Malware Analysis Report

2024-09-09 20:24

Sample ID 240613-23d8gsyalq
Target 8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe
SHA256 7ace0bfe4e43410a7e44d229c4b6e0e441616c71242e1cc5ae60ba562c1f06c3
Tags
upx ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

7ace0bfe4e43410a7e44d229c4b6e0e441616c71242e1cc5ae60ba562c1f06c3

Threat Level: Likely malicious

The file 8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

upx ransomware

Renames multiple (1257) files with added filename extension

Renames multiple (5050) files with added filename extension

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:06

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:06

Reported

2024-06-13 23:08

Platform

win7-20240611-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe"

Signatures

Renames multiple (1257) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\F12Tools.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\D3DCompiler_47.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msadox.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\System\ado\msadox.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\F12Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Internet Explorer\jsprofilerui.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\mng.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\DirectDB.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe

"_About Java.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

memory/2200-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe

MD5 cf3d77baec66ba364a98f33aebf0d26a
SHA1 37d302edcd53f10b2aa7aab22a6dd8cc7830df7a
SHA256 7bc3fcd2c7eceda45ee4faf4aac5faf493c828b9dd3105afb7a281f3ee13413f
SHA512 c81b48e84bc07595ae48d68764525b3de9989c2e6f9d29949d419d980bae414b16067300ce155d6fa70f842119cdc0abda7f530e9b354a26e40c39eb3b237ac8

\Windows\SysWOW64\Zombie.exe

MD5 b65467aa566657626527217adc449830
SHA1 9e5fb254dfa91ea678c62eaa2e5fd62dacf476d3
SHA256 7f9770167a6565370acc18e0e567593da0c558fb449d43018f64ed007cd3e976
SHA512 22ac350b50451f984b74a691dcb9cf2c255d5548f7617bb59b7e21641cbea4c0688f5b21ae8a0d7368dbcb643e7f21c636c88d61873221351256775fef05e3e6

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.tmp

MD5 d3a87b124bb5b101994e02333754610a
SHA1 aecec6c265b62eeaaac998676b48281454a1bdd4
SHA256 2dd2f6ceb61b9a59519b9bbdb7b72ed09b14f671203e3669c89bf74f2bfd5e3a
SHA512 c39ee81defaef52c0545ab0d68cea821333c6244cca6a795395cf41bca9734699fa775161cad1ca2b86536ad7820449cb73f785e941b385a1be7287103c97fdb

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.exe.tmp

MD5 6020f26208d2592ff82f5511270f4880
SHA1 f5153b4319c8685ac93c664f201fd245a83d2302
SHA256 f4ff12a74860a6b8fe57e1c90f8b2940edcf6760f5caca92c20dae58059dd516
SHA512 7941e92bff0175a2ca06e7becdfea2d09e534a3048f1ce4071caccfc24f6dc57006ce60ece8f0b5c1e1188b5b90fe172fda1b0f15b0fdaef60bf4efbfd42a11b

memory/1252-26-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2200-25-0x0000000000280000-0x000000000028A000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 00215903c1678ccf25af1164162e03c0
SHA1 c01a689e8c1e3f711a664458563c6cbf67a714c0
SHA256 8374004960d7ee65ac3bcff38c9eb90e56c4ece9f211ed79a38c6e92d2852d30
SHA512 b2c60fe094ea62d675a316f81daf59d9b20f4b763dd9a10716fd63dbb7426d3739a2ba6ae186db7d5ed928d62a4b0040db6456f3482f1a6d9ed5f485978ecf67

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0edf6545c33bf34259fd2b3bf22ef8b8
SHA1 4b0df3b85bddc62a2e6f5ae5bbd482f785fb1f06
SHA256 a74a786194f64dfc49e0c56bef657d3fdfd721263125c17d53677328632155f0
SHA512 6e544323f0f54569bb07a42b059b4d7e32d4321e8e0787c4207e5d5eba3cb59e3ee9b46e2fac453fda837273f5e6dc5ef04637e73a8de22a2d6baa4c5ad5d552

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp

MD5 1370320aaec2946c4eb5bded37f31eb7
SHA1 b984215e6ec143ffe26adf7787450340b47934c6
SHA256 3b39480068d054d1bb6767dc076dfc643b949a5f9702468a2f4c230393f21c8e
SHA512 70ec69dd06a0ab7ec9e04c492dd5f795a3fd3dbb0d5039f43222c43fe0c0b30d3ed69b86ca89df88083a238485ffea64dc48cd1b927763a5f7b8bd95ca677c90

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 9b976e50b6a4acf9c22277f52ffd5f7a
SHA1 bf93c1d0bfe867a4808eeee6ff09308339e386d0
SHA256 ea871f311acf409d29372c889b2f787c11058e0056d7e1583ef6730c774f5273
SHA512 6952939b26e5378d16468462c7c08daa458c5271fbe80565d9a10ee763e58abdf609ed9f7b45f6ac3814febbb014a2f0c9682d1e2f4a051637638958aca099d1

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 a6b7ed942ecfca5bd472f6e5852048ea
SHA1 d4d1efbd325117983871a5ab20200d09a83ae206
SHA256 20c9acd0abb90d6d605eed5f1a7eb360348bc356325cde8470cd6797aa97037e
SHA512 9908314364dabc873d9eeeb93d6e45ac1b3079f5147bc2106d8bcdb7ad33d5bfe272dd504c90cacbd72b3b4aa05b4747003114dfb75e4fd716d87faddd0f6a8f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 be62b6ea61d1e042c5e8d917f0e049a3
SHA1 a7ce03892e3dbd9e9be721dd7a992fbc85320985
SHA256 87b40f7d1b00346815b4b73897cb99ce0decf407a3908f739fa14c3e6c07886c
SHA512 d194c1e997e5e9e42fed3dbb0b2f33ea75ebcf70358201d805e3871d8988324c2f86bbead7e3013e4580d9c57beb8973003dcf50a062fd24a85f076dfac1d892

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

MD5 c6f21cabfd580093ec81c27841d441f5
SHA1 7dedfd1bef9d147609c1ae08bd3f9b8295e824d3
SHA256 fc7dec6eb15e7206236a800b8298c94082baa4ef5ba130efa6c7d015533af561
SHA512 58ce4b99b887cf85f14a60acda4f5bca840b21e0852915677e141ff0eabadfdae9b87ae78213b55e9260e6f8211c93a37293ecbab73db9ae3373aacbdd09eb84

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 bbb6da13d56f07ae10ef4b5fe9971247
SHA1 452ad025b6911c1ea7b6342d509a94e7623b9405
SHA256 4fc2753117c931e7458e373cf6802783e827e9e7f3a98c0b7eeb6c67da4f6e55
SHA512 6b2e763c55cc997c6e7f4b3365fdeaadac4a41d7ddd4cf889dc4984a73c1c7ef2c4199dcd278c9c4756dc74975702fd877493e1ce187050823c04e8b5669e9cd

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 c341943a45f92e17528abb75a6f0b08b
SHA1 1bd68b4614e228ede0cbe4ce31f6ecd3c8f16135
SHA256 41a10b3201d903fe26af99a29967c2b98761f7f63253e7a73743582658e7cf93
SHA512 6b8935f7c7db003ada1e3c14ac44df47d9e1969c79a3e8ab35d426ad7f22160919b18b72345c3d0a638a3196ef45a4ecfed3a2ef4b30efae1e0d0c0861a8289e

