Malware Analysis Report

2025-03-15 08:18

Sample ID 241016-hfs9casbkj
Target 2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N
SHA256 2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12

Threat Level: Likely malicious

The file 2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4860) files with added filename extension

Renames multiple (450) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 06:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 06:41

Reported

2024-10-16 06:43

Platform

win7-20241010-en

Max time kernel

120s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe"

Signatures

Renames multiple (450) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledb32r.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ne.txt.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\audiodepthconverter.ax.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\it.pak.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Internet Explorer\F12Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ta.pak.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\perfcore.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\br.txt.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest.exe.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\af.txt.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe
PID 3024 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe
PID 3024 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe
PID 3024 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe
PID 3024 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe C:\Windows\SysWOW64\Zombie.exe
PID 3024 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe C:\Windows\SysWOW64\Zombie.exe
PID 3024 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe C:\Windows\SysWOW64\Zombie.exe
PID 3024 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe

"C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe"

C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe

"_analyticsevents.dat.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe

MD5 34c743440b14d7d7747bb50276ea0447
SHA1 fe66eb9852fe21c71fda26dbdc02e25373ff3da4
SHA256 dac15230b36410d31a111549fca377c8b2c5dd46fbb2015dd07b4578f4a2931f
SHA512 0ade9a926cb4a2b1b545563b0ed2ab5e72efbcad961f76c59b55948fac9dff83972f9fb63ec525d0b52ec422b83f7b7cf8b1e7e5538aeedf2493601ed8f0dc8a

C:\Windows\SysWOW64\Zombie.exe

MD5 78be7edbf955974fd1f785801a4f81f3
SHA1 6c79888dba7d45816995ad7347c6203150f44cc3
SHA256 9ee1b209f29249e28bc8e01a2734fa262e46c98fd8aaa709c2f6b98cf2681020
SHA512 0ebf58f6468e510264af4e4dbf1848f974bef8c0c7c8919fe53863859b6dad0ec5ddd1ee49ced608b943c15ba01d017eee04bb8c4cbaae24a9f6125e6f97908d

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.exe.tmp

MD5 478172deeb2c798888873857b3de12b3
SHA1 12158f99913d9d368c907d4a6f7d9a2a93ed3312
SHA256 455059dc3d6e43c4062198e8ae57bb811b7999428216ef9288c47f7366e64832
SHA512 e59aa902aad6eeb914c7d3bfdea767c644e5d0fdcafe8ca322bd4deb6c004e6aaaa57d45457f1b2be7d0382c209bf8f01f960c67313d86016ec6fc7dd59c4dce

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.exe

MD5 c16db62fd012856c7f5498318c245180
SHA1 5cdb15eaeec08fb2de901e0723bea350924cdf55
SHA256 3cdd293b88b1663f35501aedb74a8806761ba55dec136fb4d7cdf5afa232a339
SHA512 f133db09023d977cf5f8b20640d8f90a330519cb208869dba7774ce2eccea9ccfd64dd02d3cb829d39026e5688c6e9f591ca199265657aecf62e170960deacbe

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 d211ec5fd0de841ad02f13d56373684d
SHA1 ebedb84b15a49efe1ecdda6b39235b0ae8a3f54e
SHA256 507931748e150e49f5727e343d58c95ace8265e079686f55d11475ebf4340b94
SHA512 4f40032464119a4a26e73d1a446524c30fc894c8fa493e5a4eda4e2f35fe56922db18c91ce839a94a6417cb9a6153a6d1a10eba55c1fb8b93531a473215cc604

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp

MD5 1a54547898f3f756a1a547622ba69af3
SHA1 fdea60017f8020c8b01b264d7f9961a850c11051
SHA256 d592c8fc5ab82ddd8c30e9a1430798e6f088da4ee1e76efd7b1b339385b67740
SHA512 9be0ef7e62b038cf1049187ac3b801ef187aafca5976dc65329a640ac876d97eb3fa3bae44b7646d8b8b4c6dea32c20a6d3210ac33d5fe600f5154c318d0ae0e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 89e4bc378570f1c4902bd31ad3a64b57
SHA1 4ac948db09b226a99211669fc0da4ba4a7efe9de
SHA256 5ae48bcb795be1837e140f42f185c2759c7b4708f1fa2dd921db3fa2ea75251b
SHA512 1d3d62fa57f48c43816b77036009bd15ab389f2693f76157dd0957b61821d32ffffffd3e8c5b54ede6981904af97d719030f67884d318ab920ef06e8cff9173e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 8a4b2f0f9d4cac11014a59aeb53701c5
SHA1 7b5ff68570ac495f57acfd7fe53852de893e4869
SHA256 ff20f547dde2666279125bc3e2f0794266468bb5d68546cea868eef63eb0a063
SHA512 1dfa89d7b5adbc493976d7dfd6251c979d0eca8f1ed5c18b9907567c825618823dc47db03ef8bfeb21eb01d0fb60f672f1b061315d31616d455665905ffc3405

