Malware Analysis Report

2025-01-06 13:03

Sample ID 240617-eqdd4axflp
Target f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967
SHA256 f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967
Tags upx, ransomware
Score 10/10

Analysis Overview

score
10/10

SHA256

f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967

Threat Level: Known bad

The file f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967 was found to be: Known bad.

Malicious Activity Summary

upx ransomware

UPX dump on OEP (original entry point)

Renames multiple (4749) files with added filename extension

Renames multiple (3900) files with added filename extension

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-17 04:08

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 04:08

Reported

2024-06-17 04:10

Platform

win7-20240611-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe"

Signatures

Renames multiple (3900) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_de.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Oral.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Internet Explorer\D3DCompiler_47.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_it.properties.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\handler.reg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\jvm.hprof.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Beirut.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-3.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradient_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\desktop.ini.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\VideoLAN\VLC\npvlc.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe
PID 2460 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe
PID 2460 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe
PID 2460 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe
PID 2460 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe C:\Windows\SysWOW64\Zombie.exe
PID 2460 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe C:\Windows\SysWOW64\Zombie.exe
PID 2460 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe C:\Windows\SysWOW64\Zombie.exe
PID 2460 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe

"C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe

"_Get-VSWebFile.ps1.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

memory/2460-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1508-14-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe

MD5 2a66ea7b89d52ad7580bf95314a73ca8
SHA1 f79e0b90347978e5e1036911a9a9dddbd42a9213
SHA256 eea05265738b5d723bb64b75f5cc4f20d2979e5022d990039c95c8f0e556ebef
SHA512 0e065ef441ea4018a109dee1e5f90dfde7a3e764cb0866d23378f915fc8c113d0f6f3b30901196c646b414e5bff63d5e78a8f02d40b7fa4b34c3d876828cf848

memory/2460-13-0x00000000003A0000-0x00000000003AB000-memory.dmp

\Windows\SysWOW64\Zombie.exe

MD5 d5ae82e22d74f1d81fe0d3182e0dae87
SHA1 57c1eb7409174a8a2a698657b80bff5343bc41d6
SHA256 adcc78fcff6cc793a8f9da24ab55ec3b38e2a6ac3cee7d1c9117ddaf06ed737e
SHA512 f5f9f1a632b6dd98935c7f5264848f070cc19e1b02afa8b5dfb742ce1ee44d3652edb4f8746c36f54e2a7cce4e584196d586c553edbe0aedbe5013b8cb5f8c7e

SHA512 e452b5e8f6c7eeb7f4470d9b6bfd00ec743f090355164e5f460a4c90679e63ffdc97338a3f3a202fb7d81decba587c2b5995a278c0c595f50e32802f61df7fc8

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 512a4d2a0b93048b55ed46377d5a4015
SHA1 c0b139d38fa90d0fb25dbbe9fc817e1d5cf1b675
SHA256 24cdfd215e8c5c59cc8c856e1790685d4ec3046e134e2c360b2a99c06b812d47
SHA512 1ae6d9f183bc6cb4d1e3a24e05938260059c2a0a77f3e7c9feb380cbd2c5e3905c284726601fa40689c2ea2d4f214c714f950ae5e7f3b5c4c6194f91e61f39cd

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 0ac99d25ea313164512fb2e7c84c0088
SHA1 b5039958c49d39aa556155df0d6c37eaaa7e94ef
SHA256 a8a38767a2373a735e030c5ba1916c54ad46f8483c05e7ea149e932f79ca82a4
SHA512 4f81c1b361831e61f7e03128d46294720c576fbcbfb3e574454c49645fd0b84467b52dd4006ca4d4c9f12f2b7edd8ecbd37062186373b9685c45e2b6fdd822f4

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 07f65db4e472a7c8bd575e0a6537f211
SHA1 6e3b407d6d3d3e5e524178a35f92c4f00dfc8f36
SHA256 f09fde948f565a2d0d642a9b4f7ed9adf34ec611a2dc9f0a91539faf4a5ef9ff
SHA512 8bf8db72d946175814099f51d3337040071cdd4cd86f8d0da1b438a6d56c557e0e87caa93d5b00e5b1dc7a1c635662dd4c9664edee1c88fb54616cb0607447bf

