Malware Analysis Report

2024-09-09 20:23

Sample ID 240614-dzkzvstcqc
Target bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8
SHA256 bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8
Tags
ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8

Threat Level: Likely malicious

The file bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8 was found to be: Likely malicious.

Malicious Activity Summary

ransomware

Renames multiple (4902) files with added filename extension

Renames multiple (3849) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:26

Reported

2024-06-14 03:29

Platform

win7-20240611-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe"

Signatures

Renames multiple (3849) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Media Player\fr-FR\setup_wm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Saipan.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Santarem.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sl.pak.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\Timeline_is.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js.exe.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 352 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe
PID 352 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe
PID 352 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe
PID 352 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe
PID 352 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe C:\Windows\SysWOW64\Zombie.exe
PID 352 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe C:\Windows\SysWOW64\Zombie.exe
PID 352 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe C:\Windows\SysWOW64\Zombie.exe
PID 352 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe

"C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe

"_refcount.ini.exe"

Network

N/A

Files

\Windows\SysWOW64\Zombie.exe

MD5 5b0fa9c004f65c51d3b0309ae4e60f13
SHA1 98b17add102ace5f1d3615343f447c790963a328
SHA256 44766dbcd37a6996f37a83990caab45e1e9a4881fe9b66215a0713035ad92be6
SHA512 8424bd7c2838496b4f010d1b5547f486c680d059362e53095d15c21a401abc20db4de38778f941bf4f7f7a2e3d0cde784baa77a6ba4a9b4b6121d7dbf99fb1fb

\Users\Admin\AppData\Local\Temp\_refcount.ini.exe

MD5 a05af6e8b8ec320a2d09bed5c6e05910
SHA1 6ff5c813a743863474ae94c719b27a001842a585
SHA256 59ecd0497895e00effcfc4e8e2186d0d455ee1d7fd439513092a9ac643705044
SHA512 46736e6109ca9181637cdf5086672307d23166ce2b7728461df5e31a1c25f4d9afd8a113d83a38da333f54a5e70b762156227f43676d4f7987236c1a82392629

C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini.tmp

MD5 2af82f5e0016611bf4122e344cf9360e
SHA1 f7fe87b11dc3199f29e87c12344d149626e85d01
SHA256 4a5d07507694a86f93b7ee497cc7514f90fab24e53af807175a882b785a91a0b
SHA512 505b4d36a283640f91350a66375cb58b26538c807a5f043302ac2332fcb7adbb1a4301f3f385f888465f19509e62248943e5df2f8235ec3c54c50da69780b7fc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 93ecefc9d37c66c77e6cfdc48ca6eed5
SHA1 8c683e95a5a99e63b806c8cc0cc987c3bb714fd1
SHA256 245566565efb25aaef6f1261d89b91694a9abda9d81195b75fe3eddd480c49fd
SHA512 fd8ac4c1c7b55e8a0453a8c0da759dcb6c1a4185f4d7bf38f72c7fac6b67b1db70998f40e4830e25ab451c276457dc2fd4d0b838cd947bfb389d79396d854aef

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 9620898121c97381676a9b149e251dad
SHA1 0e67bafc52196bdb02940a2cba54aba125f69a68
SHA256 adf0851715476e99c66b5fee04bc7c8f8cf567b5ed635e568bb77389041b9b16
SHA512 7b44ea664b8bb428d19c0bd878b939fdfde9fcf8cf728624db330ac5d8cfa8beaa516f1cf311493229e4a21d75dee043fff6c1ae8d14ecd225411215a8af6066

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 a32501ce51e383bef403156c464285af
SHA1 a3c3706f883b9e9b475109127cdb2b1a62213745
SHA256 8ed58907be636b8a36801f7b04f54ef0ce66b7b1e6f59af5ce1aeab113427924
SHA512 5db81ec93ec87eceee5129bf88748ce2a0997cb8b7e4230dfc55876d1e1aa8d81ffbc1a21da96e939d00b989e7f4e7309bd98dc0039d290f6003a6abb4b830cd

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 a0bc24fc10d7bee12b257b4a7d613b31
SHA1 648be89c580e30b5543ed38fe115341a44350303
SHA256 cff786e9d9fda5239018a0de06667c2abcf600a0a52e2099218729ff7b6bd541
SHA512 7ac03fa357482d6dc57c81a7a05c5f3452e157f0b0835a2486ee034cce266668347954cf8d0424fe9db7491a4396f7cfb403fd24e26f1c548aef4c16d45662a3

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 ec184d20c64f97ac1cb62a5a3479ea5b
SHA1 73a2671d747681d2915481c808e99b006d39780d
SHA256 8a8d6d1e1e71897245c05a5be2ab89798a3a9cf062790b97ee8e700231c6517b
SHA512 13ab6d6a7cc25c5dddbdd9e19bf89e6626b46a88373a5306ac01400fb0334dea10bc31c07561621f7560a31055625f015bfc5748003d31e40f25a18a371ab20a

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

MD5 22e733b6f20ec8a4be78a5c1ec85566a
SHA1 ccf29c7f7beb541a20635e857d3bb49d6f78a27d
SHA256 723ca3c7fcffc3356417c55ae9e70706086b35f038f15e8d9e6c40b8a627d49f
SHA512 a44aaed6731ff58eb26123b86ac3bd3e48df6b9fe8d476aec6e1c2d053323063c4fd29963a71ac3063adb7658d33a6a22e410eeda90c8d206b76ffa0789eb8cf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 ce968b5d1b3cd96c8d6a2f6de5c726c4
SHA1 8b77b5322522090dc9cd463f739a26709e2ae27d
SHA256 4ac2332b71fafcf800370f42b57fe978c9acadaf836a8f68bf342ca2249ed169
SHA512 3d3784e2f858a637bd32fba13b9527ed084ae4a638fb67022c8231ef05035832c923457f19cab35acc4a3fefb08e51ebb90170840daa60e3117e0a820142e45f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 91840383017c679bfb4a24eb44e233dd
SHA1 bc613be86631a96901580c2733be9f9666e27d0c
SHA256 ccbf3772b566f9b892da93e4d526ccdb4f43ba794d448bf132e6bd893e764ff7
SHA512 0a79c48d7ae184a17761de4d565762bb1d162301b915cfc05547a13a73485c8807b029791d38f3d535fcfda6ca62d827a24963130cfb662da1d02ab2b3d3d28e

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 8710a396904fadab7f450ce57c7199d9
SHA1 d6136d22fd1544e3ebf3379a43b90564e7647676
SHA256 f86fdbe9dd60fd5355ca678ad14940177d783365e98afceaf4ad0a3f6f4f2c25
SHA512 348af7f56cec8f22533a9b5f48f2d4d1e2512a0a42aa7ce0d97fcd4602db3fd547d5ac76fb26c32fd85fe5a8c33265486fdb8867a5a25c069db1297355d4a901