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 9d08a669310f6fd24368b6845c2d7460
SHA1 18e12f318fcae146dbbc46419153e3707adc32bf
SHA256 bae9153903f906f8ca0c988f1483d0da42c0a4c6f53c90299fa7551a8612e788
SHA512 f23aa38adcf278135dd9c3ef49fc65e5616d981be5646f0dcf9682e408c4c722db312d3740133d4c0470af8b05fb701a332c1925d0f7088cbd64afd1610e14ea

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 74fe7795e675557cda000271aaeb232e
SHA1 4c2566011c2d87fd607b095551d31823a726ab91
SHA256 8deb4d265fdbce8688b0ddd6a877124bafa08a2ff75b18b9d47732434169400f
SHA512 368bbcd56ba2a6b7120c1cfcbb2293fadb2d8265eed0c562e6157e039b4cc6a71d359aee30c7816445f793f150072a774d6dc9e3667f2c2dbf65e53709675ded

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

MD5 d884a4456080f43029e05f170e509182
SHA1 fe037fc70a21c9dcde55f102d4c2075420eeb33f
SHA256 476da4e3981e3a332dea1ad6db0e94ca4956965299ae9cb82ee233dd858d53b6
SHA512 7370df25a802527b3f15e2027a181bb7f1f58607f64a65e20e03379cfc6dc9ee0fd960430c7ea7a15867920e9f3c8e2a9d0e924f9cf8bae5c19b77efb03e0568

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 ab509dacfaef9eddcb5335b9848c9207
SHA1 7c81a38256b0c20fd385c57e64be5f8d10b82977
SHA256 162c66fda2485b6559d71390d3189adcb1c89aa4077b7062c3d5ca538e8ca5fa
SHA512 c763d467eee0208545d57ac3ef78668fb6d97405aaa8826b853843f105c08e139be9734e607e1dda57d928d73bb7221dd2c0fdc2545a76c3112f759193cece69

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 feba875bce56396277d0343c8db2a10d
SHA1 713b2f03d0aa4b761418dff7c689cde3a40c6528
SHA256 eb6827695b006d697e0adcc2e7c7ab9b5936c82e5beccdd46382e696345b3040
SHA512 55a4a7cac11c12abda82f2e249948706e3664dce208f8a54ffbc222c656b25121480c022f646688f990231f7b7c01e984f26fe49fe4178859bd4f75514ada1c7

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 d5c2325be26cf81426081edd7f0c91a7
SHA1 a9774a09c32c0b50bb64907d10af90d03098d532
SHA256 93ad7c533f4f7ca4e26d5e2c13172e65e2ae0a65cb84f9c7798c96a1b0352046
SHA512 fab61b947b982368defc3886bd1d80eda4a78f0a5ea8e630592dfbaa555312c318eb6a8cefcf2be88437a1c63321b7c6000cb54ac5d62ba192c0edabe17e6098

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp

MD5 d0e47e00164ce74bc963c708022c8e5f
SHA1 4bfcc0a79a42ff9bbdfe12424711c77cf0690939
SHA256 6db48dbc77ddec80f3524ba6c61b666336ec717395cf066a1c13c3fa1fb6c77d
SHA512 cb32c2c715a0c033f96abc7db2ac78bdb8ce92ba88c33533b8d8e40a8a224064f4a28cdeac0e9b32b966f1c71686e8d49cacf77c4e702c5a41ff3e77e8aa42ac

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 be76b0d9a0912dc8fa0728bb2e003f20
SHA1 b328e7d656d8307e912065aea96ec6ba46251e28
SHA256 0e1cd01e35b00999ef25c63b45d271f1557b67759445474cb999870687a2fdd2
SHA512 9fb1cc8a6cc5945ee98e3ea12b2a87cc4af6369d588cbc3c2c3839bb1c0306f8a1bf5fa1031101a701a4cc55e2404f68b0d6a6bfbff95d10c6da12e9aa6ad76a

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 a7f83aa87ae7a71a102191fa4da3b56b
SHA1 5e281369ec324d08c06f5a1cd7ccb94268bd4fd3
SHA256 a8e9d91afe7d98058af294cf8fb4fe43ecddce75776c01dfaa3f1a62441b1c79
SHA512 56da7c15ba3b1b99a54f634a2c92db2c68edcb0e8b8c26da03ca1ca6aec553d8bef4142675e7563b82499b0885f89ead95ecaab25b7be24f32f34c4f4f364f95

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 8db20debe00574cd225b05bed96e52c1
SHA1 c36b448e812b4e91c7b702f39aa252300ed507e5
SHA256 28312649669c65c9e3c1759eac49d950039274d28ebc455c97386e458503577e
SHA512 727875156a7a47a833b44e88c92f486fbcb494d765caaa9774a018ebfa68bd9153abf09ec5b709eda4478e05b21790cc8f68230eb6668464f2ba4c831b38795c

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe

MD5 1fe7fca7dd8877f65d6432e235c50805
SHA1 e8805cd892ca434dcb8fa6041c62702d408e1e73
SHA256 2f8d5feb7b38c186313ff05659c0a49de779370598548e4d312f7b26741818e2
SHA512 39f71e40b323384c44cda40456ec56e9d08644a36eb54551887361c978001eb98f406badfe7d6548df0ca19f7f6ca3dcf482e345ae995fa403ef2bdd090fc844

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.exe

MD5 ec4456299c3bb185ea8f1d18a825e958
SHA1 938ab6c291038b81acd10e5ff4666516a3b7e698
SHA256 2c212ced39889eaa63074743c1e56d6633e4bdbc0262b40eba96551932f6d45d
SHA512 e50fca4d900e74d389a22c3560cbfe8aa8310aea74658f8f89df7c609a8f627549b52d78f2c8bd7b1cd464d6446d7b245ea80e23693d4ccdc2939fd629267df6

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 25c57ee50548b3e90f7dab1f77e65fca
SHA1 a85b648bb66d761ad470ffc90e1db6a653b605d1
SHA256 085d548ef9e59543a1cf195089db22b6317aba7750f3725203963db9fbe26ac9
SHA512 6be4413398b16fe2ba9774e7df2c7fce2dc46e943f65d267c1e6ae44b950dac75551bd059359bbcf7c066f27a92a44fce65e5bbbdc8f9c3904a009de1624b125

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

MD5 f616d20ab28d43f45ab67952afbdf445
SHA1 54e78fa1aef6d4d1df07dea6f7757a365bc1f72d
SHA256 42952357ffabea038efb138c115aa4ece342481935e34cc221b59001e25e679c
SHA512 cefb1a6ccfa4fedb89ba98130440c8bb8739fc41fe349ce2ca291c9fe99fbef3788bd81697e83326755876ebb95f451031fe1b4442b0074aff88d3fc401e403c