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.tmp

MD5 fd6896ab428e81562295b064c49fa07c
SHA1 39344e1a4eb18acad976d69ccca5acd12fd086c1
SHA256 a399a250b5aad717eaedc90eee7928d734f9b8e178b48c763b0e248adf36b7b8
SHA512 75fb3dff8b00d6a8520bdba6216a4590eab52d21dc4e4a174b6f4ae7dd9998e21a171b070c3503baff19d098b29c964f9f9467d31cd13fb66d019fe13061d460

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 55fb5223668d0ebc527136511b07bea3
SHA1 c90ad9cc751253a823850e0c663c3848f42f4417
SHA256 5810c201d40ee4df9904c54b8b8c786412b747dcb8d17f16c804e622484c8329
SHA512 ebf4be5925eeec7ffe9896689182d8dc3c4f6428205a533c865e40b3e6ddf3f9421269f9042b1461751effc71bda6a819247f69fefe04d8afd507ed816522633

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp

MD5 a85747d1cb50d3014cda3b40db71e497
SHA1 d517cbe8a3e7afbf3837c4738308ca55cb152a39
SHA256 45df4d20d6bda43115a6607c9eb95f0dd8492dd1384d33379b462c41a8611953
SHA512 37b15f9e5d2705372ff317e4c744fb37a37ef8356a954338ca6c478dbe5333372f6eb7b5c32ef4ea6af715cb29491a84bf011c3fdda16f9ebc905bb92867d5e1

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 fde141ecc1c99e7ae65059ba75f5b0d1
SHA1 85299904d0f1e33069f3a3e357f978ff3769e1f3
SHA256 ae41ee259c397d68fd670a9d0a9adcad92606965d5f52e58a8918d7a8109bd06
SHA512 1e6c914a65ae60a763de6982de5b84ae4a74d88a43c2b39bb83c69598affd30a359571d67eeed7c5780b49593ccf31502d24d48ab21f0a7df9bded2bde174c70

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 ffae95d5b766debc405868d7b0b2bbd5
SHA1 c13b377571042069220b037cbba85a0981e1ab28
SHA256 b4c033854a8754d7dc91ba8c8c864d4ccc5bba7e1fe0a04bcf70bc1bb03bf30c
SHA512 eafe1f1f9dbbaaa16d6ec7349ad55221cb97171cc9d0467c1ed48994cdd5c4e54c61a4789f912d818a1c0d45437ba620bbcce6855389d6904e562b7036e3e834

memory/2460-878-0x00000000003A0000-0x00000000003AB000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman.tmp

MD5 8f6145dd2bcaa948329be5766d8bdbf0
SHA1 e3cf8a77d2b477ec24bcf9e43a1e9c2ea6e1f289
SHA256 3c47e722e004c8bade1e5e0cb80cc2c3e7da641fe77be405a148b010851b8355
SHA512 491bf478d4b0bc28009551a4a70d81f1222d6dcc7c4709d6962e4d84d99477447f4972402b46bb02402be78c138a2aed6e435559cec49579e3bb4e36a1d5e4a2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 04:08

Reported

2024-06-17 04:10

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe"

Signatures

Renames multiple (4749) files with added filename extension

ransomware

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encodings.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xerces.md.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\external_extensions.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOSVG.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebSockets.Client.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClientSideProviders.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\DirectWriteForwarder.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngdatatype.md.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sk.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\nacl_irt_x86_64.nexe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe

"C:\Users\Admin\AppData\Local\Temp\f47ab39fb7241c7b8dc517ac8b573d670a041c705c0c99d5641a2b6d79e4f967.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe

"_Get-VSWebFile.ps1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4944-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 d5ae82e22d74f1d81fe0d3182e0dae87
SHA1 57c1eb7409174a8a2a698657b80bff5343bc41d6
SHA256 adcc78fcff6cc793a8f9da24ab55ec3b38e2a6ac3cee7d1c9117ddaf06ed737e
SHA512 f5f9f1a632b6dd98935c7f5264848f070cc19e1b02afa8b5dfb742ce1ee44d3652edb4f8746c36f54e2a7cce4e584196d586c553edbe0aedbe5013b8cb5f8c7e