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.tmp

MD5 14ac1842ec20aebf8f9a81b75812e47c
SHA1 7aff1d9a7ff07a4476126aa3b6e495fef252ef55
SHA256 9f6e9ad2428ddc870b57cb13a2c469ed133dde3a681ef4db47a813966765c0d3
SHA512 d691f15672af81025bdf227c42bb0f82fdf05cf0d3d3de2d4913b474d7263d9d956bc4b465914803fd08c40eb6e225d81c898fb8c095aaf9d031723b4bd636f3

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 8e7547680457d8237d96ebd58571ffea
SHA1 f76cccf49175452be0dc92d7dac9af86edd95e21
SHA256 e7bd077faa032a1fde188030071df3a835743a990cfc5ed73ae0ce950ac7f859
SHA512 53318adc62c2beacbbace7d5447720cd6c48296fea4b29fccb9b8eafbc468477571cae176317cc897181451e5e13c12f6286cf8e2b25477974b304ed99a02e98

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

MD5 8daa1e506e9ac4b55df62a45304985c1
SHA1 8be71ea4b69ba45c569eac4efc1d30e7ab02682f
SHA256 b92d02ccc3a4eb815b6898e12fb54259e22b5b3bfc39a6b5793a3584ca4ed3b0
SHA512 fde4891d64df930a057450acdd011fe2d230709f30eceb2d9a0fe6c4d6da48c4514f085c0ad187e72d09d108cf6172b2c4e512888dc809673aa706aa276bfe4d

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 c4f4e1a3043f98f9ed0c1eecd36177e9
SHA1 d9c9035dcb5eb02e79e649f61b0aa9cf8ea33328
SHA256 7d9a13afae3952227fbdd9723d6bc2ff4bf05b5d7960b0ab8c0b22cfd46b68a8
SHA512 773fc284dca2b897e009f81db004cfd7eaadd833d939c499335846ac173efe070341f21de74b71e3725d4ea9ee6f649cdfe79f7d840603cdecead02c2c4364a4

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 acff27aa3abf0bc603ee9ce7f1044a88
SHA1 e2ee69f55b638869f7f26c0a4cd3606b175a5ffe
SHA256 7fdd87d218e8266ae1661336b3561dd25425dae7c5cf77401f05815307701653
SHA512 d548a6256a82958803c11aedb70d5e9030d6fd80058405c368ee9a367b61fefd07080246bfaa2107f76e634c07b3ad4035a987b9b98737ce5ec19c70a2e2f4ce

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp

MD5 f2b93522a116bfa4fbb9bfb2bd9faf7a
SHA1 0ea4bde80b46db07d6076817ba01566e3f78b309
SHA256 7f822614060437d8a6b6584f2e28feab2eeb95b66df5023df5d9b76e0782baea
SHA512 bc9ef42f6655cb17d3abbd44625ba7d03552e1e79948e157500e55a755e7c84af576f0b683ba45f483a7713f7bc2497f2ba9c5143040a67cdfc6c450b7789bb5

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.tmp

MD5 11c9334a02466a46f46dbb572ffcdf30
SHA1 2053d3f1771f86273b2112005d1d4f59a27c15ee
SHA256 2f3106d32366a13f16c0730369ca05b83eb26f6496c0a014427ceca656b70e7b
SHA512 2d78dd146401a5def6ff515a7fc8aebe959c52a2a2f3100a8fe808709dad7bbe8f734b6f6b96b915580925957c48c951c8304a2e4db8e585d5f4475e1ab26711

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 caa198d5afe3686838bb63fc927bbc09
SHA1 2dc85a07c7310d3acb59aff688feba9479befd31
SHA256 91d0c6af2ec7a6b0ab6b6285ca14f4bcae76c6aa8d80db2a1647cb208c9677f3
SHA512 f9ed5ea9961abb59a15a29b697634ee02ff7e23d04758f1527096962297e43107aebf5a0d5882972e452f9cce48887c0a8584a36b6d44d9184889fe8aec477e1

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 41731b7d0a381699b90a9e0d9fe386e5
SHA1 6049e66c7026ba6681f27f183d2c85330e2ed557
SHA256 2705a17c9e49bc9444da095b52cfa83a31e4803c540f59cadb38799bce1cadda
SHA512 ad8c80aa68fec4296acd46589266a99d919a93a21ede81deef9a9a0effc56424bf3616f067da685d6d4ceb9d42ad6308e68a772d3794169cb9f3da187393771c

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 f16fdb20f27fe8282b1b39b95fcfbb44
SHA1 6cf8206a53642558711f78078b0419336a5d58c7
SHA256 eb78c69e2af3ddd764d1e69127beb7caae6c873df7d3e77dbbde654e699fba46
SHA512 b31437d135d7b5b3e5452e8581b9a3980c64dc282495a497cddcfa56aa20231adf94b2a754c33f2983f0bb47e02f750f13e2054a4cf7a819bcb07705561a87a5

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe

MD5 d7d365e533a4e3e7d40580ddc68f0561
SHA1 63b0a199829e12428a34f65514db055f53be94fb
SHA256 7957c4259956c9b945438024560925bbb23d46948fd7462ee4c7a4cef3de8a11
SHA512 bf42c080f650f994aca7983220651027a30f140ceb83f17bc2843bc697333ef52e397851d366140a897649200cf6adccaf13fb32d9aa04d3630dd8fd1673da3f

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 368d32b2b89ed3e9d09bf8eb9a05834c
SHA1 f1afaddced63e50c85bcb3e8e656d8b382e29fa8
SHA256 9bd2ce8351ed3f9445e9a17ee8560e601618a2877e2f923a98d0b412ede555c9
SHA512 fb184f16d1a4b8b1a8aa099c51db59059ba5f8f2a2a4cafa22c6f370a498289a558b0a415d8db103b20474e3b70299ba454841ee4412e9208516e032530c29ba

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 b70d64abed5a12100dcba4fead027392
SHA1 0db41829607b74bdeff914507fd6c1434f7f8455
SHA256 8273304bbffe3122f8b2b81ec8b93112057f7b0a0ea47684a7c850a9cb119b43
SHA512 cee26943b379eadfa3d00651c8721d4ea0998060377a6fe9ac277c2630e9c4054e97af0071ed498c178751046c49515e3dd6ecacd4e8dcb371e824b45494692a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp

MD5 106a00be87d081063284c4a215272f65
SHA1 785698170a3deacddb4735c807ebb6635738dc5f
SHA256 d417f010ff88908eb3589603039e1eda8cc2e89eea270f8545ed20fc44e4d88f
SHA512 9d7ef2eec3dd7effdb228f312b70c62f8711eb906017e0e5cff74082518b7c3ad5353412036234e3aea39372fdb96af6fff205cf68c5b90e1f191ee7f8d37cd7

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 ec3ade61fa03cc8748f616cb5f7795b1
SHA1 8a521d944525712829c66908c7ae57d9ed1c4569
SHA256 e45f5ef53a785a5db8e7fbdecfaab92c2d9d541cc3939aadcaa9cb13cdfd5745
SHA512 15d417529f60a0cd0e5f788be5bb8450e2557e8face698e05a2836da047ae8997586d117e61d4b1b64b1c01f3e55048ac949a92cd29e0788faf173df08c7f006

