Malware Analysis Report

2024-09-23 04:38

Sample ID 240614-csf7nawakl
Target a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24
SHA256 a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24
Tags
upx ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24

Threat Level: Known bad

The file a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24 was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (520) files with added filename extension

UPX dump on OEP (original entry point)

Renames multiple (4856) files with added filename extension

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:20

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:20

Reported

2024-06-14 02:22

Platform

win7-20240611-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe"

Signatures

Renames multiple (520) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\7-Zip\Lang\mr.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\F12.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\es.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\Timeline.cpu.xml.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialoccasion.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\fieldswitch.ax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\id.pak.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Internet Explorer\pdm.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iedvtool.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe
PID 1724 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe
PID 1724 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe
PID 1724 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe C:\Windows\SysWOW64\Zombie.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe C:\Windows\SysWOW64\Zombie.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe C:\Windows\SysWOW64\Zombie.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe

"C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe

"_MS.EXCEL.12.1033.hxn.exe"

Network

N/A

Files

memory/1724-0-0x0000000000400000-0x000000000040B000-memory.dmp

\Windows\SysWOW64\Zombie.exe

MD5 d5ae82e22d74f1d81fe0d3182e0dae87
SHA1 57c1eb7409174a8a2a698657b80bff5343bc41d6
SHA256 adcc78fcff6cc793a8f9da24ab55ec3b38e2a6ac3cee7d1c9117ddaf06ed737e
SHA512 f5f9f1a632b6dd98935c7f5264848f070cc19e1b02afa8b5dfb742ce1ee44d3652edb4f8746c36f54e2a7cce4e584196d586c553edbe0aedbe5013b8cb5f8c7e

memory/1724-4-0x0000000000380000-0x000000000038B000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe

MD5 e76ee20afea688ce8ac609b997092d7b
SHA1 757d0848658e30dfe29ee27033471b9c4056e3d4
SHA256 dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5
SHA512 aa77e6b0ed072caa9eda5c389afb9ceeced706e91a4b662595467852e0e1f3f7c054f7805f35daa623adbfdf2e91b99ea248bc205900da6aee15f00b4db13f6a

memory/1724-22-0x0000000000380000-0x000000000038B000-memory.dmp

memory/2104-21-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1724-20-0x0000000000390000-0x000000000039B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\desktop.ini.tmp

MD5 425cb6fef5954ec58735ae083365246b
SHA1 072c649c0c22daf3433966e8a8a6c83befcec605
SHA256 df88daa9243ccb9fb73773f0ed644b1ae61c9f190b18a21d87d1a45eb8ad6cdc
SHA512 3f8e0497bac83625cb2abebce11a034a88d455641d98a2d898f3032124ce81ffbac35a590b4cf38810669d3e82eea8a830d49288648c395057bd2f526803ba8f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 324aee2dd19ff38557829a69c1dc89f4
SHA1 39f11645e6bf93813c24fd1642922bde3c88853a
SHA256 de7bf17c24fe232f9bd384a74a519b207fdf9b71587c2f56267fc2668443c36e
SHA512 3a2bbb6a68066bcb695ba9009e1987dfce604645642bf51a67bc87591e3f8c551067f49dd6bd46709c8e2aaf2bbd2257db1734d92452c8eacd5fdb24ee289cfc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 9cbd67e052322a9a12eb0ae905a6146e
SHA1 e0afef2e39e90d4513296bfe2409d5b0e7aeead3
SHA256 ed974b2d45b5c5bb64343ad3767a0e28f7dfd0fc08f19b454738ff2c12e18ad5
SHA512 76f1982b2712040bdad1ee873942578ec50abf08432bd240d962a34124ae5aaf787601a9e6df90101f0085165cf24bd778ca06c14d27bc5d48dbbbb47a5848ef

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 45172ea3fc53b93acbb5820ed54ed050
SHA1 ba85fd782bf1c50feab8a59b08c010c2533607c8
SHA256 a0d9f2bd231b387118df4068b3f0689cb1ef7106625657a020ba62e671701434
SHA512 8e145f84e97c3fde109d726b454e170919f03cdd376a91fd4cabf27abe23853e474e7bf2f7a64b94d19acf643967b3a5a2f06df366655e833511bf69a4830213

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp

MD5 24d19214e599782d5fd265c6aa37133e
SHA1 6c41808dc569fc6e97896a16ba99044bd934be50
SHA256 ca153eb28e6c402720c998ca7f669c0a9dfd0b75491c304f1bbb70c895716d59
SHA512 38772498d84fb0625943d404c2010cc00c5b40ed8f179ed34d9ae1555e7178e26ee515afa15a2e3bdcb9bdac10ee0a51679df6878527e35bf99072279454a541

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 eda10aeb3620ed99c9570583e37cb643
SHA1 4fc1e3c93e39503d72dbea72a25ea7971d91fe53
SHA256 bee8a7c8dd1b636cf804bfff70d9bc79d9576cb18783b2fca8de2cabcc066f3b
SHA512 304d69d6be5ae3a830041254cd0842baf47b5baaedd43996d71eaa8fe693292578a1b3c71f0f0928d99dffba8c428eae1987d5ef98b461df06755ee78bce203e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 91342a32ba864d7a16bb412348cc20bf
SHA1 5fddf2b26575690b765afc419674eb61a38ae6d1
SHA256 fef0d70fa939160121053dfeb6dc5d338d32a64aafb8df61fc89385c212dc3f8
SHA512 ea9dba58e8efb7d25153cc3486471b1b533642f79500ba854350d9ebc6b53e14deed9d11d1d5e8566209478a9b558a5f7d4023768972e698420b1c7067ba7408

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

MD5 7cc5adeca8a65b321fb7d0e2580d5818
SHA1 f0c6827dffb79a90823f5ed649d91cafe7bef63a
SHA256 e03979b9d314cd52f1f75fb2615f13ea86af1ea40430275591bd89a7b5d44a69
SHA512 f6ed422d4d0e74a11336c779143b052b17287f90851c56b758d4838aa88035e3bb968267321f7946a1d31be22fe482b78669bb199a0b84bd0b8d5f48868fd38b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 12888d9b23948825df0140f9b4a6692f
SHA1 d150959088d81ec5c4ce6b6ce24074cc862acecc
SHA256 abdfb1d4df201920cc8b8a5865065322ee275178a418202c8c05792976aa8aa8
SHA512 e594f4e4abf74e777a5455a22c6ebaeb5b639b579e6434cdfd29a48ace2210b6bbceb01dd72a874dfba7485e58534b3c908c1a1d3b6b2469cb48ca631409f339

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 a80179aaa369461f51f9957bd47d6a10
SHA1 ba7663797057e409a8063a6d4f125ff4045a7dcd
SHA256 c87984c8b78bab3845bc6be3488746254b2b6c9d61536e79410420ce326d6738
SHA512 b50c355d6c521d801657e0b514217c2d84ab893afae137bbd2f479cc162db9cbd097328c3af151b2521166813c7b6be0a9102837e70fbf34b98a8e8733c8ffcc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp

