Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-dcj42sygkh
Target 85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N
SHA256 85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734

Threat Level: Likely malicious

The file 85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4698) files with added filename extension

Renames multiple (4366) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 02:51

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 02:51

Reported

2024-10-16 02:53

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe"

Signatures

Renames multiple (4366) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Mozilla Firefox\precomplete.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Regina.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtau.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Maputo.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\More Games\en-US\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Microsoft Games\More Games\es-ES\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.ServiceModel.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ho_Chi_Minh.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\dumpmeta.luac.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\Filters.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Cocos.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\DVD Maker\Pipeline.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\jsdbgui.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe
PID 2980 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe
PID 2980 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe
PID 2980 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe
PID 2980 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe C:\Windows\SysWOW64\Zombie.exe
PID 2980 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe C:\Windows\SysWOW64\Zombie.exe
PID 2980 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe C:\Windows\SysWOW64\Zombie.exe
PID 2980 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe

"C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe"

C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe

"_Adobe Acrobat.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

memory/2980-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe

MD5 b1a269792d8d85226b407e6507498ae0
SHA1 190916cbc7220e8190b432f0b538412d602b8957
SHA256 34a690297a6bca89a7f93f4971b4d2c48fc2993f5d37c534b3dff5a376f38a49
SHA512 cd3e965cf3a9f35318ccb98bedbff8f80144f39e0895110da3212fa83b716f4401c56b779d45a99f8441eda1ce45de29fde83da826f084a678c8ebd8541ee262

memory/2980-12-0x00000000003F0000-0x00000000003FA000-memory.dmp

\Windows\SysWOW64\Zombie.exe

MD5 7bd453fa38c8fc04400d3ff2171b5250
SHA1 40abebd090bab3ad353741deabd7edddf31cac8b
SHA256 6682613e6de95f5fdb208de140e19afa38333738ba22e04e75166a51ed6e0e0a
SHA512 939b933cdab712dd76b3c0ce2d72832fbef2896cc18838c9b79c7cf005154d44eec0cadf0cbf7c9169d80fedc8769c7964ad55810424f3976917b873e8dc8cb1

memory/2980-21-0x00000000003E0000-0x00000000003EA000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 cee2218215ee8821eadd6892cf17606b
SHA1 b3b10357b216b9e4c2505c89c52df12a357827a6
SHA256 858c9d54695d756a4571ead199c194e17a62a299aa2cec043f511b100e5b9218
SHA512 b772575937106be854be215805ceb637e7397a1cc4ad0060e185487602ee1556178673a7a04578d013b5972cee0aefd423dee0a9102bde371fc5c475f1cc9951

memory/2308-20-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.exe.tmp

MD5 9b8ed4acdc4ea1b9856c89fbf551e717
SHA1 8e5f215a187064391886ca1b0e7389f270d7d317
SHA256 073e81f141e7f43f01ddcaaf7f0b2f0775637c70a1050a49a654141f43a421a2
SHA512 1eca162a6773e03731b1f8c9f65049f7e62a1bce22992c4b4f3e9133d1f22e1f9591e99e599c0f6e433b8183ef8e3efb70243359be11940c94f6615445d1cca1

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 1d8f7c11fe16259f012bb599cf3fa461
SHA1 8388be2fd07a3d119939382f827d215136e13607
SHA256 4a2da988da960ace5a77ded253833121176e4abee0194ed36f88519206bd2aca
SHA512 10bc2852887ee47869c2223ec81004b2e45134ac43bd14f37ae34daab6bd3e03e43730d5839f202d3642e040cca309a2ec2b8b8df94ef54cfb552d44dc6a60a4

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 19b89d32548f6b25c7e6f0a83248954b
SHA1 f0a9ec5d0f078b4f8fefe2fe10dfa393eea89bfc
SHA256 8cf4c1ce5b66de29ef2361be9e84a3efac39736dafc00bb32779e92a56233afd
SHA512 d55b555073f1f47677cbba5e310168fc387cfa1ffc1ba99e6eff02d1ff882fe4bbaea3008fac3f2ac95e13961883a2aef3babd052d9bd4dc03edd52cc9d8af2f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp

MD5 29e4a794c43c33838a516ec1d3541fba
SHA1 2e7a89d770dfe5ad9caeb70a74940fbc7005a63a
SHA256 35c731dedb9b0e8b93cc6bfea82905d151b1de1d7f4de7b970501216bc556646
SHA512 9ad607bdfcc7b9bf03bb82e33fd3bebdedea689854adcfc1bea0c89fcbe3adbcd19d3b0fcef1ae19d5dc9ea6e3e54adf75da2c8004736a9d55e1856d07453b2b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 f0af5bb1f6faeb48569c5534a145d2de
SHA1 6487c06c7279be2b5f6a34e6142e810c285191e7
SHA256 a0661f8fa115daec58b90642874f80ebe5301df80fad0e1d88647a65bff8222d
SHA512 c0f4995d7f2042eeabe8860e02b433bbe4ab6628c30737b80b9c281dfb882b05c85592c85d934e1e7a5cc39b22f951c40efa0d28d290639bdb3cac3f3e9f333c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 7f771e62dd6838bda9784064eab14d1b
SHA1 77254dd78ccdd8b41210b55357112edab5294940
SHA256 da760343dbd7b17233c26c70affa107e20cee9e996510948c31f7e311afd5c23
SHA512 f8009cc5ae8b33ec831349fcc31c346916de32f838aee6864f61b1eb7ea887e4d5c9ab9b91bc8b63b4e9bd308afd1c7481b828314eaabede8a37f30c2030b383

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

MD5 ee26c94eba47b3774d2c5ed633abc7f8
SHA1 174b112a9257d4cf1f4a486930ef5f980863bde9
SHA256 4a962a61e333a4814af40648f23063eaf7a31289dcef2cb9d0e08b2f058c1849
SHA512 696756ccadbc45ce0e87de5f41d733bc61daff4fbe7cf0fcf1156ab3d6e551b4d3ad0a58d5d66f3a02586b55b4eac216179efd77148a7481b61ddf63631ef418

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.tmp

MD5 63522951477bd96424c809d1f25e9848
SHA1 3de7361b641fc94acade693b0db38df49c2a90e0
SHA256 aceecd2fd4fef276479dbd7d597df1d49099dfeec890270816669a0d45f4ec1d
SHA512 782a6c707bb02de1667a44475e2bc8c909487162dd3ffd6ab48ae546a03b0f1b793eee02e61d80c5c7e8c4e9b54a7474f3fc02f52ef8cbe2574c2acc7c65729b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 718f67031d076b65396d151fe7a154e7
SHA1 4ec5c84fc66d313ca6688177603e22c4e22ddfd2
SHA256 2c12a71ff53819cf9c120db5a4a287860aa0b3190857866fe80ad27313d9a757
SHA512 4559dcb98f045e4d0e962b982bfbbb5ba4d81c4580fa47b7152a81944c65be6a766a07f2c60c850850905e69d999e1cd5626ffdf379b2e4ed45d93ca835f1f82