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 d1b45df4743cfa702dbab4b59c5000e7
SHA1 19c8a0eded0cab266629587c04f8ba7555801949
SHA256 50cefc3f2f68719507a7c90c28b783ac44d328999710e9101c28d2fbc7f14a83
SHA512 c1192d8f042a0be0333cd5d19cba8ac6c431c6733a1d15a292a0023e3beb326e3ae0fd144176dd11b7ee0c4b327408b7072cf108a8f31b0a3dedd217aab98f4b

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 d54f30fcd8d1ea33882db3cd9410e6a6
SHA1 c5fac374764fbc761ac8e021c68192e481650528
SHA256 68f24781fe4da2e3a297d42b66be35088607356ef2bd3e11613d06f2ee41f611
SHA512 ca6cc47c1ac465f7283856d135968800bbb71efe019824a5de1f5dadb4895c0b624afdd8b7e204d9c590a579f61c8d014e0dfad84a96681f145eb2274feecf1d

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 d2f24982dc647c15ffae838ab8c33fdc
SHA1 ff1e9f07c2c56ca6b9907fc497e2fc103ec00763
SHA256 e05d91536afbfcfd92b41f98f0cc4ff33752277553130a62a684bb21efce2c42
SHA512 e3b3dc6fc0341a101cc66555cf843c451905446dc04caab687cc847570f1cd368951a74a98c52fbbb2f41b0a97f50c6fb5c7644f14c66e234d49a1bd582c895e

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp

MD5 8c55f0b73fd7f2b17b680acb5185298f
SHA1 a46ac43513f32690ffcfb7848b326a560508ecc5
SHA256 099fa33fc7ca8ca30d494a657d341269523e6c2ecbd816f6e73bda7901dd125c
SHA512 b66271024e6205da3b9b2f11f15892b7440a6994eec42557757a767e46c6693708c95f97d40bc487f09c194c8a3338f9e8637cbb579818f4db45ae1b50826d13

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

MD5 5d1db08aabeba6a327b53b1d5b75d1af
SHA1 1bf65ca305f5ec7537e9e221e8c456f3d81d42d2
SHA256 6f88ebfbde5e5796c2a71f29eb6692b0d98c32bcffd561dec7ccf968beb783d7
SHA512 c200562a2cce4f033f1ba888d830d0fcf865c347261f276a9d51f5fa5efa6ee19626fb5c1b960a831abedce04c52618311fe4ef4f74247a5f918ec9472c166fd

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 ed085de97265b6a71c076874fff52e58
SHA1 25b6ee6a1c60e11adfb0deb3bdb584e4a5fccb2c
SHA256 1cf24eda8d49cb8f9bb2a7473db38246be043e5670eba64ed1b93511f336e7d1
SHA512 e0a41a2dbe915dd36fe612bf8002eebcbd909114db4c71d0e03b3bd5da3948669b540745f7b438517c97c70c83b02cbd3dd62d90807cdc8383082f91321be8ea

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 86cc6a0d4ff4de9a6d0728669bc197d6
SHA1 7a58083be6b566d759ec3a3592f05de2892ad0bd
SHA256 d50dcff526d817e0849ba12c25dbce276453bcdfdb98bdccee403053128faa48
SHA512 c489e4d57e677885d86d0452853ff8b5ff84a75aa3d9ed157461b21146c0fd84af098054d1fbc9ec1aaaf1a947a6a0a60c292c0f8410c798d184112f2b4422e8

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 94d2edeedc237d040f0966ada19eec52
SHA1 2fb8781359d0c5fdb66feea5d9d5b0ca78c2a2de
SHA256 a8bf68d5353a94ec854aa95acb3008f424896b7f8fe2b4e2237ae563c277f1db
SHA512 81f7b34332ef588f158d7a79fc4c6c57afeafa811e1594724de395ef2a29dfbcb6e3c82bec1b7e2211135dd81c1ec713c30eebd3b6942b01c5eb582f80c6a2e6

memory/2200-192-0x0000000000280000-0x000000000028A000-memory.dmp

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 c6388fac2e041a54d213d4ecbdaa9611
SHA1 58f3ba2b0f63b6b9a7cad7afbcb04c5d611ff8cc
SHA256 4c8ae9720adf3e27c2951e41b867d8a9401bc9aaa9d65f9b9090b5109ac7e6e6
SHA512 b6495afdbbb374e944029b83d86412692123dbedb822c8623afeea2bd8eabed463a11f7f6821e4ed8ef57a31742bc778428e75d94db70b8403332ed03c3fc055

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe

MD5 d37bd37eeb6d5ee10a70e18dbbaa2cfa
SHA1 cd644da30f8aba18a7ef8c268b4f42571eebcd6e
SHA256 4c646b72c01b90f0e8eed024bd59b373b7d648564bf359ed6ab263c92f5144e0
SHA512 2309476f0f05499670fe4eacc0288d36e9c486c454dba1f192ae7ec39f11ee092a65f6a16b407d423f34a44612b9122b411dcccb86338bfc29e3a1f99a8c86c4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.exe

MD5 cf51dcf3ee9c93ea0774667ceb411097
SHA1 9c1a1fe4116a48ed3466b13b38f36cc33dfc21f0
SHA256 8798fa04251f47fb8c3a4e3157e68cd08ba4d8c426ba0cf427a726bd9fcb59d6
SHA512 47056e7c70ef272ca8dce47e6cfe22e1eb61659fa364414941736eb066ecc36c961716aaff6d0daf56d02ff682055d31fd2495ec68fdef85a77df6f08bb08c15

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 b088de22419525a984c084a3a5d692f4
SHA1 a1b9b5355b6d559f94ef953d0c34eb1a0559d033
SHA256 147f3722f460a5d182525c235d35a153cbc6ff7031c5dd98309635e37e0e2bf2
SHA512 1cce97219097f8e708dd6c5a199b5e7746c7820d73a81a6a985aec97e961293e5fed34e5b6a34a8c568c1e6f000b67a3e08180fd52054f584d9c80808842eee5

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp

MD5 3169a1a9fe13940d727ab5ef0dd9fc5a
SHA1 db6758fbec1324db5de93629939d73bfc0358c95
SHA256 475daa5bd21ea4acc332fe0be413c74173283b9ad2640fab66ffd10bb67bdbb6
SHA512 4b07ec7228954562cc98b468cced1e773418cd0560b0a581ccf825d9ce55cacf035521355be9403fd067dcbb632a4e5b70f877b5c4d4363a9e6a97f5ee0a2462

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 83b6d196b921bec37465d634c5bf0d2a
SHA1 ca5b5f0da95c8b7cb7b83132866afb9d180b8fe0
SHA256 84dae5cd8b591e401b346940cc7811c9e0ad4bf8b35c3081e08282f992eca6bb
SHA512 bbe2ebcbb854ebf8134aa4dc86030b93aa9cc3db0700ca4e0ec3f05d97b0f7e1078e681d4511e7dd6f5f271a64f1945609cb3dcdf5b1a63a229f0037fe21637f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 cdc24dedca9256d73470f9dd0ce7a6aa
SHA1 2020d5082da07f095e58d4e167bf4a2bf4519cba
SHA256 d320ca904e14e2774b69b20a70fc0757a674ac1acaafbbb5adccb2b6771053b9
SHA512 09da9a85ec75e0f93ae60e06dd4062745eff94532f48c347475fc431d46c861c9e909c04f6c07ebe1d3c8c25f7edb98998d1eb999d86583079da5314203d96dd