MD5 a9d11293f9d304e7b5deeb6ef324d3eb
SHA1 b75130a792660e099b6ee7df8085be68877a01cb
SHA256 9a542a866b770364d49a8fcf90d60a5bbaa9bde01cc26045313fa2a00485fd6e
SHA512 1ebf5c5f0e7b0ff755527b3f9bb1c5057010b50e3c53c6c65575de45bbbf789ce6e6f3fe6089698b5874a9339c0a5d9bd40471be1f9c96f77bac51d592c1b1e2

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 ff5cb4bbbd61b6a3979d87cc429f2e84
SHA1 199e26763e2740690b101e8c61c7302353a05f18
SHA256 5f2a686e17e69ebbc43bc288f3d5ef446822e940f51210d43ccfba0546cfe3f5
SHA512 b527f9876bd32215af977f96f41e1ff20dffbf8da13acd9c6bc34b6876f45851e902047f93f8dd481ddecdf476188a79f622f715b1408384af4afca86d374016

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp

MD5 ad76c778e5cd1ae4f12542f033320ccf
SHA1 6a077ac5c6ec15602b1a59f649c2e271e5dd72ce
SHA256 08fd889fd11de0a2d2d8839ace729f8318ae6dd05d75cae5484b121a6b028394
SHA512 9284c8fa189c376f5ded103720fcd8b54156638bf7f23350c752b5099eaeb3cf7a76976f74cba0a4bdd225f2e9d286901536fa2b56532e8fd8866e40654dc1d9

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 6666bf0d2f466c2b5a3cb099fa93a998
SHA1 68f09f576c6bad5999f7c9a5fa887fdfb1019584
SHA256 b36e29754ce2ef15897cd9b0b22dd09163db2cc2a8bd3377b75b0c7020a2a695
SHA512 5d38ae8167f60b5f06775cbdadd70c616093f48e40fbb31b9128739a7fb75a6be288fc8031e71ca3128c78d5107d8f3d5f7cf8c384732fd86260534b15f7b006

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 f455d7374e3d3754114c29c146d327f3
SHA1 ed6939dcb930e8d636eec78a254a45d06b9434e9
SHA256 464152af7cf9ad2b29206b894bc13a31e7a62c5bf4634af32874901987d2f884
SHA512 8f1c4f97b6fd445247245fb547859736241cb4f6f78622aaac4215df0fb897e2a4aaca3f21921187a43436867669844163c1edd406b1fd63ac0cdaf11466ea21

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 5e854f2085932580a3a9c9781248450a
SHA1 632df3b7e4c824f5a816d9150b1d0d22e0ba3343
SHA256 32b0a6844fd4239b43a94d96a8bb86ec3f4cc30dc6e8089411a91e28116690e3
SHA512 9a96b5efe926c47f89d5939e266722073a443fa06dfb7e9ba1521b44eb233b79a64225cde3a9b4f1c193ca992e55e6f76031dfe90c414af38e71ed98e1e5afd9

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 bfdce7dbf315517033f2a1ca295f0e0b
SHA1 e39caa8038f0574958432ca408c9d9ca8f3f13a5
SHA256 9e771c01b56e0bd85a45b32896f27e08429823e72336c8c3e39143a51d20f9a8
SHA512 11c222e78b1ae596449e5f2b7f81cf60940ba4ec05d9962590e53b084ce51ef51808952231f6d10e17bb50e4ab2b2d6fe2fc07b23b98a17d53dccae0b09d5d0a

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

MD5 fb58ce19d1064ca3bf264667a82bf979
SHA1 4853d4ffa5f4712a71da61b46daea17527e43b38
SHA256 cf4e1cc7a61aa74139d1ade47b82cf850554e3ff47c2d6395a6015c1a966f758
SHA512 ad9035f5e6624f3370d39b345fdad4eff28648858e18e26b8e2125271df5ea150c7ffa7b39fbf9fbe3dd655fd823436d8754fa0f5e54ba1ef3d111b7315b2cea

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 b6681ab097d8cac78e971a2f3d589aae
SHA1 3bb866af577cfc676050d3102d8c59b37e1be2ca
SHA256 d76e573f25e57748f65ae34a0f35b6904f75795c95c65a34994c48278417e916
SHA512 71f98d82f34074ffdeec9a917b0fbc2597d653861004a784b69bc561956919f0bb75e1a6607d4f7a73c893f933dece78b983fdf9f892feb1b454bf796677c97f

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 8faed318ceb94163e83c6c551c736307
SHA1 02ec776281899850551e0ee4703812e946c0b934
SHA256 7919ffcc151bb76e881370e84d637763281cbab25ca56fd2e759f7b821b40dca
SHA512 3c6190be3b4e8fe6bae48ba4b414272ffa2962501b6e93b02226d3135d91472e04f8590d4a17e5b4b5a901165bd334de9745f5d6e3e3405736735d174bd68ddf

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 9dae1afebe512cdd98368181dcadfa2d
SHA1 91219fe4999fbf4411c17f111eeeb448623187e5
SHA256 95c4e63629127ff806caf391128bf77f5aa973bebac69594178868408e7243f7
SHA512 091e55fda384bb984f5ab0d5388016e7425cbe9c6652626752b9549e919631ab32457d31db13a96d8e676a97bc434b57424433a356e206375f11b6082e4b5692

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 ce36c3ad8957d2539720f94867ac35a3
SHA1 ee50021e03045d3335d6a75950179cd659d7cc8f
SHA256 a7cd5596370c53a4d9132639580db66355e12007306e9d3db859da98a775d6ce
SHA512 9ef810fcba63b0b861d981109363c1fed85d98ba5a0f986c79f23c964c1f6a83dcc49def8586be8b1dc42095ea3024a58d804c343dc9b354a13f8bfd6a116bcb

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 d9574640e1c24b963407dc63f092e23a
SHA1 e90b0d423de49e9ec1a61ad3b5071167479b891d
SHA256 f86cb015a70f0bc6aa6c8f15ec1cd77577141eb7cc123f76e38ab69e04f21121
SHA512 dbaebc9440c4ec9d175d107c427f0ab96a9802edf1a71329df05dbb4144125ee7af0af7626c1ce9637be3ab31435969bcf58414edea8279527f34aaa05cd4478

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 1737520c1e889e406d41de6f6d649a23
SHA1 528663182f8fa7be1d4a707aebca621aaa4d67db
SHA256 02e605d1747ff41b29f7b879991df88c6bf5e5893c936cfa6e7a022298876fdc
SHA512 f8ae6ef9a2371fc7ad09d247f33c18a9f52eb36473146f09f88167156f499c8630b675c44fdcb664e9760c5f7964ed4769b1b1c2e5778d17037648ce93d2fca8

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe

MD5 15239e4c7ac749dc7151ce6f01f3fa5d
SHA1 e88f7cf9213a83b6db50d655ee4502616f457aa2
SHA256 1ad7e3682e922316d18b6d0d7096e0e0f6efb236ceea49783c7ac1190bd3af7b
SHA512 79508dfbbdc9e77279daf308eaee05cec6420d27031028cee3cd7014bfcc65dd454dee3c895ef78b50b21a61a964f89bc1c2bab0eccf072e023b802e34d31d7f