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 e44ff799184e00339b6378cbb996a38b
SHA1 fa56155c19d07ea790ee3532ac76065073d09fe6
SHA256 02c66a65baf14ac70e3e0f8341c62a0c01db865af7ef1378aac314a1579ed353
SHA512 31b992ab296020feec6466af3a6a14ec63e81d19d69c66f60b7a162791e7372882fd31f00710df15275097c268fb616ed6cd104303e939f888985f2d34eb7109

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 bed07a41e85ef74b54638e28c10473d9
SHA1 c953adf11f6cbd075d7699f13715a3b1309e5178
SHA256 d0e1d6bda85e04472f6053e2165361961485bdcdefc3c0889cf152878102f1ce
SHA512 e0939af2269551eef3132cc3a442117183705ca25a6db3b5d3e8813b5b14ae4882f1edcb523931096a8768a72c1aedd8b09c86b223da2186f453a8df3a0d4f25

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 8eddf454311cf717e972132e71f3cb8e
SHA1 d7117b9c0fa34923f6cdc8ad901b12fde5922609
SHA256 2048c0e647de89a462fd88d2c9ad0be286e864c04db1af72f9db478e4b27558a
SHA512 43ffcca8c777f365cecb2367a2cd15f8a52ccd5f67afd44f3302158ab1f370826beecacf93d86ddedc29e686d05dc11a68186e9cd9649b11cfe21da537875924

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 1fbc88fe8c7506cb88eedf11951483ea
SHA1 c43d2741d7ce59876089a52d693c7e1446e09691
SHA256 be22131d55d37fbe3fb100073159f1cdf1358ee36fabbdf8b0355f3653d5d64c
SHA512 6b24a1a305b25132eeb6bee72fa45324f41af005e294bfa7e058ded4c907856711b6ba6eb54444969ba832140639966e3b1191f9f0308e33f8de3397b4ee4cb8

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 a95952b55564aedefa3bfbe1c701d61b
SHA1 4aff085a96da9224b90896f6ec8ea4b55524ed70
SHA256 12131d46613eb960cc5b60c6b035d958e21f896360da4a92f603acb4bacb5883
SHA512 5cbb92a71a7f38e479411bac66b11502a406fc62ff89e2611ba1bdb3ed4e7c05a1c8a4973d1b1fed45476ef03a653f1cdf94e9fc25c3b779227e9448b91c10b0

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 f7b92709ba66d7ef5d7e52c9d2d18cf8
SHA1 2333ae316699e4737d14c02a1ef0432ab1527ce6
SHA256 b58b981ce062e5ab6f4d395a1d17838e88e488ca2765e394abd6c28f49f06c1d
SHA512 5f16983491214ad11b77df0a788dd358607d95c0acc67c05cbeaf5c460121ff05139d5869fcd1f3b1e5a5bb40bb5378e652bea76b005218c35a2f6c44d017981

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 283b5886348e568d1c444206710fd0ef
SHA1 4a482765a8f46bc2d7dd42f50a27bed4b03300b4
SHA256 630d39bc63684adfb227eb0f1483fa2330b15070cfcfef430f232890796c4542
SHA512 ecc7fcbbedc46bf53d1419be17c3314914560801fbc5d64024db0465a0e6e197f56226dfd090ca09d5d94fb164ef6961601c4c4173e77deba6c2965e92854f12

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 ede31594c6871bcdc6288690ad9c09c9
SHA1 cef061ae4b88dcb709fd0f8b957538e7e53de658
SHA256 d425d9969a568327ffbbbc5a4eb62276ed61173473e367d377ed5eaa7991c23f
SHA512 a1fe9872f7026f18af71a2ec3adc1efbf534f9cbf9381fda2fc9c4e48d1ebbd436e57daca374dfeca0b02ed2805d8dfad19509a86f0ddca979814a668226abc8