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 81da007ace683a72ac3ce05db40bf0c6
SHA1 6999aaca365ed75ddae16c3f1a52db2c9d959988
SHA256 f0e16ddaa3a9dbbf419384e6486fdb739614094e54064b3a5a02e770b5e74b62
SHA512 54a3b2c1ca06de969da277763dc48c31383e942bb40ed626911dd835f7e0584ed448a34d873549eabe2e8b5ffb784c3ab6091d09158a4f77f6e492c4ccb28525

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 4da1b0784a30fb80786aa619b547c0e7
SHA1 0d35994dc8853b4e5711b92760dd55b90e577611
SHA256 038ba660d2cd6e59e8bbfd79aa1b91064c878e1ea7ca5d20fe6ce49b3f48c936
SHA512 f116a049fb5a8e32292b58942e719d66c2c9e8677b5333f06bed418d92ff28349c150e657b19a2a814806cc7e4020de5a7a5e3e88bf386264e3e03add3189605

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 e6cb65911f645b425dc2876d54bc36f4
SHA1 a6c3d54fbb02bbd9d7da74bed3559943923b2f66
SHA256 3cf7465ff7f10c9658cb4d6f81458ac23747ad191450b8b311f1d8f674d84a31
SHA512 35d1ced63aa8cd63cd2c3bdb470f7257689b3897da141cb0e208973f22f3b95564d0bde4a494900446abf0560cf96073095fc5e88521df3607f91a2d2069b299

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 2b800a2ef3963a549aad2585cf70c74b
SHA1 9aab14d090af9e20f03305dda9a9a3ee438be5ae
SHA256 27f0ed52f788dbc857e4d232230cf74c5091537020723c96732c443afea2fba5
SHA512 148e9f1273b84cc4f46ea6460243d373774325dcedbb57450cee4b129c48d9a1b09d18d4be5d89091394a4a2440f95342200ae941a239169b3795ae493ecfe3c

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 c1e2aeafd32880b56304f1e2d9dcae85
SHA1 74beca9a1e47df83a4828a187c4e39d7acb924a7
SHA256 7b575a3f20aaa1073ea196ee27a948f9ef267b70e8b74ba2f5fa4c0a50a6d753
SHA512 769f8aed19d41fca22b98aecd6ce9aa8ee2ffe0ecb4f152a1ef1a209db65603e07afe43cc7e065f6fb0a1b76b9b9099586669c9902e717d8986320035487dd66

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 e02fd4f1a8b7525ab12470b8be5b830b
SHA1 12902893bdfb433a6b228f964be9fa10766be1ac
SHA256 40259fdd3bb6ab18e41943798838315ef894de744eb3c02f617dcabd61cd9d79
SHA512 26615a5c1de670ab9fbf5230199a554e08cd0e80cb0aa389e77d892a3bb631a22e93e05d449119ae9013cde97aa9a51ce5170a17f40954515db1b1583655a2b8

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp

MD5 0bc401607fbdeecf4e969660c9759490
SHA1 36c55f309ac98fc70a3d286b697846fc2375930d
SHA256 769b01c006b30bc27f4a2e4af1b5720f5b08b7ca88456b2826c8af689eb45540
SHA512 cb672c8ec43d205b25ec555a028dd143f30cdfa5510eef9f744fbc474a485ae4073f6d39eaeb15971aea3d3175a4eed88d7b90bc5c5c220bb1058ae2b457aa6b

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 bbbcacb12eb8dec655ab21a43a2060f3
SHA1 6a4c90d33c42cbf817ed23783380736e7f0e2ddf
SHA256 3ed07827a82d8a4601f86e75137a22b3dbc9494944d9b1c59175d6da8bd4ddd4
SHA512 646353c06850a5208caa272d9d28bce3d816bdb9447d25c9b32e877d81487542b65eb839c8398fcccb33ea4d3b09a01d2e5d60b2380507b2ee5ffc66d9fe6de4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 8dd25061e310a94e36682000d7322b75
SHA1 67f509eb4ad9f6282a480e78cc33fc82561c89a9
SHA256 70f0511a1e0a7ac4a1972c6e5ab1697a5cde8126f6f9cab17bc46e6230a013f5
SHA512 14b3141568fd7ce2ea1fe56403cdf2cfd8de0c4c05151c9ece468996c7b283e1fa8bcec361e55909d76a6868f714526760bc58d15c20351035e36ca13bed0f52

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 28da1cf9fe9a559172753f0684fa7c71
SHA1 ecf9270635449a9bc2c3df9ce959fa9654b46180
SHA256 7476ae030d74c952454211aa9239bea270313b3c4efddb166304af5f684d90a2
SHA512 289ba2200486e68929ec2a8e9c5a38ba660dce7f913315b82579a213dd14092daee15ef445b804cdab26f86e11c2ba80e1f6a018faf94be38c00f4fbd78d35bb

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp

MD5 ec24c75a76ec60bad1f21a1bb503d93b
SHA1 9e65273b2f368e1c31384aa4e39f452c058e2362
SHA256 dca4462bb90aad9b35a90bf362d729b51ca0fc862aa7f389c05d1bda339f4a40
SHA512 90055f6aea01824ce90bc823db01b46baabbed5042c29f6e0ad8a7fef10439ff860a60b84c71196272355b18453e964a9b0246cdef3168cc5551ae48bffdf099

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 b20369c2b2a7b9ff5edc691a6ff65f1f
SHA1 3960ef049d70641270e44a90a4f6c69ec11641cf
SHA256 08c51788f53307c377e5fc2e7d2ed4e6936400d27d3dda05e3c3957e01fa0451
SHA512 c1c76fad097b5f787a79691f3a507479a97b61bb2188ca9abc7453e8a902842164246e502ced78a34770a1a0cc484163145e3997f9ad2caf38dff462df5235df

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 37a05599811e3412dfd7d4b1aeebfef2
SHA1 4c992fbcfb43cacb9015a3dae9ec5ab6b93a57de
SHA256 b24a0a394fd1491af2e42f8a909137d1c179256e970e756673aeba7aaad84271
SHA512 d1d45a41e4adf72144cfdd9ecd310f945b87a847b69ba46e415c3c2768654f2ba0ef3dccfce250d223554d17ef40d96dded4eb2d29d461ab162ee9bda07cbc05

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 fe97e25aec2d20c8589472fab6061a31
SHA1 4bfa958c5e905c3de6e0f882131a9750851f4347
SHA256 4c986e2c0a1b69e31d651d4e1e138843813b66b9427a516b8dec7eea4f1732b8
SHA512 0152e1bb47a0d7e7e95e8c89207143772e53b6b9e42392fe23d80a6ac937370be0e76c5e3661f433538150c61b84054a535b4f855e83bf234040efa73595f825