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 6b34acfb455dc4711da42af3eb8052ad
SHA1 2f10a2fb88d77db9ad70d5a8de897b394aa37bab
SHA256 3862b3235c9fc7a1bdd623da3d180f33eaf0ec30b71442ee32cccaafac03851a
SHA512 28fa13741335404869a2b063c225639c55b281367ad321f9c46642e5097a8de4b820a7b674f850cbb9b78a7a62af0eee4ea727b0af09774783a285cf56d57c88

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 8695c82fc19ecf3c5d7ed3472f00c522
SHA1 57a3058d16c8d06dfa2852870d86ffb804498107
SHA256 65c95c85a8acc50d98bd46c706d6ba8758282ee8f3307d89ca2b5a511ad22395
SHA512 22a13c08e69c11a2e3a59a4632c461116982157e39ae4dcfe4e7c67f4cb2a86f343d5cf6949d774c2afa78cbb9aa4ad91d0fda5e7ecccb6958ef41c3487088e1

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 c91247a971e3919e0af53100a19aea97
SHA1 a21754a2ef607a00071c356dde9d595b8bef94bc
SHA256 9493b95b5b5ff2ff6472f7000a50587608d0b481eaa3d02ef4636c18d20c172a
SHA512 92b8c6bca6916849fc30b47fe6f60d15205ce796973fbbb068671584e570c4f571f8069fce266294e6fc68b794aa2cfdc471114d7b692a997d35e83f8f7afd7e

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 0c0c0b591b881c07e7b38562cac32581
SHA1 090b8f8f5439c76c988b6d683009faa067bd699e
SHA256 444c0d11a6a0d2429a976da48c2a870bf9bdfe9b32c8d5241dbed12c8cec8b0c
SHA512 c797dd6dc50f90f966b12a5e5dae1a71b09fe932bf2c7a0f81b4ce7e48ec4002a369261e9096f04aee8a101b5c5e49fd64c50414cb451751c88d59be125e9250

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 77fda4e5c181f69bc34d5b4b979a242b
SHA1 dd89c55ac5ec35673871a9eeb8d1b296f031ebe0
SHA256 e737289f320c6f47be49983516c6312eccd48dba77c3ebc6222dbfc22874f6ef
SHA512 86ec33a95fbd0c103df81dde623e966bb5e161f54dd0d480dc1747d124381331ddb49056e41c170ac0bcdcb075d328f3dc21401017157f7390c66a61806e585c

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.tmp

MD5 993847c25bd9a596cb7c867dc0887fe0
SHA1 dccc805305880230ed9bef7351580c4ae42bf48e
SHA256 399f44bf68e92659ff30c42df928981a216a2839a131a058994300a0f4affcce
SHA512 d242e558ff181f3dc10082d58f84c375370921d3180458e45b5bb2d0c3590d55de472dbd5af49a42f9bc19eebed5ae814d1106eb437f13367132da0d3839882c

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 d24c7a35641dd9d56a63070278911acd
SHA1 5deed5eb714bb25456297ad5c7ed55d72de90ee4
SHA256 b8474eaf6678cdfe37e8c102e25cd3470db419c04342f63f5a0dbc3ff430bde2
SHA512 c3850bf5a66ac67199924024367cbd9d52039242c86aaeb2e38d393fc93fc02798bcec377da6eb7684f54bc66334c1c996e5b1ed6abccbabb5a92188ee9c70e0

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 7d937c3e5e82f86275eb71e64de782a7
SHA1 c18e2eda6781cd563be549eb2e81dbace2ffde2c
SHA256 4fe86a9c530b56df372eaaacb076d35d37216054944a57496d64dbaba49fba4d
SHA512 2b25c06e7e41d38feb7286c3dc806ab13ee0636ca1521d2cbdb5f5fb200a606c134f93fe285b148c547de4ec413c40c340b02071b015892365c349c3ce49e321

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 1c9154f167df91a752bfe44f1d52fd94
SHA1 324c16aae4894237a70c729c3d63d867b6b324ea
SHA256 c0c2687935a6f75ef3220b31b29500836def8f326437c8174312b5600864471c
SHA512 54da4718bc157ae8e6117309c924582fba32b2a91c44a530f578c2d40d7fdedf2c1f0394e5954bf6ef96ffc0aab5f7c4aef71c7484f2ef49607f22916e4317a6

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

MD5 06ab42efc9d564a4cfb8d29988bd36f4
SHA1 be21accf9e99b5eac4bee0a19e4f4896dede3949
SHA256 37af402f51e5ea2e393d17e8fcafd3a6056f06a69a715b46ea13c1bd8d01a81a
SHA512 345c76d4d1a54e0120f491b057581850e382a5743813ab8168e379e9ae7266c39d479c3f51525fd215456a687e3992ea7a166dee2c976e68692a9e52a43fbf48

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 42ce4e1932b8ac60ef622b62133b17ee
SHA1 6677cf7baa6660438e43403c6502b84f6d316d8f
SHA256 d7a3d6e2f8a591af4feed138a9a2d34be5a3a1f55eac8a356ce780486870bda2
SHA512 7940ef591d80af5ff8faa5c42909f6f6acd021aec5b3997b0267b4d6624ea0dc82773d47af05aeae778f34692790351b1d02619685f5d122dcab6087d61e5c26

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 0e5a5bcb850258f2838d72368939f672
SHA1 e1d4e5280b3ce2db5b3e06cdc9d991a5600f7dfc
SHA256 ef3f8ef810a4cd1c32ea71b51f02e2f8b6e84ac4161a9069c6bd94120d212dff
SHA512 8c47edba620fc7755c6dcf9432574f22802c2955710c44d4d058d1a392a4ec8926fdaf2a6dd7a752f63e296f46efc428c8dca204bc7b7ab88fdb36487204129f

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 fb0279e1c665030e19adbbc9b0b37a2b
SHA1 0b3d11ddf480086d67b6ecc122c5b145a94ad723
SHA256 eb719e4be553f2912a2c9ec54f8c3bc5a23d0340082250a7f30838bf219e77b8
SHA512 bff136827dad24b3ea77b1cfcb048accd213b5213ea5d8da2458813cf4821a96f911824888f05da6631263edcf9278d48ab8001b8bc203183008c4f22ec25f1b

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 cbae4bbbd75cf01041bc7c8a420c2812
SHA1 23806e9925c982d5f74cd5f6d87b9dd6cbdaa30f
SHA256 f216fc60a400fe5c2c8c22c1c327256ca1e808fad45fb6907a8dae397acd8ecb
SHA512 10db57371ddbf15c101b28d79325b29118a07ce112a9a0c1dfe293ca4aac5e29be567ecf5fcc994064f6c0759a4f0238db1fe8442cca0c7ad777a3ab10180aed

memory/2980-108-0x00000000003F0000-0x00000000003FA000-memory.dmp

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.tmp

MD5 bb3207bbe4b286006e8e3e25382798b0
SHA1 ebc59194749960dfab86df2972b54d0406645c47
SHA256 31063b8c868956c3d341727067fa8db6286ed8340810ef66d8864bcb8cbce33c
SHA512 0ed417856fda031e58a3992312401ff106d020c126946a70937f141175ee8085b0e85394ab659176c24ff7047208df41b2cbe3fe9858f95c77680cd5b5893599