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 89baa93f857605f22501df2ef0c0e78b
SHA1 009c3d6b0a4881713764cab8898d625aa7852ed6
SHA256 fc8d68b17302f22cfff47d3c83fd877bce99e5bf802344f1a2edd93533b867dc
SHA512 38f775abcfa032aad983bfa775e2d41e32911225bf62bf7774af1173ddf3305b5a0ad1ceb63f83d325db061e178b4cb2750018a2ea3b642b4a311510b9290bcf

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 e9552400faf3ad4576cbad3ffc0ffb4c
SHA1 9af9ae50a313c9dcef89597618f11cb5468a07a3
SHA256 d92ff06f54598fc569bb17953831c7d5a9ea365258932edb407b19cd2839b660
SHA512 a9d61eb4c8d0022963de15844ab7ddbc34c0d2bb4c1fb789af124869329e250b2d3e1d940fbf17f4195d384c3135d062c874400517f586f57272cb0c7ef21600

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp

MD5 bef1c3869d573c0ab1c8be163e3f8078
SHA1 36933e64b9212602797687a3208eee6386e5e2ac
SHA256 489c39b067842e7e55a070f00deeef717278847fbcb0cb9cb5b10cb166540937
SHA512 2c0aad3772981974de11703bf4f8f4e644c348b0685eb85da5a8e3616cef7d4e03611d5b1c961131e32d646809a02ef97f02f903a35ed39bfa07e43a9bd02fd9

memory/1724-144-0x0000000000400000-0x000000000040B000-memory.dmp

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 28ba3882251c67221e47d8410612ff94
SHA1 fac157cc1d6a8564f6e64602f8e98c1cc13ddd3d
SHA256 a3753b43cef43be766e5fb596ab516ae676bcbeee05f5b07625736c7f0b0b472
SHA512 75a05102054883456cac7d0ae9157042aec5ce6c73d8c1e638de9fa590f38bc9e0eef650d7bae558cddc8b83b1e99838db64a482583b51af26f55b00de78fa13

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.tmp

MD5 3faf5f097116e66a25ed165176577016
SHA1 de690d64a26fd736b9accb1668af1cc2155ddea7
SHA256 a6730cc451b0fd3092b4315ed518961e4c670496988e2e12b876a69d8fb294a3
SHA512 4286608bd4354e51e137b3863896ef92f5b178e9bf7e88eea88290665a7b5ce505dc93ed9f8a3c9f846236231c49cda9184671088d920e2e39ee1ff32d5b9979

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 1a0e2d5ef573d754f3253754eb60443a
SHA1 af238675e004be729d4bbfa7205f41070f0cbf3c
SHA256 9114b0b4162c39c318390198842b890faadb843951a04f1d4f04a1d941c2d2c7
SHA512 5c6373c8c71b15e1af1cb2c7df0dc216eed6fb30f27f01e8c57444cfe9ce887803b978256ff1ccce0a785bf4f0f5d62abf2ae5af4baf20080548bf980802313c

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp

MD5 18b8ea1f32c696f8c8a4923f95244dc4
SHA1 a6daefb78687cf8232f7db479bdb6eccf2842f73
SHA256 b11bae34e43269dbbc0c6833f76efbf44dba59e04eafe49cfb7c61082d6ceac4
SHA512 e920a529356047e0bb776cbc9c96894e47fed5f83be4d82820485b8442f3f8875d8c44fae72304300d8e933445773c7b73652cfbae64819078f2b8d32c0d507e

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

MD5 7f8625519fbd856a733bd0db9ae1c4b0
SHA1 57faa365c7b23b0117732067d208e9d522623fe4
SHA256 ddfe2214375487b1e4b951baf8fd191089740d04b348d7d99ca866303efaa7e9
SHA512 d88ac4ba5e80213c3907c6f19ccf341d3f3a8dc5658420c4d6fcf5129a21b75fc13540c8d7e3a2d7531a1daf7ac1d5b250ac81dac213f7b2c3a02ad3b268fcc4

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 129d429b86a970d1e9ea9a4e7a6e8870
SHA1 bc8ed05c372b238efdf15288342db521421b9f22
SHA256 d82fe946ad313c87ccf3f918994a314c6d359c96cb01302b5fc39b108affa6dc
SHA512 2492707ae866247536fc5eb9aee6e034ca42187f5ed9d725aa170f304c64fe0ba34dc5256765630c6ebc65268954ff02b24856b7fbf5362af1994967d2b8a452

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 16e2b980d0ba50518f40a3413df88a02
SHA1 74a571eb6a310edb3b129399460233f74709507f
SHA256 ff9022f3a95360bf103aaecb51beb6ab4802764bd45209e7c50c4c559caa6192
SHA512 5b3ab35293342c3892209414b3735be7b044d0327315a7f5fc05ed6eb22c442ad07c9e975f7647764f42063849040ca2ccdeaf0f45a4334ad070fef0432eb2db

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 6d42432c8c67808573d66a531a7b7f34
SHA1 1c39951da5f9a6f0cb5f19e715ef815a952f2696
SHA256 4cef1c9242162ff2ce2da808d7068d32ac599f37213e44dffe9c59d6a8d8940b
SHA512 4cf2ad85c4e89db8560f61b0ba54a0c09008d6a3472f4e66b1cddc6835c8fc0f5ab675d8f53804345bb01864a13c2dccdc291f0ecc6f65a58ec4d5ab02ce44fa

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 a0a9e5f8e0aa74ba5fe4af3eb0f9c4e8
SHA1 4239453377d7d118c37cde973d7d42e941ebcfd4
SHA256 ab84e4033276d9bbea54829035d48eb4f13b3b99642c9284e20f5bb709b48d17
SHA512 fe7626718e73221bc229972b315bb7f2e29fdfcd4201fe79ecc6382e6daeceed18cab9d6a442eaecc3e9c9ea068dd6ca69b5de4161fad7451abe9cfc488a3c8a

memory/1724-183-0x0000000000380000-0x000000000038B000-memory.dmp

memory/1724-182-0x0000000000390000-0x000000000039B000-memory.dmp

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 ba282d7c07aaaac108911c044b9b4757
SHA1 4a3527626beccf8ae37b0982ece574300a7e97ae
SHA256 c3db34c5b9f9c0d2fb85649df2446847e4b4992afd15cce2fedefd84bf429aef
SHA512 188de343ac9d9f9d92da2126ed471444452a9d0e6a5b9849c0ca68c8f1102b1bc57146db8bd648a300a5e448a7c0b319fd5765503df6f2e65536f2e73eee631f

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 d262287cf3b13aca694c73ed5b4e40c6
SHA1 076bb6084c3e71e716c297c05a072f329a084ebb
SHA256 3ebd68cde0bcc363df9da52b356271c61967a5b93e8f4c3ff0713a1475d6c042
SHA512 d210f72f9a461df0d3e6b265ae966b528e6767bc805b9de2b8959ac07f2087bbadd42cf0dc9edeaeec1178ab0b52106ddd26a0980307aaad5f945c68e7f687c4

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 b3ef935d30cd41a91ddf0787a81be1ca
SHA1 ac3463679fd0572d0da61f1462b3fc71da277ba9
SHA256 2019582ae328a53f20bfccccff678b2237fc98639fb802b5e80bfeb672459488
SHA512 2cfb5f004ea3490985f5e798627a5fee83fd4bc7059fe56713f82f52b94698f9730ac5a11940cafd8183fb1c71e755da28509707f54d35edc22a4cbeab2ef5cc