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.tmp

MD5 5ff0b2da47cfc36707a5217c5c8fba36
SHA1 1c157170e0bdbcab399d2a4bca9b3bcafe218238
SHA256 f98ead9c53ac4ec65f568311ce28acef2e6fd54737f58005a1c08a2570b1662d
SHA512 d67ee3aee3f1362b0e9303dfa927e77c8823a9bba3c9d591cd0bd545a0011d34487b68e3bb13a9985ac80919f53769440fdea05e53327fc2acc054fe575a2e43

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 ff1d433335893e82b61f137b667cff38
SHA1 69dd6f893b963d2a707d2417162ae30c727ed434
SHA256 a08ee5a40678f1e223b5ca5d566a158d8cb95738ac44c8c5d9a49149290eba4c
SHA512 7672782bf1327a92ed1a500827c7fc46f94b77865ada74b78f90b7d7e91b90e896a10e5083536a3931bfdec6915eb37d6fedc19b3b1e2b64ebbd782ae4173d13

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp

MD5 03a17c76a4eec0b28fc7d65d0ebdd28b
SHA1 491045ed7a750d880c10520275d8da820adda815
SHA256 de89253b3666a89db54a209943da272cb8337f5d7f28768e64679db7503d462a
SHA512 792871fcf297cf844880d273a214a485f2f336ffb4726029de8d9f02eff8758a30873114fe35f480528d61f18e4d7cd9318ba8cd1337a94814b5fc0591f1c29e

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp

MD5 ad6da76460e8c6d570c368601a735268
SHA1 23c9fb6cbfb9d0fe164d90bbb2d73b1113e41ef4
SHA256 74e4cbf6ed606d5d14c8ae326296cd53ab2663ea3132f67f81197ff5d29c01b6
SHA512 7191e7a8fa6f39ca5a6c2350d9360824132249206ca68b895018cc1ad5dc2eab1ab9db997da15536293babeaf67a76ca40cfbe904bf4bbb815d8d338272edc0c

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.tmp

MD5 5b86015615d3d760d69f86dad372fb23
SHA1 6afdf5711ee958c06e03a97d4e7d9e3e5a3b196b
SHA256 7d8c4c9ab84bb665eb3f154fd3a30b9d40509b143f0cd26f1c204b2edad7ad9a
SHA512 16021877ce0878e5d68aa302e8854dcc9a1a2473d2334dff4b4e436fc395688017f5b20306175506bf31c9d2b208d4a0a916764a2e0209fa92898e926ca59c25

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp

MD5 d9500d4f1b6441408585117f5c051516
SHA1 ac239a13a01316f26ea39f3b8f1c81a424585d39
SHA256 c7b105fc7dff14b0a7b68c625856e68bd9ca7615c68c41471150818f335392bb
SHA512 ee158756cb86562d472c5ed0a084adc57b5314756ab0c09feef691dcef561d9b27033e9e8279235b8e3b685f32b27751fda887b04390e64129584de3cfceddab

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp

MD5 125995591b1795441077599d4ac8e2bb
SHA1 ba921dd707f781a5a7ff62f9cd19bb31de8028d7
SHA256 9b2edacaedd26e1cce9c3cf09bdde021c6137a5d5334e29797cd01fa10b9453f
SHA512 0a785c881e168ed68f55ea7c6997f648fe19fea3b8848f1a88c53eab99c05a792bf91ed6cff17d2e2642aad591da976386f79312756a64143e25592b8ade381a

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.tmp

MD5 5cdb4cf38a3896ede5f4a018d368ac0b
SHA1 a6b89fabf8bd168038750580fc1c68ecd14eaf3a
SHA256 eaa81cddf3b2b2ff0df04057f6f3b1424dbd46c9f927d50b133db3e4c98683c3
SHA512 13eff26c28f96fce6108013d91c4f31b1637c8f2b555e348e5e1ec0ef478d46a2c237401050b39926f333a00a8e055ca5e1531fca62304c8c0d61845a62849d2

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp

MD5 44190a8683608c211160cf16efd320f1
SHA1 fd601d503b97ccbfd9d194bf7167571d4f1c9a47
SHA256 392e719d555479109ebe5620563c507cad2ffbdd2d2e94269d9526877833b878
SHA512 d547f449ae95c4cc7b0755cfc0d6819fb7ec1ba4b451d984b9659b7c4663bdae7e1f9d3022ee7063d1c85f80ea769abf5ab1d1a0c602547bf9311cb04d94d77f

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.tmp

MD5 8d9cb9650d1f1ff951be7c79eac3ec2c
SHA1 f3788aff6dab8831637af5f5a7d580e4ae0fa16f
SHA256 6ad571290faaa6831b8480b350aaf6dd72b3ac446873111bd50d213b9f527570
SHA512 c34364a97ee34df291c5be540ab673d7767721dda723d596c166a4c8468ef30e8171d4e40923c010e51f31db032677456db8a89d81acfef10970cc07e8abbc29

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.tmp

MD5 eb9876095db296959a626e821f82811f
SHA1 fd79d5dd8ee922133eae0d31312b1269edd908f1
SHA256 277d4481e5978f3b9abd8392c3b1b5eea07c18e72c3e95528a3885cc707dc392
SHA512 b3300d6b659b8913cbcdfebd873d5d977a7469440a18888d44fc214efa1ad24ff164b31d2dbfee9ba281a4a03d4ca99bcbd9cfa5323163e93e9e1cff6d115995

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:26

Reported

2024-06-14 03:29

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe"

Signatures

Renames multiple (4902) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\manifest.json.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\ru.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\meta-index.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\WindowsBase.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\eo.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Console.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\awt.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr3jp.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\vk_swiftshader_icd.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Royale.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe

"C:\Users\Admin\AppData\Local\Temp\bd68f2a334be2f5db85e0228329c4bded173948e855dbd562579ce91f67495a8.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe

"_refcount.ini.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 5b0fa9c004f65c51d3b0309ae4e60f13
SHA1 98b17add102ace5f1d3615343f447c790963a328
SHA256 44766dbcd37a6996f37a83990caab45e1e9a4881fe9b66215a0713035ad92be6
SHA512 8424bd7c2838496b4f010d1b5547f486c680d059362e53095d15c21a401abc20db4de38778f941bf4f7f7a2e3d0cde784baa77a6ba4a9b4b6121d7dbf99fb1fb

C:\Users\Admin\AppData\Local\Temp\_refcount.ini.exe

MD5 a05af6e8b8ec320a2d09bed5c6e05910
SHA1 6ff5c813a743863474ae94c719b27a001842a585
SHA256 59ecd0497895e00effcfc4e8e2186d0d455ee1d7fd439513092a9ac643705044
SHA512 46736e6109ca9181637cdf5086672307d23166ce2b7728461df5e31a1c25f4d9afd8a113d83a38da333f54a5e70b762156227f43676d4f7987236c1a82392629

C:\$Recycle.Bin\S-1-5-21-2080292272-204036150-2159171770-1000\desktop.ini.tmp

MD5 a38497b38405e532993b79776a64b3f5
SHA1 b44a4b3e0109f225ad3e3ab0989f85d6da6ce84c
SHA256 e0607f0981b6a96e803bf1899cd4f89d48d2b9631adc2e9cb3a2f3b5d967c515
SHA512 9b055238daf110109fafb598dbb994cdca7a8aeb2afac7fac96da90639518e552db253e5eb7a68cf43d495927bfaa9902f43c1a709aa34acdbe4103302b30008