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 daf5ca760970f83bb53839255526e928
SHA1 afdae8f29c3b7e5b93113b1c56c13fb39da10b0d
SHA256 8138be1f3ebabc6cdd72253fb635bf10657c18f726d885f22ceb4190b47fcdaa
SHA512 252c6d21b1d76f7ce08c989b4aa27b52ca07bfeb7572c5e7f46cadcf63256f1b4da2d152d65a5048d4cc11f51d0cc85a48ffd5f08998753f584e9766269624fd

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 afeb5c4f8be241c6cc7acb2a8188bf45
SHA1 b891dfbc64d3b274a8f0d50e21dda644945dae66
SHA256 604d03bd79b14357c85bf0da7c961df8871e1f14131270d1be6d62cda4c2b93c
SHA512 5b8953a06d42e84fce9574663842b65e64dfa385af53babb5290e4716ecba0c76f3ca747bcf2a42ac7dec07eecff463b16f59b7562fe21e1406a44e7c9a4f8c2

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 809abdf0d523e09500d0dabdb4e9295e
SHA1 77f690b0e41a8e575580e9da70f4d495e259c65b
SHA256 e34dbb37bcb40996d37d0d199af1cd407527ad6951a591b735d826f909ee89db
SHA512 e996a1cedf44f8d324c126ecc07879a46665a30e61ccaf23195528e93a1771d9a0186565c89e28975ac32cc3117ce74a62c5387b80db3f7e240c3368e7d49a9f

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

MD5 bb9d28e939ce70f4898d9d747c33369e
SHA1 a22a418bb954ac61dbbb707b76652508febf273a
SHA256 c741461a7998fce21ed025fd166b76c2daaba005faed00cd3ae9e9ff9d5eb545
SHA512 84da3dc58827e4427bad7c51021d41702878d24130f80252afec483113cbcb108864cc3729ce6b19d416a572449689bbda8b138392c94988cfe311b6773a23a6

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 bfecde438fa7dff2288862e65b6477be
SHA1 9c017b0e7fa6388cb70e1b529b164653c51b14fc
SHA256 42e7bc0c74ef3204ee35f1cc595aa83c2ebb8e20cc4343e33a571aacb1157cb2
SHA512 cd525ef6690f0b4e9d992cea9f664161f71f6b8a2e38e7666675dc78bc7c717f7580fa1fd3ba13863ff439f276d74f1c3c83acf497e7090898398c8849237ab8

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 520250d3dad9902bd6355e224761e8fa
SHA1 d0a843f7800fc084b7cecce07b08f9a93afe1046
SHA256 8ea756cffbfa7f6fc6ade157b389ff6a62b73536665c3b87986bd44958c7e8af
SHA512 5b1e2ce1c56f547d2b24f3d9652ebb3110e82931703fc98f432947062fd505b6c33942c8f3cafc7895cde1caa27e5a1648e34e2cdb1790d6559d8f327df8dbdc

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 2b5b0d6c9d6b124340e2b302e26b66fc
SHA1 933e6754fa296b4e81aebeab3b90e7e3c893de9e
SHA256 cb70e1e090da53252c3dc0c413466e069d31c1d93c58da32e4ae63435940bbb2
SHA512 0f3bd20f6d025a71372695ead28bd6e8a3775ca400c9e0551df000030c6dd476a7a4d4f6741804112e922049957f6aee1cfb27f698ce8a0f7594a0b30f5b9d2a

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 cc1eb39c8ca3aa6c71241ddd256e48b0
SHA1 69de37f95fe0c06a0d872c6a207ee721c3eb91d1
SHA256 01ec568a72f2167e05d7d0e625fc6fb513ab1bb8c3dcc354f49c377698b4d738
SHA512 96a1a3e92e67dea36b3aa0f127c98dc673340175fc5a6c240e9a995fbb29f8b6112355713183434e0e5fd01844c55bc51bc7d4a17eca72229150d0cb1fb70ffb