C:\Users\Admin\AppData\Local\Temp\_Get-VSWebFile.ps1.exe

MD5 2a66ea7b89d52ad7580bf95314a73ca8
SHA1 f79e0b90347978e5e1036911a9a9dddbd42a9213
SHA256 eea05265738b5d723bb64b75f5cc4f20d2979e5022d990039c95c8f0e556ebef
SHA512 0e065ef441ea4018a109dee1e5f90dfde7a3e764cb0866d23378f915fc8c113d0f6f3b30901196c646b414e5bff63d5e78a8f02d40b7fa4b34c3d876828cf848

C:\$Recycle.Bin\S-1-5-21-2080292272-204036150-2159171770-1000\desktop.ini.tmp

MD5 16ed9c6503d87034ab0930671cb52b72
SHA1 64c1d9f2bf63ef32642f7ead686d189266b47f65
SHA256 0c2926fb3cd7202fe2a9a523ee142387e5c32e6280fdef0c0fd1ff34a3872290
SHA512 e48cebc5f744ad0db469c35653c49c9bb38f0c10fd146c965dbc938fda889b0c10b6a7431581f6b4c21204d9f52c6efe23a4cbea144934a28c52be07ceda419f

memory/1288-12-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2080292272-204036150-2159171770-1000\desktop.ini.exe.tmp

MD5 306fe0901ceeedc77add54b2ed6a04a7
SHA1 b771f17ade165e79f4ad1ca4d402f5e162c799da
SHA256 3e020eb3633acaf019b065c8b8e19e70af9e49553925788a3a1ccc65967a8e45
SHA512 c7684aaa5458c1ceff8101fb3e12503b6ef52da5420bd5747926e496a18310d4f91f4fec7b744548f56e93cb5c916ea05fe4122b3e1f4d0fa93a5e7faec231ee

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 fdfbbd1eeb9b72680ce3dd25e140511c
SHA1 db48ad756d2b11469a5be365946cab5a4e2383e9
SHA256 6482660b5510845814a9d5eb279a39b5d7325ea0d2a249c53e4a67a611624a19
SHA512 3b7bd293fda54c67dfdd3c697847c21ea6864cd4081832fa4e401412128d774cf3ed5226d247a860f9f98261a20d0f5102c71d4f1e08c1dc3144bbbc9ed7a187

C:\Program Files\7-Zip\7-zip32.dll.tmp

MD5 fd57cc90273485981248cae525ff9085
SHA1 a0eeeb32d6bb12a89595a5a623fdd9dfde622427
SHA256 afe3f47ec416299546ded48c00fa49799db612dcbf35b1d86c65b02d2d897016
SHA512 a7b39620d85481cd7ca3c1500a7a8b14448ad06ab7620e86aaf84c644ed55f4e921eb363ebc89c27e90134a422563e5d3ffa804cbbf14df95a84f9666111f4ac

C:\Program Files\7-Zip\7z.dll.tmp

MD5 8dac3fd208b43fdb1b94b33246c60b6f
SHA1 ddf04cd7cf728b43b14532c557446a4177126131
SHA256 412ce4feadd3f6bfb6d5b5c9d66b2eec7df197753d2dccd0f7c1602bf5c3369e
SHA512 f64674f123a711ac235d46a0ab0e5cd13050663278fa4cbb7e9a956a78ad94c76928fc5b4455286f5d6e531767e39bc927155706a82a55c07af2ff4d87298550

C:\Program Files\7-Zip\7z.exe.tmp

MD5 2486e469277e7f46d5ec6f726acb1072
SHA1 e94c061202ffb1cd1af98bdc85447da687673ea4
SHA256 08a39eabc6f803e69f67490a914d038530f50330b7552879146c5150b898acf3
SHA512 55eec48389bab8b9bd604b3301eb838bc72a787c5587eead262df236e1fcd2263ca0d3854d33b5ade4a4dcc503404a6e91530c207fa59dcaddb8872786366a35

