Malware Analysis Report

2025-01-03 08:26

Sample ID: 240617-cdyhdsygpf
Target: c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd
SHA256: c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd
Tags: upx, ransomware
Score: 10/10

Analysis Overview

score
10/10

SHA256

c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd

Threat Level: Known bad

The file c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (5141) files with added filename extension

Renames multiple (4841) files with added filename extension

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 01:58

Signatures

UPX dump on OEP (original entry point)

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 01:58

Reported

2024-06-17 02:00

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe"

Signatures

Renames multiple (4841) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Center.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jre7\bin\pack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\qipcap64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\nssckbi.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-awt-j2se-1.3.2.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipBand.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadds.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\settings.css.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\BlockAssert.nfo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\SaveExit.wmx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png.exe.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\es-ES\Sidebar.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\Darwin.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 492 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe
PID 492 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe

"C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe"

C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe

"_MS.VSTA.v80.en.hxn.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

memory/492-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/492-7-0x0000000000260000-0x000000000026A000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe

MD5 72d2292ed9fce96d13f38f10bdc2a54b
SHA1 87153b752025551f390f6c2ee0c4f99d81e1d726
SHA256 aca8ca14841cd15740be150b110996e9b2ed553436015f02026a715b67f36872
SHA512 78f69f8852b3c52161223daded68bdde56426f805e157fba7c132b664eb0fed1df3984deb12ea788da8858db105648ba21aeb2037e14f3a16460a18ca6afbd0c

memory/1700-14-0x0000000000400000-0x000000000040A000-memory.dmp

\Windows\SysWOW64\Zombie.exe

MD5 579dfe5a69a7092a28e0dc7b8e3405fd
SHA1 306943c51443588144dc592b8762c65ee8842459
SHA256 b18bde46c9a815c9fb6aab1f2d4115cfe3a4881c0fc3efb15ccc003d19e2bee2
SHA512 1db400b97da46c1f347f00891fab0205f431e0d135ee79f25b1f77ebbb00dfd5ad4349faf131aa93eab519f4eb9beb5ce110ad6d0a8f2241424ebb5c79571e02

SHA256 0070105152c7490fedc300f5f0bdd89d35e8307f73d8a93b3ad43368b4283da0
SHA512 3f1d52f8b66e3eacf3f76f6644eafed07d68c40c89d528410d0fc3d5395b3fc4fff87c7fb2475f506c36e9f50a08e3bd3fbb4b2c16c5b6a4ea27c6bb2b47ca0f

C:\Program Files\7-Zip\7-zip.chm.tmp

MD5 9497ee4d1e10585185b678350270ece1
SHA1 0d9bca46e691fba076e9943a00c3f96245be9408
SHA256 051c7fc230016f0b517ae523502b9e3505ffff4ff7d8f281e8046a6897ea4c6b
SHA512 0a0ad7605a4508fdf52ad34143f7ffb6a1ca4964ec0196e310a6a0537a294cfe1503519d398d3c4a9ed3df653547b4624faf529a809c3d1a4d15cfd91b94409d

C:\Program Files\7-Zip\7z.dll.tmp

MD5 0e6d6524dcad0a15c308fe636427dd01
SHA1 c2852a937135e0069f2785112b2ac8f2dcf1a732
SHA256 c13fadbe50f8f23bbb053c0ad9e1ef6c11a1cf36f4125471a43af34f57edf821
SHA512 c1abc9e42c67ba380fa2a45907d8204ef962a9f5e01137c68e38f7afd4625c6349d5fb35a29e49a61f26e85313fcbea1cb76d9ef0c7d2c1f54493db368d617c2

C:\Program Files\7-Zip\7z.exe

MD5 fef385ea23d2451fb4c73d25eccb2c6d
SHA1 fe7d85a39695f882cc37c44561d13bfefdcd8e34
SHA256 6c12e318ff823bb032aeddef4f126dd74ff467944671248ec4e287718c2128f2
SHA512 e81a9b654181c058d325d9378495c6cdb127d4e9345546494ff1d73cc0be833c8db73b3f007beb5ff69dd4f5d4baaa453c59733e760e77f3765b91ee4dc25818

