Malware Analysis Report

2025-08-05 21:57

Sample ID 241006-kx12ma1bmd
Target bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N
SHA256 bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528

Threat Level: Likely malicious

The file bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (342) files with added filename extension

Renames multiple (4692) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 08:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 08:59

Reported

2024-10-06 09:01

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe"

Signatures

Renames multiple (342) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadce.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\images\bing.ico.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DebugRename.asf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_elf.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ml.pak.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe C:\Windows\SysWOW64\Zombie.exe
PID 1980 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe C:\Windows\SysWOW64\Zombie.exe
PID 1980 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe C:\Windows\SysWOW64\Zombie.exe
PID 1980 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe C:\Windows\SysWOW64\Zombie.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe
PID 1980 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe

"C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe

"_services.lnk.exe"

Network

N/A

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 b9dbb36729f419efc16439ebcb049fe6
SHA1 9921c9784edd77716002856ea5dd4e06151b4c88
SHA256 eb9d80263b931e8b4f6bca6ff68795acce4ceb01b6c04f8b561d75ddda34c1d9
SHA512 297943881dc057bb792673d41ee28c060781d5d08582aee2ee69eb2022920300b2820bdeab3e65ff849ae269d8cd5a91f62804eba373dd749d92e2716c6e8a4a

\Users\Admin\AppData\Local\Temp\_services.lnk.exe

MD5 3dcde6c140debaa8ab3bd8a75f1682ea
SHA1 c7d098ff96c3293685d8f4b01946f437a689b1f7
SHA256 a0cd745fc6bbfdb2617107d8d60cc9b8d02ce621fb3b098fd514441ed74358a7
SHA512 7f99a935077a2000382007a25cfa284c440c705c8d7f8a5e50ee91a98bdfedc7241ff40d283aca8c5fddb2e115b9858b6907eb6168ae4ac2dfcdd7317c7f980b

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.tmp

MD5 813055ca8c9b9b5ea0fd21649587638a
SHA1 0bf59ab79a074795e41e7901338166c5c4603e65
SHA256 3a59f6e99ed96903f6097633a0b09b51f282b3be91cfd2e0b41fba585f40b7d1
SHA512 bfd6151ff20c46cb7804e5f36cc955ec2560f8f823938d1c889bc183609a089b1593c615d0b5db795f357a5f6faddb489bc993af5b161f443204a3489df5cab4

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.exe.tmp

MD5 65b4304175b467f392edfed8534366be
SHA1 cc530f58d8296154517e2ccdd6a4df53e10d5b0e
SHA256 22dbf88f7af4661735d111f3dae6d42138a51e00adf5bf8e194f83c6baf0d837
SHA512 1b1f68399ddcd0753536b4669719436c009a359b597b3ca184d96657f05388af289683d9b7d9cfba3bbda08ddeeab2102c811599c5b548f18ef3cf82c9cb4f9e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 adffacd52c34e50aba78abc928c783c5
SHA1 9321bd8437b8441f6c58cd2f381befc9f3ef8469
SHA256 1551d8e81f670f5c73dff712f364abe8c5830412058b10e3348c25b641748d8e
SHA512 61920e7301c01bf8227ad344fddabdeddaa7de69b2092ee7d26d285422abf42768b7fe594aa9f0f619f4e0e54544aae9a93cfa3979dc8474d4cf441758907815

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 204555628e22a24e9a8218e251923f37
SHA1 c0d2a1eb312f79029fe2f3901eef6c157220d7b5
SHA256 f78da9d77f3232cbe76a26d6a7db0df3521b348a0e5ba132e20eafe60f18a481
SHA512 42aae1083498e3e2bce0f3463d64f20f935a2809e6e806018b048f78772cbaa04687eed3204225bbafe9dab63072df2425fae4148ca30487b4fb1c34bad0b670

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 eaf1bfdd4491a9de5cba0f3992ebeb37
SHA1 c634c3697e748157416c602b670add7297a6cc93
SHA256 1766d0fbaab01a051462484a234cb97c36fca9d27e91062fa8207817cb977505
SHA512 60a7e6d32afdd1ef9f87e902d82f6cbc8c3502fbea43bf69436cd10cfb191a876e59c5afbbe5e5418a7245c20044cb8cbe29b697cd34f2950bd9333fb75e1ee3

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 e93de6a170199ff0965acff451dee424
SHA1 7c16e7bd8256376442ef51915332531e40acfc6a
SHA256 b239308ace8d0730bf99f726455e403c0c0194612208bc6f1ac8a893852b8a28
SHA512 715b720f0a5ea6213c8f104e9c4b62e1a0a2414fee95cb3fdd85850e92662848ead45b5a7e2a2ec7726002a82df3433900fdefbb9488094a0dcb4e545b7ac951

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 f13b7e5ae8019b73ffcf4dce0de77aec
SHA1 8607441445314fd9d47008386c8da59cd37498c5
SHA256 9b79ca865ff52cab990e0045bac49b6481561d1794a957221b1aed338ddbe253
SHA512 af32889c834f931ca95882fee33f57d2f52ce487a899be91dcc80cc73164ca4bbd0601ddebe61576321c3f40ede13ed99b64b18b17169ffd3af6eed90974d4d2

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

MD5 bdaf11e2733464802110998df476e41e
SHA1 db45d24101de87d1e5d6086fd7e3a24c3d19e46f
SHA256 5e6f4a2fa26cbb824bc9c634f16f51f2afdd82f54c8e73716a9f5a4407f4f88f
SHA512 9dbfeeef8b5e41976ce0ebdf43f5af5a775be3f7a1e0f896996c6cdc9002a802b282d0f9d7975c980eb2e1de6e91c22b526ec91839c891fe64f2ed75fa10034f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 aeb0511726fac2f7c6508ed316dd98e4
SHA1 509bd2e7fa6bf7aa98e09fcfe08da1c9c8f7b48f
SHA256 7a8b35e9cdb42167e9ca074834a61f57bc6332374b50243f0a5873894b330d14
SHA512 d19d67913218d4e64c2fe76cde3da337f65bdca579820493d96d3e39939285968620f5e6269dfab1278144660aac116162dff4c4e311c999551dd4e8688d923f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.tmp

MD5 30ef0b409dfdcb3b88bfdac98f9fb356
SHA1 08650c64e3205742fc243892a6cfd69695962975
SHA256 2d1fa7f2085a13a0a18259525881e7e11c7f17d819f7dbcbfde51bfd3d90f27e
SHA512 944f3173ca2dd64c4903ffde38f1f74ecfaded45ca263a4122c64fd7056b328fd80a22e41de3b8eca86afcd5a3a35f665b7e56e6f2d6a4af310bbe33077002b8

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 2fe8fc67e86cd55e3c37f8bee6087b73
SHA1 31200c8240c491c9ee23d649f3e9bb460df0088e
SHA256 f6a6b9d5396b0796593606b061af1bac8bb60a3e9a9f0f8a9406ba8623624e1c
SHA512 00cd94208570ad346162707d064936ac280e32d611a6961810dbc61160bc8bffd728dd3944009d4b0a23bdbbfc053c5c8797b142281effd60a0d108092642cb4