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 7b815fc37ae5810911996e28d9cfc3ea
SHA1 9a6b7eb65f248b9a168c29d562e2df5dc2ed8e86
SHA256 7e02a0d2646b927364f85bd9d89e7f465c1516fdec7f13bfa064163108f91fe6
SHA512 ece1b4d932666630c0ef9edf3e4519c7cbb1ca0824794ecf2d258336af7c1104c8627052eb6e8d7db058a5316fea8e68c356f7b110b428a1d7fef0e16b9d78e5

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 c74a60cdeef3d9abd19345be86e786dd
SHA1 6a80faa1e0c36d95f699e8f0a3db6c5501ef3534
SHA256 acae29d66bfe9bf6fc0ebcbc01c2a818379f88337a52fe682beee3656eac1eec
SHA512 81df2f076fc865d34dfd67fc71f74d77bf21cf3a71f0f4fbc105c5645b0ec773028bd75854c7799d19a3382803d7aee771a8fcef7e8b544e043600d50d8a6f1f

C:\Program Files\7-Zip\7zG.exe

MD5 bb5e9ddd2ee6ce724b664b8bea4806f8
SHA1 6bb779d1e6cfbe5af8cf56112480aae9cfd3310f
SHA256 74d519de7e39ab2fd6cc678aa71c8de817523b55bec7283e325ee08ecc7459df
SHA512 94dbc8973192bcb252b61a72e56077abbec55d5ba2715c6d7c2d757a61f906fbe2eb4b26b9df966340a0879cb1a04f197200172b0fe92014d8b6426e036c8259

C:\Program Files\7-Zip\descript.ion.tmp

MD5 ec0a17c00960fda5d0610a9585fff375
SHA1 73bb64280028730902af8d39488f1ddbe959cd9b
SHA256 368387a54857c4c61bef3a708a09d22f56d84ccfb9ace7c0836fafccf280e391
SHA512 052edd794adbe6b28ce17457e9774dfa86bb4c3ecb0f2095323341b045930db294535dff64b92d89f2f94b148537673fd9a9754431bf7a152706b3db4d4ce3ab

C:\Program Files\7-Zip\History.txt.tmp

MD5 fa8757fffb9e6827cf5e868904cd98f9
SHA1 f7fcb883e148cec4df4430da29145515922624f2
SHA256 dae516a69b9ebfa1f604b09c60914f99c3d93cde68c0cfc1575e94147c294b75
SHA512 5f3a4cf15254966a73b50f1a7486dbaa44a178c0b37de7b547d657736d5c823f8305787be12bf126f5f4ea1932f431ffc4e77c382b000844e8263cf59e2264f8

C:\Program Files\7-Zip\Lang\af.txt.tmp

MD5 064f9a2899ea524c0e1364258fd658f1
SHA1 e2cbf15076389b57b339b5567ad888d545542c73
SHA256 10b238f936059c666f45ae66795712101f340f679104f368953ac5c604f9f269
SHA512 1a10b323cf1fe3d894e90bddd75c53df1e8ef2913f84023570aec90e4f8fb9c3d57242240955d8a54f792a4ab721ab620869c3d337a60f11d6bc104c73b3efdb

C:\Program Files\7-Zip\Lang\an.txt.tmp

MD5 a7866a3ce13bb53bacf3aac9e510bc0e
SHA1 67d40c7c8031d140a306c68c9acbfd88ee00eb7e
SHA256 119041886a2f3a3c4254732c532a87ecaafa1f43b422c21987123b3c82ec1c0d
SHA512 e7bb03beab18225411439fae1e10d646d90cf5e71c1ae54c110eb6796ed590b1d101ff8e017cb4579770c21263b896f98bfce5ebcd20e6b202ba0c0bc1b4c652