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 2c233ff016e6c365330e4292a78110c1
SHA1 9929ef3630ea17dd2ad2fb6e6d52570687b41dcf
SHA256 431e509a8cc0099ac145e519a0e39849280e66315eb3cf6a2da27fb12d643de3
SHA512 5ef79e29fd93c9cfdd82af3de3075668b0b49ab624c1c7e7b5776b93fae3ccab3e78dc78b6b509424b20b51623462147034f84e89c1a774a3345999b5e3cb7c5

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 73eb41048202adc41e919de102b40c88
SHA1 8fa233d206ccfdd6d502d97ba08653352b15f9e3
SHA256 ae809336f8b36c2e04f57eb7735907d25dc046ff815f4ebd73c4e135b4869ea2
SHA512 3baa9281e6518e0f6cbaa0fcf8b30600adb5a881eb164e5d88607cecc6bf602bd6fa0c6d77d58b576eea1b38b12db7a0434cfc6d4c0ed70d8abec91def4696d7

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 9548eda65c05596342f2a42144373a21
SHA1 c034e8c99f07a703aa37dba3ad3292dc2d7d995b
SHA256 71987058098f4afb3e223425086182a24a5bc801514e72583c702a1b60453464
SHA512 9f9f2db475259534aff8a1693a75a8f83f7d526527878ac519983e42f8add2fefac02d928f6a0532e3014e0d50553bbf36045f5cb328f59bf2fb140bb03ee48f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp

MD5 537d315a44c217204e46d28d7b609390
SHA1 cd5bc9f0ee79a90e2050a701a3c8524f62e61b34
SHA256 71bd845917a8abd2e8d46294c8d99462c52105bcdba0bf48d77052f1f463fd83
SHA512 4524c0748c064e4224f361bc9ef5d8d1b393327e5790c1340d606524f100b8af2f9a5e0acc0945a90093941ba5672ddafcd00ca70e5549c396e0119380d4dc1e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp

MD5 bbfcc0601e70625e6ddaf96a177872f6
SHA1 da403fc176d517f9b9097e69da6bff12119f126a
SHA256 b8d05d368f629d7bf09939497d6d2a2926dff2e06979fed20ef96c927d44cf05
SHA512 df5668ce087271c245083eabcb779ae4f3db1d1b4ae00b56d4e6c233a287f1f7c22614ae1d48d070556212d0a27ec911460a9fe4f0f13904a8180c1976c4df1d

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 69cea542cc6d28beb14d674c78ddb6a6
SHA1 4b0e9d64003fe0c5c0018037dfcc16ec04f0c7a4
SHA256 7c3f0d3f8a762925a29eed141b0739603bc244bfee560a8959cb8762585d6ec2
SHA512 74ffcfa12f29f834f8d0a72743001fa2c08781f13c4f07a17f67ff01caf9c6a71698b9b58cc8110331b7981f3e25672f37204e4dd6438c3b8b0f97e3776ed2f8

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp

MD5 a4a2a66d03d1406a790d9d09d55a45db
SHA1 30465b0b3c20f6a9afc6360e07059635ea6cad10
SHA256 d1b32f86b61c3c1014f57ea0c291f3221a0e65e698f43fb63ab2ea7b178ae869
SHA512 877a31486606fa48bd2b524aa2911e6a96aa578543cb5d9cb6bf77fcfa5c9b3d0cc172524a47fef4aabf8ae739624e9ab4b699e5c0b4175c02df2f9c1b69f0aa

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 636a77fd7dc6ad38dd2a31d7f5ca98a0
SHA1 816dbfc90953d81282535e4afae1f36e606cdbed
SHA256 a10f7273fa576a011321f4e8d104bfe7ede9472125be55992c261ff24cec4ad1
SHA512 bc5f9f125af24c94e2f2d57eb73fc5aeb5ae6947f29590b97433ce4432ecfce2c75c99efc9b0b4f58ba3287a8417bf86b033c8299503e9c5692bb2c4fafafebe

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 9538621bdb7081619120383f39deaa9d
SHA1 d56a5fe085167c2fd926cbea625215ac74b31e6e
SHA256 f672a1a8a8dfba8ef2e53e7fac1de2c85ef3fa59e14919d215fc2ac72cc94eff
SHA512 51ababaafff85672e24987c70b864e5e6a2d96865098a1eb347f740fdfcce6d798f0f25b88e451a81dff670fe2f00ec83de3a5536846b9d36c4d44933e5f2094

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.tmp

MD5 e71dedd326451c161a5e28b75212c95d
SHA1 35bdb87c7edf21e8fb00e1b1fea5a9ced028a487
SHA256 4ff5513c677e6e7d70c593d0b80cdebf9a8c5e4aa70b24e18772493b51265b1b
SHA512 70bb1eaf73f5d3d221bac4b0eebb122653ce1036fa417bfc3a0b2c6ed851dbc21f296081df82dfafc720a38c0656ea6016a28c37bd07286fca9f328fe231afbe

C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp

MD5 2edbd9c1842c908a6b56b1fc719b3812
SHA1 c2e0dc08b33617ce347537a37d270dc2b9a388bb
SHA256 766cfa9227fa4d4f5cac177ed7722f1eef19e0952552e24583c465b443c89cc6
SHA512 a382a137ef655c687eff4be5bed4f8f9a30743faf740ee6c1d6512e93440803f71a42598cd9c58ea7c1cfe7cf258761a720a4bb232ac42f85798ad04eb7121f5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:06

Reported

2024-06-13 23:08

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe"

Signatures

Renames multiple (5050) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Xml.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\wab32res.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000A.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\ExtExport.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Luna.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\sound.properties.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadco.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\IEShims.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\classlist.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\dnsns.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OMICAUT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.map.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8ea8f1e0010d20623e96b2c883face10_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe

"_About Java.lnk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/2416-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 b65467aa566657626527217adc449830
SHA1 9e5fb254dfa91ea678c62eaa2e5fd62dacf476d3
SHA256 7f9770167a6565370acc18e0e567593da0c558fb449d43018f64ed007cd3e976
SHA512 22ac350b50451f984b74a691dcb9cf2c255d5548f7617bb59b7e21641cbea4c0688f5b21ae8a0d7368dbcb643e7f21c636c88d61873221351256775fef05e3e6

C:\Users\Admin\AppData\Local\Temp\_About Java.lnk.exe

MD5 cf3d77baec66ba364a98f33aebf0d26a
SHA1 37d302edcd53f10b2aa7aab22a6dd8cc7830df7a
SHA256 7bc3fcd2c7eceda45ee4faf4aac5faf493c828b9dd3105afb7a281f3ee13413f
SHA512 c81b48e84bc07595ae48d68764525b3de9989c2e6f9d29949d419d980bae414b16067300ce155d6fa70f842119cdc0abda7f530e9b354a26e40c39eb3b237ac8