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.tmp

MD5 806025e95ac9d954b01446e931d492bb
SHA1 1fd87ca11cd7fc9bffa25ba53c26d6430705a0b1
SHA256 35762ca68465b7d54385480cd751eacd3a2e7de6d7622c7e327958630a9c0e3a
SHA512 d1cb77a45230772be46c9d480424540b1518be7bb7a8ddd372db98b6526902b0837b431400854f013b528aac724705a1d577c4fc081378e8113fa301798a9edd

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 dbe850361f600fc50078a3c86b3fe9b2
SHA1 5a05495257d73355dcfdb6937e494c568bbe7a32
SHA256 882f17001e05cd6c7207c2e084e9f4f450cd7ae5d48405e02cf93be627ba705a
SHA512 d4fcb4699ea9b99c601be2b86b49c58ba794a03f418ca4b12194ebf2b6b3941637454f2571b703f0c89c9448a8b596cb165036c9a9e2478b0af576f853d1f290

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 4086d02d5bdfd518cb0a33049af40638
SHA1 0b8fc3ea22e8f8d5b2486b4286da05731ad690a9
SHA256 85a6c42a2e8b68108d30ace92c58bc2a0e261178057d972b38a912d09f68b243
SHA512 4b18bec2f97062b02b646993d0b8729a241c0fd49644734f263774dc819f6492976943f27e9cc5cb6432a8fee286d6498f6b1079ce721abf67e787b6363e3623

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 2bdda7b0fada8238a3559a3afcf4b285
SHA1 4d2d88e0cd6469b8511fcd220017dc0371d7c4c8
SHA256 6719c39474a0e32a69d86db229e90a11937f19722cdede4f114b0f85b08b7b49
SHA512 3fcc6aff73d846d02cb0e9abb550a664380c40d5aaac093007b8109663769d348bf98222be6a1eb5250dab69f6b7f790bb17bd0ac01e227ce5392ef818c1aea0

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 a02cbb5bd0cdac93751a2feb72dbe901
SHA1 4385f99671a182d7c2fc3fe559a2a5feec4ab4ab
SHA256 9c5de2f76e917039b50c474b0fd21f473eac8f21a0a057ffbaaa2d5c57b28d5f
SHA512 94d0f62a9c7ebc1c29535b54fae440deaf511ea6f8f5092858b90cd3c4089370dcbcf4010fa1c9e6b34826b3319cfc59b31b66e83cd33e75e76f540d84dffccc

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 881196cdbcbf9b8cbe28a718512d41a0
SHA1 93b97c5983dd8c19e4ec488d11cbea4f7bc96975
SHA256 1c81b32514d21ca876fdd6c01c95051b49c85df96fc2cdc05bc5564bb523ab27
SHA512 1c12c96dae214cd111839e02971c4085ddb9c92d790ac3d2fe5e0a1889451fb736c5cac48c5c2ca86f949c858c363c1b4b46ecbb03f3624ccea8e3494a077efb

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

MD5 d2e4594163bcba31133d09623d0026da
SHA1 f6ed16c2d7f92481bfb244be2a2429d174494d46
SHA256 d023d99bd863f5ca9683cf66352f1692a15311ff184d5d4096099d7fa3b200a6
SHA512 bcac592a092badff46a90c588fb4bcbff587128de7aa1b049370d14a45ac6cabfdc13a14c505c6c5eb805fd78c551ebfe6245eff2cdaa09fd87c780a80af26fa

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp

MD5 86b1b1b79bc3ba6aba42b5237c3d3bc7
SHA1 cb8168b0cefb52f9aa31c49fc85e8c6ba083fb0b
SHA256 ded4a8c708d404cc2d3a65c7c034f45d4cd0a155eb4448d9addc72ac5c2ae2a2
SHA512 87008174d13b5130c9956a532262eae99b07c92e49bedacd4352059736954e6fb42ac9dbbec3e85c96fe5ebfb091d4c8553b5da7c5e8363ed1d538daf8782fcb

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 86a37c63c30daf3f52d2b224b4808b68
SHA1 94596ddb8c8399b6582f6c4930ebbe1eaf3b4b6e
SHA256 b9dc5b753a7def1483369ff11adae455a4c92fad5ac04b675bc8d810d0ed38f1
SHA512 7f3d492f26f9ae2ec50c46e86ddcf8a91afa5594b477f1a1de1c871fdc97fafed95064d72ccacf47b991418998d1b3c635b141297c876d9b15bfa6d649131d01

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 4f51b6b99bafeee3e82084761b46929e
SHA1 9b2368e595ee5d8937fd3146c7ddb3b0ffb5483f
SHA256 343a91ed8c0357ae595e32224a3c7eda2586c6219483bbad4866b87567dea644
SHA512 c73ce2eaa23e956f9e6c7abfc17e1a01fb77ee0d77de7e8e3b9830c754ce599c010c6a34e248070882616d3118d6955fc8176a7ab7fcf3ac8829b7ceb36fc15e

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 dfb40a9f8282bc8ef9fcf1477d877212
SHA1 52b902e0a1ec2e99503233bd3aa04613c53f175d
SHA256 58371ce0849af0cdb77965aa58cde3b75e9d9f127eff8802c31dd5989ad029f3
SHA512 af0585c60acd29a77016606f8a44a5c5395ad34415149ff57ee4ce7ba75bdbefc4942330cff7125dfeb9f600ab3bdc3c9a5050451cdded1d7145640b2d7c0349

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.tmp

MD5 1f549685b3ab04be25579692b606a98c
SHA1 e387fe55ffff7c3c24223f24d2cb843649e529c8
SHA256 99a0cdbc0fea148439cfb7b40062394126da000c1015f81f4774348c897a7447
SHA512 7c533e196d68217fa874691df254e874a6fffe6611677a27cb0550b55a9948e720175a106315afa8620a9ed07a23a4ccc6f6a9b089e5584a4f45aac2e72bf544

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 618daa625b28f25880cb75d7481bbb2c
SHA1 e5eb2d108d108a15ae3732273d3908996599bb6e
SHA256 b628400e2db3e6b6e76741ce9bd626f8c24ce18d7cc320dd63acee12e1a83ab9
SHA512 37601c788dc32b0fff1945e57d29e2e3f06ce548abd346c988c7cfa86706efc909d7c7f25ef34943167a8d1e2f6bf7fd1f826c68ec4aa4e0eff40b2591efaa95

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 7005efd1f4c1ece323c78db4e1d6d474
SHA1 17506a616446a8f2b1fb44713dfd9347d46a9f7a
SHA256 e2fef4f91f81b87133ecd4028360dd675300595537d9e782dc040edad5c17250
SHA512 dcfe9b3bd3f89c362b974a599599cb1990896a30db81c80eb30264de1fa7cfe6cf67ae3c6e90b174c506b5b70ef6aae8ee38756d20480e0f686f4f266adb6b64

