Malware Analysis Report

2025-06-16 03:35

Sample ID: 240608-b4ebrsgb94
Target: 1afbf2ce31b157382be0dde94adf1ca0.bin
SHA256: 910092a3dbf2d67b4f09da87897781da716f9b94afece41b5c4f23cf0ff4e10e
Tags: ransomware
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: 910092a3dbf2d67b4f09da87897781da716f9b94afece41b5c4f23cf0ff4e10e

Threat Level: Likely malicious

The file 1afbf2ce31b157382be0dde94adf1ca0.bin was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4877) files with added filename extension

Renames multiple (5362) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-08 01:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-08 01:41
Reported: 2024-06-08 01:44
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe"

Signatures

Renames multiple (5362) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe | N/A
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Classic.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySite.ico.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\jdwp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Java\jre8\lib\deployment.config.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.exe.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationTypes.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\nb.pak.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-synch-l1-2-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\charsets.jar.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrjit.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.bfc.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png.exe.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\FindPush.snd.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_.files.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe

"C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe"

C:\Users\Admin\AppData\Local\Temp\_.files.exe

"_.files.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 52.111.227.11:443 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 01:41
Reported: 2024-06-08 01:44
Platform: win7-20240220-en
Max time kernel: 150s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe"

Signatures

Renames multiple (4877) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipBand.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\MET.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\setup_wm.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\DVD Maker\Shared\DissolveNoise.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Urumqi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\javafx.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Gaza.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Aero.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jre7\bin\libxslt.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.EPS.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\CET.exe.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A
File created C:\Program Files\Windows Defender\MsMpCom.dll.tmp C:\Users\Admin\AppData\Local\Temp\_.files.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe

"C:\Users\Admin\AppData\Local\Temp\1afbf2ce31b157382be0dde94adf1ca0.exe"

C:\Users\Admin\AppData\Local\Temp\_.files.exe

"_.files.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files