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 7e59a0c189c0282fac12a3eb35b4b536
SHA1 02640f387596325f015d68323c594bdced1a905f
SHA256 d297297777a56f31efb780e46ac4ea4edd4ae4dc6f3537e64a76214e4ccbc037
SHA512 cee1bd00ec240b6f1321c0a81ca0b4e4951c62c3976e371d4ddea3054aeb65a2cb0f142dda5a93620929914147bc6cd022db15eb7f54e87c174e37f4fc70a955

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe

MD5 900f718aae67fefef586e196fc23b132
SHA1 c9cf5dac5fa1f2496162fac9dd01c5e7584e0ac0
SHA256 33a52d3f2e57c3406530fb07d33fe5842efba60bde4e3f4c9e6f8a907f2300a9
SHA512 f0a5a074416f51042b3b86363b11306adee69ac2a9450d248e61db73f5a29e52de208795b3953e9c87eb110dea8430fb182cef3895fa51ab4edc33b42844872b

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.exe

MD5 8bc832321bdae2884d9ad3c33e8a3d82
SHA1 b009872c6aa361e745d1a989d82b807875369fa7
SHA256 adc8f60f176d3e57afd1692775072143630898f0e9686414dd0cc29be06fbefc
SHA512 dd3be1ea58ed92a4f462e7ad6e6e55d9004fbcdd1b0f361109e25d61d2260716d717519b87d0958774c1c6ba8f477a0cc4c21ed3f2f1e8d4bd7180dc80b2083e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 bc477ac54bb925053dd5227f8a5af8e5
SHA1 c199ab085bc80ea4f259a2de1785c8440644ce87
SHA256 c18e176ed1a069cffbe9af1634885ee5008ec25a109de74663b44d06ce243d7a
SHA512 4354ea5caf02bdaf9e3e2bd89c21e260038b2aaadbbc995c57f01bc969bc00ac4ae319350a3d9e73e4432997f85def4e116c39f6e4ade16bd68056d8c3b0dec6

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 7474441873be8a372466f0e42cc01863
SHA1 1347dde96592ff80936b1363661abfe0f2f36496
SHA256 16dfca0b9e8adf743eddb495d915e8a1553e4f6a65f9902b1daecb7320207d52
SHA512 a10454060396d16157b763be2a91a3fbb29863970a7a4320a3a527f035625be0d2a2239459239f2fa0eb77265287d9874753709e3056d8be0b3a334b34b3ce4a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 79c6dfbe1f60a383b52f2456388c3448
SHA1 a8a4095fc722879e1416922d92c6bf752c7d9b0d
SHA256 3c5152a5cdf5250a94123b6d66c819952542b67cb6b52994676f50b1db19fedd
SHA512 5817e88824d1e4b6621e7112d8d3590f8ebb21af604ac1bb44aa9d40f847f52b9e0721995d35ca1ae15c8bd14b61da591e167149bae5e1ed3d42c6096ac6576a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp

MD5 0297f875a8e4f8f0a5126399b9474eab
SHA1 11ff5f1b1d8939d721642097ae7747ea194ffe53
SHA256 68ff06b9f83616b473b1228cce0b8769d2fc7d3c996f0d7393cd01055b42dcc7
SHA512 60194111e3eac88f3808f0f94fffc074b3a542f7454ad5a8cd02c2336a298ece65f1972ce8c733980fdfac94f0b45585b24704bfc9f30951aaf0f7cba0a4f9b9

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 edb119e1f51ff97cccafeb57f017f769
SHA1 0e87858875e7f5f89f3c5e4012e0d73da459bf9f
SHA256 cf182056b7564603069a84d04f04638977cdc96ac5d00e1ff6c84904a9e64196
SHA512 b357e4314e43aebf07f8762c8684274c8ca134a85db6eb576803d6e13e989fdebd0795b8b9b708b49e1fe7506f1674cb636ae881d3df2fa8635104794832b7dd

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 15dd4da098d37f7163d031cd242b1a36
SHA1 2925851e762a4169c05c17f3edaa6bf714ac37da
SHA256 817b70edb78b5d54fe854a5b712526fb784731b77fd0098ea6eb098a8550b142
SHA512 d29e777141878d4c0803cb8662d094dc383334ffab0fa030d350100b0edceabbf4e3f1c7e62cdcf64581f6a6f8ef6b94fc2be464b1b99654651c84038c1c798a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 4de6a635de1a5dd7e34a32f22b21659e
SHA1 edd5706b2d6edb84078c34c753b5757c74cf3231
SHA256 5de338ee7142c2e450ea090fb99ebcf3a449c16d648b0759dcb60da137c70864
SHA512 ae5a746262b06e782ca1c19d41b7f95cea89586c086b7f7beae840b8f8dfc74dbef12022854e5cf6370171315ce1d03d3a5b7b158e819ac0aadf7de81506cfd9

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 ef5e83e98284838a78289384a4801ac2
SHA1 0e0415281bed0d656b6bf8da474fce03f1f7e028
SHA256 5362d13eb3bf5746232314909c2805a3c5b15045b3e03648f0dd18a5523efd9a
SHA512 996c1747705c07f32aeb50ae9395967a4076de41dc638242c3c38fc04f22f8772c71ec671cf7b88fd477161577a4c050b81d4a122deff140c9ee208aef4f9634

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp

MD5 ea6ed8e2a0ba7517a29a4303fdc7b0bd
SHA1 de1aa90e9d77e0bbf6936d7e8b42f6a7c81b700f
SHA256 4f4f4c79d09671f89a6ef7f6efab5f0c183cd7cc25cb793179480e84deee31d3
SHA512 00e0410cd2c2676ab8f5e3a8018db3c2296e4489d4bff7275d2517cdddb84ef0549d079d48479cc764dfadbdbbdb95252a8b8cea4f50465ad21c870596127ac2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:20

Reported

2024-06-14 02:22

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe"

Signatures

Renames multiple (4856) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\mesa3d.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\resource.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.DiaSymReader.Native.amd64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXmlLinq.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Console.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ca.pak.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.Win32.Registry.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe

"C:\Users\Admin\AppData\Local\Temp\a7a1fee8ba4bf51c63e95b077e5e05c0e4cc069b013efdf46a7fe6563b279e24.exe"

C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe

"_MS.EXCEL.12.1033.hxn.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 200.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/4080-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MS.EXCEL.12.1033.hxn.exe

MD5 e76ee20afea688ce8ac609b997092d7b
SHA1 757d0848658e30dfe29ee27033471b9c4056e3d4
SHA256 dc48f452214b98f86afa6c3764f542c53b70fa187329d8052b50e5a5f79d1eb5
SHA512 aa77e6b0ed072caa9eda5c389afb9ceeced706e91a4b662595467852e0e1f3f7c054f7805f35daa623adbfdf2e91b99ea248bc205900da6aee15f00b4db13f6a