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 87c1a3b4bf0f2989431eae7b62445223
SHA1 01760c8aafa4cc7c95141e18bef23a148053118d
SHA256 f3cad9939303fa8011e26401237c0a4e4fe5e79081c6e6377cfae6f89e25f642
SHA512 2cfbf989d60aad4995d6e3b673b03380fcfec6d486d7fa6a2511df35973d74237ad92ec751ff44ee74c7691803ee43f24f8d17bee5ec2e619278873baf1b1218

C:\Program Files\7-Zip\7-zip32.dll.tmp

MD5 c435cd4f3d4b388c6e95719b75b6393d
SHA1 62bd27dc689bfb3f013d08455c596ff9d9a7b367
SHA256 6fe5fdb2c0e8c0944528239046c4f1318f86808845f83ce78e2e685e2c0f63ea
SHA512 4bbb0d308f2be2831eac8f6e0f648f87312901a7eaf63422c8dfbbbf540c389742f80ff052e9c0b6e5ef20e2a917bf69fd97c50a90f9a5da2431d4cc5b68a691

C:\Program Files\7-Zip\7z.dll.tmp

MD5 22fdcec375e1b33c6e0cfeac588eecb4
SHA1 b706e8ba91861004693e2ee938f3a9510bfd757b
SHA256 780f472c2db17c43f1e0e909ed39689855ce85bc51ecfa9c7ee42fed44fc3f9b
SHA512 38ccb0f300a128fc2457b77d39121a59337fd6cf294143b5437cda39eb881cdb501235e812aa0b8ef7723758e9c46c8640f124f65ff7f0627575e85067517f7d

C:\Program Files\7-Zip\7z.exe

MD5 9ab222d78c46c51fa677884ec3a25c2e
SHA1 c6d0cde66397153be24676e919c57bc93349d8bc
SHA256 b1537e2d8884b8fdce99f13b040741faa86da079c370dfbf325f3e68c6a03641
SHA512 5239434e160f18eb27603038833f43975dc26da3b96c3f3e491f575b116fec8d65665d01d76d7fb0f4ef9e28c5efab7f1766a8ddd9ce6229cf3ee6158939d212

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 b98d47fd280c86e35886b40d091de857
SHA1 0a40609d202f1daad0bca448088c88a2d58ed1be
SHA256 d9e3bdfc4df20913c1531214db2480a106e707d9ad8de15a189cc6510855ea4c
SHA512 ba5a4bcc9ef5cbc3946c2564192bdca70d69ecba456622880814783e50109c5d525844dfe45693f8d50053ebe7dc7535295d20c3edd782b277f9f9a91536cc3a

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 a439b7d78538757de6c41b3dbc93b3ed
SHA1 b31a3482b6eeabd63de5787366f765b2f3dfd30b
SHA256 7045e19267f07bc3c5d0764acd48ca7292e7b10c970b2e962f6a17047544e376
SHA512 5db8449664f2ebdfcb8e3c203ce6eb65b86fa1a2cb853d755b6c6402569ddcb17d57b6a2db8a0564894241a117ce88341dd000efc1ad3b2467dc11b0d31a5c14

C:\Program Files\7-Zip\descript.ion.tmp

MD5 5ca7bc4afe77fe0eb07b8e5f4a1a67da
SHA1 34aa17846ff3708f33193af0fccbf0baa823e210
SHA256 36d448df8b2c1e971f24d6418af34647c4f5a801ac8a48ff54bd6d15087cb4ca
SHA512 dbf67b288596bccc861ddae2bb13f1a3e1f9fb544742e5222b99b3335a557f165d83b96a55c3b50464db8d01ea0c247f733415dd3fea5b9eea0d8b4cf329e70d

C:\Program Files\7-Zip\History.txt.tmp

MD5 613141d6728454a39b10899505f62197
SHA1 7d2d0a0a5c1405aa43105b94da47cd38099c240f
SHA256 0db2694e754d66cbd83e63c9ad5eafd73b247c2e9294e2f253417d1b2bca0767
SHA512 0ab717c58c9b09c38a36036d200f3882c2568b05434542d6f66266f2458c5619ac8c8726ca1d30130efee5b0b5cb309b7ed7efbda16ce0436726d89f5a4ec7de

C:\Program Files\7-Zip\Lang\af.txt.tmp

MD5 4f4d83490ca88c314bfa93b97fc473a3
SHA1 05663194b474411b1b968421be6b0bc2902c79c7
SHA256 84c8ce21be0c5d1082f91c82c25510d54176700d923bf81f981395f76f55f973
SHA512 5ff0acd1908e10b0a41a784f023f285bf01b7dc71d88b95160cd07fb4bc2dadfad528a5a6aa0ab50e915b30976db89973491464b7a7b37c0d79af4dd5b1066e3

C:\Program Files\7-Zip\Lang\an.txt.tmp

MD5 44e1d2c469940682e59b80bcd36dc704
SHA1 65952309c88ec0aea6504eb93f52d116bc6f701d
SHA256 6d7e0cf889e6981318f5fac7b7065d3acc8a8575055652548d7e3ef63c067bd6
SHA512 6884ab2830ddcc2e5df3724964cf66205702fc70027c604b81282d29315e8116732389ff20068abe5a19ce5598a466c1801381ab550ca9f32d1e0e8527d17bac

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 9476aa6d64da947f23c916f585c8f880
SHA1 e7f0316d008882f87a4ee21cd00739ebe169e075
SHA256 4f3805749824736b5aab88cf6dba2743f09043acc50813ee6c11b80d18aa71c1
SHA512 fa0f662c31b3b7e2ab034830d5ce4cbf538654b103bbd46582b0fb83acc3b91723feb31718ee55fbf9088ed2e24fd4dce87536a7227cd5d5e305c06415ff0cae

C:\Program Files\7-Zip\Lang\ast.txt.tmp

MD5 7c0d112522db955fcd03c344962e5c97
SHA1 dcc780026799b960aa0468cbbcffff07ec5c28f3
SHA256 229c9b02dc3ffa4bb724c7c6a683e0fcfb4ea26690c35072aafe0c96c8893b03
SHA512 699b950fe09d479b2a8372d26c4d072eb23e51106231518828f0c91f0b122f1847e9050b1aed7e36811b80ed558f43e5bd3515c263d3ff8d4ac355bdf65f602b

C:\Program Files\7-Zip\Lang\az.txt.tmp

MD5 c5c2c0f8c11d1e25f523b0f01a21ac63
SHA1 b1ce560f62bb76acdaebce728b6c01214ed719b1
SHA256 08efb58f72adabeaf4dc1e1590783e2e62f9f11dcf95024d3e6b00d12f91b9db
SHA512 453642b859f7274f6414ad645abcc8abdfdcac03ac0eabeac85281fbf2a5973e39ae0943dbd28af79010be97d0442133e2b3fe9da25a2a1d05027e23de1959ed