C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini.tmp

MD5 c0c5b0290aedce0d2416c0c00d9ef313
SHA1 bb2256979014ad82fe0bae3657ed300f05a22f7a
SHA256 49b8679bf01963d1b3fc334dff7bd06c5c4fd6fba0a6482de8f2354569bd4792
SHA512 a4b61895c9e3ef77b17186474e0b6f31800d7088cb55fbe7d8f99943d3e7c61cd02eb64855c18b6fe6e9c158e4a054326ca936b88fe58fe85289f7dc00844b37

memory/4420-12-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2484-11-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3169499791-3545231813-3156325206-1000\desktop.ini.exe.tmp

MD5 b70d5a903fcf3e859b6dcce02aedc195
SHA1 3747ff571a98efcf20a6feb8462b58b58c55ba02
SHA256 00fa3866fd19c02db01ee3caeafbc537604cad5d93cc9e1f20fb119fc3676114
SHA512 ec70b0db5b70f0557516e628779a5837fa2426b0fb3237720d7274279ce200103b66552f2b12dba80532ae002b093765c37f0543271df7fa1205132eaa152840

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 8dcb7cf7396fd86aeea8d109f1ad7f92
SHA1 b8a999de181a321afd8250676e81ea237e577bcc
SHA256 9a39f9ed82ffdca4dec2c1368fc4d80aff0fbcb6d00b5d2495ad71707e3bf6f2
SHA512 4faac11b755101732b2db09d66f484c4c3e5ddfaadf5f0e11806bf45d8be5fd9e5eed36f355916cd8e62a65abe7581d1fcb6810e53b519a91775b8b6f23d9eef

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 d51df16b150cbd892c640bdeba8f8cc5
SHA1 18f8ac548c802dc98fe92b15e8b61498dc0a2247
SHA256 690e888e1f3dfa9bcb5776556a561135e619b7136a41c6ef2dfb375d37b10bfc
SHA512 f1195d1915860358ce23ece037185ff57a9c88f689048c24852327059066259ae5183a49a24b2982b8ca6103f015fa8bc8ca7c99b5d859771784284b72352f9d

C:\Program Files\7-Zip\7z.dll.tmp

MD5 5285bc3e904d1e445b4518baa4b0f21c
SHA1 1bab044fd4b18e2ed176bcfbabee4b9cc9d4b786
SHA256 350278d43e13a9c6a0c1def2c6c3624eb47b5c89bbd647f82bcfdd8157db6780
SHA512 13ad5db71111fff5fecaa215039a122bf6417217fc22a3dfd0cd8023d6f86ed00482de4c564dbce760c5a8530b2e46b1eb58714a9f2b29f570ccb4821d96bf6a

C:\Program Files\7-Zip\7z.exe.tmp

MD5 72c2e7cd52f6aad905529c7969e6da8d
SHA1 8821987213450dde548d153cfb7341583168fdc5
SHA256 1988d5abf58b258aa1df76897e66ae2b5a0366e8082ec470a0b0961cbb7598ed
SHA512 6bd50e27c86514e00c4258f2d0bf47ba32a3fe7bd474f4e5a2aca9e247c87005e34ff8ea6b61150334d90ebb8ab4b7354454836f6cbb31a0d277b71182452fe4

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 a1d9071bd2773998b8d35a33fc9c52fa
SHA1 78aafc9e03085af3f096c815e1ed3475123a557e
SHA256 9ee98edd476a9048cbf90a104b9c864499c5d114c9e491cb9895c69bce3811dd
SHA512 8b318a3f5385375384fbc258899a08d492f5146c37ea3857ad8403900b963cd19e25668857dd8f03a83705dda848e25ff70f400f1c8cc84544ce89fa7763e68d

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 8f508780b1686f14fef3ee7658c1d96a
SHA1 3d9b180b7818e13e211abcb05e058805aa5114d5
SHA256 4db9b9b2c411a43d69ecdb6eba231d3be3b08038b6357b8f3aefe919afda1414
SHA512 36a5122755ff6fffca9be334471bcebfb172e48880ceaaa5da6feb86f8d99619bd45840cf10f8f9f4fef7255a48571241172c68cfeabff4544882884e4b64bb9

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 012541bd92959e9e07522eb9b31237bb
SHA1 e11e174a8e6b93e32a543d0d9a384309e8239837
SHA256 f24419e96c642a3b0051660d4684fdfe59a3af46eddd592ffb02748dd3be640d
SHA512 aaca54174385ca35a43e610a54dab7342692cc1967907d530b2cfd22a53055a03694f5976259b30f1f03f07bfb72139bf15ccfcace74456e4fb35284efce1f00

C:\Program Files\7-Zip\7zG.exe

MD5 11df235d0d680258e0f79f1d384f2f88
SHA1 f2974486c066353336f9a0226b0b05f19860876d
SHA256 b76a4973985e801dd95804b347751fda28c31d12caccba70a2c54dec7527e4ef
SHA512 7cd29ea2b2db0fa520b8729214705b6a02ee65350677b237ea23e0ad43ec38995719e1c6133ef8b88e335ab11229a7d56c116c1ac9d8b48917f4a0be96382dab

C:\Program Files\7-Zip\History.txt.tmp

MD5 77b6ddaec212e2af03d64e1855e3d991
SHA1 d965829c5efedcc232781b50ef2d0a95699f6437
SHA256 20743affc5feba125c30b95793b96cb5a6e6934859bdf894456df0881e095938
SHA512 5395ac0af790405341b61d86733f2f49eef075fd712958e3b11cd189d5198beb8e5eb2bfb057a828701f71ef74afad5fa6eb5e9e73fbe9283d3a8f38f5af7ddd

C:\Program Files\7-Zip\Lang\af.txt.exe

MD5 3e210f59989741c2593ccdd7786d4b6c
SHA1 b706f222017aa26ab3012d982d299f167cdc4431
SHA256 c804c4de864da7be9c04e76254539343d6fcf562e9c4142ded56855fccfd7c26
SHA512 9428f9eeb563df06b23c4e6a740d9a1c2370fd7bc45d9c275dc7ee64a1a70227f58b95037df2c2cc12ae97c41860d27f237b0795cbf6035c482c2f663dd1ee56

C:\Program Files\7-Zip\Lang\be.txt.tmp

MD5 0e4631e84a4621e4efe9cc1354f49010
SHA1 4ef624ec7dcc941e39a8126b83ddcac83f2817fb
SHA256 a486a608275186e1858a77477ddfbf889c645469416743cf0cb48852e2960ef6
SHA512 105de506c8c399c82d9b9353cabba01a16181c8352e57e1bc9ec8f5d3c73b70408c4060d7e630cd841785ea8f0ef9127c5992614a597f543eb34f166ed496940

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 e6545621ab0125c77bb7bdd663d9814c
SHA1 980b7a0bcd15e503fa9732291e2e576c4ef857de
SHA256 1122b50ef6ea90d02bcc9b6b1dd1333faed2b862fb87bda8be0ded95b0826fb1
SHA512 5dfc5093891c26b7786dfc50e32e6bb665d5f26b2a677f72aa2d3653987305d6ebe2d240cacdafee8766a02b20be25dce4e7d7c224327ba2acf6af9825f71c8a

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 4614e6c0f3a82367e4d2ae991dabdbfb
SHA1 da20aac27bad530af59302a0bfb17e1b63168f60
SHA256 6fa31433f936609e0b6838bdff1a64ef2baba320f2f9b599fa3449412d654573
SHA512 d5b6477ea523f4567a9096c494578f7b4926762502f9a7d63d2d194134962bf13ed655ef6ca0e71337f69f033d64a2b56669c14e194c0b6851b56049ab65bce5

