Malware Analysis Report

2025-03-15 08:13

Sample ID 241016-gk66bszgjl
Target a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN
SHA256 a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499e
Tags
discovery ransomware
score
9/10

Analysis Overview

Threat Level: Likely malicious

The file a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (334) files with added filename extension

Renames multiple (4401) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 05:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 05:52

Reported

2024-10-16 05:55

Platform

win7-20241010-en

Max time kernel

120s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe"

Signatures

Renames multiple (334) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe C:\Windows\SysWOW64\Zombie.exe
PID 804 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe

"C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe"

C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe

"_NotifyIcon.012.etl.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

SHA256 d2d38656ce2b8aea68339c85091b4d85969a2c583f2667d88132e3e30eadc795
SHA512 bfb736aa419815a6e3ff8aaea30e0883043dec80435b818aa6afd21a9e1c941a52fd7428172c980516d84ceac3b969d43e33045e82987ae5e668fce09d3f642d

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 05:52

Reported

2024-10-16 05:54

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe"

Signatures

Renames multiple (4401) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\7-Zip\Lang\eu.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\7-Zip\Lang\lv.txt.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PenImc_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\mojo_core.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngom.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe

"C:\Users\Admin\AppData\Local\Temp\a93025ab7973335931ee0323cae04fc441ed17317f4d9c93337acf9dcdf9499eN.exe"

C:\Users\Admin\AppData\Local\Temp\_NotifyIcon.012.etl.exe

"_NotifyIcon.012.etl.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp

Files