C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.tmp

MD5 79e4d8a2efba5c616ad90888e1b87e0f
SHA1 fe5a8885c07a04dc0f370b18c9a71126677a9f37
SHA256 7585509b404571769839f15c1f8c4ce8bba1ba3d978213ba68874c9e6ea83dc7
SHA512 9009248a9165085b9dc97d4f4f31376e3a02ad77569d1e206d1dffb5ee9caf0a981548c7d8c5a7c213de1021a7106f6e29a7730486fba7e21aec679807a84a93

C:\Windows\SysWOW64\Zombie.exe

MD5 d5ae82e22d74f1d81fe0d3182e0dae87
SHA1 57c1eb7409174a8a2a698657b80bff5343bc41d6
SHA256 adcc78fcff6cc793a8f9da24ab55ec3b38e2a6ac3cee7d1c9117ddaf06ed737e
SHA512 f5f9f1a632b6dd98935c7f5264848f070cc19e1b02afa8b5dfb742ce1ee44d3652edb4f8746c36f54e2a7cce4e584196d586c553edbe0aedbe5013b8cb5f8c7e

memory/4976-12-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini.exe.tmp

MD5 b06074d5b3a77b803150e2e67937bb5f
SHA1 f586592103e6c0c2543b107e80f46d68b466924c
SHA256 384cf26070299f9459efe24477dfcfd399c0d0b8491c8eecfdbfe947a7a008b7
SHA512 fde42abb88ac0480399f70095b791316a200d174f0387f54b91ad8f480f4e2fe64cadf8c9521e82c0967d5e89846ddb86a7a6d1481ace550c024f539f9764272

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 c59ddfcd2bc3b4bb6832d605c89e47c6
SHA1 be867cfa5b4ea391f6841d0f43ddd8f95e47fda9
SHA256 0a2bf3c17f450dfa3e80e102a57e3938ddf8346b5a2e1c17f34f0e10eb2b87a2
SHA512 fc1beb888dcfea3055722dc08fc9f5f309cf5d7d69b4f7572870ed5c509b134152237f612187f0b269f18aac6ce17d27dcee116a7376acfd8ad9f500524f9538

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 1e30f397958e58cd6f869ae1fabf4e52
SHA1 a1139dc242102688facf793127c97685ca968004
SHA256 aa3672aacb8d9ac3fab477bc8803054a334baa724b64fa93cdc57f4d6c98f5d5
SHA512 6d945db66132f866ad7b52319d1e305fc2b6d7b46f88c6f5a70239b7f2d2015ff223bb2f08725af2623bd4f4fade4eab4f1643c554e0ba5f3a11a55c4508c8eb

C:\Program Files\7-Zip\7z.dll.tmp

MD5 76ba79dc50a284b47d4f8c63fc10a75d
SHA1 9f264bb5709c5de014fa66e4dd94aba38efffff1
SHA256 7282546cee252e8ef4409546bfcc546ebc47fc0ff5dd69a54d83836187ae7ec7
SHA512 96154dc0d5ff07af904c9cde1423c4bc03fd5666b3c4d1a90710b54a75508d2a3d6e5e7fae64d2edf29fe33cffae4e5c5340d11482a3808351c96637c0ce9f47

C:\Program Files\7-Zip\7z.exe.tmp

MD5 b35791a7ec45d51e1677b028e553c522
SHA1 832a6aab458ea35471673b2903a4c471dba92e64
SHA256 f10585b82e81c1d99aaf7a69f893ccbcb13457310c1d524d6126cb01bf42bac7
SHA512 074bd60909f740dd0beece92b0ee946e277bda5cad2bc489a994e55406679beaff8fa2811f200ffeadaab19bb0b92981404c968d95532e13520bc40afcdd60b7

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 cdd87707173b25be9d504bc2e52021aa
SHA1 4a1a4ae8e3410813f433451df9adbe765e50f176
SHA256 8a159dc2068a84ca9c9991412a42c2a17dad58bb6fa7f598e0820355d3cc08b8
SHA512 54b49b0b0847ea6cbba2fdd6eadc72f282afc4a4369f77920db27dc09be25eecb06fbac92350acd15a31ba322f20d3d5e1ed50492b71a6a52637371e946937cd

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 44926e08228e9b20c62e22092213a53f
SHA1 b446f4405fab7a7f75c318112f822f88e885220a
SHA256 dafaf217eabad5e38f0810b02778c398fc5af8ea398efdeecdd2324c18fac0f0
SHA512 7ad0a4ae2f02ee2ff0b7fe623f64db2bd85335c6d6aaec2fc6228452f1dc9e2b74db47f57aaaf95c72bbd66c7e73ba408383812e53b61e0fba7d7c77087313f2

C:\Program Files\7-Zip\Lang\af.txt.exe

MD5 0c8d51b10a9b2b3999f54e9096ed6864
SHA1 a17a8cb04aecd8ce9cfefbe0b749e0a90731d703
SHA256 a9edf1874794851c4f7f2fbe69e8b53b543c67213cad5d5fc51292630056cc8c
SHA512 cc252cdb069eb2853e2f305ab1868da8d5c4042f4a9957757e1c694726d76522fb2b3bfb280999a78a0cfdcf910300c47e1bb35fa45f15ffbf720c92043a1394

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 3e7c173d544cc34be1422c5c6994ab05
SHA1 f46f7be1bc04cdf103df0afe0eb203e632d6ee7b
SHA256 c25b8ed370c1bf8f2782900ac2de52f241ab8b79e71def9d703a7bedd772c185
SHA512 09f8e1ead7029a7fc5f4ea437ee8d577b71019868164b99db9a1e113f5dfe5cf52a4d5ba990eec32bf10c8326409b8ddf71f7c8c9b014060391365c42db6eb35

C:\Program Files\7-Zip\Lang\ast.txt.tmp

MD5 1f9737d1b6d1dd8cac492d45b276bf37
SHA1 ce0f1f6db552e026dbd0434d76b4ba465390f3b6
SHA256 a04bc13b3cfbbe0faf00a062fd144930915e4e7d1bec2d9d4b65f3aa0febe51a
SHA512 c2f98e7908e3094ef7fea0e1b501aa40ad241a336dfefd99a69fc2da38a0ee3f38b88a5c3203bcc8cd7e009a666931ffb308569c4c77dc8a49370f8e61ca9be6

C:\Program Files\7-Zip\Lang\be.txt.tmp

MD5 fa620466436d1572c82ca8ff125a1eb2
SHA1 6d993b12508f67aa7856d9496cf78b3702927eba
SHA256 1f36e485801674c197e3d26a80b41281e2c277c6c3aecb4da5b84470768d1d3f
SHA512 a1d9f6806e105b3515b16e04a7abdf6ee6089de86134f2b2132573474d6c56cd53babf52b03606ff2ef94fbc0c68fb53caf85b2149767357757e1633c61060b3

C:\Program Files\7-Zip\Lang\ba.txt.tmp

MD5 9879d4a6e3cf381c02b5e042e98ddb3e
SHA1 f32e4409ac168f0d7fc2102c9179ad04a6ae37f3
SHA256 1d5c7160c10b0d849f37357112848fbe70a4eb44b4b81e614664d14298e4ce2c
SHA512 f20e110828324ce04f8ea983d193e2fd9d51c966b85e630f9f3837543d8d6756295dfd79c941d5378616811129f366b2bfdf0e87068da3bcdaef96787e8b1056