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 048eaed8a7bdee49cf7cbaeee465f552
SHA1 5439010f0ce9938d8abb1df719c775bd03680db7
SHA256 fc0826a1ea23d0778563f51f04f2b8b560b5bcd11ba0e90a0e4b232b86ecebaa
SHA512 49214900662abd1cebf7d4b19245dde298ef611db47dfb7cc38579d5646331150b847196c318471c190f4e94b99f8b0b727adeb60abdd50d8c4ef3a2ee23862b

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 3ceaf37fa9775d358f6c9913d064212a
SHA1 048bff8858a597938fc76293d1725f9e11c965cb
SHA256 df8eaa57957492111ce68e9d223f723a38327e28b418f868d9aca9c6e8638586
SHA512 3fbba3d79457d85a1f85a52846740ff74a4f2fcb78445ccf91f46b4aa5201f0db126a117b61f94a464159b2fa9216f23df593ceb9418cbdf480674d67ad037fc

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 ed2b6c877b201ac9dd3ee68f2ee179fc
SHA1 16ee69a1a1f52e476938f1eac6e07f619e357585
SHA256 3122c89400ff055ee8be63a163e2242ebccc0dea45b530f9d60d7fb8c48f7e42
SHA512 164ee90d42525f46edaa1d94fbdbcb4d1eaab20374ff0b064c8c377e310433ec4df39ba2a5fc63d28e26baa0b3c4e0c1a6bd8e47e54b56396eac3e5e2caffd11

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.tmp

MD5 4d11484caa2835b3ade64701e8229409
SHA1 4aeb7e397a98c4407bfdfc4835b4223f2a78fb85
SHA256 6cf9a76a857601e0327ca7425ca16875a854a0473f52c3b67444aecfcfd03963
SHA512 3c096009a744d528d27e1c22c77f53673a8970af2cecbe2538317b2d317345078db2f3b0e6a03b7226f9610b135e4c1ed88abdb7fb8c06d024b072d5d702e0ea

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 7786e47c539e698beef476a5e1e99d51
SHA1 4282b70c91d64550026ddeabddd0cad5458a0af1
SHA256 b0ed17a9f3cc8db674fcaa216777d885d3d428e569e69ab7de0141293b64c0da
SHA512 75f71f4066fe6129737ec34e30bd6ce0519cb1dc87caf666ed428b0b8afd798aa5b898833e9c1927846433eec1f34537bd8265c150e6102596a50d7f971dd0db

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 9cc017a6d7f5fcce9b386aed7d174a1f
SHA1 524724f7f977fb33a04eb475e13ce4b57b5dddc4
SHA256 2eec4e1a510390a3d947a263cc1b2e15ec3ff3cdce6aceadaf7aacced5c38c0a
SHA512 4f269a1e3756bf119f47d9969eb37cae426d29fd9a00eb886fda1159adf77700f9a965031b1287ee1cbe0eb78c176f17695203a013ce976633ff7acf18c40ca5

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 42e6e70683295c022c36000aa6ad0775
SHA1 80cbd1b94ec17f549dd6d0fdde6a5defb66e5d84
SHA256 1f8fba1800eb0f72d59022467f740d1c46096bed3cbae269e0ecce2e1b948db2
SHA512 d34860801f0adb359770c7468bc4f3646452a33eb0348597362ae926b1ccfb1908aad3f0f32fd295c9883d85a8c355ef7007db43956faa350ab23e7f980a6d16

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 b70d64abed5a12100dcba4fead027392
SHA1 0db41829607b74bdeff914507fd6c1434f7f8455
SHA256 8273304bbffe3122f8b2b81ec8b93112057f7b0a0ea47684a7c850a9cb119b43
SHA512 cee26943b379eadfa3d00651c8721d4ea0998060377a6fe9ac277c2630e9c4054e97af0071ed498c178751046c49515e3dd6ecacd4e8dcb371e824b45494692a

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 5d1bd5961a75f1aba992792008686861
SHA1 98362d6d8d4e7fbfd75936c846dec781ce139727
SHA256 431f874cccd15f93803f50b273c038157a7d7bf9e56f68c4912dc81678bf0c15
SHA512 93465e824ffb00cd8ef427c1e0b74031307f95c2b41feba0da863ebb8d670672cd499d0826d1fb7b30ef964c6c1a034b4c9dcd3be09023469b6f05aa82cb0725

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 ee5eda3348536cfb2a7aae830dc46804
SHA1 bab6b9338a61de57151ba28dbdd50e0d012e7269
SHA256 b53ea0485f0cf74a5b230bff2f8f7bf4cd07cdbce897ed2c9d821ac1c5768671
SHA512 35c6759e5ad9238f1a24fc7c2f63b9794c4751673a85d9a41697a5628844793391b6c340fefb5f706c6809ddc4f4f10d6437ddf8404189d8f987d4a8476b5db3

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 24d20999a3ffbd944fa96c1b63838fb1
SHA1 71b4fb8910b22a39f87a3fbb7741292f8db6b52f
SHA256 7f7a4e2728150a0b6c6bcc695bd13ab692c123e989e11165cbd341ef722097a1
SHA512 2cb1fed126480cd4b3a00b7685921ab147879bda143d22223064803b066baed316086e0bfa2619bf4160efb15e72fc2b055e43b8f34d6891c7a71f5dbc3ad967

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 62c74b60f426e6dc59f20021fed5d7b7
SHA1 96ef57f28dc73f23c460417ee24d0e5c7c713d7e
SHA256 c02778fb1564fcb9f5bb0f6193990ac5daf4153a49522c6939211b65dbb1463e
SHA512 d734df0d8063aed87f416ff7d0ffcbeb6c4dad847e63f6a8c05ca78cc56e152336ff5f0fd7420b98b0bcce59db4ef20ba4855adc6d09d2047ce7a44add61a228

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 1cc6bc4c4183e842cf67775fc339b6f1
SHA1 4fabb5a894849a7f75d1849d27dd2650443f83e7
SHA256 4b2b820c5af266b7be3789191d50d02a070695173e943b5c358ad403dfc16c2f
SHA512 fa241f6202bab928846354f2f3ad71b0b950c1ea3b91c57cb1a25580670450e20140215e3a14452e6a8d07307c01b0313a6e73a19cda16471578d67c43b8e483

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe

MD5 1ee3b4a2d49df96604c5f85aff31de53
SHA1 9ee77c927c755090f53e1fdd8bbcd0bd498eafbb
SHA256 c3adf6a88b140af12e2b8212a8309bdaa245f0604f6e883708a5064fcd9f8184
SHA512 af413be06488e061188efa14249dd0600a7f7503b19ad61390db98295917ecfd07eb74a7184b7de6d4e17acf721e7ced72d8949550201cba5cc52805bdb07a99

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 327f0709dee4fc5798b886ae97cd8599
SHA1 62b2413bc84088dd45913e87e390c88ec1e3d07b
SHA256 2d238a9953c9e045fa561ea60d9cc57a43531ec6d504acb49fd28087a42dca6e
SHA512 f55c47047053379cc8abf3608866ffc43d94adbcc5a09f21b9a48b9dde92662eb3cc6d1f1aa171c8f0bb7a39389d276b6b62e2135e746ea5c3799bf4cdc8c030

