Malware Analysis Report

2024-09-23 04:45

Sample ID 240614-bq65mazbmh
Target 4695c28072a68fb9a43cd66d7ee3d660.bin
SHA256 9bc3510515031dd317bc657017ff0ef01853023af2908c96072e87f6c6a760c1
Tags
ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

9bc3510515031dd317bc657017ff0ef01853023af2908c96072e87f6c6a760c1

Threat Level: Likely malicious

The file 4695c28072a68fb9a43cd66d7ee3d660.bin was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (3846) files with added filename extension

Renames multiple (4860) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:21

Reported

2024-06-14 01:24

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe"

Signatures

Renames multiple (4860) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\16\Built-In Building Blocks.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.manifest.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\javaws.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OSF.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe.manifest.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msotd.exe.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\am.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jdb.exe.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe

"C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe

"_update-config.json.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:21

Reported

2024-06-14 01:24

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe"

Signatures

Renames multiple (3846) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Mail\ja-JP\WinMail.exe.mui.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\39.png.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Rome.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Photo Viewer\PhotoAcq.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\DVD Maker\fieldswitch.ax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\settings.js.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\gadget.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Macau.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\core.jar.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.exe.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe
PID 2392 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe
PID 2392 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe
PID 2392 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe
PID 2392 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe
PID 2392 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe
PID 2392 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe
PID 2392 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Windows\SysWOW64\Zombie.exe
PID 2392 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Windows\SysWOW64\Zombie.exe
PID 2392 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Windows\SysWOW64\Zombie.exe
PID 2392 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe

"C:\Users\Admin\AppData\Local\Temp\4695c28072a68fb9a43cd66d7ee3d660.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_update-config.json.exe

"_update-config.json.exe"

Network

N/A

Files