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 a497a19b4ce95d3df38452d4e8cf6e7c
SHA1 b34d6fc18cd3bfcac8819840881b1e4f6ec2efe4
SHA256 ae0a2c97d275f714cfc7862b3e13ed903dc2a9596150c3b212874e88f473766e
SHA512 2d805fbe782088e7d929a432c9aa0b027e59339ad8ce3bed9936a1ac97d7fce347464a830ec91d88ab040f2e30d31fdb796dc43f4edf9ff3baf9771fda2f9a5c

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 916196a91b67d966b7fda9b23a6fffc2
SHA1 9c2f4d1872106ce81ed3772217f94e6f8d735d2d
SHA256 e9d8ea9802457fb24adff981146def3ff2b3399029d65b2b230b6a6eb411b58f
SHA512 6fe2085975aed0d77907a6f2327808148a474f0b97e5e69d17c32d8e2e7e4b74146af69f571153c1d14b1784defb934e2b6a1f2187e7c8bf292654b9aea37ec9

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.tmp

MD5 283ed72f7a695dd33bbf219102f3c48d
SHA1 f798c15b95961a960a6077b83599abd69620f7a7
SHA256 9fdd8845842cf372a7f7781f43a5b4c80ef56d8294e660488407b200f95e84a6
SHA512 73a8018149a06150cd8dca56c2db00091d2f03982d993ba24ba8462b7f7d4e2ab6b42aef639ea1ad77dc9a9385b6e79351047b92913b8e98136945fc7b2f75be

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.tmp

MD5 036666f165923451f10117b8803ecc56
SHA1 b6ce7287f20abb8146d5866d28e28dd664543a63
SHA256 2ee6709d84935087fa18f98d3fd1eb119916f440f79b0a65e02cff2d78a83c2d
SHA512 6c0c1dc84b44f433aedc6726d225a1593961ee03a4c0bf3295cc0a5b263269cd15cd46c77ace70cd712757a9dc8d2a8c5768518cda25158632689e06ea92fa54

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 8a48a8523db099272599b0650d1db86a
SHA1 e20d18b9f98ebf32e1b96b4bf723812f3c22f80b
SHA256 fa655f465f910db7fdcb12826de5667699a0943adfb112fdc5e74321f4243272
SHA512 8bf280aecf7d4cf394c25627ee403efda884b0e9e4b1d4580f6da81ee2c33f91a35475b1f153d18d042fc6ea67104991b3fa3f3cf903bd93d8fe369204c24e6f

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

MD5 924532d1e3328a72311c7f963da6dc30
SHA1 2acc5995798dbe93c2d1fe4a181a112f43fdc68b
SHA256 aed7dd6c8dfdd34911ff06cb1cfc02490bdc1575aa948b35d5731bc9a01905c0
SHA512 096779a971ec596d290c7618e64a23a53e6c6aad01d1b5e0a4bc0782a3f7ee79ceb79e856d7dc8df9a6e350313e394c7eefd66bd9f25bd7b3984c260a788a003

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.tmp

MD5 e27798248cd01a5c2315267348a4fee0
SHA1 5f4cc4b452d0d3a0154d71d366acc418ba5c6a9c
SHA256 0df5e69c5307961cb19d14bcc43ca013b5973a6cffe08e9b2c45242b9e39e0d0
SHA512 344b188b05d52c8ed823cec8f25002be2ab8c040db81353cae20ec344580f95753cc10ca0328e8766131e826f81a3940d9966d0b203f540b59ac6b21a86d9b44

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp

MD5 aa099cf3d0f3edf1c4d28bda03c853e4
SHA1 29ca5c9067c515e2856a8f7b52e15bd3e944ac85
SHA256 ae3f9f8f0884c7c43d9d897b04ea1a969fff28d58669058fae45ed3273bc165e
SHA512 5b1b14e0e5ea9edd19488ea3238017304527cc27655ae2c9c5a1d72be6971b74917dff132a9d1dcf7746ec964c1771fdce0ab3fd24bf8661713828603a518c74

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 04ddf0b9c7c6022b0d0fcdbeadc17d8d
SHA1 529166d58ff24a6d23ce95ecd7b1a8004f82de14
SHA256 6ec45c107b3014630820192f90747b6fd9e3014737d2dde2c7def97a130e5693
SHA512 22ff6532668f0effa0376f2e4eb0addde8745f7b9aa552a600b30188d64d60e528d3129325a4cd21dbfe84ea3fdc3c0c60efac6c2ce567e78634e52804881727