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 dd30203076b5116fe7d445b9986c9891
SHA1 3825c8e18acfe7848fa3b9aa114de015cb2c4805
SHA256 b01556a9e9c236159718c943220cfc54aaaecc907c79708dee6db7acd6c38ec5
SHA512 66d503952761ad271c5a5cb3201c6f2adce09bae7b7d38465b75434d29921506a68b5b9375bd874484cdabec3565d8ec89065a1c2e8033bd71ac367d17471647

C:\Program Files\7-Zip\Lang\br.txt.tmp

MD5 69375f26c3ada4eb96626c10a3adc6ee
SHA1 7da2afd735e582b3ed72267a50c9863c42a27751
SHA256 1b12de660cc8ad83008836ee6e6461da11dcc302fbe8ef5766fc1cb31c887adf
SHA512 1d8aa19b3f150274a93f4aae42546ff7fecd0f9efa31bb27c34be92bd1a6122e9c902ebab968f1a392159cb18b299c70be458f811962ca14328157de11eb0d99

C:\Program Files\7-Zip\Lang\bn.txt.tmp

MD5 1cb2304318c743495b17bf38482064a0
SHA1 583db2697215b10ec5aee110b1affae7913a5b3f
SHA256 61dd4193254b9ee1b679ca87f80bf34ab2c29069b2b9c0fbb6bd4e73ccd4fcc1
SHA512 14e36d856d7afae645f653e9d444aa732f6d00ecb28cda7e4ed07037e059c3110fc4402f448630a6172c9005635d5c8306ad976a7199703ddd5a3825c322634d

C:\Program Files\7-Zip\Lang\da.txt.tmp

MD5 5d08d970ab481b10329693320befdeef
SHA1 bb3d550dc484d773c0572e1d72cc7e8b1c0cac21
SHA256 4893f494683db57b7846b8b80d9f6e955dfbae0d9d73c1fccade74626140b451
SHA512 d80033c964b9e24913e53f391350d280fa72e49d53a63a329dbdd03c5956b7f35f64909a1491e3c761af13ec18e47fdfe0877d4e942dd1de132c99e1a4c2aaef

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 28699d3eb674e3b009e66ff9ea4432d7
SHA1 d3de9cf0b682516df7ab5abc2358825ad5ae39fd
SHA256 289411a6360bf58cfd1eb7bb5ea18499c22b002d0714b808dbbabe735a10c428
SHA512 53468bc182b49ae01478fd7b24392f0ee9f74ae8fad9ce88d296dfb3cbaed029ef0592783f2b3f59eae420581bd0708a7a7706353587cd1fc61524ea6066d86f

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 752b969f023017c268304fde8f6eae37
SHA1 c79fda2836940bc9291b94de8b7dc0dfbb4c686d
SHA256 3cf35f118fdfc25a73b44ec678e83450add61ae2e925ce2539a8ebdd13c9d5ec
SHA512 28979a50518c53b719acb3fbe303761697424cb9161700da62a9ac515f796948e1e1062af1302aa69f30a04c7b70e96db8a939910503142766661c01ce5ec5f1

C:\Program Files\7-Zip\Lang\en.ttt.tmp

MD5 504e7e77e4e2d49688549e5eb315e309
SHA1 ddd692eb2450ce57443ea2c6cc2de4f10f2e0f02
SHA256 468f20a6d5440488b2692768a750ac19a7d917acfd8f47a1431ad326ab9f7d6a
SHA512 dc0460e9004b1525199f456a56bed8b2b810f03d01bbb516caa47f53e854e98690f73f13c2eea4ff973328f5bc012ad4b7f692617aeafcb0b3177d1b30968bdf

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 fa772ec797be197b82dd860259012a4c
SHA1 fe73e12b07e3e8ad2449f3a2cc38a38feebb8ea7
SHA256 ff029c9098f66e92ded58cfd941a70438be579a670b309cd33bb55f399bf864b
SHA512 2af954c6fe94cc71fda3c3e1bae0a7a7cc500a6eb6beb5da1347308aab9164f5ed4545b15b01c2e2327cb9df1cb79652e15db21cfab63fc28a641560703899ac

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 8c312b95b5a8aedac48cbc1574726617
SHA1 9baadaea604b9bd3ac763e4833fe054c0da7c8b5
SHA256 8a781ad0aa6d9ce32cef2f3ee2b9a553c6926e0002a7b017ce61cd637add765b
SHA512 341d689e868f90fb88190ce70ba140f3e387fbc5d754c980ebe7a40bb8f7e2a7c3caf81a483e36bfda3caeba6e0e9ce390b579fd0913f911eda0969164106955

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 206d3c666b317f8041f14b963076542c
SHA1 6e1a102a22b444bf22b3b76a3b03a82803f0f9fe
SHA256 5d8d439593ee08879a58840639d1281e7ad0689a0fb0176956fe160884a4511f
SHA512 9c8d89d61388ec2f5556c2724491d337ec85ec2a8f0285d455e63db7e98f5c953102b257a4d02812c5f09080774d1039ef97eece2a1d33d212a8abb4fe85638b

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 6fbf9d4339393daee2526cbebeacbb2a
SHA1 333756cd69bd9b7f4622defa94782e267ad883d6
SHA256 0875e67ad82fe59450fc8eb2ec3ab95ffcd3ea4ca3534abc303c794fcac2eff2
SHA512 81529cdb728719383f85232e9698ea1fb254057221ee3190a149e9ceaaf47c13977020147cd142321f85ed9e5279e7b509c8c72398ba61b2178643b8b83fe2a8

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 0b10a4940d59dac3f4a78a53abd625c7
SHA1 22700b536041e38b7f34a984adb3cb8dd5a8e1e2
SHA256 a4f04d11265a25d6cbf5fce9606980036ab5b23408718e70f7303262fb0af2e3
SHA512 3cb0c9cbf344ba81dc981fc0d7738b073b79551b330e52225deb7e5182a587fdbcfc31ef7b01aaa3cf956f904cc4ecdeeb206f2ae6262c006fb012e2ad2340f2

C:\Program Files\7-Zip\Lang\fr.txt.tmp

MD5 d7d63321175148deae0a102e079b89a5
SHA1 5545c8726ae501e3848be6aa2c8ab8e95e7081bd
SHA256 750d0d5897e9a67cef93bbead5dd532155234486f1da10e1527ad1f34fa81ad3
SHA512 36bf02fc8d2ec89a5f61624bbb84c2288edf5d901f05438eeef7f5cfe4ae88a824388cceceb75fb28d5a3e23758ca40b092c3ab23c162f775fd4940fa10cd7e8

C:\Program Files\7-Zip\Lang\fur.txt.tmp

MD5 a3d5dc2e1185b57e005883f7d4220336
SHA1 01e2fafb3a21c15bee05d751c22b1f851e329f1e
SHA256 6d3b8e886af228276727dfbff8e1017b73467843620803538c659f269aab932b
SHA512 c23dbfcda52948dc6216a83647602cda4fe6f77286b5e773a105422e1ba241c8d948031e1e8d0f1408f2fb3d2b0a90edd7bd9fca068c63e31fe1b942c0ae37b3

