Malware Analysis Report

2025-08-05 21:56

Sample ID 241006-lzvs3axhpj
Target c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN
SHA256 c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccd
Tags
upx discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccd

Threat Level: Likely malicious

The file c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4723) files with added filename extension

Renames multiple (3665) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 09:58

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 09:58

Reported

2024-10-06 10:00

Platform

win7-20240903-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe"

Signatures

Renames multiple (3665) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe N/A

UPX packed file

upx

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe
PID 2228 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe

"C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe"

C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe

"_MS.LYNC.16.1033.hxn.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

SHA512 efe15bbe0abc5765911a73e6841369a8e5d0724bf2064c251c5dd1ac687de863e0ea36e6d659f21832c83212da11f7a79825fa217f23e54886e13591745773d1

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp

MD5 4190f8b48a4f6c904422890a5aaf9f6a
SHA1 7a93e1da29496d62a3e4cbbd978a4a250b0402d9
SHA256 82d7de6e6833a6756d7265974038e9a0b243d959a3e94b13fb1bf94018f9e662
SHA512 42eb0644cb5bda53f3424f4de2c388375ed391ce30df05019cedc2320bd7d7272191f94840e80ec8d51e73b094e06ee294e545f5dc410bbb39492730eabbe1c0

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp

MD5 e9cb4e423cbca7424dfdec9def89b61f
SHA1 34e99b4efe150eef78043a04650e67ba8eca4071
SHA256 f0f8ab7c629e03f9609ce5042557e4a0acad4441c8853c38582cf100bead042c
SHA512 c7bb186acbac150069a44058f7052181b0549dd929ec6e0322a50526c6c0f6058da009b94f87e12c6ef7c8851e5cd3c6e824b2941676c746a49c4ae47f92e7d5

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.tmp

MD5 96876e2e1c48d88c35c3cbf01acf3505
SHA1 1bf8b78f16e5fc4358d60bc3433be21e425b09a2
SHA256 7ccf58a2e6f20cfa740c52d6ad50422dd178f48201ac3ef6aa16f1c3e74dde5d
SHA512 d25a70158ba58f9b9fc946dc1f976a36bb03ac68b05d8d60d31fd170ace3ffe6db410ca47474f3aa4353df937502474bf0875c360c82071fb6b24c3445f5365e

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.tmp

MD5 31fe164acbf8ff2cb74e51e0deaad253
SHA1 d7eb3575af54423643b3622cb548b3e6b92742b8
SHA256 16db2a56c533cfcab0a8f6ae16a9aea705c566a94e6e6dd71212334abd41c725
SHA512 bb9ef1a381b8e5357225fb3a490070a1633038f021a2cd54200db8545a86e0d04652bf33a32757148ac7652a94d221893de34e7525784648abb9bcfcf2ee6aa8

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.tmp

MD5 a3e17e953bcda3f3a207c082ff7897b9
SHA1 a45a10b99aec13d256998fcdbf2ff38750650dca
SHA256 ccd0e91248d5ed208153fce23113e3e141ed1880bd33570c9e816e8b556ee7f6
SHA512 b983f844f9d6e9f6eefe89e3824cf566a4c33efbb535e43848a213de34a62b61985b60efd2fb124c17a53a50f7cddeb687f7d7aa51e2408a16b097c23887f479

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 12a6507153160d69855899793369fcc0
SHA1 6ee51527f3206f125bcfc311bc79c3a5b9e2eb6e
SHA256 edcbdd3a21e39c54bbe86bc31ec4fa0aaa2b1647af5b5ff6aaa3331b6e778dfd
SHA512 25d296930389f287595c7db457163c1ab38b25dd1004d9d6a9f6d2fa419c8226cd222417a2837da2440b3d5b22c240cc61db2cf81a42974beed5f753b9f77bee

C:\Program Files\7-Zip\7z.dll.tmp

MD5 fd3f76471d49aaa82f600afc144b7a0c
SHA1 780d89b024ecf7b5c74e9eec0e8a925332ff0306
SHA256 b1f4b85d9bca5945fde54510f34b5ba7f5e1d1b7206ba133b58664b05fbb22a6
SHA512 ab7e44418c1690b1669ff13178217da0a294ce0b55f2091886bba51f4ae6a76c1a2e1211e4b023ffb0d00fcc9cefb0687f3b32cb4bbe37708fa4e9e6f8277394