C:\Program Files\7-Zip\Lang\co.txt.tmp

MD5 1dd232e7a7147fe9d063006c3753bef9
SHA1 18e231b6ed1d023ed7ba12a8e069e046ec866c2f
SHA256 e87a6c928923040e6bd735a5a7f28d157876f4d549b82ad5dde32b255769b2e5
SHA512 fb4f1bd9767457eba6f99b9c404462bad2915453f0366fedca10c0eaf5813a22667bfc01b8c67dd3e1450af8791a30704bfad56be7e6d771aa05bbe5322e85af

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 967e69d1bf01d38b7c94a22a0d9ba62d
SHA1 3891cac9251809b0339184828f4bc9327bae716e
SHA256 180786669e090a17215ba7e69e39b693b0312ad100d6d31e89e8e34619367414
SHA512 414c516a35628244144d3badbdde7ab97b03fef21f2283da289d2d498baed95444d94b6284d38a6580b26f4a065ec3437507caa05ddad66955880fdb8a5cdf0f

C:\Program Files\7-Zip\Lang\da.txt.tmp

MD5 feba875bce56396277d0343c8db2a10d
SHA1 713b2f03d0aa4b761418dff7c689cde3a40c6528
SHA256 eb6827695b006d697e0adcc2e7c7ab9b5936c82e5beccdd46382e696345b3040
SHA512 55a4a7cac11c12abda82f2e249948706e3664dce208f8a54ffbc222c656b25121480c022f646688f990231f7b7c01e984f26fe49fe4178859bd4f75514ada1c7

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 bf20f1170def539664ca7059a0013efb
SHA1 122b4739579aaac8bcf481db622d5d292ce258cc
SHA256 9f958240520ff45750f962453f549f0a8e0d139ca484bb9a12c368a7b15ea067
SHA512 6b529fa9478bc596b17ea38909ea17913c8d8f8fff54011feb45b5030f0180322d1a707018adfea282efb10a8c51869319146cfe94ec51c30922b95efc31a4fe

C:\Program Files\7-Zip\Lang\en.ttt.tmp

MD5 9d8c412500b170d3c3cd2bd3b451f0be
SHA1 58dd6d744a1c916b10a98ae74d8abf3a82383c60
SHA256 8de0bc734290468dfe9fd9a029405049522b20dbcc1258458e5f3386fa3b380f
SHA512 9992548a36aae49420a65abe5be7e5dfa473b47af19047fca56c3bf7edd402556ea2b028be5336acb2f08b3aad349f575e4c430467642c49965d6960d21a86a2

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 279ce366c4914f0b742361ac1c3a8628
SHA1 4c444a03e334b0557d0631f8db42d09ffef32ee1
SHA256 2a7163026c72600df917e5e39a81ebeb7f1b3f3c66633dffd8079788d2b4db65
SHA512 0b9345870af33827c7d5ca8568e29fed3fb6b47b2646163ca1cc084b08cf90267ac671714d5f6d77e644b10957da3f9ccf2162a8b5209cb1f7ef83c3d8ce3e5d

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 a351a15505f68b8e79e330880d59f29e
SHA1 72abd91458f1c47d491f225026742ef230337a7b
SHA256 9cfea9c109a830da77038164ccfff2642fb7e2f9fe328c6aa7ea68260de80880
SHA512 82460f33252703b2972060d222c7b013c541e69e9b6f56e83800859f3f24a088012a4d2610ceedb014a5ca37a978d7ac101c84f6bc50594c912dc9f8d7e400a0

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 124c55f0afefab4cad14937ba1983fc2
SHA1 e0aa8ae0bd1ee18fbd0ced74ad84519af71acaac
SHA256 35d5b4336e501ce40ec3700b0b8323accecb1e2f1573f2db2d2f063fd8a5a5ae
SHA512 92d703be187deb835871f31a308f2b8f6959b49e18791a0c137dfa12594e441f2c00338e0823d895dd3f59aa2dcc110f686b3cf013aefca20609a92ed9f2c1de

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 0c457c65c1ada1d04e4bb4252819fdad
SHA1 361925aa8305db3a522052a27f2a9f623193de91
SHA256 1eb481d309f46c509c44162a71bdb314dc7caedf9806f5bd85f4975bb12042d6
SHA512 2c64f981977aa928864ff8ed0574bac9f165ab3e897b4207f64b36e4e7a71442c035609427ed37aaea914be492c3841511b5df8f657426742fd99ddc510fe927

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 47cdc9b192d28e8f131108f50fc6f55a
SHA1 400923dbcfb095d67bb5d588c6a0a902cb9c7994
SHA256 3543f79eb17cba240c5ce6a0752be76620e945f6f7c57463d492241aaf6b9c71
SHA512 1120aae70f5badc1ac3080c2d2b1638c73a1449656f9246c7d359f4bacbca97fd90c27cef270824ec37d9596e23730ea2276c97c1fa60cc5eb34294d0b1586ed

C:\Program Files\7-Zip\Lang\fr.txt.tmp

MD5 173ec80158b8dbaafa4bf1f23023effc
SHA1 24d2542267f57cdce7efaa09ec692b831f3ac7c7
SHA256 b610d44f658af77e3251aaf4c3722cf26bc5994cf3d0f1e0babc835c56792cdc
SHA512 8c09e244daf82182a9132eeafe08c13e29a8a81be14a839ea1cd0f9b5e8e2baf8f902cf7ba59d843fcecf4d67f0cd05f6acf5dd3cacd27f0349659a7d2d002d0

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 6dd839fbd6cf8804c63293076a8c712a
SHA1 e2abb4d62c27565d7af4734c1a07dea1f39d1738
SHA256 49907ca8230d243e2b2ddbcac653eebd5ff66477cb43a6ee4b8f853c968ee082
SHA512 5ebc89a3b28441513bd3b3467112b76db9c37d6e4c322711e300d5aa9eecb21f30bb71cf8f0278c7825a0c81b385dcfd1001c180e7483cb34f02970770a37cdb

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 720942d9affd297cba473e6d2589a0c5
SHA1 abe71f9d7c26c080904dc30740545d2c80e0b1e2
SHA256 9e54836125aa6425406bc92f4c53cb27ea89d0cc6e424fdc87fb240565345a98
SHA512 81e7657fcfdd68ff91c2ada9a274f6ca9bbcabba81a85db7d09fbca4572dd1a096c1e25cc400c3972ce8527d98709e91d7e5b1fde5d7b59358627e5e71173da4

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 04253c9f6110265d72d13312465bf4d7
SHA1 ece0f15adebe3c3f6f5b11bccf4b1631bf442e55
SHA256 a207c2b02b427170cef0b0eccebe8d462d404e5e58afef9230cdc858a3677ca9
SHA512 9c67e921fabdd0be7ddcf163deb9c9e3674e18dc2dd35de1cf3ca06195c08d0835c3f245a8303b4f71f432d3f9009c062156799c1d264af0fc682f38b53be1f8