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 d72c543da5df961d29b7e57016e6db7d
SHA1 b5cee7054c932e9bdc6811a3a0e5013665f09700
SHA256 a3ec905527ce4d5d473a22dce923d0564075a02039e67a8b7fd9cfafce86e86b
SHA512 0c559d24e497a458be763f1d23d50d3597ad8af1bc469028c03e8c098b08a6a59e25562dcf1ffce42547284411383f393e1dcbe047dd862210ad3451470ac445

C:\Program Files\7-Zip\Lang\ba.txt.tmp

MD5 20696db2e75b49ccde6db2785a7a927f
SHA1 fc6d196145cca802b4e44a363df2e30fe119d8f4
SHA256 c5ae27b1f06b1338aa1e3e22c07a18745047b5f78194e5ccd10b9499792fef17
SHA512 bf62c3008fbdeda497ed68037a2b56092a2359a37adfb03d12bddba59ecc2389ef309b7144c4f23b4492f2f05b2ab4ff5cdb2c28c19408e46b81786396f5db03

C:\Program Files\7-Zip\Lang\be.txt.tmp

MD5 f963793e158a215033c74ac94d1d1a72
SHA1 5fdd7c0cf6201009e150573d78edced36fa65b47
SHA256 09ab3be1537ea094780904fe0beac5b59d26f47196e2f9e4d49c7a25401759d1
SHA512 e5b55a1f6bfa54924762bdf0168b23ead846193ce495dd2210694e4383cb081c87dd1a7e0199969832a26e2d08e0f785aa4d1ed0398b34cf9449efae5965f031

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 f870b0bfc34dd346754520be732082cb
SHA1 ae16a8d29057a5c66fb345a79377dba878285c66
SHA256 4cacf59a1ebf447d9680c426cd1efb9b97180740060b4d10cf3a10af3844a46f
SHA512 a0cdb39a1e6ae8be61ca0cc3b4de2f5e65fc98967f04c446d4f2700b6a3bb95818d2694594fc09debe4437544e86ee9a3b3951ac9a19be5d70d1fe3c8b3c56da

C:\Program Files\7-Zip\Lang\bn.txt.tmp

MD5 0248eca89e251439ebac7665c91ab0cb
SHA1 85d40ab5509cd9670ea59a30fa5a586b0bc0a8db
SHA256 2c5cebf0d426cd7d6de9d33c07eb6431ff23f914c9a4875bf5e17844f430e418
SHA512 7435154f663907441e8bbaf11d0232e04fe43efda374af34e11fad9d2a4416feae6ddbfd0b756e3c323b7d17ebef0435d9855dea2b0ae06543c6418e000fa3c0

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 6a921f67fdb17d6467f655bd31bb7681
SHA1 691afebd3dd1e2962eeae69bd61043f62ef185c5
SHA256 e8de626f94cd3b4bdf348d436380c400b51dafb466f56a432c66083c5b6b692b
SHA512 e588de585bfa24795d2d62d19f35dc3aa4fa24c25a117f52c19c51a78c30baa32c18d9e78bbf614369640fac1034fb6eaa7446001ab55edeb41085ffc3fbd140

C:\Program Files\7-Zip\Lang\cs.txt.tmp

MD5 9186636303609916c85f4640f20d25e2
SHA1 f9d26c7c317018efc9bdbff3200de6563175c169
SHA256 24e97aadbc18aa122595f39a5d133a274eba9fda97480437bb9352eec084cd37
SHA512 a878557e09a6baf51b43afd88f9d0e5d7ae683e5d41217ee5b8a9f478e226be4ade2d3c0bc90c37a8f6d2e3c929e333a410fe7053fb380eaca22f5649388ac30

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 16e13a0718bed64da07dc5c46c84175b
SHA1 5daacbb3a42b34b0e846c2ab3f8eee63f187a455
SHA256 efc7609c49112eba0a1dc968aacd54c6fc5e0fa93b4c12149f4876c38cdd664f
SHA512 a3fb6bfb7426167be2e0e5d0e8bc9458e21e8b82f86814bda213785ddee36d9d599f5916f85885a3e1c5c70d514d9754e23dfecd5f3273278bcd76cf164892a6