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

MD5 b85aaa81b59ff12c13d5a1e2f428f3b7
SHA1 1ae00990fda48824b731b9523ca04e19ca7fd4f3
SHA256 bb1c9a8789434072f5abe696cbcb98c20b08ca1d9c23964f3625c4d205277e23
SHA512 563554e4d1e1066503113cc008fc157f670ac013e21621d799f810daa529518e2e96894632f9192d87afb852c5e5c04607484ae1064330bd37eb60e9fd0f188f

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 87c45e2dfbf89c26a8117dee75cd9d13
SHA1 10c692eaff2b42b14f6c9ae354ea2d43a7fb25f6
SHA256 cca514cd03adff2b1829b96d40053910ab97bf8a83ab91f3f755e0ba8352c221
SHA512 f3c7138110fac441fc3a5bd23482ee552bdd6b2627dffd5eef93c6594ac8237d97c9f88640aeb736460e79f7b64d756670955a09bbd932076892a9e7802ba0ac

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 50602daa55c69db4fd6588ab2853302d
SHA1 8cfdd0428be6754b2da9cf14693931c2423cc129
SHA256 c98547c476fac645693c164ff25410b3c414745fa3b2637cef9b84f271e0ffce
SHA512 eb53bdd29320d104064f3d3e87f8350b873e7eca9f5f36506aa3cf183e6ccbce72b34e0ba4e614c1b6972f3501a151cd095848d3c94e305397dec80cfcc803b6

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 2f604d047ffb4bdb8ad73b1cc82f850c
SHA1 70ff686003ad4ad72eac492ad63add7b266d7706
SHA256 27f1e3b28d244d401348bf5fcd69999c63dc1fe2d4ec030abc74f5366280f499
SHA512 121218308c89d53d07597e1ca148866b08f7d4150caa3720573e3af4afe7adc0a5ba4d8b38e9a8c64b48b84c41b4cfd2cd1b4bbbe777e929c44db6bfb7fc58a7

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 65c5836e92543a6f13d13a7413a5bde1
SHA1 f4403412113916f7c3c7754e29bb1a356181d0b7
SHA256 28ebc6e1ed8924e0286a9312a091394888ca2e163db926ee2d37a24acb24abd6
SHA512 689a6969e0d5f015dc4431b7477fd2a56bd2c4a9600dd0439d9883b8cfc2d867ff7283cb6dd239f2500581e723c6d694bf74f0d0705dc8bfbde4a1ef4b6df9ac

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp

MD5 6fd02d4ad1058152ef55022f0c28bf6f
SHA1 f54fc22b8f762edde245097a4bea0f8730a9a6c1
SHA256 d2a4b3842ede7a7b3709acd539580660be0745cf7e262abceb2543f048331de5
SHA512 41da76602924423e32679f4072e57e6dde5642935dbcc279b51ab79d6db302decaf993cc57c37b6cae29607855d1d64c8134951d3cf22210d8c955d7c9107e32

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp

MD5 20dfc6895b1e29a69e00968134897a41
SHA1 6b0f38be1bbd3f12a5e72e8010c30b3d830ff73e
SHA256 714e572dc8ff595db24cce2484da2599b6ffc6f0ac7b0fb188feccc5ad99256d
SHA512 4132350bda0f1721d01485d86b526f11b24f18096ab616975932def749b0e4e11935c25950f97ec7df575f630e34a08d1ce226d1ebc858d4920cdce32c207fda

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 91a4d3e546a6eebb8515edecb28c74e0
SHA1 8b03c59f2552701d9352b9263740f6d11336c47d
SHA256 f6ceb31de8b494014096b6faa8b1155fa419e3a350aa5aad6edd6d48332167a4
SHA512 fe3bf4f5734dd42171cf44369f9b6359ef7f52f0922589aadfd1914f05ebd3519a08d73bc9e024a116f978fb85f304512d5172d39fdd8a4c5cad943f5abab3e3

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 bfa470a3de1747c61e7b9413cedc7b90
SHA1 3b10017ec4e95bf04e5038694922744f568fae98
SHA256 a0b4ed56a418e12c999cfc021a94bcc7c6884217b14e3402d5546f777cea1c99
SHA512 c699dc25d57259d6d22a5f1348418635e404fdf33da8a7449081769454a0e46cff7c04d612a94f43d23154440b3c54193dbf304f9372702f692e2e9768e203d5

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 a1b119f72114cf119319f2da6b6b1f49
SHA1 ef3947b1a4154e4b27efff502fd668a501c82187
SHA256 2fb0c7cf35fde84387b3584a128f76e4a11ef05a488fc59d6684df87eb655c38
SHA512 f0f2672bb1349ac05b6fa16d94981ce8a6c8f2756cdf0d498e357ec8e46932f4939f90929e1a9c73905a10deac5923fc88a9db83c28d6479fb6261546a6d34a8

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 e11924bb5489b15ab0f8901ed975440d
SHA1 851492b4830793c84f4b9aaf4f22d372631dd653
SHA256 2c20017b18ad29103c9bf0cc14bdebe520804a0514fd4c981c585e5b9d211b26
SHA512 6247b826576445038b0a99ed7a4a857e44f8c86fe60dda93aeeac223c20fd2efeef18aca668fd909106c7c7fc002d5cd6ed209c19169827977af25bfa7f5b22d

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 988326714cb10d0588a5b926af329dd9
SHA1 279dc56269a8fbf40301e3de03e5f2c6c3e89724
SHA256 10db9c68004038823b12ada6dfb200dc641d03da7eae126a559911ddb300eea7
SHA512 023228f01df3b8ee52fd188cd72ad85f506b5dad534bf5abe8939cbc161f8153715bfa08518385767687a6bb6fb5a497cf5967022a94344022c012cc7949e912

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 b164a6e7faf745b490b105138239b83c
SHA1 bd82d3be10019b905957a8d571dbd071712d8a5b
SHA256 2395295893f0e262433bbe9f69878921dcd466bafdc2fbc47aa29fd23eb4f7a1
SHA512 852eed4630ad55116f429d81e63a961897dcb11b6a5332df1d6bd31f9f64660faccef1ed52bcde120e8cfdce76c6e79f505aadd254dea5f6c8b019d745648c24

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 9a1f75bbf00871afcbc435f454ac4236
SHA1 3bc64e4824cde51c3a5d6f2fe83e585b1cf0700b
SHA256 18a92da7696c69dec0cd297b648134f7694ecad1686cdcb3aea8d8974019dd19
SHA512 43e8606cc2792f4d9d0302999c7d763d720bbb1114647db370acede6483d0b01c29be7e0675db1f8b256e13856ffcc3f0191f2df8827d8112c971fdae41baf92