C:\Program Files\7-Zip\Lang\ba.txt.tmp

MD5 9416f5405ce64fc47bfd9796dd98675b
SHA1 c903f39922cd7a730b16b1015fef971d34870baa
SHA256 e397af92684bca59dc179355e3f7bc13963ea7868d4a95244c9033a9909f3e27
SHA512 9511f07c6aaa608676af71c353e35fe1fef5dbc3f104f2bb3f080566d67d80ca38386201122ab9e9cb9ac9529eb477c93ff646acf17cdfa4cf0d0bd59c98178a

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 a7e4ae17ea6bbbe24f84b9b9948272d7
SHA1 f2c49a6b483b55b2a21c5e5bd4f4fbd94d1552f7
SHA256 7caab955a55801cce3db6fa6c2e3b3fc91daad2f8b1db00401fca7a226858359
SHA512 92c1e053e8fa60f7ada495265e098a579bb61ace5ef21b9a6ee95f081b450aba73ace1de3e4ab508f633125edc6d9025bb2dcbf12f79e99d26e26c8ab8189cf4

C:\Program Files\7-Zip\Lang\bn.txt.tmp

MD5 b115435a51b72bfe7b6b83fe3a35e361
SHA1 b4c955a6c164b83666141306f1c4e33f0cbd3607
SHA256 cef273c3b0989413fc67333d0f32e7083c1e17988a5b250d28ede37c6bba6955
SHA512 8a5a545f1f3c7f3e0b75b5d288542ea1163d85c09037af29cebd8a2b12b76b429eafa37cb0fe5d725a436523e538796551ab24b590d9425fba171d421d4a2f37

C:\Program Files\7-Zip\Lang\co.txt.tmp

MD5 ded9be22dcb3aecd6be983c09906f012
SHA1 6afe3e45a16c09e17579e4ebfec522af002b2f01
SHA256 e3a80542de8cfe2c5300510bb8c404640148f17467e421cbd6379b7b9f5171af
SHA512 a0eedd28fec835a690c180ea1fd37f1e733fd59866bbac814d71640f5a6d225933800d7ae6c851f1182d58cd892e6932c9035e3add8814e919b06aeb258dc6d2

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 956d5fe0e1d8eec60054148ae7f61277
SHA1 bef6f7081cb7aa08ef4543036fb6086ee54bc2ec
SHA256 ce5f59a320b72616ed64616faff0eb6aa4057240ee2047fdee5bf6ce77a724db
SHA512 c55750158ca52e7193c5f17f6e6f025f95d240a62edf3a0fae66ac18b42e23bc772f763d5679c54a083bc0cf50a3b3977dde8519bfcd80d0ac3e067a3d625a73

C:\Program Files\7-Zip\Lang\da.txt.tmp

MD5 fdc22856cd238d6ca635f24a489a8ef1
SHA1 d14cb9895b677fe62d83aaf2ede5466adcab3990
SHA256 78c3397c833baae6b3356900ab9f633cb864d22047da2c8b5b1030918ec3d9b1
SHA512 8c64872ff719dd3bb0d3826f5ca1f9a1ada1b4bf23c8230fbf8e0c79e433aea693427a44b2218c83072078c5a5a9d5bd24c0ed0873e0b89d49cb05b66d1b88f8

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 e2fe7e3b6b369a82acf94c496f25197f
SHA1 0d1f76ff2abd063996812c96d648a84b92f154b8
SHA256 bc0864afe1180ded08369531a5a119a8b59cb50811ba7b11cfa2f5b3ecc6231b
SHA512 706bc2afa6a79c13babaf8379180f876ee8b259e1e605c2f0c45d9bb5f11f71bdd8e7f8880987d77815f621ee08db0b8b81ef9e60888c98bdde3c6ca4698c49d

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 0e36a1d3093e524c247de9bf375cbcfa
SHA1 6399dd8ac1ba5906f37902a57b6cc220989011d0
SHA256 fb5fb12c76ce46e4c86f5d1c2e93c147a6d713cde606ab5798521cb708735e64
SHA512 2f8df4242521cb05b96e98a8ada3d28f6f23667a2cac389a7a7eea2eacafb6e80d61ae17ca0539a094503b535bb1a8089b4696adf912b213daf78aeaabd01d5e

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 28796733a3021fc7e69bbf6704780bda
SHA1 e4e0f3e5ca6b08c8e91f21d987b18060e7ab1839
SHA256 6daf121692893e4ec93c28736343bc14131c814f0c0e181a044bb5ebec20afec
SHA512 c8016577ef8a2dec26c68453fd098214a245f34931dc1c64213cf2cbc0eb7be2a24122e0de02ef8c91d3dd4888636ed4a46f64bf084f5895e915e28b209cee64

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 7492618f2c5749e9d64ecf8ace54639d
SHA1 94d28c84d07fb91afa52d735aa20fbb920a0a897
SHA256 3c1a1be02e2da497a72b2125ef107c1eb315c0a9baf2d39d5871dc7cbd355769
SHA512 c5dc38244941e412e38e466297d133b431f600d689f29e95eee1352274972bc359b26608f0edab891e042f4470ea659e947176d08c439130b88f2a5aecf27791

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 e41b495afd9a90edea5cdde2b34b67cf
SHA1 49cbb62d445f3e32708889428ff70e5bb84f32f7
SHA256 c85c0bde5c9145d95d0bf8fd0093ae8a57092e85aa7905d2e88b40339e81a718
SHA512 68c33e06eff3a0eb9f5e7b81a68bc7cb65c74bae9cad303e034b257221df0a2a207baf97f02d89adfaaa70d152c5f1e3e98dfa0daf7410bc25afe44bb8798d0f

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 b5eb4bc6b48f65c85ca52dd544be9f88
SHA1 8a63e79a3447b30d76dc6ca8f12e94b2bbe509a6
SHA256 04eaa55808eb3c3d9bd693dc0151c6b9f1eb46debf5f46b85f2f2a7637343484
SHA512 64baa2b007437b639ec1a00bf45d133bdaee74449b2f1dae12d798b54074e9914b6d7e56322194927c146fa93f30952347c1f2db399dbecf904326cdd9449eb5

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 09bed6b75ff771dd3f325452aa75ed38
SHA1 66ce217ca8704e9e770368d0861590760163871b
SHA256 876750abed78d1830996ee9b6782b5a1e614c0feeb5c902fbaacf2fa0ec0fed6
SHA512 64d8e41b318d8dacf9025b9850351a1398a79bd00315e12faee0d9e291aecd61e31232e511d7d8d9180cce9ee0f9c32329ab60f2af54c4913d64ddab217cd192

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 1ce3fc12f2d95a307e10b60df6976af2
SHA1 6b6f605d39c6489ea84a1b4315635d49da7821c6
SHA256 852307d2afc8c5a4fb79649bd8c0b663fa576b8cfa2e9b784bca704b90df335b
SHA512 12a8a84c2c95ad37c4585774b85a64e3929013feda502c20c12ce4506478727dce27f4f8827f0d6966eb0a2a65dbc5cd52b2e9f9143f56de6ae8ad2685837b81