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.tmp

MD5 2534c03c8ec92ae9427e2a2f867f0641
SHA1 8855981132159dcae5a715a61858ccaed6866e8a
SHA256 74011612ccc91beae8b575ab1e6416405d6bf593eb92c839caa30cb34e13b2c6
SHA512 2e2aeabb9edf8c2531ce9f36a67b0c3684eda26610f69a7f5f3ae08775aba4b4951df3781c9bf8ada073187b0d6e715c67a485b593d4379f7255b8364b515584

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 09:58

Reported

2024-10-06 10:00

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe"

Signatures

Renames multiple (4723) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XPath.XDocument.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\EventSource.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jp2native.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstatd.exe.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.ZipFile.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Queryable.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlSerializer.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationProvider.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe

"C:\Users\Admin\AppData\Local\Temp\c945c932fd7ffb22dd28d5b7c7094c31913a94f6cd302211887a63acdcbebccdN.exe"

C:\Users\Admin\AppData\Local\Temp\_MS.LYNC.16.1033.hxn.exe

"_MS.LYNC.16.1033.hxn.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network


Files


C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 bca53e371c219dadaeb940118b6b730d
SHA1 fd017f511de02f47ebb890d1b365af6e94eabb58
SHA256 f7c09532444b70c55e4c790ee74080b6326b767e60fa2c80c0a0b6866ffcd94d
SHA512 59290dfe5028aa4517e09159de29eb2dafdd83370b8a06b753f93a522133d9204ed60fb60acde5e4c64a4d33b9370ae1eee9a4fa2d73de5a4133ffa786e012df

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 b0189686cc4faf75a0d660b2afde2e90
SHA1 58064d716ceb10889a05a2cd1828ffcd1d614c36
SHA256 9ca381bf887ab5c91d63f8cd0d4ee3aac1dea9b921904c2ed7078c2e5455c007
SHA512 a98c5d7a0f1f9f3bd954fbfbfeacaba01edb94e0fd2cc40334c7d2ff21dea3c2f2edfd9b751c0998d5bb6c198dd0da1e70b7659cb71697f6b50da8130f7794d8

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 e5f5b3741583bb30a38f4d09996d86d5
SHA1 81f7b2d2ef1911f20df4311990482c93b93f1c2d
SHA256 e472f1f9ebfa26b22a6843fe42728217b191b165fa60019aec2fba00d73ac4ac
SHA512 101fcc639085018b5eeb0f26fc0e8abb04732a711a48f70f3adf84df71bb33e79d563924afde275f6793daf954e119a117450143628bde9b1e34511bc127148b

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 ca69b78d71dbe3e18b5a3e653d4fb4c9
SHA1 f376e9ba9478c0b145e42b5fdac442fc4b0a0541
SHA256 1eb40f944a6561117f48e177c2410eeb260a4dddb7a4f4b2ebb6f04c0bca1e57
SHA512 735b2bcc204c1aefaecc76c1cccb4b89600d09779d2bc701558fbd4b337d9da6c3613f362607e22c4b863840c99b51841c666526a17578f5fd3f4b2e00fed17e

C:\Program Files\7-Zip\Lang\mr.txt.tmp

MD5 031ea7441b49762b737acd1e878bc63f
SHA1 e8eda12b1a0a2b7591dc1b2d407e67619eabacac
SHA256 d45ddc41c68525a34b7a5bd41854d018a9523924c11d6c936d4dfdc2e92c047a
SHA512 107b5af134a9d8ee3b4bac259c2fbf7bc1b5a5ea38dbf834c92ae47b756cad752222714e20922aaae1098d774fb8385ec85503f7081fb6edb487771cdbfd697d

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 8c5871f7d68bf42cc892f400226e53fd
SHA1 3ae45a3a4e9ef70a8bb7e2d4c091b51d0e6b93f1
SHA256 695d7697f60373e10dcb6ab300c36ca8161d7cca4d0b9d23f79b1a673c5dec9c
SHA512 2972ffbf408e6b4b3c6ab507c2bcc03d6004392025c0ae37db94fd48efba6fac1f92207840b3828c9870dac2910e29956f132cfc624fb02678e19800f95923f8