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 0249cff72c05a2acf34f3ebaa991930e
SHA1 61ed0e0a8562d9b498f9087e25e21ed5c364d797
SHA256 5b5c4b33469421bba2b6af050b0c7204abc73619011f1c2cc508b366797a853e
SHA512 815659977579444aacc0c8ae8560e9464c386f07ca71bc8974ee1a39384120b2620da2985ba9ede78453ba992cf44a3bcb0b669ccda4c89669337af2a2a40ad5

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 ded7a0c7610afdca37a0f1bd62d59869
SHA1 458b62fd8f78bddc6e4b8cbcbbd4b38acefcb5a6
SHA256 731c1f92d5547fbce49efe2558d0c98225f2cbbb7c28213cb36f55e4e2ee8c35
SHA512 664d7472f7e9bbd3e22f65497e713bb33670afc7ef5775b045518cad299aca44842658eabb74930c5a792c06745be43fe89428aa807b472a9980b37e96d5caed

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 658442f3b26920d3e2db1626e9f47dbe
SHA1 fbaac5ceb992524a91c9659233432e4c017ab120
SHA256 f083555562d3eeeab97c55f302beb61c3922545678e2df7591af51ed06f927fe
SHA512 48cd7313992a5ffae56e91a3ca43c00ca2ad1d723640b8b87dd1b5edf94491db76259e913a61b6eed3da2cc93ae76f40f40deeca8a758ab599e7b4028b547a81

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 69fb7e3b9cb35a171b76a73390019c85
SHA1 9483250446f7d6cf7dfc9e4461b6ac84c68a24db
SHA256 636ec0ac1be5a6c01d0c79d4360569f3090012b5925c919b5a10c4d26ba5c5b7
SHA512 c0299e7833e1d38c1c0216bc9eb1c62754e318f8f87f50577c07e58faa5907e444d8072f7cee184c59f9238a5e6cb246ed5f51783d8ea3ea245effd26eabd45a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 0c0a24526fc4c7b01c4dab4e12ec8bc1
SHA1 e72f0726304c0d1e52380634804fbfacbf0224c8
SHA256 d759da8b7a7dfcefae4e519a2c3080163630d1ff6060558d286f6a5601fa4bdc
SHA512 7b89f62e1226aa34bc53995578299cea9f8b2c9e1dea5c54d437e19fc4a6c99259a43eaf1f63f1ad219e5f4a7833d0409e42e9cee9e400da6e0e3e6be6d12776

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 eb8b74f8ed9b9951d1e32b78880e667a
SHA1 975921e8dea496917fb23e21b3467185193818a4
SHA256 8c7fb6c708b6c2c8cc1f9d2a28b008071639c9402efb18b33a8545e0e1dcc10b
SHA512 7150f1b22d6c9983f772d799f8e2cc502e7fff6c857ab5e2425ecf68fb73280f60a293768e4dfdd5e3c907b1ab29bd6fbe65e96bfda896b8106afb4d41b590eb

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 d5af1b67e09df377a4e56545fefc6301
SHA1 7bd3e8509d291017b408c81fc5f49f2287080c4c
SHA256 dace1f5aa137f5e01ae457d8ac64221ed549e25e720b79d72cd45bced630b184
SHA512 dbb30b50b02e1d9c9c7e428e858e76c45504d6a1e37494ede04b36b01d0a72ad896e008dd46cce6ae8b2cbabe5501abbd5a5adc0f5c6e4c39d661d5b62fee629

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp

MD5 56dc383099220c8906645211432e51b2
SHA1 87dfd8356de4747eb3d3bba29e49c62e6efcbeb6
SHA256 f287e4380407bb82534bedabf9c3297aa45918b3f8c6543f7a7e8b89885a49bd
SHA512 d19a187f209d2200c6266c5fe8e92c43ab53a6c9ecf6743ef05301f24f990a25017ae1a681f893fc3fe5ed0c1d228b9ffa7c8e9b041f4e6a08064fe9e97ba726

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp

MD5 b479797a626653178d84c9aa7e56dfbc
SHA1 c455d2fd70890931d821243dc2c99aac7a6623ed
SHA256 c81f0111b147598590f39de652487220acfd9f49aa9e79586a7560d790fd3c6d
SHA512 1eff2f2e19ce17d3134c58c9a82c567565542b14ebbed4fdf2ff2bda932f8a9649c15cd0f51534f260e6f7496e7a200f24f277ce604444a728044a3c62e47aa4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 af1dc2a191340d03a30abb8993cceafc
SHA1 2bcea14d10d5bb8e199dae47f62b6583eb16c579
SHA256 b73c7846c6c285685161da5d09e209b0292edc1f7926deb7efc18372cc3ffc92
SHA512 c8d1908317abf1525cb84a31e5bcf4d8485a6a24609911b1dc53c2fa8984fc5d0ff64b04aeb0d7e7d0a59e0941a167b8971d215fa5dab0e96b43c7514bd8dfd4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp

MD5 a7640a52f4053acb9751bbf760a07714
SHA1 5f30808965be52e26c4fe49204420ecc97cb48b1
SHA256 a4238544cfee0a1065f1c9eec2ffec3e1fa2d437d1946706b17504155c678f4e
SHA512 70a4a39952cd8d0c4f274565f9bbfdf773335186e1fa10ada795553770ebf6d32dfefe81dfc0c0cbe7ca934405af7bae10d141c16c9117836f58922785a6fbb7

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png.tmp

MD5 9fab283b8133a007e227f7fb1e1d6b6f
SHA1 0fedb24c8d6bf665ab7bbfb28653a308837f698a
SHA256 6d078526ee0d57f01cd3f1142203793fa35383e958c5b06be5379eeebbbb18e5
SHA512 f25b940ead07c1fd083726e4508f7b790e3d728f33e287bd73fe33cbb47985009b818ebe5dd2016aec26d25092e4273049d1591535322c0e05fb2cc55f30cf3c

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 08:59

Reported

2024-10-06 09:01

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe"

Signatures

Renames multiple (4692) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\BackupPop.tif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-stdio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Http.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\psfont.properties.ja.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Asn1.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.Specialized.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\am.pak.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Data.DataSetExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jsse.jar.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe

"C:\Users\Admin\AppData\Local\Temp\bafabd46bbe13bad1146593635cdda65ff43adda3ba6cfccc894c9f67445c528N.exe"

C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe

"_services.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe

MD5 3dcde6c140debaa8ab3bd8a75f1682ea
SHA1 c7d098ff96c3293685d8f4b01946f437a689b1f7
SHA256 a0cd745fc6bbfdb2617107d8d60cc9b8d02ce621fb3b098fd514441ed74358a7
SHA512 7f99a935077a2000382007a25cfa284c440c705c8d7f8a5e50ee91a98bdfedc7241ff40d283aca8c5fddb2e115b9858b6907eb6168ae4ac2dfcdd7317c7f980b

C:\Windows\SysWOW64\Zombie.exe

MD5 b9dbb36729f419efc16439ebcb049fe6
SHA1 9921c9784edd77716002856ea5dd4e06151b4c88
SHA256 eb9d80263b931e8b4f6bca6ff68795acce4ceb01b6c04f8b561d75ddda34c1d9
SHA512 297943881dc057bb792673d41ee28c060781d5d08582aee2ee69eb2022920300b2820bdeab3e65ff849ae269d8cd5a91f62804eba373dd749d92e2716c6e8a4a