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 805ccd7b8b9a6ef4dfcbd3fbbe4046d4
SHA1 7a9f27e0c39fec233da76f3656c146bb38d1ede3
SHA256 a9753ad1ccf885821deb519d997821603d1c5312fec71bd873c335392af16883
SHA512 c33b81bdb14e493c7689b8f12a3a4f771e59a35575d1b4683ef04870c00d1e15764666263f6bf3b5ce09391b86576e31917fff5948365ba96aac253a57b2221f

C:\Program Files\7-Zip\Lang\ga.txt.tmp

MD5 f0e32073ec2ae4bdb0d9fa1820789df8
SHA1 be1e8e4cd9d6b24094fa79e936812bc003aa70c8
SHA256 5ac945dfc0b76ab8a35abb774a408c92338c16cc3780a1c9c28176910f905658
SHA512 8ccdc140f714d65f4ef0532a40ec93c2671f3c5e87562bfb14a07c7b94be88de2dc02e22dd289d0868e842c51c2c712712edcd5cc6c436492a2796f6ded8c7fd

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 c740691e8cf501bce66bd960366b8da7
SHA1 d36fc6a0aaf563320d3517ac899fce56d93049e0
SHA256 04a091cf92e18d52716e0754914b2865fc0c77e399560c2d69a6e64dce3143b7
SHA512 7d36456c918d5ead91d18097d2548431f029130881d68b55901e5b553bbc9cea805a06a06721625c5cae37cd866523261f15c6b28b484a11d5791546c28dab57

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 a1888649f4fc7d8f9bbbabde2cb1e8d7
SHA1 67ac24ac8ada8d1237de7a3506c3c6e3c25dec3b
SHA256 c70ee2ca946b3573140d9b8188018adc3e780a5cd989cc3f001594811ea85059
SHA512 00f517947705f14094b20dcccdf1a6bc8d32a2c2a0b98b95c2c9ec13a9e6dbf948c3c1be9ce804212683862176f2d5bd05e246e15bfd5a76daf6a943af034895

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 a9d11293f9d304e7b5deeb6ef324d3eb
SHA1 b75130a792660e099b6ee7df8085be68877a01cb
SHA256 9a542a866b770364d49a8fcf90d60a5bbaa9bde01cc26045313fa2a00485fd6e
SHA512 1ebf5c5f0e7b0ff755527b3f9bb1c5057010b50e3c53c6c65575de45bbbf789ce6e6f3fe6089698b5874a9339c0a5d9bd40471be1f9c96f77bac51d592c1b1e2

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 7aac36222cd0cf378c0e567695825a9a
SHA1 b137300a995c0333a6b2aafa1d8f1349b3d00595
SHA256 d302675efbd7ceb4c669bfed1e3ea2855adca260a3c9bbcaada1839f67ef9213
SHA512 7c73d577fd06442e48b4bb514e2b56cf28332c5ae9c8a625f5e704ebfb2a5ad588d8b02985f9874895943153dbbe6307345f1f5ec619baa9758df0e34ac66e91

C:\Program Files\7-Zip\Lang\id.txt.tmp

MD5 e41da09aa5a31a7f3b36404220534164
SHA1 22ecb2b5f916567e90caef43d6d403f56bf26440
SHA256 4409b21809d33a02d20da90f1f36cd8a56a15d8cc07d80942a148bec7de9b421
SHA512 9dfc9399d1f3796b0b2d21e2933a78ff7499301004df8f3c3aaad6eaadf1cabd7fb70a503198f3059d3b434319f2234bf9b72251e066c0e5485f88a457ea74c3

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 fad7b3c8a6f124d4524a914f58b56f24
SHA1 8df057d31498841d11ec8ed7f07e49cdf51867cb
SHA256 cc9a1e8e10b305fc3ea5c42e6beb016ff37cd591bfdc18f6868cc187db48d3f1
SHA512 c8390fc2a1d275b5c09f2adf925bd1a0d70b833b24eb72eca88ea775205148deb42d4963977e452cc02be9a75590a99e62665353151cf32aa1222a3c33257f77

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 7e61f0ff23e62acaf2df82b309f39b41
SHA1 d52b2d8b327b4dd3504754e782bed6ded87a4d62
SHA256 b52361f587805a1b141a5f0d8b706350b891e479c46ccb3f1f613e4b09197667
SHA512 c17c7e8df8331f258cc5e131dda2743ef84bc403304498adeea724e32b085f84edac4337691c0d98509da07581c5c4a235ff734dc50006ac2bc9c1138ad985c7

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 3e1e3b8924bc70369929d3f50babaec6
SHA1 80a83f3694ddf7bb6b6a82ca8a5857fccd2847ce
SHA256 89f820be107305d6d36e01357e579366804faebac2459329fc933cc163ceff42
SHA512 c08ca1e09eabc462fbc48d03f2e2cfa292a8d89267ddceef66d686229e54e78e3c4eef1a81a6709e735a7912f0ed0af6ab2c39dbd0502f63a0f5afff0831924a

C:\Program Files\7-Zip\Lang\ka.txt.tmp

MD5 30a205ec3af4c0ce42876b70a6351a4a
SHA1 1d673928f34e54811fe8ef6577ca47c5b61e4d58
SHA256 5b03ba317dedad3300755e7a2c8dec112c62e6ef837e1dc82f02b190de411926
SHA512 d67583fbac63331ee23dea7758ac713c20f865cd08344832fe571d0b281a2fbfa66f8f0d865f90ff9656f705016280cab88574312e4050b0f19d19960870c978

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 67dfa809718682d22d65d8fccca5022a
SHA1 b181ab763548b501ef7039955241563c879d0501
SHA256 c1de726dcea1742277fcd2d11e2c4196f2ed50608c0388f6e833397942181b8e
SHA512 3000bc57265baf58c35447f1a0613c6a59b87a5093d7b028db75ee0fb88ea8e6c43e26efd2a3e78505d52a3d8e2a67e3dc1f02d882503ae26c23e4d62778181f

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 4c2228e9ece4e09c40f8094595380771
SHA1 e186dde07dc6f9c2800c65abfcf107f625e0cceb
SHA256 f6e90d0f436fdf5ea8bc1b4fe4cd9de62cd4e04fb8ad95b4878b38436d658d47
SHA512 2635adc765adc9c3ed64fe6f72412f3bbdb4803edfc9eff7b5157f0c91448d45c1471810d92523b51099fb1f4a486fbef5d22b26eaefb3202652f64de40d3ef4

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 506f9b93ebccabc45c883036d5fa577b
SHA1 233ec6f68bca177b8b9c794edfb35ee1082a65b6
SHA256 2cf98ec775e44e1f29376b0df3d331ee4efd6f48b6cd07a1bdab8898056c61dd
SHA512 06767bfda0d45e059fab98f2ebba21fa855c5c463118c48d86ec543a1bf3f3c76d71009fc3f2f95e221d6fad496dc2b45d174a5a1d986c664f03b834f7991a20

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 4f64d9aebd2cdd00aef8c9dfefa2c0e7
SHA1 241e7125806f88cddea025e6ccbffc6c646b1d98
SHA256 02c5974f8a5c732655c0972d6064c9a38321e153ddf0126151953c1f86ffc259
SHA512 c87e0b184743f7b2974ea955c81106b50cd7819b27a31c550c64ff0919cd815a0089348f65af50253a764ff7c79c10ae54c861c58ff57d06e46cd59541a6d2fe