C:\Program Files\7-Zip\Lang\ne.txt.tmp

MD5 cf9a3d15dbbfa93e14709ffd84615092
SHA1 cd706d01a481972feeae1f425eeb9dc9107a268d
SHA256 afc24b7d461ccb00f46bfa099a35872f820c7db93aeacc75b706e949c8216ba8
SHA512 05037ff55267542c17d70a3a74b331c65d5fd059702509e0641171221519287739ed558f2c4c85c00bfdf1d3bb2c07dd7cdf62b1f393d244d8ebc7673ec0de8b

C:\Program Files\7-Zip\Lang\nl.txt.tmp

MD5 c9f5d370b9646af8483cb79f38943b2b
SHA1 8cb8da23e951300a1eccc58b2101664a7f6f4d40
SHA256 2f873d7bc26aa5b5006a549def320bd8fa135c8bdfb87357f002ab45a6d1c627
SHA512 12d77cf6a57eb32cbf73962a2a3c7515b6b378c8301f19ba9eac0d66937e50125972e691630eaa2eb0fbe47b50973f73454163305018775abfd7e832fe13bf8a

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 3b6856b401f8175590eb02b1d1d1065e
SHA1 0b7f305699138c90f64c7d3331bd3fc69f7ad378
SHA256 53429dd3b9bf734d087c494f4af5c1ebcdba427a83a7929d7e292e2b17cd0559
SHA512 8e99cd376c9d1908f43d95e8ffe052953a20a7cb1c43e6f798a7724099bcdb8ebb338b18a7a8537505a9019d9b7a50ac0cbd38f1a5f9972cdaa19805803e0d49

C:\Program Files\7-Zip\Lang\pl.txt.tmp

MD5 d2dfc93c8e247c669f30ec579ab42087
SHA1 a373304f05355e90f8a8e026e7e7dee55be912be
SHA256 682bc776b4298c4fc8177ddcee1da93552c6213156a7f72e47548bc5c580849b
SHA512 fc6f552af58abb3a459cb2bea88a1e7d270038bcd9bc02d5587350ef23392b7a542eaeed112aa36599ddf74945061b2a03e03c393f8267cd15f6410c10f331c3

C:\Program Files\7-Zip\Lang\ps.txt.tmp

MD5 60a877bc722fa0bf7a9f0663cb296d14
SHA1 cd902340519ab7f1e489bc35c83cc28779b11673
SHA256 a3161dbc3f855be932ad1ebce3883790779fb64e09a02708f809c6b30089126e
SHA512 81b4d7e5a29b1520d21af7e3fbe58621acead1594e625ad6a5e3d9eb5d6a451b38d6167a844f0d07e31bfd01702915d0e92cba4b36020a62cf82cfe463184902

C:\Program Files\7-Zip\Lang\pt-br.txt.tmp

MD5 69a7826535c94824a57a24b3ce363b88
SHA1 7581ffb6203471f21a270e6a091932dbe1147154
SHA256 f50e0e9d9214e01ad9994ed7d6b4b1d1174eaba7d4f870e0c334e9bbb9976350
SHA512 bbfd9990d38a01d07db6ef3184416520ed544e55be823900546cc71787f0f01d0cc2e9c44c778372db65b15388af3af42754f5c6570f18a74c53621f354a450e

C:\Program Files\7-Zip\Lang\ru.txt.tmp

MD5 4e9f7bc452f132b928d466e58094bc7b
SHA1 5cbdc799ac8f7746d0c91683d654e469dcbea0ff
SHA256 140ed119d98da0b422222b0351a934c029a785a6b3f05e1f7343ab79aab60683
SHA512 edf561f2c615982035123c915169f50fce2bf46db920fabc0f77ed9e208e85342c5a780e97ecfa4d19b0c1bfd13b031c7b9e898623a5342b41ebe23fcb775cdc

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp

MD5 e616d72a2fdd531f7f0bbedaeb6ce2e7
SHA1 cd86af38719b1507ce27146d0622fe9cebd44c3e
SHA256 f2eb24b86d9a4e3fcc9b1c99114c65071424487458d8e64a63bf5c954f59709f
SHA512 e309455c34552cbe92b4de4f16f626284cdbe08b2cfebbf79cbdbed04dbb7aee08e7a0c25507939fb701ac0a19e1e71a9c5c671b46194308be18359c1b9ffa70