C:\Program Files\7-Zip\Lang\da.txt.tmp

MD5 073bf26a69fe09e6a723b829691def14
SHA1 4159bde6a21e6555d8cd3a7ded0bd6a036473ecf
SHA256 0f269a721acde686f5b588c07b468af473a9f6fa5aed4c20fb7203b4ce50b50f
SHA512 7013530ef69299ceb843ded26838150dc68954a31ee5f4c859fd67decb687cb3df6a9837748442b1b9fafe469c60beb24b7259d8d6e300530760f590beea9688

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 7bf172f48789ba89959ecc34f4adbb7e
SHA1 7ac9c36799040c6445da67d4bdd8fb2232df0c4a
SHA256 8c047ce1d19cb9777a6165d9169c00ca5548c4865200646ed0866863aae4476e
SHA512 714747b3d5a512f755b0e38bb869e20b4be9eaaecf636f41aa1a40bbf3f1c3c2c29dd7294dfbcd5f722266a3421101874f25b97f9eef78648a4f1dc4cf6c1544

C:\Program Files\7-Zip\Lang\en.ttt.tmp

MD5 7d866f3ba40473cc6b65b5699f5f6308
SHA1 d182fd963ad65ec3bae71d95d678e68cfb2bfaca
SHA256 ea735fb63b289c0d3b9470aa2caabdfc4401b80f644e1a952265b74876f44daa
SHA512 a7c8e16fa163355f02be81b34e396eb063034b8be039b24e96e49ff922ac75ecaf483982e75b2f13b1618da93b91be01db9806bbe63e96f453dc2bad68e2c917

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 931f3423784b1cb7cc64c9f153ea2cf7
SHA1 9ab5870234df34cdd1aa6eb652d6ba97a20e5942
SHA256 efcf702504724d464e941bad9431c127ae73f2f531396d9c6ef2d42f967dc0fb
SHA512 58111077d0bb1fba5d3817b013d48459581940fc1d9fc4c4cd9a85357a698bc7e3a2919f58351b565fd2523e28170e1cdcd8db3e33d10118dd2afb120e6ae9a8

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 77e115759f3e2eee3c89ee00e4ecd7f3
SHA1 76851f5b13231b14933484d28917c90fb5afd048
SHA256 8580b4007c6b008239bca3a8dc9cddfc86c7fd79d140643b135cc0b02b3b4bff
SHA512 bfe5eccae731a731872238b6768e7086e4e39548f69217ccdad4499b6f581b3eec976b5f5c0ae8f9ae852657f290a9a48602dc051f49cfd28920d4debf3c6b62

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 20d59fa937ceb661e045c5647c4d3dcb
SHA1 4850750b096ffa2b8adefbc40bb5515d4b9ddbf9
SHA256 8b1451f043de08125b0f3d633fea37e00c097bc89ca23318fa879888d5371135
SHA512 5e665605e90cef34dcba55b85b993cd182e395da8f545ee59738b968ffd06bfef9d79ccf473a337e0fd8a67e597ed3e00e00514fa6845b9f9b34ec601b592922

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 b55e938e5d04d52084feec23f3176ec0
SHA1 7ae855886ab2d2c6f2320ecba5f738e0fd38c7cb
SHA256 c579db782baed782de0ebc1a65a937e97198fa82ca5e5a03e25c6d741d0f63dd
SHA512 73e5c70602d23f9b303eef60f96e5c8d2104a5246e7c82477f9eca527e9cc8039fc5a1ec15b8521bcf342b45f4af63aadf01f69379886bb249d62dd6096e9d5f

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 ef1b643c3d6b9a94d600c60562d533e8
SHA1 f132bcb4d9fd19fbf9140ffe43ab3020be5ca03c
SHA256 b1bb2e7fd67e9058bc41192986a4f11e98755a8413d3830edb277a4eae4d2cb2
SHA512 9486b95f0177c70d0a009f5d0449429540fe511cb60166ed30f30e9e3b0a2c4d4ea4fa8c0e84daab7455b338abe6dd6fec14dca4639db679e839b01b613ef6fe