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 107917d5b9eeed5a2dab27ef98f78b2c
SHA1 7dbe4f110cc7977fc48a86ae5348d09406e8f6b3
SHA256 65b80e941036ec4a9304f677ba6dac657e6514df0b652874d53c5c86b45f80f1
SHA512 1946e792bd141329af6010bd3ac895a5178def4ead8bce31303ad3926c9c195be95cda2e4dc04a46e9e7793b23a05617f23cf1b52778ae83a1c5eabf36654bc7

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 f97af9f9455b2bf5d5aa70edb9bea74f
SHA1 78bc0f858a06fabe255f108fce90b45ee6da2288
SHA256 a2f1ebf83025edb30f0b0f95449286be6b64faa62ed246b4b1caf9de05a11d3d
SHA512 d2e12fbb6c72974474a1a4b87b0e7659e7cd389a69540664befbba71b4a3ab305f09e25ed1b7f009334ceef557cff664ec0189d5e7e2212ed96f34368816e0f1

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 6967cee1a3da1fbae9ed3cee2b63858e
SHA1 c68ce5caf807e814b914918ae35cfed4f2ac948d
SHA256 48d30bf46a19b36a8218391248bc506bd566ffc576f68e4443365f2408159278
SHA512 b60d5432acdaedc963ccffc4e3b814eba2e7c7932e3c5420221426ce5bc7c785a62e44d1c71a7953eac9afd5a8db9553df8bfa7717cac6938a2d087497cc74fd

C:\Program Files\7-Zip\Lang\id.txt.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files\7-Zip\Lang\io.txt.tmp

MD5 2086b484ee3e5615560666aaa273eadb
SHA1 95348edb3896a5a07fe4bee531019048a92a8162
SHA256 b6cae3cbaf2593ce0a1f1656a3645837b096776bda7815be525e3ad3ad39c4c7
SHA512 b9badbf2148ba5dbcc519ee4dbf0d292c72366cafee1560e0ff399ecc828713aa19a818debb7c7b83e01a1346545d1cd1be6b9d15cf47045f16d8809798c6f08

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 a7719e5c2843a52152b6211b6854584e
SHA1 431c8160026cf21b3366615efa8d907d110fdf73
SHA256 671980571bb835dfebbc3646a02511cc3ff8a1920ce30c4bc778046f932475fa
SHA512 9ad5047dc118c640c4c000f3ca6e6f97850188073c250f46142b4226449c7793c4839dcd0dfacbbbb6e60aacc32871707e226cfce556961d2bfb69c61eb06dcc

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 e943a2dd306ad8a41f7eadfc4a747223
SHA1 755ba41a3d5c9b1f5917bf7f528db0726d762be8
SHA256 5677859d31be311ef342011c9cb9160ece8423579ecb7c4b4c8f3233629f9d03
SHA512 3546f5d9d616915f2e1de71d9d0a2137594a75a1f9e389898aaa90777adae24755ea9d4afaa3679be7d72fc69a35fb00dd6b81e530ba89d25759fdad03aff67b

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 93a4f59ac605a14080b2c0de343132f0
SHA1 0365d97b32bdd0b7205aabe6b5a85c77625073ef
SHA256 cbd6a78a78ef63325865ee1ac980c3fc7ba7bf0701b41497fbe4eeb1209f0434
SHA512 212d6b69934670a988429863b49cf03a0dddbb1295f2d0a1203bfc2bc1940361b95a886e9f1ec295bf7a9bfc9af72924b007c7778dceb9cf56ad7ee7fba2acf9

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 73be50fae4a950aa922db7b9f43a12e9
SHA1 8e0a74005ae1a13505d87bb284ecef9f431f3422
SHA256 cbaf2e2b8969f7b5486d9bbb3fda069532e2d1f47df92957784e14b8dc832b20
SHA512 8ce423fe1f92ce8ab1a033d600f5fb82c5316b367add97e3b2704c7719399db1982239cec782fec42d548d2115e356ab826a899968b964efe76f9c477ef9ccab

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 923813d729e435df1b659e43385dd5f0
SHA1 a4effcc5b18b891df4fbcf4190b2dba787b347b4
SHA256 b622d43c3a71b697e536b57352e08be772308408b353c24ade9f343c7d8eb6b7
SHA512 cc52bf84f172ac4d5dde070f92bc71c15a196b67cf34b042ada9e7f47b70af8a7bd206f225e9f790c6964cabb199b19f179fbf3967d1dbeab65af36795e8993e

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 528a3bbded072089701d4dbcdb2b038e
SHA1 07f7fc2191f2be7ce95d46e68157525addd41f15
SHA256 b24996a13a292fc76b7e25a2c72f0244ecfa0c128cb18d6e6a69f842e54cf645
SHA512 fd8d94d22884f592a1c80d3919545f1f9e401bcdc31ae7644664d58fbb01479fa4020af61c3af6dade21bfa5d09b6f68c2c395dd6c882fc58af502464f608d10

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 6cfecb03ec8963ea465959581158e1dd
SHA1 7a7a0b902e1dfbc3aba73de9d88b2d5fa6ceff52
SHA256 49f551d06c2cb77b0c3b2111294db6891cffd9c23735dc772878d8f983f0dce6
SHA512 921cff078c01260de64928ecd6710d81e09ae583b36470e074f167d77823316012fbe06c67cd1dced47dfeb02e72843a3ab306c8ecab229e9b5e407f849f9907

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 6dcb486d3a920535cda845cdcc3c7e91
SHA1 3bc7877bb951958848994cae17636bea87ee39a9
SHA256 7d0e461fd7b62c65e3a549dba7fbe4d98005567ca28eaf7114fdcd6dd0ab952e
SHA512 f78ca503119bd1396d25a551a48e43ffbc5390b3f260b3e73fb437306831911270358719abd21ed8269023cc4873c31a268f3d9f9f174f4c5fec04449e202113

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 354a634403ad3bbc454348791149cd99
SHA1 93fa7ec40203a82d667de2451e1cceea38d8d75b
SHA256 7f99bdfdebe143b8ab69e635474e5eba586431fa5d3ed467205ee0ff91387044
SHA512 1ac2b2bd4cf307d6a7b2f83c2e1215c15399a6895bd9e5ca536f723a7628b75cb4493d941d61b979809db8f7927ea0801c5891802b64aabe5569973991289c52

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 d230cf04bec5776ac551e9732263f1b0
SHA1 a66af50172a67774e6faf1edecabbf9725edff26
SHA256 f7f67dd21c345a174297484d60096d051b20cb16383b17df076d6d4c65f76c54
SHA512 def9407bfa580d236f5ea21d59bbba2ff70f7b13e6bb02a61fb9ade28ffb6cd3ec4fe1e7cacc67645285ae00651c0a40f188932a7db589d80358fe0591d119ee