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 8ef1bb34af24de569f57186b697b7197
SHA1 ef64ea1e8d308f36efa8505750b7556c3d76d0b2
SHA256 34225f3f517a08d9f9507d214c904b1f15e6e009e7918952e15145223daf996e
SHA512 65045f19228f5d74640ef935a8282665a5f0e63ffb84c5f71c94ae037f11b08dc7e0bc4ead9fb8108b9af7cffe6d865d627c4954339607c610296954566bcb71

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 516bd881a87de01b11b118b9172f1975
SHA1 c452498e1c8a489d55e5ffef1238a18645bc7fa4
SHA256 c61bc29d84d7ed95230c8e9c041e5a8b5ef6fd54531df80f1006d494a1f9ae2b
SHA512 c967037dddd3d832e150d14a9b082cfc20c2b174c5ea87a6678a33f1d4c11175f75ce7ff899818e4ffc91640701c7711904891a36d429c6f84b429654c90d959

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp

MD5 fa0eefb61566d3be71e905862297f394
SHA1 66d2824ef091e3669b8997bee1748837781693d1
SHA256 1c590038f197fb4ddd57002eea88cdb36ab25e4eba04c1df822fad27c19322c3
SHA512 ebbfcc92c7d35cf219b5cd00ba9f3a4fb39a781e83ec9b1c76a5e3a8f3b1b82b72b46a13076f0661070f5e132068af97631f332c9c9f23261219b9d74a919ac2

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

MD5 7cf5076eafabe2bc6b80c7724553725a
SHA1 32cbbf28dfddd86d28efc30cdde63cbfa19f73ee
SHA256 40ec750e328ee3614916f132cf673ae08ebfffa856f11c98009b6e3c3ec7e422
SHA512 7e8f377d73618f008f689ae2fcac46ef1ba5a043c713a3f87b53de197b79dc9d35df627b9b4d81a2286c919ab9f3df8795f1cc4b229ed0108c1c3a09cfaf1d97

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.tmp

MD5 4bb19881124c528adef94190b09d8007
SHA1 ef4617c028d2966b9754301746db469aa570977d
SHA256 164389f9dddcf9a4fa3d8e50b20aef8c4830896552a7fc5d998b8463f9172b32
SHA512 113d0daae156b006a190cd63c01ce394981cdb38de4d77e7b63a836301453f4c08817621e0d8946805a8e7b841b8762d9cf5e93f8cf533fbab852c229b7ad839

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

MD5 485fc7e940553fa4e05176444dfca9ed
SHA1 d1af473e1cfb8db5f7ce2df5c24ff495e0e63396
SHA256 8eeaa581472871a0bee256d8020761557cbf4bfe3c04330aee6d72da2a680f4c
SHA512 6a2856e83c62df5e615985f68d7ae9928881b340fb50e5f0e2358bf601ea4294260e1a7b7dc9ea54cce9cd429c77c886027c8696ca23c111b481324d298cb53a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.tmp

MD5 c6991919fd01719e36605db952b039e5
SHA1 816527077c53e4a3436f38c43c3d2880153c951b
SHA256 507b2c4067e7a48f6df4182d52fa9bb1e9b4ab1b206e2683e9a99e98fd77b56b
SHA512 42ee279c93f8ff3093a60a3fb2c8d36eb3cd21b6e5dbd1f7a511ad6f0bdd62e717e88e45f8e13752889910e7a5ce0e30e653fda36e568600e6e9169b6131be91

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 e60c385fcc4cb0323b32547e15b2472d
SHA1 e0916e9bb6f9e58323d382504ec4a2314deec941
SHA256 5f9ea0e41940906c28c40bcf5bd9e382f8c1c578d6ef4bcc877195f1b359c1e1
SHA512 98f84e22ceca835babe33f53f32898faeeeed8414a77735485337c66234fc6bb2eaf0bb2d004e7aeca217484575de443baabff508c642be92862b44258a387fd

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 90b4175f78dc654d71cdb9d9bb33ebbc
SHA1 9f22cd51ec98a18144ceb94ef7badfb35d24dfc8
SHA256 ae14cb8ecf039c319c67213f051a4a304d6456029bd71740ed7231ac2e581d6a
SHA512 ef66672b6f9daee6c3fe9142acf1639c49f783a14c8b6fab457960d7a9b2700da9d8c1b3efa03670d822d77864bb21e4d0fa60b07ebcb02c542e2ce4a23bdb20