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 2c87cab12153249c7147bfd97f0f243b
SHA1 aad3f29c5e45ec9ef79f5cfb0e64d35c8cc2ea14
SHA256 db8961dbccf7df37151037a848105d03d5d1debee3ea04562f27469fbf3c8d24
SHA512 7420462cb75036d6bbc63dd6e03710cef2a39a7ff19e572e32fb6d01b2122247c5a4052c7a22b01bccd6431ceb5d34884cfc2903d251b60a79a669866c683c2d

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 ec098a6919f9c16dd422e43a1de87a89
SHA1 f039aa578d99759e80804c581a1a73eaa214d7a9
SHA256 a00793db49516027821f94c2f12f93ec0d01993c9a5b139b7340deddc8b4872c
SHA512 0373d23e4ff4304da07b208ad5d31584a706d89ce267011d1fbabca7194f74704b6600f655ea48f65193d384c0c765e521e4067979bb59930c1bf125f054cc13

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 0c2987c2714bbb6d68f9406de9423bd9
SHA1 6dd11de491d06207c8b1eccc1a5687f44082850b
SHA256 43e329938cab385d48ff38774676a4b9cbde7bcbe89127a8d1984106b3fbce02
SHA512 a00556e9e4f22177056a816923ab6e2252b28299ead8865ea2de9589a15bb69f6d43224769dbb8735937ef9ac1ace7a666a1c38021ff389d6e673088527c932a

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 2df0abfa79c4ad527b76b443f0ff36f9
SHA1 50f7141a3bee9b9fdce3f60effdcc693641907e9
SHA256 051ae2e81e0a34c6e0a79b60360aae62ea1db70c86d9f44aff7a4f53509805c5
SHA512 073863a01f6e2636d95f27e4e0917d96d76ae7f0a54841d4ad0825b52ebd40c9d882feac337c57e042e6ad6c634581bebe54400777b6bb0a6a8e5cd1f3eee8f2

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 1db328ab3424efe84d29c881f97bf69f
SHA1 f953285c3bf616affedd921d5f3f86a77c044121
SHA256 8ccdc7d3c2572bdb96f6fa3fd528d36a8a254f136017ac86558eeb42ebd40264
SHA512 2f39737c81b7222a36fcadebdfa5b26bcfdeb88de165316c5e55980ed772b9711bd54b2659aa4b7d7a51fd79fbdb53d888de897276115d8edfb90de7fbd781c2

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 9d7303831d8b6b595acf4b146747d006
SHA1 69eed1f2928f62a1c2129f0909417aaa327fcb85
SHA256 bf5c9c86dacb918cab037348c34576aa5a3bbd32e2c196735a525f13c764808a
SHA512 c284864db79a3856cf1fc6aef60b925a58fa0b52fdfb778cf75b2ff768a3127fc7f70d999b9dc4be352f3239509519efb28be1a537c98738ab52919db116a74c

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 b3d6399f077f28228ce2c02b862ada76
SHA1 93cdf63e04281a315180b98fcfae1e788f96a411
SHA256 2d27ce945b6a58d0102904c08a525e8de355a0ec052c72837b2ae2c81cb07b7d
SHA512 b41397763121af40acf8931880831c9e92154ae5311905613de16179032874dfbc181cd99c35ed575d6a6c5595f1b97697622ebd250946666147f92f6235c7b8

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 4997f22acaa1460c0ed2eadb021284cd
SHA1 1f8d92ffccbee3dcf7c4d86cd495852188530ea6
SHA256 4bdae4c422f64d0c580e337fb0ddd6bc5a278c0c799d71aa5b27b97d293c031b
SHA512 8a34af36c16cbe7d2d68bae9863e1b0c91826105a45c31de9e0d60a3cf3e83912f84e5c00dbed6232049210f5b2da6ef81f76863c24e83693d87610676302e96

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 3022ef1f6087056037e77f57f8d3fdca
SHA1 d88c3498245faac33b3195d53a8755a1e727f445
SHA256 ad616966b8cb31f834df27b8eb944b076e321abcfc991cc64ada28ee56669c37
SHA512 17621a98eb4de65eca8018847b89062e2345b10e65c5f84b0ba2ba9e6f6a9a19f66ac0f9c908d91fb51ed40d931579197e7a5d67f7927d17ad32a17182c4bd2d

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp

MD5 fe71e38226796e74a27a40b84acbe549
SHA1 61417ce7354f3e2b393f4e3531ebf7452b72455b
SHA256 b44ff6e8ba579f0332c491dc770cce77658f418a47fd33b518328e14f4494bd7
SHA512 b091145c78fece2776d338eb8641c6b766b7497c1abedabd451c351f33dda80bdc23162aed212ecb959699816bbd88db4243c807cec7c1b21d192ca59be75540

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp

MD5 e3b100ce39c5da4184fdb84db10b3e53
SHA1 b94eb90e04ac5081c89918aa233472c56a38a987
SHA256 ef24b548f21bd168abe2df3904d5d1b2e7c1632166acec51e1b2308da2dae1df
SHA512 1ca03fa3f0476509a6ef44cf0c114fced7a8d990bf8160a3b736abb6a150020f6f1740aefe4ab06eb343c7dc486e557e22606f27e225152cf91c0124bdcb8a7a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 f3a52b26f72f21c78644b30b8126a89d
SHA1 de4199b5fee0c04cae0317ac8f3ea9a1bddb41a3
SHA256 fa5bb73e6790fbb065c486450f3b5a735939905533f0704c91502ea30236d0a7
SHA512 85108ed2fdcaed1dc7770381f6eadab76bd8f33ad81a012614a90cea0d21129b3af1ba26dfa3fb451770a39804f298cfe53f8268cc1b35e8f1903a9306f24cca

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 2a1eee6a0b862c63d7bcde7804e1138d
SHA1 1357571b1f30c601586798751f7813cd0aa7e0e6
SHA256 93d9ba8ee418df224f89fb6d7f7787626ae2aca873378ae5a7869ff4e29d89d3
SHA512 be07728d16edabfbfe9049c2d29aaacf5c12723756306bb048d53140f865101d6b6100dddf87f10167d95e70d74710d3888f3c6d87c0c77e220b67a7772ab600

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 9f260a7849bda1014baff2320c51909b
SHA1 f600e46709bf889d46a533f86cb616119f551adf
SHA256 7ef48f0dd6b497a7e9ceff4c58841f0279c2838a5540a847130ca13a5d23a3cf
SHA512 3c1ade0cf2e0a8b0322eb0b04c322316ba8ffded4114c81f3856349023ec76f16567c07767fc10a2c805ac3b69bc37c1976b191103cf8943cfede8a4588d7974

C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties.tmp

MD5 0f08f2656e9e7471bbe138088d204421
SHA1 636583e2f727bc1884df0e5b9cb9dec4fde8d062
SHA256 7156bc5b375d19a61b2e0e9d5749c3a397f55a42145cee592c0baa2d8e591a62
SHA512 9544f7be23e7fce18f14e101113b2ee1cfac73938326ab8c6c2cceac6a01d08ccf9a813c8c3ad3a90906fb41a006a9fc37d0808da01300e8970c4c28a5a40d18