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 ba08dd0a72bde1baad63bcb630b236f9
SHA1 2165434bf8b0abe34e74bfbf9126442b4cd904dd
SHA256 97e65a76fb18427970b41ff988dde183616a03792ccbe386cb376374774ff29d
SHA512 16fc77f64dc2841bd5f7a75f9322a186a9a42013dd9bd2af981cb59cb18b86a703b30b29cb2c76d908c77d2681e3995c0826fdc4cb6ca03ec18e23ef971081c6

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 04e751b98ec72ff2c06e9dc439807de3
SHA1 90652e19fb32aaae6c0ef758526d3b27e560a652
SHA256 cd27c5cab868b48a0f5269d15e1af011e24b5a7dd73fc3e57d4196ab01635919
SHA512 23908d43ec0399cdb5dbbc1b8cf52a6c1ac579f1a57f22c4ce8f687e25a829096bf06c6e9f457c7cf65d1dd617b7465b24e79427dddc2c6b8d998efe1fd5b9af

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 dcf08f12e76b2e856135f6107fc0f1e5
SHA1 3f0dc8d1a576b4d455fa9290cd33241c0fba171b
SHA256 fd74791f687710222fc3f3d4d54864b8625546c95a1f09e7c8fac7bf1e596433
SHA512 72e3a8629a9a29a8ea3e13f1eb572cd820068618ec64657eb0f7278f9858c423bd64e1f55193ee0f9f0dfb3710dae71600335327365fde9db4c3ff7fc92a6e86

C:\Program Files\7-Zip\Lang\id.txt.tmp

MD5 31c21609bbf66e2542a8b3116365ba6d
SHA1 d04966ccc41c9bff166f503e257a23f321fbc15d
SHA256 adf665beb2609bd2ef76aaa6a2d6817a797d2b07118da8a93e6c22d3c9aadd46
SHA512 5db7881b380698df50678eebdf78993701f0d2d0512869fa1b4d2c4cf25d8d6e1111b21ae2cd3413fbd69037a1f64e79372fe297457e6af034a335fb81c3bb21

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 99f959585a2d878ef1a4c8082b0ba24d
SHA1 b28cc06201c532f31beda76d7ef77e128062cb97
SHA256 bf1b8aa80b9131905fbacd0acedbd195c6f6bae96e1dbe570f2ef1749ae209d6
SHA512 4c3406f128981c08579436e870fa684a06b03ac8364754283eb376679759a219de213f50c16d702d120a55e3c93a9c1640eb8e62591ced409577cce1f45d933a

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 afcbff2d5b81ea77795216a39aa22e73
SHA1 503ddc1d9bb126592640b70a361d0b515ee73d7e
SHA256 b2e2753430a3c90cea4adcabdb89720293339bb7925cf4d671fdae777e5bdac6
SHA512 7b457ce4c1206d742c5b5228f6e58c662af970a2b987e26af475d297c35146fa4bfc8d385c050f5370194da1d536098c41a78a08f3fc8118d58c0ac83a496e95

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 a92bd16e9eb19ef552845e408750caad
SHA1 d44e72495259c7321edc2b8495df475a3bf8a5c9
SHA256 6eb0d106c6467e68bc44fc3739aff4fcf5eefb047c8b192d07bc9008ebf8bb26
SHA512 4b8a4bb48bf7fc4d731a8494e3799938d5d1535af50a7a72e047e48dbc6df12c4c94f85424f681ab31917b2b6a34805722ce5f98c53291a0b8d7db438eda0da3

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 362e914e80d2a9bbccda66ecfc4d7018
SHA1 dae82e159cc984ffbe93b2fa3a584faa97f25a90
SHA256 48defdc6ffe29ec16ca382a9eef8b3c628f96a12d8ddea804a8afd9568eb65b3
SHA512 9fae414bc07a2b64e163b324f5e239c5b11c53650b78e6345d82f9d7264ac3ecbe0c019181e6acce418983d2c181cf130ac8763c05797c8eb825f4c4ebed80a8

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 ee955899091d3fe8fd50994545c90868
SHA1 9e2ad269c2f192b2f89168eec9d4e1ea1a3b75b0
SHA256 04e65514b9714b3851e4fdf477786035d8c4c7d421cc7e01d15ebda5a24048d4
SHA512 63bdcc69978c725c9ccfaca8e8a7f2c641504963815cca0fa52e10100b1373b7dfe1a11331f8a881781001230b5c7ada1494e94872d79b7d3bd006e8b3bc0e2f

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 84ff709b7d86bad4f64a43435cdaf0f5
SHA1 f88302f2aa4531eea06041b42952cb20cd663aa4
SHA256 30009b7b33d771071f4b2c571c6513485462e5a80a3c9c7e24d93130dd26e07c
SHA512 08d9577c8ef1d83e4136fcb79dbfcf7eeec698b51116722112578bc4cb43a782a7c803bb1bb8cf4fba6f5315d193063379ef20f67dbbd11fd5e79a41d19e8b8e

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 529281f682b83ab515ac7f0e6dd0ea50
SHA1 6423374bbbe0d62c6ef485e5a8101212fb473ad9
SHA256 5285f8d55d615cb812765270b2f0a595913aae4eb1895361778da0db76f23ac2
SHA512 fc81009061feda2921606292d5cabff264f6c3306aa4dce0d7d656635e89e8c3cdc9dc9f7cabd411068ea13cabe41b3a6ecfe9cd184803b6d18df0fed673bd55

C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 efdc7d814b530f6b74da0c4579e2617d
SHA1 acaaa746e800326168918acc22543c82beccfc62
SHA256 faf6000a4c931c1f1478ca7d9c53ed287692c7b932a63a0dc83f0cd12f380c64
SHA512 99fb749b503a78bf292d80b870821f03451e29d79356fcb92445373e2a23ba078afbcf0f563fbad6c8333235d804c8c85df64fd1851c55ef3f48c6e8d58799af

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 0d31a1eb9cdeab804e0e2b49f9bbce0e
SHA1 4fca7d11f39e4bfb5e18ee27a03aea60faf8efe6
SHA256 bcbe5f58775b3dc3ec582f66685bc176d5f4cf989b6260c8bcdeeb489ee8e46b
SHA512 34ae184b97fd4c54c2c58d6ea7220989d15055b11192eec8cbf501cff40089ea8127ab3187c87d6638ff0d295fbbd2b3e6a91e7fb665704e0118505821f7cad7

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 90745d386c5bc0c665a7cf3cb5c78eb6
SHA1 1d527eeb09575c6eea4de004036163edfbe7ea00
SHA256 53aa664bab4a71a825ca479cb002ffdd96844c29fb9f07b3d80c3a9a58fd9651
SHA512 376e14e82e06d2ec56cb454342804a6c007b81294a31e6b753fd5427bcb0e6d67aa536204e3a19f46133473c0fcfdced95cea99e746b1680ab2b1040bbf40b58

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 220f49bc9a58c9c79e838175c92e704b
SHA1 a11ed7a0fd053bd43ba01371ca7969d7e839016e
SHA256 3efd4b563046632bc5edcad84c8a79580ee06cf6609158957cda542ed7ddd8eb
SHA512 731807ecdc95d5c39e4315b3224aa357a2ef61f5fbcec3ad8b53780196c604a3d56017533f8c69d40a5701a341fa20536d4ea26d8c4247df8af4c3670be4600d