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 83a61294f7644226347c68692455ebce
SHA1 b1da320477a63e8e0f68a18058fdd7b4942cb820
SHA256 9bb9bd89168b0f4229fa4439d95cf484c1b1f4931d1869f1220e20f1742524a1
SHA512 50297c5d44281648e97a4943a46f346e7d1fda4405936293708c8c39fa69032b4bfc2cc3d0cff8671974a7eaa217e3bbcdce3cf9c26ed946092e595f39c126fa

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 901bd3ae083b3e495404547da991c1a6
SHA1 57e80a2a27708852f3f2740895ad65e8707716b4
SHA256 224032a43aa0660d5c9b86b89801e67c88ec24d569df9d09c5bb7d43da3ab286
SHA512 b1473bc948998b60803159f31959fbb256259d83b3ed39e36e47ee623fabff6f5844c07d1911fb48b501301a41bbaf51bb714e8dd4c63a824b1b1a685753e164

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 3708cf67407f4ab8d2f47ad45be33158
SHA1 dddc685d35f50264100f376122986740ed811840
SHA256 63319ce34c0ff5d025c2ad22a2efdae9b9d48cfa2a8defe8dd84c0399cd4d9db
SHA512 d63cb46b893cef2f79f30ebd30255ebb09db2e08821ebf9f971e91cc7ba1be35b624fa578a163cff6276e0535fe0c0c9c81dd9146dc4532609cd935bfcd8f46f

memory/492-1174-0x0000000000260000-0x000000000026A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 01:58

Reported

2024-06-17 02:00

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe"

Signatures

Renames multiple (5141) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.VisualC.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsFormsIntegration.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC32.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\CloseCopy.3gp2.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONMAIN.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBCTRAC.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe

"C:\Users\Admin\AppData\Local\Temp\c2fa417061458e4495ac8518e43bbb2ea1a968b21deefb9078c6fbe975ca13bd.exe"

C:\Users\Admin\AppData\Local\Temp\_MS.VSTA.v80.en.hxn.exe

"_MS.VSTA.v80.en.hxn.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 219.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files


MD5 8b2f05e52a711ba2d727e74e76858030
SHA1 78428e2efbb240f58d0f4513809038b7c93abbc2
SHA256 c83de6cc1f7a183523cd0df8d99dc8cb8821c42002706dcfef22fcbcbd4678e8
SHA512 44177f16dd3a9268a67e3f6e3a8690554283531d20ef3bed8a90011bda13c0c5d353ce7f5baa56bff8f92e6e11c262e03810b0952d9d5a6462948c8057f11fbb

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 6bd1d5eecb1befc94073f8b42ee5ad2b
SHA1 57e613cb6a20a11b144684abed393296da007087
SHA256 979d347942bc83516b037b9c3188e6519ea8a329454773c68fd0106047a6f0f4
SHA512 bd66c3d3e9a23f02ef502032b70299d8e40300f8c94d98038a56feb52d74c2c2b889ffd542bd912c8ebf3feaabf01c11981e98dc66a7484d7350784e5072efd2

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 81ab045410f96285123fed2138ea9882
SHA1 f7d90df95010a3f064406daeee01945acbe914e6
SHA256 bbbdd49a36443902258ace4e45778583455bdafeca73338c06cf976cdf55026d
SHA512 899bbd89d9bdb867db35c2875b80000b91be69b9c0f759e50e17cb8969d5749dd5b68a513d246f6f5b55a357654ecf744977dc635b9a17ec2ef0a8460f09c5cd