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 02:51

Reported

2024-10-16 02:53

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe"

Signatures

Renames multiple (4698) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\GKWord.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.Local.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Ping.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\VVIEWRES.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceProcess.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Accessibility.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NetworkInformation.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\net.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Linq.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_200_percent.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.tmp C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe

"C:\Users\Admin\AppData\Local\Temp\85b6bf428db16fd5ea4da91d7a219aa96fbd1f11fb3dde80d9b8b49532fbc734N.exe"

C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe

"_Adobe Acrobat.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4704-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 7bd453fa38c8fc04400d3ff2171b5250
SHA1 40abebd090bab3ad353741deabd7edddf31cac8b
SHA256 6682613e6de95f5fdb208de140e19afa38333738ba22e04e75166a51ed6e0e0a
SHA512 939b933cdab712dd76b3c0ce2d72832fbef2896cc18838c9b79c7cf005154d44eec0cadf0cbf7c9169d80fedc8769c7964ad55810424f3976917b873e8dc8cb1

C:\Users\Admin\AppData\Local\Temp\_Adobe Acrobat.lnk.exe

MD5 b1a269792d8d85226b407e6507498ae0
SHA1 190916cbc7220e8190b432f0b538412d602b8957
SHA256 34a690297a6bca89a7f93f4971b4d2c48fc2993f5d37c534b3dff5a376f38a49
SHA512 cd3e965cf3a9f35318ccb98bedbff8f80144f39e0895110da3212fa83b716f4401c56b779d45a99f8441eda1ce45de29fde83da826f084a678c8ebd8541ee262

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 39958e964f706b10c313ffc74bcce5a8
SHA1 9c1eb7799f4c3da6c86dbe71c8a0413b50fb02fc
SHA256 ff2b7ad0f93ee2feeea0ec97f3473b3d4cbb02b78c3107df4f18ba69778be69b
SHA512 abc30103b5503f1d59c828beab9303776f977b5b2810887aafd78aa02c5186ecd5b03e4618bc9d1ee1736f075441ccdfc605b2bb2eb41434ab20f6903824c80f

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.exe.tmp

MD5 08fc90c12ec13615d6854cb49aeb4cc5
SHA1 37d2f358c4e0655677b8371eb185312f2d368b32
SHA256 179c8423a4f8505abdac421a753d80460df98bb8247bfab7790cd1e3b0069732
SHA512 e2b7788c0bbc3c612346e65fb11197dba16e948484281c94473a8688b6b318b21b4efd0431930ce982759a26effa238d9f9cc0e3525a6a6d3bc4c6a41d0fe771

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 eb752b7232fefd66e2e1bc4f8131b62e
SHA1 071cbf8886770fd41c1f09e1a41bb5407548efe5
SHA256 97e08deb6a5f2fd2a460424cd55b2f25af9abc15c293f0c1ec92cc0b9fa9195f
SHA512 83d0bcded8d79d4162a8c983422b7755d74e03bc13bf2f7a4d42adc2c03c9c01623384bba89234d29d29cb06adba65d9eb06562d350da87ce7384b6ab1fa63bd

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 d536eabb933d569cd9c1107bb2bb91b8
SHA1 c31bdf993d9973c9cb421488085da47f17030c92
SHA256 08a2f6fca0bd692ebceea033096c1cdda66ab27878adff5007da5af43c490808
SHA512 6fbff2b4c3aa45fc7cf523cc9e89f00f786b6f392135de2b52d77e312e52dbf72793c62876b9e6417ef230389c7b7778e610dcc1e190f78c850040c3fadc8064

C:\Program Files\7-Zip\7-zip32.dll.tmp

MD5 b52406828546fab2487c5008cc9ddded
SHA1 059889ca7028d08d9aaa2d72b38310a1808f4e03
SHA256 bd9fe9f7ed8903dd4feabad4f9b74d2af5b0f55d6185724f24e2b8be304102d1
SHA512 196a66e4677d49e2c31d8c72ec4f3f381573a81eb586f9f543497aa013c8b458eea865a4a0dcafb18800f78100f3b2a583b28b0ced4f7cc2049b1fa7f7a67923

C:\Program Files\7-Zip\7z.dll.tmp

MD5 f26d91d8b5862810565ad4774d95aa23
SHA1 b81068992f7a3b0cc61c67191b189692acb796ed
SHA256 7f2acf608415ed54b7123a5e0ebd26354b13615e12d1a71b9a9e59f05064f287
SHA512 bc98f45cf53a493a1384760348bf192897b9170e66209e2235c76bf1704ac95f053dea0ded211c94d1ecb5e22ad4f2fd4c1e1b0c9f0bdcc4589cfb09d0253d38

C:\Program Files\7-Zip\7z.exe.tmp

MD5 7a4f2085acfabf080b6741159fbbc25c
SHA1 6d488da3b6888863c19e25c182cb267a9117612d
SHA256 d0ec4bee49314fa61dc0854e58789db85cc62d85f094bcbbf2398d501b3f3b30
SHA512 903664de7698e182e095486a53698168d4349a9c345d7aaed9b805017b60963090673e23a0d52248c4d18e5513e4e42f08c26ff9018b268c44dc57281a8dbdc6

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 765239c9e68877d1661f4b9c59ca6688
SHA1 30d01468b694fd3d4a5afbad43d2e9d1b5632c7b
SHA256 496c0db4d25d3dc2a8b754bf55347e545dbed7decd25632586563c84c8f2767d
SHA512 7b551a2073b5ab6952a1134c7391d73fb29fec179909a27e6fd208660f9920bdd40922e75ca0741b63e0f2b09835cf6dfeddb71e46be72a28e3d0015e20488d0

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 f0d7b1002895c55db898927f214e3a01
SHA1 4270efd5be8867ae9a6b09f1bb5033ee909387bd
SHA256 7070b98fcc81aabb11e214f4062f1d57bda0ddf0bcf5ead9587a4e18e1687e7e
SHA512 f41baeab82644d31dcef23ef47be1cd2234092cf267c3d17f304d97467f1360595a8762c27b6ed70898c51adbba0c2c188122855ec8f473fe8d348f8517cda2d

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 fda15644f1c19d33a2f7275d05ce1909
SHA1 3b43e922ef884448e031eaf1a771e350b0faab6f
SHA256 d66a57e9781f4a3d5f298230e67ba13dd3cd6863bc6a83d7dc417499d1ae508a
SHA512 eb975a521c025e2546d11940effe6dcf34197fb6a1106a3c572b93042787763f519a694ebe308898d25523df7b2a2a93d610b1a5df73ad9422dfe187cddd3d34

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 b0eff7f9aaff68e830ed82b4d92c1d12
SHA1 d3934fd2dce85b7646b74b7bfe7a6e86b553cdd7
SHA256 f38886f1fbf51ca3fbcebe901a0b4e099ff2d4348b8f868fec67cf0f55db28ec
SHA512 d5750b9648b2787319107a1290a6d414daa8bcd3eafa9b0413346839095a466ba8f125e39bdd302394d10ebb2cc220fc93ec5bc47bf2ac23d20dbd4a8af84c2d