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.exe.tmp

MD5 1776e310f75451c9ab7e6a6382c68e15
SHA1 fdb41dc42ea184c1725063ee1b0dc7dd04f2376a
SHA256 302a82baee7c1d99727a9076de0ee4acca3e14ec182f1fdd57d2e7c269b4b2a6
SHA512 d8bb27c6142f13528e1f46d9a184aee29fcac19f038389872d54cb742ad5ca6a46ad24e095fff425feca80b92129d33eadc0d5945b254e91fc7363fc1033411e

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.exe

MD5 6ad768bf4913b8ba40d00a5d4cf02313
SHA1 be04051ce801ea615b60f25c8db3202c962fae6a
SHA256 2cffd3b63c806385f6e3f52fff18f3989e1550ed17c3d572d82c0f04ed5c7248
SHA512 e45291e092474b98a4ee50116f06d487025ba5b0140691583fa5da14ade31cc147a3071a4454c12a629ea9ae4ba806bd8746578e03574cf1f35c97c520bd436a

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 87b5d409c091e3d8cf746bc28616afe5
SHA1 0d04b9135086c28cd09de2e119819396a7c84b20
SHA256 9a726f16c69058fc6b14000e77b6abb691f4094513e842f896c2ef75e31c4333
SHA512 5abf5fe101d1136207b51b1f3b720a4fc9d478cfc0c6ec8a20321ac2afb7b1975f1162e01de66c40481f30b1a35da0638313a384526ff7acc8ff5f84bf7e303c

C:\Program Files\7-Zip\7-zip32.dll.tmp

MD5 ee73fdf87ab9a6615e53f1e14b26be57
SHA1 27f0a4da36d405e9ff982e6c5b4cba8a35144fd5
SHA256 374c5ffb02ac04a743019c51f3b44d3faad38cb879e9cc34d4508eee428e3be6
SHA512 a2b784232d592785a6ea53d2f82ba2540f6ab0e133f7769f73575c38db8cb9db72de598b6ca76e4351ab26268dbfa78d04f95c4a28efa24f28c0cf68afc19cc5

C:\Program Files\7-Zip\7z.dll.tmp

MD5 7eeb337e09cc63a94bcbc4d2a552134d
SHA1 ffaaf2ba77ba3b193b6755691cb425deb11188fc
SHA256 24e39f30891789d4e8ab0c26ef531a73c5e171a06a56768688e768d26f3b43c6
SHA512 753e5d5113fd598983aa49b1238ba4c03b82c621fdc334baed51eaf34968cf8d07c5cc6dd5c700e4a1a0e04443a71fe32fa4cccb23176b28b54b3b920f1cefa8

C:\Program Files\7-Zip\7z.exe.tmp

MD5 12619e92af937eafd6c1997cbe4dfbd9
SHA1 87f43f3f3e4dea8d75e2e93e86a8a1b58760edc3
SHA256 668270bbb6482ac9fa8ee22b1d2e193bc24d5673e2a2585055e4738ddd3fe931
SHA512 4353a02c762fd26507a5c889e3c4285386f244a17ab73547bef7e85cc7c73f20e8a1dc5fefbb577f5dd3233de45ee529166d54dab1e0262a51b51d7e82b052b0

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 daf8d29f9a82c27236d01b4d86708852
SHA1 3a0d216b781746f3c580f88607a5e018f4fcac40
SHA256 0565dba3eed9852053dd08fd6fc8d63c39d64a5dd985ae4eaefdf512635dd32f
SHA512 6608fe186aabb26c2a02ab2a758935f16e92a03b5af4a559f339f99b696d8a15feb2c3d6b4b3de1f2cb82324fb0369544441c862d395b3ed84183bdfcbf63703

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 8a239d3f047024240ffdf51b185cc16f
SHA1 9a78ee4cfeb76fddcbc9a9670b0235e5a42623e1
SHA256 a3cf3902467c3a14de0f0e270aa92615cc1a665dc17b8a8b2e04d85ff92ea399
SHA512 d9941023ebb09cfca33cc3047cf4e12a993fc9903edcf32ad0575bdc064ff7721fc4fc7f00e2020d39d5ee590df3de5430ed016b3c80f2d5bfa2e2433368f4a9

C:\Program Files\7-Zip\History.txt.tmp

MD5 b6d72ee8d803f4251e971474af625aa7
SHA1 2f827a2553cae6e1924050064ea074c4d4e860e3
SHA256 048c23517b1a7168fc5420a1c1bae3abf86cdb98bc0941fd2f73cb4828a872b2
SHA512 0055cc9716e1b7f175cf85528c158886908cff3770c28dcae661288c0341a154426867487fd0b968399fa5728926c2573361cba900497575c055a5b5ee651d1e

C:\Program Files\7-Zip\Lang\an.txt.tmp

MD5 ba450bfbbd0639b0effcdefc15061add
SHA1 9a6451f4a23a53b2548b17a43997d64890404d8e
SHA256 5decf1ce95ca7c3abe3ca6fc576d0ac5810c7c9419360373882a14cb65e1306d
SHA512 58e9ab0dc74b81744fe9f3db6df9f1fbeff76c51ff5d9260ee817b2afe969beca7592a44425e2d438e765f569cb7e91e876202a503626fafb00eb1dda6d7f954

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 978984c89b923dc141f8653f927d5f1e
SHA1 67348af6e1ff63345fa66e83ab5ac12b12e1b8a8
SHA256 b09cd05a3bf1582ac836fbc2d987a51b453114675e725d2ba9ebdb9c3e8e6754
SHA512 5a6fde8e51117636af989f6c69f0e73c33e2a46afcab18144f3b756ef253ab68e5ce104b660c43ea2e32b5c81dd076ea92821f052c1fadc711f0e4f004932504

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 01945acc7664142e71991eadbc2e0b0e
SHA1 54ccce383b2fff92f8a5939e0bf2e4f1d2651d69
SHA256 4af4aefe3c6e01124fd395f1cd7a4c41e746abb2461b0152702105a7d1ca4f50
SHA512 1585fecb1e54e69002800a746a5ee946b576dbbd63727f3bd9cfa10a404780f2293a1189d5b764ec7e1f59bcd4e4d53ad2036144d6867f2f364086f25abc4dc7

C:\Program Files\7-Zip\Lang\ba.txt.tmp

MD5 47b4d846756911df81b55d8662c62a9b
SHA1 fa9ab5c87d641a485ce8f922b6fc421d6fb684d0
SHA256 7806006fffe9bbed13ccfe40a0d5f5d6b4913ebd048965d4186f3297ac3328a3
SHA512 98d9f9d33f16774380c896896f4a7c46b25946cd8a825ec0efeccfe4fc21806069a468a367c14704587bdf9c1137c962d84c59c35b3e32533b08b79c1bf750fe

