Malware Analysis Report

2025-01-03 08:32

Sample ID 240610-3w8zyswekr
Target 7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be
SHA256 7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be
Tags
ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be

Threat Level: Likely malicious

The file 7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5174) files with added filename extension

Renames multiple (3706) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory
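The two "Renames multiple (N) files with added filename extension" entries above are counts of rename events in which the new name is the old name plus one extra extension. The Python below, added here as an illustration and not part of the sandbox or of the sample, applies that heuristic to rename events and reports the processes that cross a threshold together with the extension they append and how many directories they touched. The events, the benign control cases and the threshold of 3 are constructed; the paths follow this report, and the appended `.exe` mirrors names such as `7-zip.chm.exe` in the Files section.

```python
"""Mass-rename heuristic behind the "Renames multiple (N) files with added
filename extension" signature. Added illustration, not the sandbox's own code.
All events below are constructed to mirror the paths in this report."""
from collections import Counter, defaultdict
import ntpath

ZOMBIE = r"C:\Windows\SysWOW64\Zombie.exe"
PS1EXE = r"C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe"
RECYCLE = r"C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000"

# Constructed rename events: (process image, old path, new path).
SAMPLE_EVENTS = [
    (ZOMBIE, r"C:\Program Files\7-Zip\7-zip.chm", r"C:\Program Files\7-Zip\7-zip.chm.exe"),
    (ZOMBIE, r"C:\Program Files\7-Zip\7-zip.dll", r"C:\Program Files\7-Zip\7-zip.dll.exe"),
    (ZOMBIE, r"C:\Program Files\7-Zip\7-zip32.dll", r"C:\Program Files\7-Zip\7-zip32.dll.exe"),
    (PS1EXE, RECYCLE + r"\desktop.ini", RECYCLE + r"\desktop.ini.exe"),
    (PS1EXE, r"C:\Program Files\7-Zip\Lang\af.txt", r"C:\Program Files\7-Zip\Lang\af.txt.exe"),
    (PS1EXE, r"C:\Program Files\7-Zip\Lang\bn.txt", r"C:\Program Files\7-Zip\Lang\bn.txt.exe"),
    # Benign renames that must not count: an Office save-swap and a plain move.
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Users\Admin\Documents\~WRD0001.tmp", r"C:\Users\Admin\Documents\report.docx"),
    (r"C:\Windows\explorer.exe",
     r"C:\Users\Admin\Downloads\setup.exe", r"C:\Users\Admin\Desktop\setup.exe"),
]


def appended_extension(old_path, new_path):
    """Return the extension a rename appended (e.g. '.exe'), or None when the
    rename is not <same directory>\\<same name>.<exactly one new extension>."""
    if ntpath.dirname(old_path).lower() != ntpath.dirname(new_path).lower():
        return None
    old_name = ntpath.basename(old_path).lower()
    new_name = ntpath.basename(new_path).lower()
    if not new_name.startswith(old_name + "."):
        return None
    suffix = new_name[len(old_name):]          # keeps the leading dot
    return suffix if suffix.count(".") == 1 and len(suffix) > 1 else None


def mass_rename_offenders(events, threshold):
    """Count appended-extension renames per process; return those at or above
    threshold as {process: (count, dominant_extension, distinct_directories)}."""
    per_proc = defaultdict(Counter)
    dirs = defaultdict(set)
    for process, old_path, new_path in events:
        ext = appended_extension(old_path, new_path)
        if ext is None:
            continue
        per_proc[process][ext] += 1
        dirs[process].add(ntpath.dirname(new_path).lower())
    offenders = {}
    for process, exts in per_proc.items():
        total = sum(exts.values())
        if total >= threshold:
            dominant, _ = exts.most_common(1)[0]
            offenders[process] = (total, dominant, len(dirs[process]))
    return offenders


if __name__ == "__main__":
    for proc, (n, ext, ndirs) in mass_rename_offenders(SAMPLE_EVENTS, 3).items():
        print(f"{proc}: {n} renames appending {ext} across {ndirs} directories")
```

In production the count should be windowed (renames per process per minute) rather than taken over the whole run, and a hit is far stronger when the same process also shows "Drops file in System32 directory" and "Executes dropped EXE", as both detonations here do. The sandbox totals (5174 and 3706) are whole-run counts over the 150 s kernel budget on two different platforms.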

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 23:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 23:52

Reported

2024-06-10 23:55

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe"

Signatures

Renames multiple (5174) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\v8_context_snapshot.bin.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\cs.pak.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\dom.md.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ul-oob.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sl.txt.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.ThreadPool.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\preloaded_data.pb.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\it.pak.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Luna.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe

"C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe

"_New-VSChannelReference.ps1.exe"

Network

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 f052d15f1b566107764a2774908b6af1
SHA1 9e1028843bff7fdffbef8a8a41d0f96811c6316d
SHA256 f85dab0872df5adbdf677222092b0856a1838d56cae16021d069f293b4b34b61
SHA512 40ec41f35a125c28196e16365bd2b8b480edcd6d19c0132f248b3b32f04f22fa49efe1c7bc5acb9106215e1630475f4e3ba562d77b2d707b6dd1bc1562c798bd

C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe

MD5 ced4ba990721aaf04751b1ac249d77d5
SHA1 d882e8ac018ae109e110fcb259308a4fac2c90b6
SHA256 4127b2b43680b5132f92073c45ee6a2d012e3c7944202bd5db1d97b29c13e1b2
SHA512 649cf3d7a88fdc9f856ebc67646c7dcd04e52e2e1eba2d12a0e0aa5a7bb3c956c4e0b311843419ee307fbd33d3a7fd9d060b34725c06795f4954cb481c543f3d

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.tmp

MD5 cdc2d4a450e9db99de867b233ff084ab
SHA1 e05f5d406e6eec3f4ddc7edcc31bbe54435f08e3
SHA256 19074f8ba61f7f7fa80039ca4381ebb6a5c92c19c7f2e32644307fc8e23dce82
SHA512 3ea3fddfbd252eee0047981ef4dffec1e28e336b9d4afbbfe1b3140bd7b1e6009975397bf53f7f0ecc8ed6444ff4d847d310427fa0098b7ed56ad2855e65ced1

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe.tmp

MD5 6ff56bf0b24576a8f9b5ec56ca2072ac
SHA1 4d71d51e6742ebbba2068380d4b38d358b80d4b6
SHA256 a02317bb7ddb4704d20d28564198aaf4390f7f4c79bd61704f6fa6c674226c71
SHA512 ffa7218ae8c74468e9330db1711975f77e1c074c7aa37e5cdbfd42112af5e1a93337e95540f76b654c0d0d0c94dc9678ea19d3e14345892373cc70f638dbfc67

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 a16b32b13ad75df8c5d1457ff432d30e
SHA1 16edc9157fc0ec917850917096ce41858a03da66
SHA256 d5b57e8c65ae1fa64f59384c27c571a6689471cb0581b3abc043a860e1cdf393
SHA512 9f11ed122c46e12dfe5fe884f4dd7bb3290dca4f1a67bdad0f71bba8d759b80697a38ad02855cb2a324906e85f3ed10fe9974699d3fb35c280e9e4b2054f8126

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 eb42ee9270082297f749f703d5596b65
SHA1 4760c875b64c0a0327b597ee6a241cc7a628747b
SHA256 1d201f12dd068865bb1a9a93d95106a9f125b316dc4ef381852a63496398c536
SHA512 46330485350bfb99be241ae962371b844c58bdfcabfe37949039b58479833f6819ba9350de68aac68c380254ed15bed88994421d280dc4520a330f452ae71a82

C:\Program Files\7-Zip\7-zip32.dll.exe

MD5 f06e8fae69f1aac6f568e9ce5b5e2f7c
SHA1 ea2c6ccd394a42a8d24439bbdb681fc868caf010
SHA256 5b703fa8dfe82cdc69f8faef89ed527a3f0f119691cad3023adcae1b4bc6cd06
SHA512 9fba7d241a2303d27894fd12ece7b1c465ad155aeeff7148d29037ae34d2a770bead57b1eb0413c2d5bbb2daa2f98da1eb33f25a062a73777d3517a38208e474

C:\Program Files\7-Zip\7z.dll.tmp

MD5 9151b6c5448e67b83a2d9a63ad230845
SHA1 d864d7fae9971e072f4b662cf5b1a3cc9793205e
SHA256 6dd0b6e153157b3befdace487debce5cfb38698d008f18e4b4216c2ddb93d15e
SHA512 9f3288dc568aba0e6e2923584b65a7fac65c21bedeadc6c4169e51e9d15b877837e241b66ae123519d016a34080841b3f8f157b8d2b6ce7dbe904bac8e6732fc

C:\Program Files\7-Zip\7z.exe

MD5 00d57c8ef3abaa570c080c410534620c
SHA1 6f638531c56d9a95d01570983240441d6e0bb83b
SHA256 f73e0b4acff41d9889f791f8d1663ce92745ba3b779f0de6437686ef1ea0c3f2
SHA512 efe933ccb41d6d762bd40e6af973f308e9b31fb1ad9e75be83279a49115c506050d2a24f0c3f00b3f5d83a6b831bc2c8d5a56851703e3e7132ad88f95a126cd4

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 bf2cfbb60e6e52409fffa21202906f2d
SHA1 ad8650cc98602f19665b441d7c05e4cc0b84adf1
SHA256 d3f43b4e502b807d1a99e1db8a2127d502f5c32756caf6d9b7b4390ae1c5df17
SHA512 70e798053739a43be2a20aee87f20972b6421d2c941a551e49afc4f506b4012cf7865e8600e63c63245cd393d105ad4f91abf0ef0b6f0df4ffa259a36fbafd89

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 d087b84d2ca59f7a526c4e6b3f347fff
SHA1 b333bceb302cbcbe93696e16caa21431290c4180
SHA256 7587344c8b46e895cfa6c08a1a1ee688b2c3ae14a3dcaa8d608b146131312f78
SHA512 0b2d275d94ff1fb6c7251125c46a13a7a6c7618bb2d11b07b4dd5a55f1664ac8ea328293816881b874c8089496ef9c6bdd6fdda7650a952761e4dd9ba3edcf5b

C:\Program Files\7-Zip\Lang\af.txt.tmp

MD5 89b796469fe03649eda33deee115f8b4
SHA1 8fb8df86dcab41451cdb6c799307d1170631e4de
SHA256 73f868f2084227a5970b5975c9828f14bf19aa43f64e3bb1f244a22dd56c5af5
SHA512 98e9423532c3ac4f7af4b0f0f497d144b81104b8552e3601b55b7fbb9bdbca138ceb34477061c3a0105d3d2be9a66ae282a23e2616b99b68e7e0f1adf6219858

C:\Program Files\7-Zip\Lang\bn.txt.tmp

MD5 5af91c307436ec7af19f904332b7ddb7
SHA1 1b9205bfb70bb3ba74ce8836e473f22bf2008c22
SHA256 bc285a159b6a220ef2fd16ad47f998914b2025dc4c382425a8f57322d597a48b
SHA512 04a127a5976bbeee89135fa03ef80842bae92f0a025138fe416a7cdf5003e55f26a117096d92b476bb06fca30193a4915483a49fc533212a46635bc86654906e

C:\Program Files\7-Zip\Lang\br.txt.tmp

MD5 08af48a56ac11e6109585f6a56806574
SHA1 46327a156df3439ee913d235e3203287487c332b
SHA256 d373046f387fa2d91d94b2541b60722d6b98ca1d1e2e61fc42a17993e75b837b
SHA512 3c52b995e0bef347454ed2cc78e461a1ab72d8e40ba7e6935d39f848a441fe05b96497f7ed9852386237fb95f489c537bc2a83968a890365dea8ea960a7096a2

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 b36b54e2031101273d6f22f3a4c6a95b
SHA1 393b09e7a580bb6b98a9dcde5ab6562a5297c5b9
SHA256 3688ab2d056d825f28749dafe5b5880b3a4041b5862aaa1cc95361ec7125efed
SHA512 6e6361ed923a85252250a547f99c3a0556d1fd37e956653ffd165ace2fcc6272d4420e2b3427ac2cbe7cf038f4265033c6973b2c33e121d171b3a73fc16f1796

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 ef409ee659b9a83cd77feb825ef747b2
SHA1 259df2f68becb6535b03b09e52dd6b3da7391085
SHA256 4daf0d9e6b211274ee493eff30925c8ed5df21c906d2700dc708436041cbb8ab
SHA512 47e78de2207c16694d4138d3724ca21b85a4021fef8774fc916d2167a44a63e1f90297b0df3ce39b9cf21b8dee5a18bcb1411252dc8c0b3cf09ac094b549bc37

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 e58f28f4bcad8725abcda979809441e6
SHA1 7505d7b47da235fcf86f3d31f8dc69e15149d867
SHA256 7490dc04883fa9b683b272f9acdec2388217c89a40b2014bcd95c265a85daf61
SHA512 bc6bee402a78fb7029291d0773f4fa12e35b6f52d086b71265c7fa43553d987e1e6d07e9fa7acbbd5599d568978f43802f788e62619a41d9477b46f305665e18

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 da637c148cd9a9d60cb2af86798709b3
SHA1 fe2dbd97b75de0ebbb1d8408a49f9fc27fff00a6
SHA256 aae9740646090c5a7ca81ed22d3b74213414c9e42bca1da7faf837513d422e7f
SHA512 09de4b04479209b60bca0887236eee2ef2816b1c796a86d030fcd5f3ec95667625d1264199964edf06ee2dc74cbb5c5cc71fcca9dfc028363e0de27f44be207a

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 32283b4dfe11e2f2dd3fd315494d6fa9
SHA1 8321a9075be1abada66cdad45285933929e249bf
SHA256 bbf3ef02b402ee2a6bf6618e6f827509f8386c21cfb3641978820ee0648fe6ce
SHA512 0f77388a6f0d2311aa3ee3d7f0bdd890a87fb41632c465bad3a36637fca4a8ae92a25abf1eece48bec3ae70d91e963e852d7180918e8da4b417210a9a3e35035

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 0258fb154d7cbed9e415f25d47db9ec6
SHA1 1830833989a3d4ec45c48c685beef06ea3487663
SHA256 838f7f1b5253e87f14793b58c0326afaa6ec822cf74047442135d9b6669a15c6
SHA512 6a5c65069b1a27d9c5a5bbe0b66241e1629195e2bf94acb997b2f0d3204c99426335158ad9e904c99abde0362827073f299191da97e2f9d459b67d92e07b97e8

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 3a907b92a2a097828750144d1cc20272
SHA1 da6df93ef0f4488e4f89ccf603a85b46aa901430
SHA256 79d0a7bbdae33dccb82f82d13d9276a90c12f42e1ae7b123c4a2ea0607c61cef
SHA512 332585277c8366bf807674d8d2a66548e001874e601431cf3fac1b30f1e9dd857c5abf69fedc087f275c44354fc2c32f2372c765bb1d41bfdafb7c6d13318adb

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 8c2da78be0db28ef3c58f52f5f059abf
SHA1 ece23fa339f6c1e34b1ff8128f25c2771d0ec4a3
SHA256 ff332119a132fa6973bd1248ca92126fd5a9159102bfb5c20b53e7ad253403a9
SHA512 4c4f0c496af676befc3a47e3e87cbb4f4cd2b2731bcc0cbd945b54d487ed652a5fc6163dbb4156ae1f5c3f5a627211ddbe5714eabfe797dde8828fa5071d2c95

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 a537aba64a09f6d2e2fe2b62f7557b30
SHA1 5a9d86dc3e08f12d39b2cec80ca394f9147af503
SHA256 a52250e0c2b6e379d6e870b9eb4c2cddc4cbeae14a85c32558f4f2366ee9c0c9
SHA512 5d75cc7be9ed0a9e20dcdc9fcabe7f9aef5adb2106880f28311028e55aad25314046d1704b882c1d91d8dca66e9bd726953f48a4907eb7e7289b6748a86a61e5

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 08ab1a0ed42299dbcf735252ff71b014
SHA1 3bd9fa0cdd7d7bc9dadb6b2fa2d00f63c5cf73fb
SHA256 da0b3d326397824cabe6d728db7c0167625a3ec0757ddf5fe702d6216524223a
SHA512 5f66af897b8991e722d4972e98b23ea8094ce6bec85dbdcbb34642d0cc559e378df873dd8e005503368969df591052759a94a778b7f44d6cd35920819c160f52

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 d97601a4edb29e1454d1455da426d425
SHA1 7d49a1a78b66d617dec899860f5dc48935681939
SHA256 19c09fa28dd2b258a2eb311131be938b5cb0fee8a01da5caaefd92d8f09030de
SHA512 1adc854b47cb971fa1b1cf4aed3c2a55f8b75f4835eb4cdf24741097241296bb7f42e5a7e82f0c490e66d37816a628d6f44c2b761185a9c7a71ea8ed59fc594c

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 fcc721ab8d541006b18442955251e71d
SHA1 ddc9e93ce7f33d6cf464eeed2dd5f9bbea422818
SHA256 ee8263c7bd13170c225ccfdd33c46e79cd1aaa35c963c4e2f6fccd5480011c23
SHA512 ed7f8975550622c7e9b9e074c8378954ed38b0882881f186b01d14d307c9a4d562a37ee8c6bf1112695aee0a853502d85f857c6c1a886e9619c3acb024cf9906

C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 32a61b3174507b240819f2aef92aa10f
SHA1 80f94d22725716b85b916e2b7c8ccd967745ede0
SHA256 2fc9feec9e3ce19a9ba331c6ce54d71a0395076110ecfb76c4b96262592e4b85
SHA512 920086dec19148b2154a118767b35e6a9f7def21c843461d477a4378787b632c911db9dea97158389c805cf6068e24c5c14b41f64831d1ced727e16db7dd0b72

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 9a9724bbbc7d9c34378e1e611b57ec5f
SHA1 3fcb6e5de1be4215ef1408a137f8a2395e03ce9c
SHA256 8642d39767de3d0bb9c4d77d41fa1dfc3aa28bebb4302178706a914464da8ecd
SHA512 af4bfb53c2736c88022979edb69572086029db867c5f132743bbb7e465410d05fae09c86c5cee89f9b589516163462aed269ea31b0c919851130cdb479cb71a8

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 67056130b66f943e8f1f9b8b3076df05
SHA1 ef1467b51529adfce97a7b4f121b62e91f390344
SHA256 5f50534898b19630a0d5559b9dbb199cb830d159b31bbbbb2e399c2b8463e01b
SHA512 3ff4afa1d3a22f5fc834a380e38f105dd514ff45f5ad28aaf00ca52180b606b240daab04320cbc37ab03595b577a7320838d278cd4dd53a79c0d5e787bca2e28

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 5aebc00f09c01ea342743e449fe9d004
SHA1 e58116261be5139ec4de2d2622b6138dbde39833
SHA256 b0fff4279805e8109787cf1ed7950caa3f265505c4a8947dd1d528c9b6580899
SHA512 34bec789d5afa3f03794002a3238aecf11ad8a4cd0b837fdb431f331bcf1b9a3b0e161fa06928ed38aa1965a7dc1b5347c3a0b2d54332b7eac3b39f3ac46d22d

C:\Program Files\7-Zip\Lang\ms.txt.tmp

MD5 f9cfe9be711edbf2b00695ffd611d315
SHA1 e832ad70f5c3c001ace45b6b47f459325058f869
SHA256 40a895a5e055357d4a358a46dca0e957df0207ce03e09f60be6fe2791a1c1065
SHA512 f2c7beb321b131865b6e391d4ae9fe2d3f4b96119244778b3077c43f0d0d2441f6c650e1abc3e663898ca439d28bc200b9a7023a18319435770f964be9878015

C:\Program Files\7-Zip\Lang\mr.txt.tmp

MD5 4b1a476f2f0411d99e28825fc9bd0e5b
SHA1 204e05b8841693ef1d40db8d85ba138ddb605a32
SHA256 10c98a6f52c7c32b29f064028a8ab7d0d7a7535ac78d191682ae438457ef97d6
SHA512 084ffc7bb763afb299ce23a0c948086b609e18337a9e80483b792b82f8e0f8723f668ebc8d2a7f87d73197c80f99055ab9079c84e9dde328b7a44c50ef3bda55

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 a12aaa0f5f19d26420f2ac3b9291f690
SHA1 90c587877955fca4087a7a475c8fc73505e8fcdd
SHA256 c58504310ddd8826f3f509c4bf11973dd6596c14dbe005dbf9d40fb132aeab9a
SHA512 e5fe75fd2b160500ac9dfeb879b9363ab6cab0049307b9d9566f4cf59303bd5c8520cd92bb72bf0d78a6edf2dc53c26269c78a42acdba5f3037ff8cf07c24a8a

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 d5b2336e4d41a36838b546c85e4d5c30
SHA1 6b9d02bfa8d7689a43514462bbe0a088ef216fe0
SHA256 b50d279b3f0170220a07bccbdcc9c6ef7adc56d52fc08c9327cf62504a19b068
SHA512 461ea0b855c5b3ac3b2b291b259356cb18e75d41726cb586cf621d3f514d91838734f7b1bbbcda0038ba0f6abe88d406dda53ccab790668799b1048a178018fc

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 300e6f35cbc9e86193cace0c907862c8
SHA1 9624cf7d4cc6b6fa8ebe0d3b0396a12881212b07
SHA256 0baf5f9727e27fbf250dd1737f2b162b9307fa3085f72b737ac4341bfdd973d0
SHA512 621baed9eef26940be3dd698c5fc93af06956d0763d5c9f69ab54c02f11d1f9b30814d78f2ffd9ee2ea960fe23ef520ee1be571412fc56e3706398617e1fa0ba

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 1eb367f553e86340d95f7d0508b83470
SHA1 efca65c20d44f38beb9a215dd06da19bdd3ab89f
SHA256 3f4156202d29ef9f032b6bff1dc480205a8dd4a5ba8df7a58ac3e9e7ab9d8bf5
SHA512 47b1ca34462658babdb6257a4fb138d757303a7ed4375c82ad20fec5e965e8ece021f2142074d0249002b39231b0e8073b15eb25ce1c18e1713cf5c894c7cc49

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 b60b22e4be953ab0e82d7895fdf3af5d
SHA1 5420e1248f5ca545499e319b1ede188eb1f9d521
SHA256 8013d85deffc6a71a1f6faa54fc38be68ceced732a8980834c00c0c17cffaf2a
SHA512 283ebcd8aec2a28b1180771d191f1f9b73fd9e45f119819e48c21a9c2cb9324a33dacd3000b4b3d5be1d0925bf096876cbe054a1296cd8390890a56e23224cc9

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 04d46936b0d9a065f9d86203003df31d
SHA1 7f31f402295bc0729c146204790c4413a154340e
SHA256 5c359bd0630854c613bb51c968bced100d58f31e47711803bf596bc8a29557a9
SHA512 2c278399ba8a88f8a7150cc8ed4419ce9e34ad438a73365639635afc85a7aa5584299fc98e596c0dbfdd7d9a66852e1909c6effb6f2aab79a3ddbfdc0087770c

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 35cd48c08967c16c2979def0fed988d6
SHA1 87388858a61dd453ed22f3cfd62c958f31922c6e
SHA256 0f99ea4144d8c07e8aeca3ce3ccb07b8198a4e7c4b098e35eb297bd9ba3179a5
SHA512 c7a9cb6dc8d724d6eb51cdccc4b1f4044bc53d69bf9e5e5a2f286a0faef2c3be21c2eeed6d86850b874389006d62aa0f17bb3f7450184918c492e8b7edad96b1

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 b2d44b7db4ddd3819a87017098cb0b0c
SHA1 36b3808466f92d65aa77c3927fed4bdfd5544cca
SHA256 e1fec5717209068c6be8dbb61b4e0ddc5302bae1fab501f0b85ca13715ad6fd7
SHA512 bd7ce4f12947ff1c918c9198135470cba6d269cdc8210c4b5973f020d5644626d6112f71eb758c44b3d5375fbf7edeef235d5820cc8d9ecfabad35b6d46fc240

C:\Program Files\7-Zip\Lang\ka.txt.tmp

MD5 5cf10e961c5a98a02b2fbbcc19b7dc43
SHA1 5ada8e28dbe0dc2a2fb21b8c264bf539cfdc8230
SHA256 479816ca4173e3459b9fbf00ae0f915600fcb2e26c59b896cdd736b8bfac266c
SHA512 24a8acab1b200ab6da020ae54f066250483602f5504df9813273e91b0fdba290afff58f551acf3dc4dbd09b3e3e0c3a7b328714d59b9fd7e2a05eeebbc14816d

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 205e1cdbd4bd7091cb09a7ba11199b48
SHA1 c00cf3196f23244a2a9e6b0d5f547b18bcf16e6f
SHA256 3513f54456092b88bc4cbedf2564dd68bfcae30d2e36733552a04671f67d275b
SHA512 8d45bc5b571ba9565b16805f307963b70d9ff88e87c801e05f51c4703cefa742a52493ec1cd320ce8ca69fc8128550992d103d8855451eecec707343ec12bd7f

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 517533833d438b3142a966cedc5b0d37
SHA1 1a75c74226ee8616a5f05d08ce1dafeab6471a34
SHA256 19c0e5ca0ebd13134b1283de9bec64c70775028fcd9b18e24092a57000279096
SHA512 5b807206e1623a23e783547326eaa0e673844713d184c400205d017e43fd06b94401469844c7d91ee889e6c67bb34ae936a3afa4cab7f162554972fb4471bbb4

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 b31ef75ca913165ad891c56f872ee737
SHA1 1aa6efcfb7998962b7fa7f6e22c99159fcabdff5
SHA256 6bb63b6061d22eb8e2cc167218136bf28953747011701217b3191ff1d0d28b7b
SHA512 5e50e864a59828a79f2548b9ad01382c077274497f21f0d957b40e150c1e2856d4129e4e6f6e0f926cf649da7480a4e3e24b250069043cb1c6b5267e42729f6a

C:\Program Files\7-Zip\Lang\ga.txt.tmp

MD5 09ca9fc734886382fcfe898fcfd437a2
SHA1 0086553ff3c54982bf82e4330028496c425213da
SHA256 04841a82fca5bd3b52ffbf06166aacfefe20023d95530035044952acb9ec307d
SHA512 4bcdd2db8fb7466381488d7d270b7ef387b039402ba61a102253b9afc399a7714235211466a72ab25655400004fb8ea9e85041b24d1ce4d90a981bac1d9fc92c

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 fc5375531e678e5b36c16b119a64c5bf
SHA1 e2f3e5a0c9c5e6aa20085b155b6bdbd144d017b9
SHA256 171ee1234e644af9e205c4522ffcb7662d4a6cd31acbabd1df67c135da1d50ad
SHA512 f6d1f94f827135f6db37a534a3af5a5f27981908958e5ae8a39ea1d1a0ad2d9f4e1cd2799d93d951c93fb682e1c9eafc3ab92479590919e5ecff6ec1e5cc1813

C:\Program Files\7-Zip\Lang\fr.txt.tmp

MD5 d1c997c4aef82b9d8460b3e2cabffbbb
SHA1 61bec080e27ad785169ec0ad02de1565e1dc1423
SHA256 4b17fbceee3d9817a3e6d00d39b8734483fb1ed94726fdccd901cb6770cd3004
SHA512 c3bb1d04e82dbbdcc57f364c34addcccb156c5817f1bf67fd8a035af2197dbd859c002824e289e764d9dd4c06ddd1d86a4854ee0ad8c9adc3da01ede81c7f9d3

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 245068d88dd1045ca7d1c4988beae6e5
SHA1 7ed3a395ce3494fa6d2b18de0411f341cde77a41
SHA256 580930162828655ab4a0769162772bff0001a34b63d973d8be51f05150b98793
SHA512 b15d2cd2205832faf6818a9b1ba6e1d920fa5f504e23b1737f2ee690cc1e8668dd56bbaa2bb4aaec054416271effa7a990e8d49ae10e18e81a27766c00865e67

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 cda2e37da119524bedf0ca65ecab3503
SHA1 33c35e685ce4d70121aae1f8646843f27415fc82
SHA256 e03bd567445d2aa27b0fff9600e4aeb217cb2d2972be50dc82e355c2d805330b
SHA512 3c48b4c57eda279946ee2e1e4aeda5627f01942fd08c3164dd9c3feb9ab16caaa7f1309f2d0cb1fc87fdb33cafca63a3ea4cd60009b9906f86ce88d676a69872

C:\Program Files\7-Zip\Lang\da.txt.tmp

MD5 bfc17cee255f7a9aa8b2892e7b02478c
SHA1 9f350559cf449e390f50a6c9c46c5d09f9793900
SHA256 c76f39e9a73351ed57718320509ec2e1ff4b5f3900161d7155dc330cd1fc0ca5
SHA512 f8937aa3dab632ecf37311a98e0a6e6ec89d93a69a3a7f350d1ea75010946e47231ddb6c33644b927f3ce28b78be4c4430dc7b870c9ab2dba88278cb65e305be

C:\Program Files\7-Zip\Lang\cs.txt.tmp

MD5 1eca7d8552d04ecd24783f33a6660ebc
SHA1 76e88afe111463565affe814e96579adf366705c
SHA256 5be784038282cbd8aef0ba01423037e87d9e2d4649d863e3fd46412496024aeb
SHA512 b28208ff9040f20754b7657d2e203a63979d59bc0d6b314328cb2510bca8db07eac2c18538ee3a32dafa8073b9c9c8014f96184eff8d5f47c12462b0c2d46c7b

C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoCanary.png.tmp

MD5 bbb4c3ff1445f5ed2910640c83d0585f
SHA1 6010a603ceb7f4b3eca29a27db72ad8379a1bfe3
SHA256 931dd0d1d915766a622985c92fb3c3d0ff0085384763f7f0427e399c04f30b79
SHA512 d4fe3300e7e16f2420cac139d58651a3b49740967ea797d9c1201eeb9d314d4abf31f8139505654d8ea4abce8a343983bdb2b56d865b4ad2d4a7ae098b5f3972
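The Files section above gives the SHA-256 of the two dropped executables and shows the shape of the renamed victims (`7-zip.dll.exe`, `desktop.ini.exe.tmp`: a document or library name with an executable extension appended). The Python below, added here as a triage illustration and not part of the sandbox or the sample, sweeps a directory tree for files matching those two hashes and separately lists files whose name carries a double extension of that shape. The directory it scans is constructed in a temporary folder; the only hash hit is a planted stand-in whose hash is added to the IOC set for the demo, since the real dropped binaries are not on the page.

```python
"""Host triage against this report's dropped-file hashes. Added illustration,
not the sandbox's code; the tree it scans is constructed in a temp directory."""
import hashlib
import os
import shutil
import tempfile

# SHA-256 of the two dropped executables listed under Files in this report.
REPORT_IOCS = {
    "f85dab0872df5adbdf677222092b0856a1838d56cae16021d069f293b4b34b61":
        r"C:\Windows\SysWOW64\Zombie.exe",
    "4127b2b43680b5132f92073c45ee6a2d012e3c7944202bd5db1d97b29c13e1b2":
        r"C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe",
}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Return (path, sha256, label) for every file under root whose hash is in iocs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:          # locked, vanished or unreadable file
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def suspicious_double_extensions(root, appended=".exe"):
    """Files named <something>.<ext><appended>, e.g. 7-zip.dll.exe, the shape of
    the renamed victims in this report. A genuine executable keeps a single
    extension and is not reported."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            lower = name.lower()
            if not lower.endswith(appended):
                continue
            inner = os.path.splitext(lower[: -len(appended)])[1]
            if inner and inner != appended:
                found.append(os.path.join(dirpath, name))
    return found


def demo():
    """Build a constructed tree, run both checks, return (hit labels, victim names)."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    planted = b"constructed stand-in for a dropped binary"
    tree = {
        "benign.txt": b"hello",
        "Zombie.exe": planted,                   # the name proves nothing; the hash does
        os.path.join("7-Zip", "7z.exe"): b"a real executable keeps one extension",
        os.path.join("7-Zip", "7-zip.dll.exe"): b"ciphertext placeholder",
        os.path.join("7-Zip", "Lang", "af.txt.exe"): b"ciphertext placeholder",
    }
    for rel, data in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    iocs = dict(REPORT_IOCS)
    iocs[hashlib.sha256(planted).hexdigest()] = "constructed stand-in (demo only)"
    try:
        labels = [label for _, _, label in sweep(root, iocs)]
        victims = sorted(os.path.basename(p) for p in suspicious_double_extensions(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return labels, victims


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches this exact build of the dropper and its payload; a recompiled variant needs the behavioural checks instead. The double-extension list is a triage aid that also fires on legitimately named files, so review its output rather than acting on it automatically.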

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 23:52

Reported

2024-06-10 23:55

Platform

win7-20240215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe"

Signatures

Renames multiple (3706) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe | N/A
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_setid_plugin.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Windows Media Player\it-IT\WMPSideShowGadget.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.exe.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll.tmp | C:\Windows\SysWOW64\Zombie.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js.tmp | C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe | N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Windows Media Player\wmpnssci.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Windows Journal\Templates\Month_Calendar.jtp.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Windows Mail\oeimport.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Internet Explorer\jsdebuggeride.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\settings.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ShvlRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\management\jmxremote.access.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe
PID 2220 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe
PID 2220 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe
PID 2220 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe
PID 2220 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe C:\Windows\SysWOW64\Zombie.exe
PID 2220 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe C:\Windows\SysWOW64\Zombie.exe
PID 2220 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe C:\Windows\SysWOW64\Zombie.exe
PID 2220 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe

"C:\Users\Admin\AppData\Local\Temp\7d6785c0974dbc86db8b1dae5725daa3798f42d3937ed6665e6ebdc5d68e68be.exe"

C:\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe

"_New-VSChannelReference.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_New-VSChannelReference.ps1.exe

MD5 ced4ba990721aaf04751b1ac249d77d5
SHA1 d882e8ac018ae109e110fcb259308a4fac2c90b6
SHA256 4127b2b43680b5132f92073c45ee6a2d012e3c7944202bd5db1d97b29c13e1b2
SHA512 649cf3d7a88fdc9f856ebc67646c7dcd04e52e2e1eba2d12a0e0aa5a7bb3c956c4e0b311843419ee307fbd33d3a7fd9d060b34725c06795f4954cb481c543f3d

\Windows\SysWOW64\Zombie.exe

MD5 f052d15f1b566107764a2774908b6af1
SHA1 9e1028843bff7fdffbef8a8a41d0f96811c6316d
SHA256 f85dab0872df5adbdf677222092b0856a1838d56cae16021d069f293b4b34b61
SHA512 40ec41f35a125c28196e16365bd2b8b480edcd6d19c0132f248b3b32f04f22fa49efe1c7bc5acb9106215e1630475f4e3ba562d77b2d707b6dd1bc1562c798bd

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.tmp

MD5 23ad5babcb57683f7e111d9a5ce1cb0a
SHA1 bb0a41bf923ae8cb28ebfc338844766907a6b541
SHA256 ffa2a769e73b690f07a0e388be6f95babcbb69bd3120dc9f4571de725f774805
SHA512 0318bdf18bd07a73e6b4bc1da56f403cd233324148a6706c7e7f0a6defe3245090196cad32f3b1bfd236e5a928ba32327c25abe1c267a13af5164d400d82dd94

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini.exe.tmp

MD5 9cab87960c0a00637b25528c877d70ef
SHA1 09b78b0bd039888258857d84c18bee7e0633caef
SHA256 2878fd2647da9783678e4b2872bc59c67089b108df1dba3172fff1d1beaceeb3
SHA512 03b17c21d83b603d919ef5083766c5b9bae8580a226ff6f9d225e7be3580f05de7e299a2e16fb65ffc1a86711fc3f39159dabde64f548811f363062c5e875f8f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 9d563290b392b6ff69555ba3aeb60410
SHA1 ef0052d941c808859c199eb8d58e7c9bbaac5715
SHA256 954a07af81f433788cca47d60046c769f387864a915636abab30c18c60f1265e
SHA512 90735553e6332f2958b278e1fa4b37388d54655b0b5dfb396022c7b1cf8ab6eaa63b07a7774073d5be02ba90a4fe9aeb9ff032967bd1ad37be875c77a75c1a4e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 a700735cb4e2a41c02f842308a52939a
SHA1 db9ce9c39e42da0278b157f0b14993c3d47f99b4
SHA256 5f3845968b8b1524d6cff30ec59f31ee6c0fb4eb7ccdcb0abab672f832d47ea2
SHA512 0f3fdc0e4f12cfda00b6eb3bfad3ec37757d6069e10e08e191afce40f927014e8c74d58178dbd4c630eb7621084d66ee3e898c1f35837fc4fef1d460860697e9

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 aeff47b805d17ae924cf7a26ddf1cec5
SHA1 3cbc387a935bcc1caece6761669c4512f2fe9665
SHA256 3d310ef1f084645b7a7e9b98c43e162b36e44c8364b10762e54d2039300aea51
SHA512 7ab69c51db0b2bc311192536bba3e3f59aacee20abf012fcec096a37eaf9b30e263f79856f54a0cc265c6be044db25e78be0e4a5dfc03abe3c9ac4a76536c58b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 1d28a3b67f27e2cc2a93325f4fe329fc
SHA1 0a8dd4eda62fd1fa38d079e6f46ad2ed82bd8792
SHA256 a4c16ff57d500cac3950b5511e67f149c02abc27e9fe266dc86ebdaf68a3d30b
SHA512 6640763ca7ea0e1490be0aba4a1dfcea11100e0d8e31b76d3286d0975782436d8f76307dd4a42d783bf9b7c1ceb16712cfddc5b811c41bb3a9da4ee5d5f4be99

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 7820819f62b00d24f7c2cdb8f7d6420b
SHA1 000e40bac9eb7467e13a4862977971d1d7a65f99
SHA256 da9aacf6b2ad1b785b3018c22fc92f02fa28fc9920e7dfbff5f5cbe8e3858ed9
SHA512 81584898e1d11a799dd69e8f40fd5acfaa29023c8d3be9e8c882d9022d117cd9a0c77d6aeae4fddf8dfa06702d7aa22b9870d938debcc11f03ebf3b1eb14408b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 028fd63261c1daaddd8c8ce076d4a87e
SHA1 1db99f1a2c9edc81481ead5713a58b46725f8596
SHA256 0f368eda4f58f7b97c93ddd346f8c0e6cc858df54e1be77db5671464f6b6ce13
SHA512 6514873a4752e896545cc312e083f2cfe4d1331121b2c795bf188b85ec604ebb4bd7b79a12e6600d3dd49153cb63b1f381461cd74adc7824482535a38d2fdc94

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

MD5 654740fa92547bc370ea7c47dc420b43
SHA1 37df78d56f927bf44715e80cf72f7f31f2f50ddc
SHA256 970ee93bd92fa7926b6a6d8c00a54c216fbdd183ae89f5b50914dc8321b5d7fa
SHA512 8b8de236e26da246eb52e8e460fd23eaae0b5d2bac130af3109816a1f276c49b9c43a50719742b8d0ed223db63531a14e64528dd1df2ba124da2dfc5e24b8af7

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 33b04537472943d58a965803046e0e73
SHA1 638550b29540d554d05b246cbc80c05f64b0b535
SHA256 04da7c0f0fe450ee8e06f344d02f0f805ed0bfc829a9e44ef5c832eb49a672f5
SHA512 372dfb39d6570847118007f516da97a3eba296b8ad6b79b4956355f12418bc0abc04ad368fc5514303173386307fd3519a8869d21d3f6f021b7ac64dddb52380

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 e359d8de6a049a0625a709037038a86b
SHA1 21a1f1acbf26f93fd7b9450465e40b5996bb558b
SHA256 3cd3f7e0db8a65875ec9277829998a2d2b25d898cda3aaaf6bfa945ef7cfb132
SHA512 c50f1f76604a03c83121f14b7fd88bf572d632c4b036e87461e26b7666228752fe785f4d67f7aaacca88289ba339416e8f462e297ecb97c575df4c738f94f073

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 ea2919ce4a4a3da1f7bc17a7a3e9ab97
SHA1 3b2aed6eacbb9b5861d7abc85cc24bcca1a86fa8
SHA256 79d101d28faf616219f8b6cccaf6e4e9b85fc8651e526ef7ae81d0b0dd0d50e4
SHA512 a80b2aacd28793042e6a2d913983a3fa04f459358df3557c0f7a310a18101702b0aaa3057623905c0969ee05c30de6a1c284bf521bf1800e941a5aa6b25ef8cd

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 86ba52a5d84b866bd990b2832e026143
SHA1 92fba8edb304605fe58b0c45af875bf8ffe5de52
SHA256 00ac0b5304af583ed67458384087a60b4cc7d2138ed9c9758d257f53d9ad5a14
SHA512 9d416164567f3bebc2ca3de13ee24541e8c7bd4faa79c2e62040850bb784ca1d2c2e818e877da1580adeffc4e6b9c89afc6d7c647bbf8de1f8ed53b71d010d71

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 cd599a811f6149731d86ad3eb8f44ed7
SHA1 ea9d37b5b0f56be7c9445ab4c967bb0141965a74
SHA256 fdedc7a190a4388ff3ca27f0013c3d85f5dafa194c8361e0d09c772328cc3ba0
SHA512 f589cc7c0f4eb6f51b3bc32d7b1ba2e1698867ae2fbdf232701a56de8c9bfbee670d19841688ba6d1f8081c75e6f742e220aea087acf2d04e1e0bfa404a3a419

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 7c071236202264f47a3a9a21795ad916
SHA1 030544c0b60487033e7037a6c6f920d0886e743c
SHA256 23693fb26ff387d156aa28bdcda21572b43a6f1a1b1f14a76652fa9444bdec34
SHA512 be57be7d2234d9263c0121429f3dea215e9a655fbac939022cee1e489919bb67086dd9907f9562cab8fe63f132b86fd94ac427669f23d6701ee85ef697cd69f7

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 86dad29ce5fb91d1e11a12e91bc9e10e
SHA1 1ff910d7ef21315f85ad89748de6a0a694013d46
SHA256 ddd73c339463213a46ff51f29af49ceec63ecca4f319cf44cc9d3624b5d576ae
SHA512 f4123e95c69b3d9ca4566a75a65195225e2ecd606ddb6b3539828fdf0c01fb581710c11011a813a24bd808f787e7e34b4bf213df111c7cbb5f746f19031e3695

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

MD5 0ef2368836d1388b2a3ba53e9ef57cab
SHA1 d59ae467230c4a1a275769d25ebee0699102a1cf
SHA256 bde2edad2965f8ad9ddee734d38587bc848d158c65d0522de45af9c72ce184ed
SHA512 89916fcff0216dc58652a8ea1b4901281eb319c120f09994e5704161864f953081111e6aa417dbe6d74c0f9a34a06bc103ec162158d1379e4c784eeb6570418f

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 ad4c506b97f4477edae3fbee20fd78e3
SHA1 b3029c0d9e680c99db40c838eb8842f7c4c3a18f
SHA256 3ec99b2751bbdb24db87a4ce8b7258a6e77aecd3716831ea72df52b43dfb8a3e
SHA512 6424508e52777f28d589f64c2fa0e7549a41a4c22a7a84a378e2c8f991186ff934bf607d8e01938a3ca7ab4beebc095d0bbe14b45cf392d54c63d2d29c00190c

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 7f3c97bfdc2abfc8234aede6378618de
SHA1 a7b93aa433442cfaec001555311cf9bc7db82730
SHA256 74faa2897ac4da50e458186d38217c4bf8f270801da094f166daff777bdeb07d
SHA512 ae5e248bad55d8eab3ac29ad5f73eb14e77b31152787547f55f853c90bee8ae370fd2baa41a35b8ee7c5f81939483d60c05f84ffbca0473d616f8c1f619c68dc

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp

MD5 bd3928df96453c258913716d6ab9991f
SHA1 478cf55e0ccbc3b54d37d9fe35e23b4e61dbd2b7
SHA256 c23939b4023c43d908915bd27aed37ee4186dc675e40c327f05f2ac432d91e68
SHA512 dd9a315992d4897b7ae24b1c9ea5a3c70c0a5907448dc54e4aa5d37216984e697a458283b7c30653009bfb7d36df6653616df2e459bdade43e126f7c3a3c2a2e

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 aa843adc2a52100471979d8de6e0527e
SHA1 4be77b1b9f2bcdd6ba4c53f02cb4d3d884d0963b
SHA256 025d3a3a72438e0245de8c1630f4d742a13bd53d2d0caea1a7df1522cf4981c0
SHA512 a70c2c4543717a274767e535f08e07c33b3d19b58601acee3a5a3eed70c6915b31993bcc76b514f6238018cc277fa8af04011e9fa4296e4ad6967c3efdf7e887

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 65134f6bdc2758e82962b4afc5a45a2f
SHA1 cc7451f952dc8ab5573d07d0dabccf496059df2b
SHA256 001a875ffd9fa1773436e97ab868088328e54a9c9320f9cec04ac7ab5131c701
SHA512 5a51104c775074e9f33b45917ccc3287039098c34a152cd2aa42f0e80f4cd63f305a585e45f963f6aeaf20bb0d42f64dc2fee8c13a7f07c8122859008b7fb0ce

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 6b473eb5fb0462d0d1b40406cf84d095
SHA1 197e9be53fa395ea81630c7582d7b770bf0c44eb
SHA256 db2d01e7180e8f47f39c5fd07e1f3583118e41563f16836bbefbbc2d0c591f1d
SHA512 c3c08db18456c0dfd449867da5df8bb4e98dec9d451c26497bd450436074cc7653bf667b96f7d328576597fa5a85d8762269cbc6aa51d9fb7656291f6265aa95

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 4caf2f6dbf145cdbf76f2f5a53125e9f
SHA1 5befa46842c9159cef9676a1428eaad3168d8248
SHA256 95730593e0ce4070ea75d2b21137688f5d215104a8d22c86e72e1c5a0ea70db6
SHA512 b14db1e5e186f16c0faf11d29002cc88de8282c91ef3a1ff8171884cbea489f0a1c75d9f0cd77c0dd2f333f973c05e71dc18167d3271b043b68cb363e1742716

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.tmp

MD5 8a7ac0b4cfbf870e6083dc22f3642906
SHA1 95d7a95c703893dd29140abe3cb470f779dfc9b3
SHA256 7a1cb95b388a28127eeec93b6fb5ab978dbdf6f503690959ec64939d153b3c62
SHA512 a369e564ece79bcdc502713c43b16a2f9e80ce9efe3671834254ab3af254e221fea93b8e78fb42aa55abf3b12f5d26953fba97f624f27c8a4008c6f02e72ae91

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.tmp

MD5 75f34c759e2c1e285b72438260aa8aca
SHA1 cdd0006323104e99dd05fc7817c3c134d71b46ff
SHA256 ad5b926c085bc7387b076e1f985f310759da11b87f93eb229551709dd2393ebe
SHA512 9ec70cd6726fd9d5c2d2c4b4ae950488a2d24065fe474607a8bc2717823a56876f05c7502146cabbc4a7b5cb172475cb586ab8130bb1a3feeb4677e3fb89ae83

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 7714dcbf50faa9ab2a6d4f824eccd686
SHA1 4fa87e14659729cd5724f8decf103025f8736553
SHA256 3a00db1aa59afc8e15abd9961c621b572c249899c1b555ce950a068d4967af18
SHA512 858d3076221bc575950e6a6cb516fd52acfa1d09ea002c11073d05ee9492a1edf51c77c8127f1d674aa9712e55420b3cb71b94946eb2f838e584314430ede951

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 5a981c7f90f66ebbf40b395cd8d5f209
SHA1 df00800c621933af426d30cc7c296e13ff20dd52
SHA256 292b1f7a18649ddfea0e8879aa13f174eb4eaf2582dd660c137205ac97fb21f6
SHA512 231970a567a43695cb7aee0ad65c55b915c38ef4eead02f30ca46242a7fc3bcec4066d0ce00f7365007645b8ea4ce30941a7d70999f200c190c3e1df9672348f

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 7bc39f629d0f46722057962cfb92846b
SHA1 df5cd836b9d656e4d6dfab9c09d1ef3900db9958
SHA256 14f2682f2e8e7f81f63b86f86193c56d6ac1d82db07c2375876cecd8091925d0
SHA512 0b24e4ac71931e7e66f20d26345df61ac02dfd907087b6dfba5036b8eb597e432f6f7d931ecdb2e4dfa7c663e974df22d1ba3bb1386ddb1c6d22237b5a7b5821

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 d810bb2f12f9da3528adfce66d5f922d
SHA1 7216fae550d43b1ad164401e89ba5f0f0c48d085
SHA256 1d6270b4a9a6b4a60f59f863e6d9b1cd63356e59d941d50d2a74028d8028386e
SHA512 272bdb53655b5a137e11d113021cbb14d195f270ff91ebdf2f9fc681a2d21288752d08d6eab30201c59efb3507a1f0244b76d22203240150945d8f36b9b7034a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 7566f4c78aa5249a7519fa084e32b9f3
SHA1 eb27610378ad2d86a4dcdb81e0fceaf7320140d5
SHA256 4a9f80b4f85f0deec8e3cbd18fccc060a4b0331cfbb9fa5d2404b2017eb57b9c
SHA512 c7a34378f86aa94a723c58cde1174fa6679f7d1bccead7f71867fe1fd29d918f4edb07e2b7be7291df5f00019345aaa16d45d8f6e85cd0dbe0e551993dbade95

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

MD5 2e41ab12c850949e12d3a8289e5336b9
SHA1 3208d21e5062c6ef0dc38eede1a4fd538ed8b305
SHA256 b1b5441a25280ab2e86e0a0c14e82ff26b2f4494555d341fb67cb79cceca5d71
SHA512 fcb0a6f3b43b69a93a1e0c90aa403f4564e7b4b4be2f4af183901d0413e9d0073a33605c77e9a652af8d63494eb7381de2b7f4d8cb8a37cc50a102b0faab857c

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 53baedaa1f4cb75245afc9866de6aee5
SHA1 b1948481a3e3f7541e632a69568f70b73554c1ed
SHA256 eb674d04835bb0a84e325c3ba32d685b18756e3b25095582691411ee10cc6655
SHA512 191f539fbfb8ea429e550280e0bc1894f75bda2fd6feccb62cc40f4cb41dd439d9a3a7fe01579486bb42647ab7827d37ddfb267c5aec733115d5ed36d012c126

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 48108cfd4433c9dc7b86a693c6feb990
SHA1 f0356685b257fb48141824de25ff2090381f7ac3
SHA256 f30e562ff1506ef2e668199dbbabcbadcd1bf33eab3a8f4c6b1d3a59ef27e872
SHA512 d02980a8aa5f1402d115f2dbc94ab48dfa1474e4c01a41312ee7dd21e141ed226395b1c5dd2e9de7de0331355a99ef2b2f44a8bb39bc5be3b6b6dc3683b0c570

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 13f895cc3b99747e211ceba245722645
SHA1 3c55e01dfe724dd0f3637cf746f8654bdec1caee
SHA256 dc84af23ab3266bd279e15df2fc2da08b85776ac10049e85109d8d2bfdcea407
SHA512 f484ab94d5efe20931b81b22ff93e99526416d13f2c58dc6c8c01a143b329c0d27b250059779762d88eeb1ff67fdb4019ff318b82422a3ebb34b6b4acd4f5a01

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 bdd1f28fcc40fed8079147955afeed6d
SHA1 8fee3b645ad858aeed92e02bf26f07ada354aa40
SHA256 33b2af936e5061cd67ad77b33e6097df1eced79958ca1af767f866ccad7f6759
SHA512 3783648537e50c50ac11bd550a711700421860330c0f617de1bc8cba6af693f3baa6023b9c1b11b62ad0c173e69d65ddd0b6173e6bf913fd2cfbcb3fb93c2a03

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 b70d64abed5a12100dcba4fead027392
SHA1 0db41829607b74bdeff914507fd6c1434f7f8455
SHA256 8273304bbffe3122f8b2b81ec8b93112057f7b0a0ea47684a7c850a9cb119b43
SHA512 cee26943b379eadfa3d00651c8721d4ea0998060377a6fe9ac277c2630e9c4054e97af0071ed498c178751046c49515e3dd6ecacd4e8dcb371e824b45494692a

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 7586fa6ad01b4b036f792e8436add0b0
SHA1 a7346c68f2faff1e5de41a56ee7038f1658124e7
SHA256 2a40ae2f3c9c665398e802a7ae1fe7b4322ba8dc38b483e1b0a3d6ba796fba9d
SHA512 04810d38e7a6d14e16d46f0dae5cc751ca5eafb17a4f47ff5bd18f4662de4d273803cfc874196fefd69338bd85d1847dd56324629fe5d4c7d1158f4b2e0e1a67

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe

MD5 360536f75099d4696789fe162a492e63
SHA1 3fe3370d74469b3f17d9ebc0a27c55d3c6d30b8e
SHA256 b707a391ea78564ba729989c8ed65a4a3767da73b018efbee6d87f694517e012
SHA512 f6a607839374297a7496eee1e75ff5dffccfb393aed2e1169d20190c54398a6e69e640bd6b9848efe9016d905597087838e89ac0e91eec1d8adfd9ff0489ab5c

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 c2def48b0b59f76b88da800f51af9a11
SHA1 65ee3c1694feb3a56c54bdbc667602cc35e5532a
SHA256 4011792f42c9649c4ec5291e3c1924787a834bfa185818745b41c91d277ec2ff
SHA512 d195f09b0849f65b6be30e1f76bd520d910d8da21f9f94da3edbe27020e85214edc9e556d516afa6ac8179a520dfb8c4e5943f677f58fea97c6878e0d3591732

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 6f79b824f649ee7e607a632983ef4464
SHA1 08cda1fda3f1eca51731fb431cc6db09107f842d
SHA256 ccaf1d2d9eef5231145910d50969beb1ae98a313504bdf3321531653e814a4cc
SHA512 5bd9eabb008eb0ec61174bc4913d6f8198099668588911dc46c99650a579e6327aff19006a10891aca283fe4cd907326c056cf6c999499bb4c9a13f06853bd65

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp

MD5 a73c0ac397a8f68f29d51835c107050c
SHA1 2e53dd8a2136881b9ade0394d2603a16e479df9b
SHA256 b4f3e38fca21aea2f602bbfbc47d9b605dd8b60a1f656f94ca5cad414b64b60f
SHA512 30c87305d7990f347377fe1f526684c5b88d1a7a9b5a35a593d9d473b73b74e1be1980163c8e38129a413f12b909ca85556511a017c305114c47e2bd37768dd8

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 df49696f1dc33792dbbb513328ee0933
SHA1 a3a02f890caccb7ccb58939df7cf0f1e23cbd8e9
SHA256 653bdb3c48548344df9d77eea7d4df24897275d76f9c81263b75c66b812175fd
SHA512 1b9ff9a583c2db939c0f4b250ebf5a04dc12878a6a3387502105980e668ac52be9d45236c2aa7078113cfc9ee9bd006f4b98f1d71ff112ee8d3a4ed589fedf35

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 22daf1502a2c1f0fdc95782be0bb452f
SHA1 6568f39667e1d1feee12be68b446acd3722e2dd3
SHA256 250b979b5d7697646988d718c03fc61037e26a5009a92c2b8c7712a469095568
SHA512 0fdd8ca14a4840988a741b411f711f4242f6d509448aa62415d8aa94f9e508d5996915651cf61e5eeb9fe46350e7e63674f77b82095b739319528f1fe42d63b2

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 3835fc30551331afbd599f3a90549a80
SHA1 87f6b8d3c9600957b407aa6284254f63b605bd78
SHA256 4abf1165973cb03fb259b1d844ff6a0759e1fe19a6b2a3e0095ea454e42d44f2
SHA512 a8c7373859f12b1d9553473e9182279926a323dee393e78c939cc7822823f52b24d35bee38c6a7e639ab9e8c1e91a53719d755cac6bc5a978602551a53d8844c

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp

MD5 83c3a44bab7620efd615d5e14d5379bd
SHA1 db9df4bbc6a6af7fc92f1ec51857e1de0f2158b1
SHA256 1611d362bc696bc3abec7c56d1ce8c10a24891881a46c18b88e0df53790dbd2d
SHA512 95919dc511f71052c9f65bdb1b1e39a5977ae365e0d9830ec6b3302ebba86cd0ee38c28b33f6fd8d676aa6ea09571cde24eb481739fb1599c7a67bea413db022

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp

MD5 f0858d674fd2fa7e039d5aab2a2c7051
SHA1 35677780b6da3ae8bf7f6eaeddc5e3d4ad64750e
SHA256 d772c84c0a17d2f0797a7a49729d19121d7e254e2dd96ae0bd776a20e3228d2d
SHA512 146925a6f41f485e2e22f9c0057992ccfc4dc6efcd4ddbcc5d069f0abe70ab3989e1548c7f6526bad93a6c1d696d7b2056c4d7d0bfc8270e8efe3f2cd2c63a93

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 8850c7642d5ace3ded11bbf8fc7db60e
SHA1 320da6c5fe0105a5f7268b23467ccc4ec5d2084a
SHA256 1dfd533516bfedd01de6d2290ebae111f2062dfb372a71102dcf64b3fa0cea01
SHA512 2450093ecc8e63805c3d98b6dcb24d2d44167f3c6fc79104a5818672165d08bba7b254743226c40d538cf503d82f51c6af88222bab9753d4f9ff741e55f6871b

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp

MD5 b7b24e55c83412afb922bb488e91ab40
SHA1 1198c92a8c4f15f61b90a70a84e49bb613ef827a
SHA256 fd0d675a886aeb81623dd32fdae3ea7228606e0d7c1f371ae014f534bca524b8
SHA512 21b4f7ccd8dea7260fb30803cadf9014c1daf00b6380eef4c305832fc487d25cd4b98557700a66505bc0c77a91c41e7bc7f7bca864bbd2653ed832504261ab1b

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 f00aa3a5a68d7b6580e0aecd3b987b4f
SHA1 98b17a9bd6bbcb64f644a1b7fcd835bc26bfe887
SHA256 4038ac06ca376bb2f3e28a2b984313c4497fff915b2c22064d2b4f924170dbce
SHA512 bd49254e53466182485bd097b428fc78a704e26d1a41f14febb1c74ffcbd379bda728c1bbd2d1f06b190ee5374335f55779cc295eb081252b220508b4ef9ee3b

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.tmp

MD5 301d48342c13ebe44f8cf4913a833b1f
SHA1 53b0bb83c656e9d1fec942ca8fa70aa7789cedd3
SHA256 08cd4218b81c9ed96eb4ac509c3f7e73a7b19a3a925de3a1cebce5083c3c5ef0
SHA512 912927170f2ec0f894930e82c62fb288186f62e0784fdbfa5328fbe5f85327f3cf3db9f55701e090585cd049824f35ee9ed3956c781926f3585eba5bb2c88bc9