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 1439a50b902446462b9f2a69ee8248b2
SHA1 d5387f007e505e85cf48237cb09879d685a60f63
SHA256 9815060f02a9d8874a55318d8f445facb562ed7a4f7c9b1ee9fb0ad448f9fda9
SHA512 159ee7b014ddb39b323e59086726c3ef515a5fb6dafe4a9f6956420084fa543ebc96a5538eb2db232266a2262d983065b11a5d30ef74da3f127f7994489256cc

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 b4e06e2beb6f7ed639cd229b3a84e178
SHA1 a561cb5d538949ec6ff91de2a0db578a5266800b
SHA256 c135e3637de49031788bd021afd0f245b50491284f51c7a70832882593f72794
SHA512 3a082bf822cb2419ab39a50881d60fd36031518b2143fc35d3264b147c74f84a16ce6ae58725dd9b31363ced2d3415927919adde6c949dc61606d212271900d4

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 0ce534938ed2bf1c74ed2212ae2936b7
SHA1 7c2854bdc256fa1e286939cf2605405692e315ef
SHA256 50e79d3e8f3bf5ce7fe11687005c4dff1325d214debc856b65525368e1e6ec58
SHA512 f5b341103ce0abffd13b24ec741c9746b5daa1d2af16753c5ba14d906de5dacee64fbcf043fd708a9ea8fc84d9ea635ca80f13827685f97b079589002e52494e

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 1fccc4a05aef1448c61cee6fce49ef6d
SHA1 532e7aea814282aecb9c8ff1751e9cb091ad8c38
SHA256 5eda3e5801dea604ff81c63cfa41007e0a0125a16bc5f79a235b16dfacb06463
SHA512 ad5a2900f8c1adf9ddc2e04b62d66faa806d79b754f7696098e2bcf0723a284d26aee33b8049054888bec38bdcbca0b39d7b951e3594600877a49267d2bae3bc

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 1319e48f45460517d9461bb44414db47
SHA1 e4874b5b4373e22cc88a499688c852ddebae8980
SHA256 57fc3b69d1ab72b061fb2269f877900d48c7f6cdc92ac40a4348a758bb769326
SHA512 97c38bf367e17a2dae1af8b7b89ef60a56ba11506d20d41f83243a2498e2828e7f54ed668d4489092a1db311f07f9e7f71b474d99cb511d8bfe36221733b33ab

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 1913beedd9794a7a08669cc76f52e631
SHA1 7df4217d1ef39a230cf75bc154457527de29de1b
SHA256 e27021963606ba32a8dcef1744614fdbb4e4adfe2d254ff5ec4bb16cf1b5ea6d
SHA512 4878bf2f9db3896e802921136351cb9c42cca98274be6382fbdb0a6f964923e0411e4a4d181229084b1c18d6ceeac3375da3ce779828b82f3aa391963e72beff

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 1dd4ad693115c3da23c9421fcb7f4642
SHA1 0f6693299680bbc3e68437324ecc102a2543f8ed
SHA256 5d92aeedcf8f4e29c1008700a786f5fcdf96a2a06d1a4f46f6a8cda647d659d2
SHA512 1c03b6c20c8a8f6a3e2fe915152876068973ce4a4a705652aa9e29b53ee39e554a6167593e44bee59cd9139bd85d66aece1c1ee8cb5952f9ea2b42878f71d476

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.tmp

MD5 10349c01f8e35a91c6b05bf15d95edb6
SHA1 fd666e49245448dd03925062f10d244fb05257e3
SHA256 a6c7a8861fd1a24ea555ab174cb0226abef0b5feae23e23233386f99ae358f05
SHA512 d0f8530e8b7ed039d2478027e71e6e51b56f4f98918c7041df47583318c9386f2ff84de97bd4af99aaf7cab0266ff2e18259bb755d027cfd7bde45deb420e2ee

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 ee71f5a4e70783049f011a7cac62a7f1
SHA1 2b51feae531e85e3c87d6366be4db93db81cfd5a
SHA256 280fc5eebc0401a1a8d53ffa5e5552d50c2fa0332966c5ac1826753f54e2014c
SHA512 ee4d3ec0fe3867e2360ed91e03a95900ee9951cb09303f17adbd7e44650e07eab3989a1e467c88bbf648b9d03b19dc9ddc4a22489a9e40c9d4e362591f86d3bc

