Malware Analysis Report

2025-06-16 03:34

Sample ID 240608-bs2mxsfa8z
Target 1a423a69956d44c03f6b71f0e3e81ff0.bin
SHA256 839fbd9b8f37b7d7d4f928024095edda11fbf91e79346c1a0bb32cc24954fdbb
Tags ransomware
Score 9/10

Analysis Overview

Score 9/10
SHA256 839fbd9b8f37b7d7d4f928024095edda11fbf91e79346c1a0bb32cc24954fdbb

Threat Level: Likely malicious

The file 1a423a69956d44c03f6b71f0e3e81ff0.bin was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5084) files with added filename extension

Renames multiple (532) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-08 01:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-08 01:25
Reported 2024-06-08 01:27
Platform win10v2004-20240426-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe"

Signatures

Renames multiple (5084) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe N/A

Drops file in Program Files directory

Processes

C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe

"C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe

"_AutoIt Help File.lnk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 01:25

Reported

2024-06-08 01:27

Platform

win7-20240221-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe"

Signatures

Renames multiple (532) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\th.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\7-Zip\Lang\fr.txt.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\DVD Maker\OmdBase.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\JSProfilerCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sk.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe

"C:\Users\Admin\AppData\Local\Temp\1a423a69956d44c03f6b71f0e3e81ff0.exe"

C:\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe

"_AutoIt Help File.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

memory/1524-0-0x0000000000400000-0x0000000000408000-memory.dmp

\Windows\SysWOW64\Zombie.exe

MD5 ef72e68d14be2fb2f472671739d49749
SHA1 35c32b72c346c13ca1474a30537e71616308d1b5
SHA256 d140d805968cffd64fc6dbb44630ba583822c585c13d800c1c74d11b5cbc389c
SHA512 db2fc10be942b9bc24a802d2e09c69b417acc02e729c22786932391177d8908eb3f4b21acb809838f6522e96d525bec67d06aa86f8dd665b2f62a9aeb1bd0de7

\Users\Admin\AppData\Local\Temp\_AutoIt Help File.lnk.exe

MD5 526a7282d12fe9d046e9611607a42ce1
SHA1 60bc14d7bd9791d36764161c05d902acb2bfa799
SHA256 ba6c94a395f14ccd78edb14b61f38c375dd9644865ea327eda8c876603e3188c
SHA512 f9215bcc00695e5d8991f3a659688589d34e6da31d66c25297a211807f1c20c88763ebf787f058fdcac97d268985036900a2386dc4235b27f79b869d13cfe194

memory/1524-13-0x0000000000280000-0x0000000000288000-memory.dmp

memory/1524-12-0x0000000000280000-0x0000000000288000-memory.dmp
