c476c695dcdee48802ae5eb7ffec6c2b0bcb952bace83c64874489f2a252f24b3bc336b319d0819e007

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 6e521c8c51d67761024d7f56114f9c12
SHA1 1f73b7823b6de8e272301f36858e1ac517f25692
SHA256 a63efb39bdf06ee34a74757a11a65703f3c6d28b7551c068e661c6f675824921
SHA512 9e0fead231c5ca9b23dc3ef2d92b8c38c724bca8d0e52f37ec16f3024497ea5b8dc020fdd374f3db89a710272f37b4df26cd7ae7078e7ac4e6a5dd443a3976f8

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 8ced703b1f817c7abbbd63cc3d192043
SHA1 da4ee104053795fc5bbb6b0636cc05134e66bf7b
SHA256 4cffaf1fb5fff7cb534f6dd3debafc66c80e04f14a544e85dd2617d72b8cad62
SHA512 a102b8319763f4e8c1b36dea418ea76bd6b27e156bfa3bd66967675b8458898ddbba6a1f078569a3f995817fe9f519e255e1a26144027fb5c599ebcf698c79bf

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

MD5 f1d3681436980009fa35e509a38b3a43
SHA1 145d24fb01fe37298c6681ca1e337eb5921f2f87
SHA256 5f1961ba421421b9522fc38deef9eb6f98b1cc64cb57516684df0e7e8a18f651
SHA512 a20500db3dae9ab0df8916eaf596bc9c54999f1e6ce8c22a8133655f8ba75dc909e14393fef491d62b013067424852d28f506bb9ebec66a6acabf3cc250d2769

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp

MD5 87bec8b014441f60a481c37c63d8778c
SHA1 e61398485390a8a0c5440414252513588f019d3a
SHA256 c8e6aa43cbcd00bf338f0ba8b3da5ea18a31f566ef59793c0bb4a78ef9eff6a1
SHA512 b6f1869e813e52678e7ae8889b4756a80f74b1496e344eca32c5c9eb47cddd7654f4c886edea79a0351914b59fca2357de31caa01ab4c1b1d156b744787fd87a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

MD5 558fc3b9c761cc537c20cd61c27c91e6
SHA1 9c035ce38aaefe46aa2fec62452bc11dc3490d69
SHA256 47d130810baac7f3bb0b4de8fca1b674f68f891cd0803e7d43927cbb90530be7
SHA512 097facef0eb38fdcfbc14f410a9ed4c720fb884a222a406012f17082f6201f2f24279e8476e1101becf6b8552e72df5b2f35057ef7c2f10619b080bd3e1c294b

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 3369e87fcb63918ad4cb3b5caad63a69
SHA1 13e59ab6a6a376c2d64072b731ad0a2d9154c1f9
SHA256 9c67c1cb4b014821be4dc6f42b0bfcb815e29d0827e21e6a8d543114d60d2701
SHA512 56f7e63d33075fe793f4b09d9908bb3b62aedeafe8b2ce1bc6aa882452da91a162efe28d884296bce32663b6760afa866ebbb23b318c3117be399a0d05c74d2b

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 8c7b6b6d3b4c6f134a45fb294be42743
SHA1 03a88f791070490e7786bcafd7bef2b485e62bcf
SHA256 763570884ca25311db889b0448a57f8bcbc6a3776dfec6fd3a1a9b7265978447
SHA512 7957e2eb3edb5372e78a4da3016c611edec0082e1bf83b81c7bd0c39d769a5f2febd93d52b58be3241bf94293a3a2955952296422812a5a44f0b89d240ed06b3

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 442a6df0fc1690615e8804a3fddc33f1
SHA1 66f2abac578ba771855aa4b2b2c013f95e517fb3
SHA256 9efc0c3cde1b55a76d85c6294dd1d74a5a2d121e082d779511f2cb8ad0b28758
SHA512 dde554a2355ba64a21d95685ffd7126dc28f542e7b06031db58afbc7eccc267e0471b03ce57b203aaae2168a49509ac38bb64f73cf3eae9f2e6c9ab5a6f6e0e2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 af664bebccae58c618c03ffd3d23ddc2
SHA1 8f2a510c9b87d62383b060d787bf667722840428
SHA256 e1bb3bdbed7e7d57c8f339b25d2bc42a06b3064148dec30ae1bd2ec32126b77d
SHA512 c055f7efad46864ab083932fd4aa7528f30f611d8560bd9197ca456d5faa2b9e61da0561ac49d88a5ef08e9e5a79b1d4a715d31c6782a61310f0ac91f5c8f83d

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 62a1dab518ec59d73671f4b942a4066e
SHA1 2ebf49cf87e8329f4376eca7292583f4eac35908
SHA256 7cf303626d80164ee4ec8339ff17a6f45be1120217df46ca2e18e6985e8685d3
SHA512 5a16c1e4f4d02b50c45bd5e5504d18a8f2b52cbd687b3091f75a408d3d041c731ccceb26a021747b7b5e6c6ca43b473c3072b3e27987a14f56450bbf86e02f49