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 6a7ed1526e1db770092b504714be65db
SHA1 ce0281456276fd6dbb49d8225af116c2664a5457
SHA256 7c74ad5774e14792b0ad077694267ec271ba32bd69fb5645bf9555a40c8215f5
SHA512 c57defed7a2d618c6a4097f072065410d2e258be8368c3e1d973e24f42ff36b98cb3043bb33e5b056dcbfcc5218631479ac21e50c8d655318aad58557dddee75

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 19136a23e9dc2d5130f3858062c2152c
SHA1 470a634874d293e0d06e6885154e734fdcdce78a
SHA256 fb6e5273d4fd805618e2ef141790e7462ec598af9958245dfe8d5678294b1abd
SHA512 3721e514efec35a2eea3e4f46016e81f794cafe1f7cf2d56260b4faf7fb7d5e63df4d1cf4f2f08f1f8d7bc142f5222210b2deac90afaa18e9fca2bf35a672a20

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 06:41

Reported

2024-10-16 06:43

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe"

Signatures

Renames multiple (4860) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe N/A
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.exe.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\psfontj2d.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_TW.properties.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msader15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.IsolatedStorage.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TAG.XSL.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msado21.tlb.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\System\ado\msado26.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.PerformanceCounter.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Expressions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\ReachFramework.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.exe.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.dll.tmp C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe

"C:\Users\Admin\AppData\Local\Temp\2b6bfd1e1e2cee09f762b5953d15d38f05f840c8d62d2fdb151ffe51f9df8d12N.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe

"_analyticsevents.dat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 78be7edbf955974fd1f785801a4f81f3
SHA1 6c79888dba7d45816995ad7347c6203150f44cc3
SHA256 9ee1b209f29249e28bc8e01a2734fa262e46c98fd8aaa709c2f6b98cf2681020
SHA512 0ebf58f6468e510264af4e4dbf1848f974bef8c0c7c8919fe53863859b6dad0ec5ddd1ee49ced608b943c15ba01d017eee04bb8c4cbaae24a9f6125e6f97908d

C:\Users\Admin\AppData\Local\Temp\_analyticsevents.dat.exe

MD5 34c743440b14d7d7747bb50276ea0447
SHA1 fe66eb9852fe21c71fda26dbdc02e25373ff3da4
SHA256 dac15230b36410d31a111549fca377c8b2c5dd46fbb2015dd07b4578f4a2931f
SHA512 0ade9a926cb4a2b1b545563b0ed2ab5e72efbcad961f76c59b55948fac9dff83972f9fb63ec525d0b52ec422b83f7b7cf8b1e7e5538aeedf2493601ed8f0dc8a

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.exe

MD5 7e75b689f8963a014a1984ec395c8f37
SHA1 6fa60842bb38e7dde4301c94da1501039a2d8428
SHA256 73f72ee98f01cc19a4d3a0cfe36b8e5101dcb30114e9afccf612d04c94e02681
SHA512 fa0c65c64d5378355ec7605b2d6f4ba207e5e80cc6766e3d6268c009e1c76758fd5dfad6bc122a153098d28b243d030f4168d4a804abd1386f556e74a4bf537d

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.exe.tmp

MD5 ff9c0956bf0e2a31bdd4d0887acd65b9
SHA1 4bc3a513408d74dbd4b04bb7be1aa12369b47876
SHA256 11b8b7de6d1ad6452bf43bf94cab2fedee911f9ac3671f9b749641fdee3ce86a
SHA512 8ff6e5e6665fd3362c34dc8f62b43eb09d5d9d76ac8fc7f928c101ab4c9d42741848aeeb2c2fd1e6d71d3956f90a7305d45438cca9763cfbf675a0649b83639c

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 5d3df9c160448e1328638464302a81ba
SHA1 db8d1ed7364cc68780bfd15f6b4bb6cd1cf92f94
SHA256 23b285417db2b0f977d56efe5f5259c92a978d4f595b50ddd55ea859cf6c7007
SHA512 c2ac7ef9c9482d6db92e776a2c4ab5f1b9aea8bb2c3aa9e164cb4f111a47d970064ab591229557e9eeaf0f70872c5ced849f70af729e7b5e18fe9c873b31799f