C:\Program Files\7-Zip\Lang\af.txt.tmp

MD5 23d2baf5e3c2895fcaecaa1f3cbb7a43
SHA1 dd15eba2fa9e206e3f1e6ddc270631d57b167355
SHA256 ff7c28344b127d208a254376d359f9b820e7c15003c4e880bf8476b81a55c40c
SHA512 7efc860b97ab2a61b90b1971247008632e427e955538c38e89ebe3ba7789dfb13dfd7bb91f5d7981ef5f592f6ac0b7ea7fd0d826a61829200006de0d29f3a846

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 72d36fe35ff20a2887821238905d973d
SHA1 1d1d254e25963e97d02c69dd24f3b428bc2ac43f
SHA256 283b99f9182b51659ecaeeb4ff966d950474bb3c3a20c4e9a460d373455b2209
SHA512 bf3673d465eb776f55357a43486e2b2b95d3eab03d5af0e648c1fb5175a5c126bebc5ed9333237c1e6d3c3a51bc28fbf5e32a95ca0eaca760d738bfef27ce562

C:\Program Files\7-Zip\Lang\az.txt.tmp

MD5 c52c80c6eaff5e29fa48d99fd9dc5786
SHA1 a7d990719ee46334299637d69729b193e3bdae1f
SHA256 500e3dddeb2c39cd27bd34ed4aca128b0e0aa7e06d096ff6e7b8aa9932fb31ef
SHA512 6e029a3745f6ca0a277e47b88b0deb872edc355102671a77ca1f507923539be702b654c44dc652e3d922cfc253a02274a1fed25abf3e26211ddfba420cc367c6

C:\Program Files\7-Zip\Lang\ba.txt.tmp

MD5 169d738e5746952be96a270615f62a21
SHA1 8b6bd49480e7d82b66bc804bbb6bbbf4cf7755b1
SHA256 80ce51d6e08e9da22f34695c346426b2afbbd41672db5296eff4c4c5a0f9258f
SHA512 4eca9d9df510036f715b1c40aec249b30988010af2b22ffc0dde6e7d1afca65a4bf85fb539cdc5b93a82deab9f48194b866072c41781cf39e00dd054fc00c27f

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 fe19b40dadc8c2dd56d76b6e33876d02
SHA1 8120ff4e2e21cecef5e79100d421ffd9420875a0
SHA256 ff225e7ee5cf3fd17112e4295788853aff33a3f535ba139d38d48ed3b0984745
SHA512 d8098057aa714d97c1318565c70855e83de673015da25ed66c72f2d2959bef31d087f36459f171e90ff2d95d45c7021dab639672c61d4430ef6a6da6f262c2bb

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 79f4399442dfec175c5028e03572ea89
SHA1 17a7ce1df155a8a002f490c2b241112b1578d6b1
SHA256 d5e2b0991573c43e8d2e68b561f6903ccd6e6538afabe4aa0a94165a5b9a5ecd
SHA512 938b39756ca89f5b94ff9ebdec27db8cd638c4e7e5e1e5fb736929e3520e4bea71016b52590f0e68de62874c45cd529b0b993c6377b79c866c37cd559297113d

C:\Program Files\7-Zip\Lang\br.txt.tmp

MD5 4b14323f69b22674c37eac41feb3775f
SHA1 bfe6a9ddd71c27e037d0e1263ea511085246ee43
SHA256 6e40f2e8829833542109948bc9e920e092e0542eb5e91a2a12cec490f3108b6e
SHA512 c359f602e6566a175940c6231cae5e21f78b5868301782a6342cb428dd79dca644fdca3aecc3d9ed331902b5f92cffc4cfb30349597667cb679f7e1b4cacb9c4

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 c729ea7f84737fb583df83c8eff112f1
SHA1 a31e72fdbcee6572bffb31c31cb0456a0f31bc77
SHA256 9f1ac139ed842cd4e1bab4794c0f22285786431dd72693086c7dd38a5ac3d88c
SHA512 069a87d28c465310f54e841b3a021ad70517d5cd90618bcd77e2e79f2a6f6f61e850fe6be6e45513d1126000073cca7280d33b9257a4b1d8f35e120a8ee64770

C:\Program Files\7-Zip\Lang\cs.txt.tmp

MD5 cfadaf00ec3a85aaceeaba63e1bde675
SHA1 a86fc1a3b21e20233163ce52ba99d97f3a01053d
SHA256 cd4c8a1f6804f455ef2dcbca30475103ae31f2618c5606bfbb24053d01c06471
SHA512 6f62fd952dd577e826f55cd9c4b0dc6a1bba9a8e8cdf8ab99b7ef3458941a90bdb2d56745a10e08444774a3e95e9d4109aa7bb8df87aeb445cd8a8bb961efcda

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 e96d1df62312c99ef1cdd5b0920fde58
SHA1 6cc8c136febb03c6a6d14403c728192988dc4797
SHA256 b7f69d122a449300daf3784b1397863fd3b95248327628e2f3a6e17415c08cdb
SHA512 fb05d499a9118dd6a9f191588ac47aae4da0f67fae137011c059e51c26478a0793d2d68d7519b1c01ed3ed405c69fd886a2e1728db56da47df45fb28e1479727

C:\Program Files\7-Zip\Lang\da.txt.tmp

MD5 6d0d874a40e55f9def5acc6e982964d6
SHA1 d17e334d5d920d9b008d48d517d430e56a3a1244
SHA256 0737fdeb6fdda9174e00eaef62bca7934c565257ffc9a1489738daae2fd0bf2b
SHA512 cbd9ca06b3036a8e2142894f5ce4b7d90eb2f269a49ef3bfb6fd98a340adf6444834030b0c8d11ee8239299bdef0df9fd6576b1fbaa92757480b354bc8a939cd

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 18067a5a5aa5890180d09c23c1dcf1b9
SHA1 5361e491bcd02101b4fe91e52bae1e279836b758
SHA256 1c635147e8dc670bca989931213bd649a0753eb82f562fcd8c867f80a77277b0
SHA512 a6d3b04ffb24b3c95e628e789a7a5589a245bd11929c52035dd9fbde46a88424997bc6bb4bfac5bb74d698204499afbbda8e45e1c4dfd2d8049b9d767612d452

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 b9a5d5681d08662aef05eb8bb47b6148
SHA1 55ef8ca45bc5a7a95de836b8abe68ef7a5e83632
SHA256 09f38ab6308c7d2cd7772caed96a150f037be835d56057add9e964ab8302a2e3
SHA512 df68fccc9e663d94cf046cafbac95ba38af041615bce4cefc750da0818a79f9a76be1120881e4ff6cbc19420cc70a4bc71433a339735bdf304e1aab0d3161a08

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 ae28e80f8eb15f6003a6063fcdda6468
SHA1 68df00b8371a58f879057cad68296626c561e290
SHA256 a92ac5ceb5fead8513851f8e1f22c1f8a5f5120ecb8c7fee21c43a204a336584
SHA512 10b9da3b47ae02d9634f100253c0a6594d2532b2505a31b697043ff6e90c0071db7ceba745663ff850c99b36c577deaa2d4a4b8f533d6daacc6cda58c2271c41