C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 2d6a7c85ea3aec7e0f8dbbc5d9257ca7
SHA1 915b88a6663bc50948a13fb3c3e29baa01c5dad0
SHA256 dd3dd714c9281b620ea8772dca4816663e4aa036b03da652cbeaa439249fd584
SHA512 2fd6bfec8d8eb6f09a005d103b802e02293659c484afc300cf494d4a0ea04ae69675156419ae9699c95a5484600365be2f043987a310a4e159cf608fb6fcd091

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 586875b977564c96eee8e43aeb852d5c
SHA1 af05c556e5feb9f21120ed1c7874e7cd92b53a2c
SHA256 eaa14c5e5bf5eabaecf5b7b25374c4a32c46a55b2bc1976c9359f3370fe3f63a
SHA512 4b76006cedb823a7a75bcc4c9bc7baa4d7b3b17042f408ccf9b96197b4dc355b65196fc56c7050eb6d680c81b1ff126f31284f78e72d627a85f58a2acce404db

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 054426488fe4bb9caefc742e64221758
SHA1 cfee611f842174094a409c1c922de934c913b7f1
SHA256 38242c01043cbba8c344e08d5a4784e1350a8585bee449c9cacd277a8071a099
SHA512 2ce0b55a8800b50b1817d4285fd900835ac1e2daadf87e09b6c33874a72b91e38b090f5b8064ad989d475ff34640c89e11dd55581953eb76e6706e336a592525

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 631af023de8248056c3e0d5a1148a5ec
SHA1 b4fe6e7e924602ec8cc9d79dfbaee692b9b47a46
SHA256 cab79b3518eae2faf7e52274d106daf04a7a5ff4d0b6bae7ff812058288778ee
SHA512 c5f76871b11996d91053e5fef4f37233855e266c26a2337fb2732d19e1475c807100e75f53f52481165c82cea9edfefd137de7ba82998e0286d10c40b72b6b00

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 3aa616bbbba9955347963c0ccad680bb
SHA1 c34b39342e2b7335f941b327e01ce707285aeae7
SHA256 bd1aec1aa462b2e7ae9303c66d7417c61252e0c9c264f9f7cf04395609492bf5
SHA512 c25c86eab3f51d0ff48341da9e455f8747ae071238994fa6c29a400bbad89283fdf5634685a501eae1a2d8127dfafbc601343704eb1c2009162f6200b81e3ef0

C:\Program Files\7-Zip\Lang\nl.txt.tmp

MD5 18411d6437e815fea61a50e9fc0d02ed
SHA1 35c5d5b6588d6e3f3337a15883573087e851dc63
SHA256 ad4b4872b32e5a8d5cc0564df079697f03753475adcc374a6ae328a33893d10b
SHA512 393d704953253ef5606dffca4e6fb334c857968768b292b60e29e77adc6203d9dcaa827e04c798363bfbd46fbc5936aaaadc6e051a988cb0ed0719701a2fd914

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 cbeafcbe5405ebaf7ff803f59d160646
SHA1 80ec96bbc949ffa9dfdcf694b50abe9b81de0c79
SHA256 4639e77600bad7548bcf3d756859bc8545edca92b13cdb8def9f070b17fd24b9
SHA512 5e8a9ca328f822cbe476651ca40be29e66574807bc17e582a70466bb8dd1628584c6c54672086262220b0fa9bbaaa188e61a5f1805c8c9c5568c343dbb8953fe

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 c839dc041fb9b26ebe746b1dc552fd3b
SHA1 00b518bfd2fa7c4e245cda71d064742d8ac2ab91
SHA256 e72e60712c9a7981b579250ebb1448ac4102f37c108e01d8f277ef2197c562c1
SHA512 6ee51cfe895f86f00c6d0f5000e7633d3e14e08e9c0f30505900c6d1921204de28d40c93f050275f1a1283b4b82b55a91c2ef31afade2077e31acf732cac2ee4

C:\Program Files\7-Zip\Lang\pl.txt.tmp

MD5 69205cc458c65d2763d48cd965ac8296
SHA1 83f89cb49f449916f67169b597a0940193f09e8f
SHA256 349d012c8627acd6531eb305472c84dc75f30b7f5057d3b4a92c80a743edf6ef
SHA512 0d4150012b4f3b3a4fee5ef014ba2789d0d0c1aba0d98fcb2441e4c8f25444ccc3e88c893922bb4f456edcb51aa0bb17c47adba9dea0a609d4f6177f2e41ba41

C:\Program Files\7-Zip\Lang\ps.txt.tmp

MD5 96cba57873b1c7c50ad5fa7fd43fd305
SHA1 63d70dc258f8522a317b8bad784a45d5705c056b
SHA256 1d28d756424362d76f0fa5fcc7e38884cf3322fd0b5c09e86c1357715e9355a4
SHA512 f62a3c712d538244ae931bef82caf8de43cb6cbee9ad883d1767342874d0304d2ab7159faea873b48124334662eed460300b25390ca998f7ecd2c5136160fdb7

C:\Program Files\7-Zip\Lang\pt-br.txt.tmp

MD5 1e2dce46379c57a7a21b72931a805bd5
SHA1 1be3e5ddf73d7a5bfe5185a104356327e0895229
SHA256 bc70e09c494e3ef6ee6bc550de8b97ce2799ded43b020380a2fd9fa84b3ec6d4
SHA512 88e64ed8233e62848ee925eae79d12b4d86433dc889848a11c14a0fcc0355d5bc3f16f9f118515e9b97b37fae5fee9f05ffa3031475567d9f2eca931965f521c

C:\Program Files\7-Zip\Lang\pt.txt.tmp

MD5 377e204c2f32348d750f6cce15fd47e2
SHA1 c1c69d4651b4bb748f261f450288804bd7a6c8c3
SHA256 b1d3e37a18e0809e609d684335aa5ba2d8f4fd00b0d9cf9c2da8d42d1ea9257a
SHA512 7c616474cdadcbefb3e9d1842750cdb8dbd9571d81b0dbb6c94b7574c8cd69368c9b5777a536fa5abdb947a94328c1a268523394b606a3c7b202bc7f3f319c0a

C:\Program Files\7-Zip\Lang\ru.txt.tmp

MD5 c77a6389a2bb9830966da22fb4992c6f
SHA1 742a860542c2588f9266fa0fe8550d6a440c986b
SHA256 6c68d660aa66798ee72e18d3dce346cdc8ef98732d4623192e0a60f12262e04e
SHA512 25c737fbbcf057b066b8915a394ffc49e0f319485d6c1d4d0e4d603abb9e3f6306de2787055bb1a74bc2122a74016f3497bc01ae66f4b65fa3dfe4e17277b882

C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp

MD5 a9170a36f29a65df12b5347799e8c42b
SHA1 55423434f65855d167b0149acfdca62d74d5cae1
SHA256 7eafba54a98acff19e896855d545df3e007dc96cb639c9f76bd518e012f79175
SHA512 c8cb48cbbdd381071243f66318c8f94558409aeb3ac9b5413e2ad89b51cd852b71278c411e8a710cf18e164f62dbd7f768b397979acd98904d35b98bd94a7028