C:\Program Files\7-Zip\Lang\be.txt.tmp

MD5 08239f5a5e6e4cb2cadfb9d398dd35ad
SHA1 069d186786ce5673ffb8bd6dd75f0c493bea6a5d
SHA256 d191241557b4cb9a25e49f0a54b6ddeb7533b31e7a41ee2c85c493e3056dccb6
SHA512 d598d858ef76c8017a9dfa1651b678ceff1c90c10f5b2deb6b51a5bb4620ac7a21996950b168f1ccb3ab220d79d9de2170f777162e5a69d53ac57527cb4bd5aa

C:\Program Files\7-Zip\Lang\br.txt.tmp

MD5 2babd0b343cc80d26f91040ae819cbd3
SHA1 6d31beef61881453b0e91c15bc0b641646aeb476
SHA256 763f5baa3cdee6bb177d8d30989b4909b32349207b882d72f782e74131da1eaf
SHA512 9e87b432b20c2253b1b2612fc5c96fb8c56e61b34258e3a0f1b418514631e41125e1d2b95c6b02d0267728149ab9e640908b7dfcc2d3b578ec5c3567d8c9c3b0

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 1bf5c13da3ad4f0e3f832a69f615d310
SHA1 24ded9a76ca2b111ec5799174b586e78aea57036
SHA256 0641a2c18d33432cae6fa547755ad07c05d627df244f605347851b33f8067dc6
SHA512 4cb1fb8ea105c0579855f6b0aa70d98568b8e83697a6d540267393f17068b01ed4db1512d23f2f24f5a5f4ed998386b7d4781a86843e253cf17515af111c9e9b

C:\Program Files\7-Zip\Lang\co.txt.tmp

MD5 ec80a7f19f737d240ddf15acaa2c8d6a
SHA1 a7042c1382e8648f5f5af55305723d9133dec94b
SHA256 9ed20f6e2dd8095ed55fc402e195d5d9a0878546705bd1011d4c2124604c8916
SHA512 b31232a78621d7eb60f965bb1baa96d0d9b8594f9fee49e205b128d11bc20b440465d606f5ae23f4065cd37c5832fd232d4e916e26649d17b6f38db421c97e54

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 0b8ad7e7384a5920e1acccf1ba39c6e4
SHA1 f0d18bb71a85a04dc8baac36a6d478b690c813bf
SHA256 9c9fc2de25c9e71ed0d0b000101164c2fb2af847de211fedeb0e305209836542
SHA512 ebf61aad717ea29f41458812cf4dccb1cbfc5868c728c34672788fec3f61bc06846ba7cdd035b023c4895d4402fe2a745d6e85a5c3baab0ddc7e3dfb13d8f737

C:\Program Files\7-Zip\Lang\cs.txt.tmp

MD5 bd0d8ab8bbd24c692c0ff73909e945d6
SHA1 6c988c2a85897ec83553a0ee2e389026fd9973dd
SHA256 aa114eb33028cdcba1e620f4f85de28a4b14670c70645b0062bcc0951c81616c
SHA512 7fbcc0df1d24c8e018d87d0a3ebe27997d450d1b84ef5b383d41793950a3d814f54a33b3dd29dea03e892d60b691e14de349a8a008500de66b0f3880b59816fd

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 f3d0ce9937f0526c0540ee408050c806
SHA1 069771aff1ac22737a34d4ec3bd3ead5ed31b8b8
SHA256 e72bf0c28412baf11a712b21ad7a81ac8b815a18b86599fe1324222bd61fdc25
SHA512 33a1f966af91df15b76438d0c996d743f89333741ee0735246cf53f9c48b175f17b270926db5bd9a10a8c8cb9120477d32971ac34ac8c07383610b4e81fd7eea

C:\Program Files\7-Zip\Lang\en.ttt.tmp

MD5 3fb7fd5df17512a4a002c1feb2d4753c
SHA1 bdcf5c6c697ca5109e09381a13d79d5334a04dd2
SHA256 ca22bde49f973b7034e4b885e62971a735d3f6ed5f244f7d3fe62a36edb0879a
SHA512 ebde60b2fc4e58c9a435ca9a1b013e8242aa0b93f90a067b3c5762e2afd452bfac5434a395567c6f67ec91f9ce05fc15fa5077b317e166682c125a97b447ea18

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 129d95b326ab874063100a0dca96ce3a
SHA1 c6a3cd75300f8cda7fa26833389f6c833ca9a658
SHA256 ecef46b793035c95ae70ed1af4070e452b0d3185f8224fcb48b4310ec4c0baff
SHA512 adcd1fb257d1f52cfedb2a89861f35b6c6e7096a7c6ddad08835198c21b5b85dcc1746aa47174142726e11b227854bc08bb7afa7435ba650741f6d69632e53ad

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 55565cfcce7aa88991e0840ee60e8af8
SHA1 c13181a1166989cac35db4c20a870b09a079862b
SHA256 338a3cbf109d4e2d6dcacc96605335f13e5669a117296411883bce4b3e55da19
SHA512 aa870efe0aba611be485cb03ec79043b58739f9112f3e27c0c68f9d19d4d36e02e17323b703c9bccdc9f7b13f2b75afe3d813bb273647aa8bad5c61f66c7613a

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 7428d373f31868e27b4939dd23e6dccd
SHA1 e3103e479b15df48ec579a9f3816f8918fc4642d
SHA256 f985b75759c2463881036482193a7bfd46fc47b796795aa844c06d571bc66de7
SHA512 8ff0cb4f07f333cdb4ba030495e226707c611cb49fa8ea36c54af7f7774fc0c46631cc221943ee179bfeae6705e12154856971928f8518d91f798344ca6ff49e

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 fa3d36a633ece2cbef0da5d0b9474365
SHA1 3f80ad18efa7a7aa279f143556b9ee53fe6f602b
SHA256 52e5222f0872ed4cdc992be7a3eab7244d8c2b0aa131463d4165feaf441423d3
SHA512 f6ef0f0c24508a0bc3b08746fc958d9c8e333045730637b81a6a52d11b2c96bf92e90ae326b5857eea5e37849427c5e792b921a4f18ee92520cdf21253434af8

C:\Program Files\7-Zip\Lang\fur.txt.tmp

MD5 b04c23aa0e7af1f942dea81ecf1c330b
SHA1 f575978062ea0c78b5f2fa91c5325f8e087e5de0
SHA256 a008516ca184f6d2ea956580ebae8709dcb9a127478c52c206d145fbc744a7ca
SHA512 b1e95f0c9511cfb7776dc1aee02abd3f40181285b29076545d46cbc1d92699fe3c3be41a324bb6b15cba998cfac694395c42be0b8d3d7d24dbef320f9cd26ef4

C:\Program Files\7-Zip\Lang\fr.txt.tmp

MD5 26df173e6fc71da8bd8a4ce97dcb11b9
SHA1 0e2b8be7164cd153f409220bbccb1680be7beb85
SHA256 0167b3f3180436cc222e3d75583b3efb8b90469d6234a9f32bfa27e6ab92d522
SHA512 dc15f11d11b792bb42b346de1a631a4cf6e05e95ef5c307ea2397417522f7dfc2e4e289d5fe5b1dbf876ebb1c46a4a366801a96ec0f73877c550d4ca1408470f