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 005195d0840d71e19458e2c7ae230427
SHA1 91601b12ab6855bb6567cdaa4c332a870393eb8c
SHA256 fc1f0e78a4e033e06d27d0f482bb5b9049a2118d2bf22f2de69edabff839f9a3
SHA512 41e1d892879f5fd86bb6b5175e245d648d3abb16e9d2f13855e23b1c115233b1843d6e51302662b1caf4d8280276969e5bee81e80f3f209499de00bd2bd0af76

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 f949d71e8c4e90aeb73ec97604192698
SHA1 768550c13b8340db6811c016729aa855398adc8a
SHA256 9ed694b714211d4d444100e1135a3bff88b5b4d5cf2fcf43269baa45aa4f1acd
SHA512 4394a6f26a081ce5ea74ea95e982f6423d13a28a78fcf7a564736ab3db44901fc6b6c92d988f64c31d50eeeb258fbb95ff481a998edb5b221e140ae922df5432

C:\Program Files\7-Zip\Lang\mr.txt.tmp

MD5 42e2a410bf9098b7b36f10c74539e65c
SHA1 dbf3f9dda1934b88bf0b7b0c8bda5c9a37cc04cf
SHA256 2b472cec3fc48e8674a5d50699c35c7f2152e1eb06bb253cd9e5cd19d425c0e2
SHA512 2d7c5736f02208c18c31faf35d2836b038418e613624fbac36b45622525d6e9d1fddaeb4cbd890829d99e0a2494019a28d849b2ec483c01a5ed9917c0b3f219b

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 2690339cd9b60037cccb2eabdc4b3d80
SHA1 6ba06a55e2019d8a69fe269dae0dd6c68ea99ee7
SHA256 96c7c3107fc27cf3819adb6430e996acfc40988bc4071bc1c66decd96892ca45
SHA512 94311cd0615c33d4bc9e8870873bb01befbbbac9926e880e76f7cc53e904f2e0fdf3f89ddbe482c52882e01110c1e6834b97ca6cced3254c19ecdaf35851692d

C:\Program Files\7-Zip\Lang\ne.txt.tmp

MD5 3002861091ff89d65c63378ca720e9a7
SHA1 c8379910ce61e4fb21f38c87dc5bf3f1c17629e3
SHA256 e430302f144f8a3629ea159c04da0091f68954a9feacc295d70a774f35380d23
SHA512 608eee02b571ad71b50950f41ab18c316757d2c6d83db052feaedea13ffd023719e359dedc6a760385cdd38073040ce33bb71b9da8fc3a748d8735c7b0f72487

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 806342fc8cb03b2bb6e70985857b2d81
SHA1 b46aad3f41b94e59b6e674ae89566e1727c7c877
SHA256 58eda0722dcac33b7fda1acd3a360048cb97e49824862912d285eecddc4bc7b8
SHA512 9c25ddb674f8967d62d870cc8ca3aa974a9cf99117eba8fb1669b8bd79f121d4f1cde01eb4b56f378b69ff78cd2e5a43f65d5f1c8db1f60564c9d86d2ada3d5e

C:\Program Files\7-Zip\Lang\pt.txt.tmp

MD5 742828ea732b9ed913821b1613d21bdc
SHA1 af886a2e0d79976442444486f56ab9f5ba0c1109
SHA256 be3a5650b3f38bc9edb926bf0ada532e08aee2736a9892e1dc47789d7185c9d1
SHA512 483b20d742902adb87bf582056ea4cf5406fffa32e75bbeb2fd968f2d4a88b226783aec971aa753a33e19af085dc1f5fcd337a9f8f2a5e5070e0165eabec3780

C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp

MD5 3f81d98c9c7333b4d5a8b2a7a43b00ce
SHA1 6827b95786b1e610277675361d4b44093c3ae3a6
SHA256 883df8d00b13a4d300220cae2ddb651c2fc8ad66daebe3f7377c224348acee2d
SHA512 26083905400d05c2dd816150a2d6c92e0c4600c9fd71850f6606ac69b33cbc2f640b86e111a978881cddff37b3b41f8aa89880f1e46851b2814efc16f2f0e6ae