C:\Program Files\7-Zip\Lang\ga.txt.tmp

MD5 2e8f61a65f925d4998ee0caa33a6c2ae
SHA1 dad7e4ea6f9d8f0b5dae65ee8c7fdd0f2ab421bb
SHA256 f4848c8cd8803fa751aad48b383f4fe1d0ef9ed30adfe0a1e72145fd1b3722b5
SHA512 a21a96f909c72a978d927ff521c08f847e61616cfd652fabc65eafed7d3f20ff1d9268058da3ea34eb4fbdd186ac20f57c4193e6281e5a93856ba750a47b4282

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 5fed70468d918f017fcabb16f7673d65
SHA1 e3f6eff3c459c8a0558e291efdc361fce6f38497
SHA256 a4efd8955960c87d9ebc10fdd1fdd54515670602fb6e946c7215ed4eed13fc2c
SHA512 ea1676bae7d047cb12ec79e72771f7d4d0da85191a4f45a8134d50cc1b15ca762b7a4340415d4763c9d84c0dd2ca8173a995facd1cc0cf7de1fcdc8b95ff43a6

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 8dfea80b9e07306555ac02909890ed07
SHA1 5d2b309ee09be59088dd26f00274a5a78ec0d709
SHA256 2df7f331cd31d816c83fa05e1ab0aa90a2fe222d2646aa5508019187d3d45980
SHA512 a6e57eb1a1180788402f5fedb949e08817110737208bdc5fc2e2af6fb7ba33e437316b24cdd0a7271529981e4c727a3f93eb89e48c8de00029be7349f55cbfc9

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 602dad9b993eb7e61d82c8916e23443a
SHA1 74bb94dd7e5c13647fd0a9442911043e91b47efc
SHA256 391ec8ab22fc8c5027d8bcf094c5b5e5730c9818680ce79272c18bc452df0806
SHA512 1888ad5c905f2cfdab1489f18f6602351f64b24dadfd59c0321f86381bd0e4552249a70ad6aca8f419f2a513370f218ab1bfc384c380c5379aea22a56a4c97fb

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 bc10e02a48821a76c1d1c864be8ee3b6
SHA1 bf843bb95a83dbd32a473e4d813fa566e2f57624
SHA256 9e973dcb9c791e7167066fcb2df16d38c33574027e7b184560199f2b41b92b98
SHA512 293b6fbf251f891ca53aa6e49c232023c39bbc471c1366e32a84ba02588aa91c672abb477a8a247add7ee805ad93f77fe533c89255d9e11231f1816ebcb69c12

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 c45cc30442a1863bf2132b00f088591e
SHA1 867995d4f9c00743c56e84cf8c363d041137ea17
SHA256 a50218684bdcb5bab3ab49c86b40ff6a07554b873fc53f876a079b38cc78f2ad
SHA512 63dbbb6006a568aa38fec289596deeabb0c9e865ed949ba154659b35511c32aa90de8bcebdaab2e322194085940a3af07ef5a4b13bd015d73c8e409382938853

C:\Program Files\7-Zip\Lang\id.txt.tmp


C:\Program Files\7-Zip\Lang\is.txt.tmp


C:\Program Files\7-Zip\Lang\it.txt.tmp


C:\Program Files\7-Zip\Lang\ja.txt.tmp


C:\Program Files\7-Zip\Lang\kaa.txt.tmp


C:\Program Files\7-Zip\Lang\kab.txt.tmp


C:\Program Files\7-Zip\Lang\kk.txt.tmp


C:\Program Files\7-Zip\Lang\ko.txt.tmp


C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp


C:\Program Files\7-Zip\Lang\ku.txt.tmp


C:\Program Files\7-Zip\Lang\lij.txt.tmp


C:\Program Files\7-Zip\Lang\lt.txt.tmp


C:\Program Files\7-Zip\Lang\lv.txt.tmp


C:\Program Files\7-Zip\Lang\mn.txt.tmp


C:\Program Files\7-Zip\Lang\mng.txt.tmp


C:\Program Files\7-Zip\Lang\mr.txt.tmp


C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-pl.xrm-ms.tmp