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 4830ecac3241d2fe4ca2ee8ef24afe6c
SHA1 01320fa4be6a10eae7c0390fd7c94b7c5722b9b6
SHA256 587c196502cb4593793ecf14c59bf18ed7487710de461109ff4bf15ff414d5df
SHA512 6dce914f09a045b4d1724f8c51f359dee62983aed6d12be7c6fc6ca8c2469529817a682f94f9d3c57bed3d68778c73eee9cfc7b70eda6476bf2a7999d5ed515a

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 e5b4374409355ddff6af5813d4df37ec
SHA1 52447e3ef985527653063ce3e5fe800c85dd9efd
SHA256 84c481fa7e75115b5f1d61ff02bd5b99ec0fd4d53b9ab4790bfb113349d490a6
SHA512 ac01624bff5d595bc6edd741de296f8e0a0fdb59b0ec704aa73469dce2d965a7c868c2b721c8312a1d24a6454d284f4fe5d009a3ebcc0fcbd5f85ec6cebd2a22

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 24325334cf7a168ab04116c86611a8e3
SHA1 60dbb975469e08dc44e0ab5e66e49d428fe5906e
SHA256 2a00d8db8d87fe073e6b2ddc30f9b49b4bd5e2a9a273adc84ea967b20d880c10
SHA512 7a2010a573f5c21aa044addd7510a27151e86cd247ac9d03eb4ca1bd5c6097d376ade8927254650aef2e756bd66ece1b38a6d48be9a016f976d0e30899e43191

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 6e562df3d13dd43db9beb96541374629
SHA1 00fd05d0465c1dadf48527f6c7e57297e3b02391
SHA256 6fe992017f746f8fce2e7ee17cc74f38ba9914af70b7f153544ed037220f6416
SHA512 4cd7e40fc247f54882c41a96dc030ce37540afbc3677a9a96876f1a2b2490db6c6bf7c12e9054d2c2c97314e7ea807f4be02f09066b9469e7e1233f0bf33ee71

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 709244358b626425cac16ce08ea42295
SHA1 2f29c7c94b2c7e0da76086782932d2b784e3125c
SHA256 40475b9d88a6f8fb6f4da4db94ea2adfaf37db578d80c5ab317a22b15fedc8bc
SHA512 4c4650394b7b947a3b0d44228c0746f07e5841ddac4e26981711b47ea376ab394fb9213d0530e61111455a1c0709eb81713da9b0f13aa0e180879683256d920b

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 a241e31ffec19064b72711aad68c8129
SHA1 e57d391a207ed10b8d28d315a6c4c5163d7c359f
SHA256 d51c5c5e1589499ddc52ca2e3df42e2e956030b958ca184d8855922de15ad90f
SHA512 0bbd5e19c4eddeb55877da7fc7fac198024ef3e208436ed2cb2477e8392b4f3c4d98bc4a3121675c0e6553b1c2ac21bade1713a9d9a26e0a9cb566eb87b06760

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 dbebb98ad070c5c9c77a0e858ad20cae
SHA1 89e6eba2413dee0ee421a726651d702ca2aca634
SHA256 1a71785e430d75f2be4fa2f9dab52ee75299e6f2e89155908cee7cb0863c3bcd
SHA512 967df18d872d8639aff54d69dcefd8abc78f204f5103e2283637e9b96fed4252f12d2db16b6989127e077bc713f049a1f8a8d828e3db14cb34460e25d46d86f8

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 eab46a0fcd59f6731541408abc7b1248
SHA1 42e70e9db8db8209aa7e71029550346cfa8cb860
SHA256 037f36de926d70f1e34d553ff8a98289e2e510e597bcf0c8430bacd1af2b5bbd
SHA512 27f40ea281639771fe97a3935a20160959cab055d896eaf4bb2389d2045700aab7108ed2cbb400e49c16f63bad674031e638fc1c2a23f442a10536ddc6e844fa

C:\Program Files\7-Zip\Lang\id.txt.tmp

MD5 bc6e91d28554d263d4e515cc681fbeb7
SHA1 9a72fd7ad8a35dcb2bcbca11392ef4ed3e6653b4
SHA256 5e25f7217182b277f23e4399d40695e6305cd6b9dda44890a52aa4474273201e
SHA512 3c6fce733b56f1db4fe8297940d1720733486b6c206a06353ecd7eb31bd2480b7464d639c3d96f952e7fbecbb5e5c30df69a02e98c6a24e2d22b0d84ff6c166a

C:\Program Files\7-Zip\Lang\io.txt.tmp

MD5 60450285c6e2233aacee4be0757c6a6d
SHA1 34dfcaf4b1aeeac7271181075ef187986e5ad713
SHA256 369f909a4156c3d3303c9dee39be69aa852e2be7a800e197c1ebfd5a457db29a
SHA512 f641c635a70d0666e37f578f581df4d73d2cbf686b68c4858fe5fba811e9db7a8af8ac5cab51c28669681bfed3f955207a932f73e1c3bbecdbbf5c47b3e5df87

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 2ca6e89dbae9e70230109e8d9d9aeef7
SHA1 c0dcae07f229dc0410b53536552afc6433e75836
SHA256 6e1e00b573988c47a50c875350934ad0f02b1188a8474862f2206b2dd8c08b78
SHA512 e29b13b3d6583c1247225984f16da8341a7035044c9e8c02eb63b59bb86faad526a9bfad03538bc64ceb00224457937afc6e65a34e1a2b035dcb002dc77a389e

C:\Program Files\7-Zip\Lang\ka.txt.tmp

MD5 97c60f1dd290bd5fcc082955fe1a6f44
SHA1 41d5044760f3fad457578b6af34c5a7009978301
SHA256 3358eab4a5c669ab82633ab75bf65ba550762cf21e049913e95f9bcf7c203444
SHA512 fa6188eb33d7c0adc3ee3a45d617f155b05d341e1241379e9d7530df1d2363860d20c0c70cafd31cca03d98d363a1d3187f9183800127d4495acb226c49998bd

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 74f6ce14bf65cca870c719e9e08a2f34
SHA1 69a0fefe038b71830c607520d37904632fffad95
SHA256 39079c0681915b341c102bc8573dca175ee92e6c1862a8d69b640e184d05afe6
SHA512 fc1a4c3fd83fd3ef8fa2a3ef7a5863bfba53966b0b4bc44021a273fd03a92aaac6932b24e414eabad926dd7d63602ee5ee602e54e483942dc5b2638b8ea66a91

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 8eb2bdcd1fcc98a60b69ba0f16e3bc42
SHA1 3bad8f7f0943e0af1009f22348555c5bb96413ca
SHA256 e1319b029a0208f2b0f9488777bf6991c74b0e72e74a1e56e9136bdbcad98f73
SHA512 119cf8f2cf8ba0a2b55b253c9d6341da025827de1b80077ac54212fa4f7d2123861d35a2666e0d1fdbed5fd08f7d532231f350f13394942d3927e6de4c6bfbb6