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 d28abf2e7222e2216241a0c7e8bfaf16
SHA1 91f9772dccb04c77267f4baeb9931b6f016fd86e
SHA256 be045b188a6a456d649995498ea4acae93b517c7ed3f3f394a6ca1295f3503aa
SHA512 76d2a71e99ddfcb0eb14bf18502c25967fd9de7ae6211162fbecf7417fc420c9a5bd55406b87989d681f50706c2bf5df0dfb8774905dd30bb1cef4e42f6ba553

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp

MD5 517e7e4e9ff644f5ff89dc1830c1f4b1
SHA1 5d35241c1f0ffb29724cc75fc59d53b551fada75
SHA256 037759d03466ebd3f01c39833cefd1e2bf04417757896fc3e933327d4660ab9d
SHA512 54dafcd9f620535c33dd897c884334d718a9e0eb57b5847e94ff27fe0c32b4afc596f11c4b4e5a1ca6941a5ed38c50b48b776396112a41fe67ba7c804ac18e57

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 695b16a0e9f4a2953cde6e084761af59
SHA1 71a23befc9fd97f4420a3f8b9042eba6e2908619
SHA256 62550c7ccb8c6f6795fc023e268706650b0a5918a446df3a1fc50b6e8635bec0
SHA512 00f6662ecedcb82eae52b19a9a31367912ed067c51153e343a7213ffc767d2a907098a49a1c19531e86cc3b214038b871b82e7a66eb104d99d5bcced66076eae

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 250a96f555bbc55ff74126bf8ff05f29
SHA1 be893a507fcf49bb92e0e8385d05ea445653c99a
SHA256 e4ea0758d1da5d6899b44a30acca6635add3a2e6c155899c0d9c0d3781960901
SHA512 d2f24dc0c21f670836285eed6fba08e515bdb02a1edd0475da2aa84d75afbce49f56b7ccd8a294414d0457ab3c77f42c21b92e54b018d30ba830b6800c632b2f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 ca49d2ddf8b3773a38fcd5ca7bbec336
SHA1 01e498d437cc36e30e74c06368506c7a6907984d
SHA256 0d41300c478ea973eac8d1cf2dc62f7ef8c4ec5b4cb12f61dfd7ab855b311e6b
SHA512 152a97c57f397a06dd5db8197f29a85ec6aa71dbe54a17437c8c890f341c4dfe23964a5978252c937069e2dc906f39dbf6b3fe88ceffbf9aa61c64952237d77d

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp

MD5 a4bafbbf026c41ac82ab0e4184047083
SHA1 81aa481aaaec485fc206a87673a5d64462ad21ec
SHA256 657228dc3361163e6950f456f3ac980b5710c2813ffa03ba3913adfa111e0bee
SHA512 e6fa3ccec499536a5df3888f26ad25a19880b9e79ac7d35b3a6910b8c35f7cfc7c0840bf38310314ecab700ff46bd9dfdfff0a2cd462d5231b2c4b5e11d16078

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 174f28b59b9d5c1183a32f77b88aba16
SHA1 416a35189bafc8e901b92f9a1cf2824a65ebb1e6
SHA256 eb9cd69ef9c4a424f42c1f973656f89ea32d301ff82a4d362393ea7b59e6c922
SHA512 bd0ccb284665d231c9de274cefa0c13eafbfdf792de19f14874a3d9d7e9c1f9e5eceb05f39530bf3b03ae7f8a68fbd20804b7515d5536dd9b7c7d50daf1e006a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 757f446d1110661121e457273fdd2233
SHA1 1ce7a0bdb83880b6a4de8c95451a3e1cdf8c8158
SHA256 ac3542101457cfda48659ce1f428d7da17f3756c8b5c9874088fe30f0df38dbc
SHA512 da8306ee200f49eff3341c577b2071268ac1f9245a9fc4eb03d8583a739d92037467f89e6858392860e8beba2ba855372324ea307cd6fe3e26a51e96bcd29bae

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 a071b97c8111620791ee29eb8ac3c828
SHA1 ceb14f9132877e64157bce9df03cc5c794e138de
SHA256 a17ca43b51fef061fb914fa2eba4054b523f1ed92f3554a06fe672053518f3ab
SHA512 48e22a6f46b944b04da0e713c74dccf7025f592f268a28ecf0ef7453930b36acb6a6d2125fc8a3217f3debec882a93bc75db711c424c57cfa5ad24154967b24f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp

MD5 923211a8e3c1182f592a6bd6f21cdb49
SHA1 a9e90d36aa1e4438ae2bec98405cf12ae9b06022
SHA256 693a926a16dd5d8a09793142a7b73b8c8611da57cf0f3ef5ceb6cf6917864c04
SHA512 a2ffab9ef4d8847d9ed2155da2ca0f30f416753bbbc84172fbd77c9b891dc012fd4fc40fe76bb9f6fc0128082cfe1d4c1fdd1bdeb5512281af794b9a5e5fa5fd