C:\Program Files\7-Zip\Lang\mr.txt.tmp

MD5 7640a8c5baa105b74970b8e038733906
SHA1 b7f3bc2aeff638fb1ec496b3ec6b4178cf1f8338
SHA256 3ccddb887a35d95276ddc3a6b7de0f375061a4f3732eca3ef6877590802dc04b
SHA512 6cef336e0c3995edc4517f3f8c83e66e61f76bc456a939934f9b434b92fba5b33fed7177c90a4e2d9633d78ddf386c989065857e1288b1b94c344c5134bcd21a

C:\Program Files\7-Zip\Lang\ms.txt.tmp

MD5 535fd7673ca8213440dcc5d182b2bcb2
SHA1 c3cbb77b8abc2bc2efbc39a261aecdee671395fe
SHA256 483e171e27b570e164c14a2ec364e8c660235387147c4453ccc8a5da61a9eba9
SHA512 29c074eeaafbfe72ddc78a6d3c6cdcee53a900f7bd7eca191526db0a038569c4ee429d6b475643321c34dd17250eefaf11b22aa417a6c51582ac46630ebbb0f5

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 50034caa79059e046853f9caf7e24a28
SHA1 4961c03ddfe77ee53ecef850b01dff8825287643
SHA256 6e92df2e1e752d518d8fc45df5aea7d0d525fa3f29a60e077d347c07b5375b51
SHA512 93cf14aa45ffcd71e0c7711dab5a00cad9f43785aa5c42f16be133cb64922f72240568399b1b4719b97dce3b5e8ccd9d5640a0bebe4650a4d2c639e536350aab

C:\Program Files\7-Zip\Lang\ne.txt.tmp

MD5 59d35c51518495782bfa987d71adc4bb
SHA1 847e8aaf1f18b4b8ce2384f0bdb05dc09b1e7f5a
SHA256 0603e7de920cd46547b371e72bc1da67c24b1afb91c2bf270fa77301b3812a1b
SHA512 541871d55d78171628f509f57c57540b85db32acdddb2a67f5c669cab32192abbb460108736ddb5e24bfab76964881546c1e3c2cc5794db0a35e0a1c73f2b83b

C:\Program Files\7-Zip\Lang\nl.txt.tmp

MD5 6a20c1f9da5ab3d77a5d5db8ec00f021
SHA1 ab3fe8942447550412e58564238ba3fbc0241140
SHA256 543b2a206dcd68da86228b342cc6c051fe1538c45df0fd0aa99167b6b3532f8a
SHA512 c4214901b4c4b6b5378ff427f0d40a8b1425d7f5bc54cc40ee3b57885dedb10c13c4eb267ce2d0626b70ed94260c18aaafb46305478976f53be5db42f15ae013

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 0c245869b01b4b479e7747e3a0a2c736
SHA1 8c89d1fd73bcf0aa560a5bad9641df80a38489d8
SHA256 8a8e94d35fb221aaf1d4139dd3254d74eb4a9cc555f2823e4cdb243af4da09d8
SHA512 3be4274d4fa186f96382882f228e67bc63a47a58131c8467aff6b907fda7bd748644141f5fdafe6539323041f57c1b75967a80625d231577b36dfc1e2e5e9134

C:\Program Files\7-Zip\Lang\pl.txt.tmp

MD5 e4b1e244068ad81c322c88b5ef9d2d0d
SHA1 710a40736430b76eb46ce6f545bbb88b15beb635
SHA256 b4da0bca22a778034e507af5123962abf32c2323918d6ef8135f24ab4f05283f
SHA512 ef7bd2537fa1333f857dffd940f664e97daac2b3333139170d68d671fb20cf40271ddbf2d5058ced01e4dddb632b2af9d44a54c26f7a4077cad924ca154fd1ec

C:\Program Files\7-Zip\Lang\ps.txt.tmp

MD5 fe3122bcdf72a53098a90c47cd127eda
SHA1 42fe7f94fc620b1239971baee47c637ea610e4f0
SHA256 79acd3ccb88f17d70a068623ce69bc5f56e3a7e638948c391ce8f84a7f7b66bb
SHA512 b6a413344eec8772b4feb29f242ee26b7dd008126564c309e2cd7609c78cce0f99c870064ab577c3317cf7dffdca5f5c3da9918f56ffe9e9c13611f1d789e4cb

C:\Program Files\7-Zip\Lang\pt-br.txt.tmp

MD5 8eef2e27fa53fe1669626817fa724457
SHA1 1adc45a55a7bfcb30a1acdf04b86d1ea4ce96f34
SHA256 bb88fbeae4f8e140174bf71d2d9894a2cc5a6c4d280caf45c35b6cc21e207d5c
SHA512 249d5463807bd06f96fcf8dbaa7faa1a67ec40a77492fe2ca245e1997c255eae3892dfb931cbd3e44e1a3cf6ab1d4cb23908da985ee082647927983b48407967

C:\Program Files\7-Zip\Lang\ro.txt.tmp

MD5 9fc0300f0ed599b8d8bf56b7f3d2f32b
SHA1 93fa45207cf81db335e0314b06b64b4d42c42f35
SHA256 d56adcf08aac0cf70bd3dd1be036d2a7a2a66fdbd68ea01b5ecdb5ebbbf86229
SHA512 b7b1c109ecdd78d8f2e0f039bacacaf10ab9f282e906161ccc72ac88e5eb00021ca963a909b73b668f19555944b0f03af58ed2bbcacfaac6502113a121b739ee

C:\Program Files\7-Zip\Lang\ru.txt.tmp

MD5 cb2d56df5e2d491ba496d77e8577af73
SHA1 f238ef0ebb4c43ff30fa86f0617b506ee038d1b8
SHA256 1ee6681631b6fa9fbe346469ac466511507e81fcab3738ca93c41f2849b5b7cc
SHA512 a3a643d9e87daf887ce5418cdf760e12fb609f68a9df2f89ebafb385070fcd6e530144b10dd2a846e063c1415ce2b67fa02a3cc3728ea9be17ce7b0914795db9

C:\Program Files\7-Zip\Lang\si.txt.tmp

MD5 43d35119b09961a77eb28ae68e72a169
SHA1 31b7dd7ecd8a2b95be7a2d2224f35d6468aefe3b
SHA256 c74bf3096fb0a939486c6bf8c64f143307faa2751d9d6f849ce5c3535aa2eec2
SHA512 52fab569828a7e793db1fc081ccaf0f26e30eb3b599082e579ca989b16c1a5541c64bcec836804acb47b03b1a4c1be81b371b419319efd4501c2ec6c8869cb36

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp

MD5 8ee0f374d00cd59997e736d5a3abf872
SHA1 fd6b43da78981e9fba81d4bb7596b1cfd06677e4
SHA256 c0363c3e40e848fb2906a9e0351e5906baab4ec465e3b0cf6d0013ff3234b35b
SHA512 55585cf1fb8296285ec3080380c81314017bd2dece7985fa54ae41caae75d375cbe0b3141a8c4f3110c1fafa0637e8e9a0b18c822758ddb49489ceb6c85918a0