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 749e4f3a1842fe6673424c4a824fbea4
SHA1 b166c41ca7d4d4efcacba98161957f0d5b6598c4
SHA256 060659b09de627c2526bafca4960c791ba9f59d60d57e0c211d9bcddf4830253
SHA512 812136968855b4e22b26d14f622a62e336f14416e7051bef9446677ea25e28e11e2e1dacf8597c67aa30f5c7458eef86621552744af6fb5dca5a7cdb98d74778

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 65bdff04734b25689d1d80d3b33bd137
SHA1 d3cd2395428636a43cdb450e32eafcb8176874a4
SHA256 c7143665b2cb7691ec16007271e4079972f5a3f840b5a80b6c71cb2ab99e2be2
SHA512 c3788cf35f5d23ace69c9c1075f71d4dc68f3e77415ff83cdd780a38763a3f52026f9ac06aee45b0b443224670324ed4c175eb7a906276f59ba7f5efe3c6e166

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 47cc75bc0b3b81241be346cf6d0bec4b
SHA1 aa944fb4025cc18388d89dc9ab1c8e18f3865e71
SHA256 8cd29a0c1bbd2c928b606ee092f677400b0a7d57d8bd32e4b8bd2954c7e184cc
SHA512 29f3324b5be1fdd71ef399823ce0d2bc570a659f721fced1840b6b6856d6d4ffb7f22aaa3be81341da63b3cafe59c00b46085fdc2ca795f12be15ed89a3328a4

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 678d85eddbcb765f41e7dc7063b9f2d6
SHA1 b7ade1d8d63c0b300769b0ea8f16c5473dfe07f9
SHA256 4c7d5e61ea6478d96042b04d1bfd7a2956a08ba3ac69c11a8f8783579ecd1ad1
SHA512 c4b241203f9a3edc47ab7dbe4c356f0ae984082f047e852d06e7865b2ce84c40101338f4052860bfd8248788572c093dfded88d08a92c81af609e49f880e9735

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 0ce4d7e4a0fedc71c5ac362178461215
SHA1 d788c83288eaabd36b8283a737fd1cb08dcb3499
SHA256 648788a874d5e8ebb4b86a87f3539bc0ad621b5b4bd7a35aaf6beba555788a4d
SHA512 2bfe550c756ef3ae75a5ae71fcf0d5af9632fefd98ed544f2bb3499e3708628e36cdaeaf8d13f26f17bdc4a96ac5796d0f1cc2830cb1d03c14538a501795896f

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 9e8c8603e3ba569b1cbc82f549bb1684
SHA1 199fb91c45f0548b9fefbd673aa8ef2cd0211965
SHA256 dfb4361aea5f23430879dbb357be4583eeddc9a72596f94fbdc13257910bca8f
SHA512 c9ce4018fcf5d11dd78ef94cbbe56496f818606f2de57af68eaaab99703230afec8b3fd75ac47b102054deaf37e93944b891d9fe65c3ed6454edebc958420b88

C:\Program Files\7-Zip\Lang\mr.txt.tmp

MD5 fe50e06f21a9e135cf35ec6211002fec
SHA1 f3055694995a0d59eae12d43906392293461d17e
SHA256 3ff222b134bd2d325b2d7e111700c5d4c23e44746a8b6639272ea03300163d0d
SHA512 a234f5ed5f9a46f6548563c6a216c8c0e82985c02ca5434883b16f7fa9cfe24643721b578ae9aa4b724504f30eb933314f8655b13eab7f94a40104926cf7657b

C:\Program Files\7-Zip\Lang\ms.txt.tmp

MD5 28e7c1c7be27eae8d6a66d84e7af56d4
SHA1 b25578664139a133b8cc6e2dd74f60129cb716a1
SHA256 679b7fbbdee2071fe1f5ea6cff83fcb12183aa466ebe0b0d102de993f531295f
SHA512 2697e64815e9a9a42756e06de258bb47cd8ba8c753decd8dcd1f58ac0ef6dbe6069a05bb95ab07122bad8a5d1f2d01803c23211fe1c69497e40194e22675e792

C:\Program Files\7-Zip\Lang\nl.txt.tmp

MD5 229b30b38bc75487a7ac1738669cb3f7
SHA1 fa30e924af1df2f839a595eb00837777cb9c3f2f
SHA256 7d85f3378e2c659d911f48e4b8861cb5225f246f6774469261ec77738deb7240
SHA512 711c2e12212c222177bd69ac98578a19e70130cc7a60fede3ca12c38a3675299aa52bf286aeabb2e43c018fbfefdbb3302841a35cc35a72975572f7b9bcd4b1b

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 613056e59d26302c8e00a82876203580
SHA1 1e95abc650a07c9cca244d748ab7dc8ea6c38845
SHA256 def4736a8c05a511da466e82bb7abfff5f6f1d564992fdeb8ce07b78cce59386
SHA512 ce16514dcfe1b3c592558d727a3fdfb5e3c7b347675b52f4ad3b487c658fd513e5a85423d021dfaec60b2e292a84d5038f1518b99177ec4f9d7337602cd7bfcb

C:\Program Files\7-Zip\Lang\pt-br.txt.tmp

MD5 92adaf966a5b5a9121e19a2c96230af0
SHA1 c52f31405963dafc704078f548ce0772d2d6f754
SHA256 07cecc7ad8ca6f782e1e20d485d1a9d58d8226fe17ea783608222ec0e2dec47a
SHA512 cebe17f683c2fed55ffee704d76de42d720c7699686fdd488cbd50d527efe2d6b583e1cadac4d351e0d13dd0daa96c2b470eba7a2c0f22fc37dbf3254626fc90

C:\Program Files\7-Zip\Lang\si.txt.tmp

MD5 005797bbe1830e78ca9295ca1339b8a1
SHA1 5b8de1854b34400a00d4278b4c46884eb5f2e802
SHA256 67b5311f350f3a2ed665360dbc9048e9140d4346d3e06f205cdeca4b44205dfe
SHA512 da3dc84e2f9697d6038ba1a0daeb0a17c093e6da4b48233bbb1203a598ebe8c3cd640faf3a457f1b2de709131d439397cfe7f7268344239b884ced470db14882

C:\Program Files\7-Zip\Lang\sk.txt.tmp

MD5 81e236a3e98ffb3eb4fec16892aae836
SHA1 ccaa6059d1c559e7055e9be913a6ce6b67903e57
SHA256 721797a796cf7be37b44fb422d0f8dafcad5a0ddce9e87119f406c7504c462c3
SHA512 a0f87ece5cbfa3de2fdd90627587280efe3cc3fa93acb1dd32a85aee24b17cf6e2234dfc3a77e13f9138b492eb1bc7b814b5850340fface6485450e2e9db0423

C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.tmp

MD5 bf31941595c42664051f769e6197e1c8
SHA1 8a10192b466c1974413937af70ff29e25b6d6ee7
SHA256 68ae40f7e207ebe5ca9395a3085dfc6714a7fa04b94898bd3db74fb03fd8aaf0
SHA512 22f9f822e6c14f5f8d2734d7ffb6bba6b2f33306830d4376cb4af1c16735bc0e67d6df27d603c83fef2a46a7650b48e20539b1f5861f89c421f840560ce6dc83