Malware Analysis Report

2025-01-03 08:35

Sample ID 240611-blh71ayflj
Target 9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066
SHA256 9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066
Tags: ransomware
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: 9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066

Threat Level: Likely malicious

The file 9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066 was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (5033) files with added filename extension

Renames multiple (462) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-11 01:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 01:13
Reported: 2024-06-11 01:16
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe"

Signatures

Renames multiple (462) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\ku.txt.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadce.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\master_preferences.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\DVD Maker\directshowtap.ax.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\DirectDB.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe
PID 2248 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe

"C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe

"_New-VSProductReference.ps1.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 01:13
Reported: 2024-06-11 01:16
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe"

Signatures

Renames multiple (5033) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Csp.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ar.pak.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\el.pak.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Parallel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\io.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.dll.tmp C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe

"C:\Users\Admin\AppData\Local\Temp\9fbafcb6e265f53dfbde9a38b434c54795dcec75f646ec7210a4c0fe36b06066.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_New-VSProductReference.ps1.exe

"_New-VSProductReference.ps1.exe"

Network

Files