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 b288dd3ae1c68389cfbde35c382cf89f
SHA1 50287ef8f5eeb2b5719efbb6c04bee876f6d5e83
SHA256 44ee1b7eedf5e10c70758cc3bed490b3d828eee7f789a914533b46e13942911d
SHA512 b684842738a3632b1dbf432c9cd8181cdf7f7356770980c8168cafdaed3b03ab982b7abf8118a1eed0e51ee46b6dcb3d5133f4a8a50a6d359d545cf94ff182e9

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 2b924e55f12c13d74e30b90d0c894e93
SHA1 e1974d70172f28f00c9ca0b0fafe338781483e53
SHA256 973ea771f3cb348fd6b98c6e40c31a790e3bbaf0c5569889d4f8867643f976a5
SHA512 de58166fa3a3e574f33be521f42db4c8b8229c42b446369a4d9743524915abb853f8aeef3debec829c4123cbeeafd67c5bbbb4b65057d578cfff097eb0b6ba1a

C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 4c4fafff9cc8c4b09ae528bce0ff8750
SHA1 6b2455ca8c42035a187fd424ba95733f2b09a092
SHA256 942c59b36cc3008cc496f196b9c13800d1bd8a97b1d56c429247e86476d581f7
SHA512 8770db371d963af92c3e96f271c361b8e7343250505d529a3b528c04ad0db511c7e6224735fb91fb81473e7099145ae193ee65ac61080de5780dfbfb7f76b731

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 68f40016ffdfe80b975ca28d99365f85
SHA1 dc2a88034567aee5745f25201e93b71deda4c5aa
SHA256 3ba1e4a7c2c3119b77446489e10e512a5c33c0c6a742d9c6f3d0e39a65a538ae
SHA512 6b55e4fcda9eb4f9e32cc0554ae099be11588df48f19829eea3baff2bb561363678b4e9a0a12f908dcdc93bff4d6ab80bb98fb423ce2f58e0d314227b66f6aa1

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 d5445f8976736ce8c56189ad0f96db9d
SHA1 fc3a65591d8563fa13bd6b99cc7e334db4948876
SHA256 6146b328d68da4c6fa006f895ddd12b3ce35455e8912bee550900e86cd5cef65
SHA512 40dd24cf5d43b25ab9b2fbe46b0ef4e9766385fc3062381568eec698014e2ed54c986ad15401301188dd1648f95eb2efd563a7e04d47d70d8ed55ae6e12ed9ed

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 a9d05f1ff6c949d2ddef4c4d37c12d6d
SHA1 f7051cb1a9302f5a8dda4cab63b1f57c81c041ab
SHA256 9eefdad3a9fdd172c41ce9306e07c48843a3ef6cd34be0265b26ca3d7c3fb771
SHA512 27b548a2d383994d3786ea519168b930b3798cc5bed112ae851055d19c2597a443d7e2e13673bc4c2d87109636ad37e4e29376cf965377840177c8490c6d521f

C:\Program Files\7-Zip\Lang\ne.txt.tmp

MD5 0061e3771faea33450827fd7b20f87ce
SHA1 8cee9a5ad546500f19355d28a0dba828e6470bba
SHA256 2d1d1fc8e2840bb40c6b577c11c35e8cf178750a6b9e78ebddcea31a6fa6545a
SHA512 565f1f5281b9904e1f2da6e7aa4aaf17dbae5debba794e8e7a1deac76c03230f5dfa97f8a13d9ed415cd781d3e76ba482e9f513a685558085f508b6ae570e289

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 1d93fe8f87c0b7310206752159df7922
SHA1 fc4f6a619dcd60267b83fffe5819580bfc67b651
SHA256 443d0259545586c68825b070fe7034bec9f83e0be27edb1cb3e9cf9d123add56
SHA512 4fe4c1c85112138b343bf5cd62301c82688caa55d595931e0158a72de1485a959f4a3039caba835662d79a05f1e64f79ddeab16bc035883a049a416deb807ea8

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 672de54b86109a6fb675a1295eb4d18e
SHA1 6370060529943b99837509dc2222606c067dd88e
SHA256 f642b4cee445d7aac0ef9477b62407db0f05a3318e8da0cd86de19e3dbe79efb
SHA512 831e8b5f046eeb35a42245b2e1fa6ecd6bc90d61f59ba2fc751509b735d99e5bc9c1434d24a3bd8fcc110d6a63d0771945626ff8334db6588428a9878b64513e

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 ff9c0e16f54f55feaebff7cefb5d04c2
SHA1 9a05eaa1b54d6e9947c672e5b01df9b8d845c718
SHA256 0e2dac1377ebe1f62ad2bc759540611a04923cac950bac99ec88438d2cee6ac5
SHA512 83832e65251a81336512fd9db086d011cebde3957d12e39eac5f5b0454a4f8b229e1572180deb4303d73c29d4fd0bd2586ca7dfa4fd811fa73970a758644869c

C:\Program Files\7-Zip\Lang\pl.txt.tmp

MD5 77016e6ec50e8da2fe63df46166ea5ae
SHA1 013b587c96ca1245c14fbf1142b698d7a4da30ca
SHA256 58c1ac13aed1d37dadaf5dc92763ba0f9cac1fea07f1a99c1160a908f6d9900b
SHA512 db533ac21c5e03d5d0228b2b4f8ba799a7dc67e91a9caa5fcbff600166b39609e878b8dbc06881d7d4824d020d274a23744f44ca4649b179aa277b193024352a

C:\Program Files\7-Zip\Lang\pt-br.txt.tmp

MD5 9c299c563099d0433a38628d08cb1d60
SHA1 e2c477a5a3d6a2cdab754a8a73361ee207b1c013
SHA256 bd08dcfb78639ffcdb198fe6916044be1e49b5594acf0141a84600c2f4441040
SHA512 92d6d56d49fd33405b0d149a1b5fded5b6fecbb63a6e03e01b7550543935c13ef4f5b2984641ddc9997eccf0e8232deaa52052cedf6958e6cdb97b08f933acf3

C:\Program Files\7-Zip\Lang\pt.txt.tmp

MD5 b4fc6a918c873abad9c5be0217404de5
SHA1 b51d834f7c26cc7f04ed369f256ec5fec99a3d20
SHA256 cc1dd8b6f66e3868fce3e5c561f5f3e00938337e96c6e69190fe2c5f1e29d05d
SHA512 8159024137458a110321284d257cc6a2a0eeaef0105e75e2c8ccba6d7326d8f705c76e354bce21007d855ca5c30b84298bf4261b6b4d4f911dfae5d62048befd

C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp

MD5 75d73cc781d5baded5b55aafac0516b9
SHA1 adf4b86a5e42a56378c51ad8de39a4e9e834d086
SHA256 abd63b9a45946c33819b747303204fbb1a1869c3c23003bff643f95ba7ece860
SHA512 8f32ef7b37246deb65b513c28d66fe0fe7bf270070dc8014a4baae05b52af9f2cb59be34dbf5b85fadeefd7d881d5ac2a7783de5e41127bdc121bdd9a6a5e666