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 5548eea0366d867336ca803a61b12bbc
SHA1 2fbfb4f6a1d990b9a250f39571a6410a90392a54
SHA256 6f4158de58b65ac7230aa78a48074811bd2ee3e5de77b24988d06d5cc13d3304
SHA512 ad36a062681042652e2bcb55ab0a2605c2c5506c5bcd2c95313ba0d7e28ca4fc88bc182a492b3798968a5ef7ace940b3a6813b7cf8d27ee8e1a186d32482a408

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 78d10fdfcb4e31e81a6a3cdd199676ed
SHA1 48eb13582ea0bfb2a7538f64336d455113809ead
SHA256 08ffc5e3743bf84dca7bf112095294486859141f24342fea046986753ae345dd
SHA512 d8626526a1a1833be33ec4ddd7ef8bce7b5f80efff0c06eabdaf484a0db17fb60e77da0d4e8499b3ddd4738c6eb9a4ec0f791b9b73d83ce876a5402185dcbbe2

C:\Program Files\7-Zip\Lang\fur.txt.tmp

MD5 3080358e8bd47db1e71d91ca7c1ee78e
SHA1 0ca7ffce864d0e6edcdbee7fd4c9696d9862209d
SHA256 19589209250d6573fd9e563b0675253b8d38857b1904ed1691036a736d3be1a5
SHA512 6200f25639311010fccb03431edfc4b4f168c68d360f82ad6e4f5a65edab6732453e23ec3a20be3170837c15ba1e132ca9171200d1c0653452d5a1956bbbe4a1

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 29efd09211498947c2fd6455aa0ad84c
SHA1 dfcaa8af0aaa851a88ac62982726662257ad357e
SHA256 99956e09077b4ff1a6927048bce9482fd72da2c2a6e94663af1fbfd209aabab9
SHA512 ede823168709bd26322e83c4cebf223c584c8a5d6077789271bc289b1a26c46ffa7b9b8abd6656f49040924de0fd4a78048080bdb0d8003f84f669860431478a

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 6825f6b2a56de8af737939b603432aee
SHA1 bcf577cc542fb57b4f6246662ca047d14cea44a7
SHA256 7b04fc98783118c6b43d5d8a6374938c27c1228b532b0b3eff79d26a32b6a384
SHA512 8018cedb2520ab88c0263c6f14cf18bb30cbeebf33c6d69c7af02848216cb7fb38b65f9033786d077022ed363af945591b5cb0737709a69c6bd3f781c2702c15

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 4b9f85a6e9a70c16d31db663f7c1345d
SHA1 3189bac262cdee1cc5c3d959f640935606a9a082
SHA256 3a3168e75647e0521f4a1528cc94c2b0ff880e6cedaddd32b5b94a50e5f2f493
SHA512 46722f449618163338cfe513bfa5db9586560e59fce4ff154b65e75377e653fb7ed201c3e4f0320514fdb277f32d83265a530e9c1830ccbdd1d97a0c74dab856

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 d2c1cca96bc644d3c6d11fb2b34cbb70
SHA1 fbcd326e1e301b0dabcaa561128d4e867a1821b8
SHA256 46c8f9608a2e2a508f62164c1dd67e505d742cb34c668e512f015ba0686ce538
SHA512 57b320648da3abc75bfe5688b696509551cb84c3f51f9bdee7b273e5bf43b2172c71013817742039890a20f54e82abdad016c85a4e27640097607d5f790a143d

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 f4d98287de5e761405c9b8b24173f3ed
SHA1 ae8ca0076467b26ab9d5650545100e841f43c0e8
SHA256 c6853db3792299ae4400c9bc32b10614f9ba6c5e7089d16e1fb02484dabdcf97
SHA512 82757de7d76995825f12e955f15df570f3042f7757fe497254231c7406757300f1f160f6a8eeabc3441b2b36be31ace08a600413a6824e3752d20ab1d25ba29c

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 686c237bd8e8d6ebdf09a7d389ebd36e
SHA1 f1913912bc067bc90c384cbc3a321d97827e02b8
SHA256 c7af60bc2ac7d45c82f611f617eb26985ab9183f6eb38764493d6f96d6e228a2
SHA512 d5c57a9ea4e0bbc53e0d40434be3e8c620ded0c82c454b6b96b4ca764e9aada329e4047423f799750a4ad2f94a20e37e4d588f90d3e195548353531da85ac588

C:\Program Files\7-Zip\Lang\id.txt.tmp

MD5 af196dcfc4a8749c196035a87c1b55f9
SHA1 27f4bcb0a7cf4b9902115043702e765c8f3a1980
SHA256 89168658d1d55818c5d8a6291e800b64562f3dcd493b503248e40e0cf433ec1d
SHA512 eaeff9cdc0d64d04add28fc1b48ae2af5c2516ac5cc4aefb3cf33657eb2610bc40ad542aa7dc64b253652ebbf0cac9a4b288ddde69780fb1e02c3175b9c0c649

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 76b62bfde51e3ef0bd89197b7f40b952
SHA1 6feb34cc2fdef5d7d3323c7017534f2a5d13f28a
SHA256 d37749b0e90901fe70d3e1c42d8b590a1c291047ddcaf45482bf77afd9aed7ff
SHA512 5c6b3f0f8a19ebeb170a3f4f5921bc04e421fae9525e01a7eb9e14662f4d51a6fb8a3c2bbc0f9d3b4a581838488ef05861d5ceea51c5d357d5325fb90eeac278

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 67b08d8286d4545b6484c8355587cfdc
SHA1 824825430bd1015f218899d3c7285fd63eca8cb3
SHA256 ae32c8edf9e67e62106aa4e3b7baef1dd224e1805a151b1c0a4e424b471517ec
SHA512 5b4373e683bd10459c06022e2aa168d92ffdb0a88b7d3b3c04941e478d80712a7f24fcbd9ce480bbd0d42d4c5d9f4f8e87b2e45fee6585115289f340b88c6b5b

C:\Program Files\7-Zip\Lang\ka.txt.tmp

MD5 9e4441b52fbf14123cab6bc1fb9b75a8
SHA1 ad8b03e41ed500e3de31aa49a0d2caad34f52bb8
SHA256 19ce0e848d528e531bc61313daa32773ed20a1cdae43643f88ce151545518a7f
SHA512 cf1c30e7f4a3e426f96373f579e15a618eea9dfedfcf941c7f06443c477bc48cbfd8982c0bb9cfdb6c62cb0fedf05327253a9b5939ee4396ff0d1e452251649d

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 58f60ef68bd0153f68ce4580168add46
SHA1 a69b490839a976e51e46a97676d52311855cdfe8
SHA256 abd90a28d67fd34ee26a70b99dec085821dd9357d2acfe48572eb67e4e446f37
SHA512 bc47e9d0df57e539c4586b19a13a9735129e20d7acbde164b3191adbfed5c95d4b279084c98e254501ec1ccdc61e6549327d0277223522ebcdfbbfdd88924d86