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp

MD5 0fbc4f749dc06c5e9dae119739505aa5
SHA1 cbe1c606b7fa79dd334c9ea017a1c539e46f5591
SHA256 c6ca96f03d84f4533c63f13519a4032907c5fb54ef3ffd0cfa9113f02056c6b6
SHA512 e5f8b8a8e515afedd346d1832dab14cd011d4b55ff663b2a9185b155961780aa7ec5b0b2684048d768b4f4aedec9ce1e39066723a6e200febabcc148bc6c65df

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp

MD5 531729d9492c567fe640294f0c46c005
SHA1 14e43ae7ceb11b174c5d400038db7ebeb04a2e9b
SHA256 82f9ca79d28d2f0a789d8acd07cbcbca2577f90fcf47f4cec52e6d346995b5c3
SHA512 e2090e1dc4e1510f51db0132431617a26ee6cff96b93725412012c80a9f9cee74aefc724b14c9cb81b11bf55f262f402034f0303f617423b35c300f817169e04

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 5a9c86e70f274341b158083359cae7e4
SHA1 f1617c396eb662ea0d64881a46882e50e867c14e
SHA256 59c1573895a7d2bd24075ae187803673cf9f839a769d3e61e951fbc287e07553
SHA512 4d7af4f79f5e8c65335da5520c0fdce038907bbfcb48e44b058cb9761ee4dcc13fed4702198fdd4e46828f9d31162e0d4bfd93152dd8e04064ef13d4449e6ab4

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp

MD5 a3e8af3103c6899c9e7395e12852f633
SHA1 8a3d4f2524bf2d51cc468b2c799f606e98427da5
SHA256 88834c41a373bb903785f474a947996750ce881a69744034fd58b57959b3a7a8
SHA512 d00653322878e303ed95751264d8cc73ac1bdaeddea8c2dece35dcfc9e90da30008c172b234a161cb06463f216d03c6a8974e28873d7bf63b7e91105a780329d

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp

MD5 77c6b01070c86f1bcbbdffacd662c464
SHA1 f2003e1aa50c0a38c2ec6a4c8d1ac2e09c36bc2b
SHA256 e69d684cb80248a62d59e973d55ef89dd976a7a2f0f73fadf3561838b7907e06
SHA512 a540646fdde6dd6265a59412b1c4ac15e02f2b39c3f435edd6e1835763f49cbcdbe1ca4f79b91649d6a6220125b42caddbae676a2a6d0c84899ad979ccd3d3f0

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp

MD5 0930cd2b6559511a144ac3d7159cbe86
SHA1 52bfd1c15c8d7d1a794281759e0f43ecf564ee32
SHA256 25507298e94539d5f938f4d4e2e094a3826b64615d84764b03b61838440819e2
SHA512 51d5038002d9a3c8ed54b795b7d769ed3c2f3a28da3d9b4fc94087ac094abd6915076dcf6fc7574643216472c2b81df81563c7c5ac3c45a6f392371ab8ff416a

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp

MD5 b510c664b8e2e9b923a9eb2a138455b3
SHA1 ad3874ba7a9972ee2192561d5fc2ed11787c2f77
SHA256 f0248d4193442c7f672eed574945acc14f4a4920364da2b9735d4bcdc9fe2f52
SHA512 49b23000cca512e70ce1298c49c82c819695ddd06159edc87a1e92f1e552e1c777f670f735f1a1202bc43fd5a2058bb53c3dddbea7fbcb7f89dacc14d2b29f21

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 b6a541d0f04ecee07b498d43c477313f
SHA1 0d925422801e2edf82a3cd3206ba02a9876f04bd
SHA256 a6f5018a31a307f61745440e30b406aadda46436b1b2994172d45307dedffe50
SHA512 edd787aa45c49059a8950d6f39709c94a5109524379d6251f2aa487462d90c20bbe07c1b3c2093c120542bdc3d9acbab8abee57110e11b055e39f6bf642a69e7

C:\Program Files\7-Zip\7z.dll.tmp

MD5 06931216ce27d6f277d4e27a99d589ec
SHA1 60f448aeec9cce68c5ab7d9e608bb5e2ff5ccb61
SHA256 d0e7a3d02d5bdc93d135cc00bbcaf8f3b23ba7afe428da927b79060f01079c61
SHA512 125e271bea4091bd67d49a215c875946dfe4b42bcd3d386305b87ec73fce2c21c25fa620da2f156d83da6962a9cd8e33710452505f6b56de7cb1a71db51cd1fb

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera.tmp

MD5 f28e845dd7796ee468678f05df54b483
SHA1 c5c838157a31fd498e92383c32ce6b1525fd730c
SHA256 b569323ad48ee26bce3d50d6df6fddf1e8061a9355f6d698524594940aed0b2c
SHA512 20636952b8d2776f45d1345e4617344c327312f7489db6b13eaf9e64fd399720302e7217c39d973278dfc1d13818f7736f9ca8b6050f8b51e590544757045c95