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 693c85412674b88b2d27ad3ba9e8bc29
SHA1 9ea9ec1533bcd6cf8e67c5c1279c92cefe22b6e1
SHA256 4b2e40942d52f3fa741c3ec3b40e41e39a5c5cb6a498d0d1a60ddc5200d290a5
SHA512 7bf1b5da21e3a0550afbcfeef2075572767de9c8beb74c83c9a66c1c1881a6711aecc1666e7b44ee915ce6eac552533b4de8e46b8bff77bbc96d1977a232c771

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 497007cc6de69e4f0b6e095eccdff951
SHA1 838b406bacde9c2fda17e07c533efb230f190eda
SHA256 aeaf31b4aef4eb4425a6f59093c74cc04423a498b41004adca74c8c330767f1c
SHA512 477f18a90badae3f498bd6a84e05eb694c9385ca1440eee7493c8a6efc5f74e6a9731f68908122cb22c8fb7b85df8fad7ac56a3152ada048e684f3dd8915ad8f

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 c478e0de9f28195caf3f1e92da4c78a7
SHA1 3264b28d83a5bc4b0bd960a37832eb9c515aecb7
SHA256 03291338b76791a7bb65f75f5327b32bdcf907e029ef0376f249b9f5f5066a51
SHA512 7155515152eec6c2bb74fb1a176167909108dc3c88ea22d62781d5cd06122bd35e4ad927d14296b5cd12edaf706e11fa5a52a1bb21129b173cb14fed57657ebe

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 6df66e598d5b580c29c4acd7db7e7f02
SHA1 3539dcee89ffeb00c5d2b080635ebf52cc130ca5
SHA256 d36c7d3c9a6737ba6e3f39930759dc639e7e06c4210f4b52834d9e85872e91b5
SHA512 281fd654624395126fa4859df04987441c84dc2439dacf7ba9ad6018774a2477ea724e2b051c297f90c5b7cc3b77f2621e7ec88d902f81eeb8424f995acb69b0

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 5990dca9293416bb5094f10132b0a076
SHA1 ae820df25be2fe631c551d6715c00939367febbe
SHA256 1edb754ecca69653fb6afc67f3819cb6355db9e9816a91f25a2a6e8ef89d06d5
SHA512 7aa7448fcd41da81ef5dc751a4e3a9f2361420429f030e17dc6b48fb3ebb0d93d3da04e672ca1225b4c8842f716e632d2e25664c5f7198fd9372f59fc37a01d8

C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 43af9a7a5cb7745bfe5c7314fa724b49
SHA1 240533bdb9d5dc1d02eca1e28c706c741f51ec1e
SHA256 b86099ca61962899871a03ac8030428868cfc34e8c5125282d517a8f001d30dc
SHA512 cdd2a403f39fd5d7c8ec8ad3656ac9cf3969e828dd97a6ef46abeafeaa7f8589e853eac2723f1bbec05617ef88bf1b94b0078e6dd8a1c1a2fb9bc1a86dcf2ac2

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 22a1d7bdf289653b24e58e7a44f3c41f
SHA1 0f90932c345948f2c043d451c7e70494bea7563b
SHA256 f48b164f23c5d08ede7d4f3efb732f99eee3510c694b49bbb49dc1b20ddad300
SHA512 ad1877384d4d09e218128dd50f081dc638a395ccb231b564aa763a46857f2411d75777aa69d50bdfdb6238f110db729b8de41c5eea967f0fa6eda273b97f8960

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 eec8eb14d2e75cae5dad8e65562c10d1
SHA1 5dd5e6581013f37713f86365509bda15ea4f4c38
SHA256 0da4f0d6478b2dbeee8b2f2db778f448fd0a3de6d446910462d94afc3355e33d
SHA512 29a4a03c787e49ea12ac80f6e3da6298cce9230ab9af14867976b0d45855f5f7fc7d3d9a6a61f74ffbcba75a75c83707c21f255451907ada9798b2d9b06ce84f

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 c6f0581a0c627b56528a4d80fa6e76c8
SHA1 8ba2cf1137a5de17969196789f51a0b39eca13cd
SHA256 4d2d925e2cfc7bbe3bbb3769d1acc0f09e05fac06b63a9459a21a1c2f03faaac
SHA512 c562548d68c7d098c6f305eb0ce620d18adbee1ef12a4f1c7e86feba8fa223d77a3416bd17ea1ee230fc34cd6ccea556bd084a5731012a63b5c1c3cefdfbcb03

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 19038a648cc055a90dc5715ab2de4f71
SHA1 8a2fc1b71f84b75f6cb5d2638348912e6eebea93
SHA256 64f934aa05bd3c958a6681b864eac498c7d32bcc1ab99c64f668c8eb0f64dfab
SHA512 305385153945f7d6e5b05ef75f1bde8133df31c93373f08de3b39c493054a7dd3c8c47d6355c9fca6ca79dec3074912ad0b504174ff6be84bee6ddcbda902df0

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 7a76d45d27d8c43c740c8f5473050829
SHA1 cded87715e50412a11a446171e5fed106ee896cb
SHA256 a273d7c9775173f62f93e3e5c69c36532aeb2ec4800da9c0eeba585040edcdd3
SHA512 5dd3adfb8ee1f81c7467c0e8c2400148aa3d563a438e602fa495306b8e3d8d0fa671f4748388426559a76c655e1f52c15e3a60a8281b12d4b6651e29eee0cb32

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 39003aeb994f1db942d1f336faade623
SHA1 802a2e6e0a273b5249a24be5b3c657377003892e
SHA256 8ec903e787eda5031410630cc76d1a48b41a3d28be1b3da5d003b31f97917865
SHA512 1bcfaa6c1f57fbf18381f04fdbc96d17fdfa7d854870328e109e69ed393503851d1d3de839a2cde1755dfc9bddf37b558ed20e966c499f4a8f78c4fe5accc377

C:\Program Files\7-Zip\Lang\mr.txt.tmp

MD5 18baf45c1afb461f8d1a423c44b239ab
SHA1 edd2e536ad575b9bd4e9d4ba739a3fa3ebba08fd
SHA256 20a23ab33c8dfcef10fba9145686061bec935e1cc935c41ff18aa91294f64a04
SHA512 197b36862f862057ee777e4095c2aa5a81f3543aec45868c099b6052633ef3aac6112fc1c1ed87b2598671970248aced6938bbe82bec9ad334e1b03f909710d9

memory/4704-959-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationProvider.resources.dll.tmp

MD5 07fb7fab001b089e7f148adb1f3594e5
SHA1 f0c359bd69fcea49a14835b0aee5955d4b2f6f1e
SHA256 9d94e7f33f8441313fe52d50ab9e48dfce9eeea629adf629f4fe234520e829e2
SHA512 3751274fce975bd9e4f0136e1b44ff1b69a37571f67f20f04bee025405c86ad92237201ac40be68c28a0cf095d4839b852ef0e9f9deafec4520941378362671a