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 cf366665ccfc96e7af5e52d2563d584f
SHA1 f6a3b5ac1a00e70af852d38a8f0be101a261a7f7
SHA256 7ae11b5cb6df3444123262aadbd72847e13e3a3709266993f40d30d3b60c285a
SHA512 e5919e077bdb764a3dcc518f1c0cc59f913216c8f9b1d0f0166f2d17734caaf03d680fd5272ea5edcc2c2a973beb00813f368c7db134e53f36bf53553eba39fe

C:\Program Files\7-Zip\7z.dll.tmp

MD5 f4b99f829827db011ed0c77efd76a7de
SHA1 3d8201a0d8ac425e1b285cc9b9e1ad9d4bb678ed
SHA256 a8095fdf9e119addef12ba5a20e54934b717292e449553d9b8cd633b3a4569f6
SHA512 450ed786696f43275d58023e99d028a6d249963ed1d2f057b5b6ee20d36c9b39d1448a21eeada71518bac891ceccb5407b58985865012111989fe2a6e686a352

C:\Program Files\7-Zip\7z.exe.tmp

MD5 a336208b7c24a315b460de06cba2eb71
SHA1 bcee387d6469fbe6d21e6b2625a795c45ee457d5
SHA256 cfedfa3c1b3bb4ff68fbb51de2276dc8cd0f2f1a141fea61607aa92b8b98a383
SHA512 8c31c607d88c37cb0c741e06b456b3c532efaf550203ebf4c9c96a46e7bdad446d287b93c5043e83e1bab5c55a81c3fbbacf7961373d9dc85cace2e9b43cbc13

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 c471856a40a8fd0edf9fdfad15523e90
SHA1 dd26931093f298f337fb6806b5856cf08077115c
SHA256 f2acc58da777f8ac17ac004127df2616b1ba886a0f231021c736fd68225c2ba9
SHA512 1b71496dd446ac745c4afcac14f53b1ed898d0aa72bf0830382a8a0fe33c0daf061ee4433e7ac03ac187876f77bcd65d7ae4e16c67603996bcf7586c824902dd

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 cbbf79c4845fc5272bbdf8a149d1f09e
SHA1 f0c1302e702de3719645dd47a0ca3acf9f09b5d8
SHA256 ed32f4296ca10623f648c5d5d7722b8e747e13f867ef758911d079e9ec4f1a25
SHA512 31a5a45a919d0f1bff14205cfbc23ed287b01cb3bbddbd09da0b5c63a8586dd3575291c07c81cbb09f1f90a742b6de834485bfd169ae2668856259d9e430c541

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 3f23a6c5bf58925f96a7ae3de3184f18
SHA1 afe47d70434b175d25e9408ec74a4d3b459f1209
SHA256 e64ef81f5e65a9ce7c4da417ca20a283defdf5144895523db7ebe319cadad7aa
SHA512 456042858cc9de4f281cbb2de81224255a4ba67f1c2312d4431374aee22605e93ca68f260a75b9bc81ac1fef8324d317e791b1d9cfa18299498d497dc06f917f

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 d8266be0e6d6d4c21f53f6e6e8ab0571
SHA1 465c481f8f773605188b7e8f313359e529e3de20
SHA256 89504f31a29c716ce248d2f65de90b4e7dcf951f4c6878404583c9eb86e43bcd
SHA512 d785c543bf3313eb5dc66145be8623069faa540c2bfe44a72a8f3f1e62b9e90099e7c687b92e415f3f325122a6abf5bf3c1ba4ae2875ac7e78338ae1c00ab1ed

C:\Program Files\7-Zip\Lang\af.txt.exe

MD5 38ed4832914d68042d5ce67438204533
SHA1 976433441721cb4e3334255699834f994acef558
SHA256 9a9a15a8b576d6275d202b082c776665195ba4234954dceb9210ecd4f2d2ffe2
SHA512 f6ef378511729162ce552549dfdf3fdf281fc11c1e6c7a2c05d22a44510793607de8aa4168a244d1e1ec88e4667146339b7ca30c49f199d990d3726887549cc9

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 cdc33781999664d06aa71a991f01def5
SHA1 383894b5bd08a7766fd266e19fbf1c77917e68a5
SHA256 97ab59857928b38a31987e36fa86c11924fdf0df61c5f9f805a9e34ae6229912
SHA512 824afe3ad4f31a2c9b3916a150f6d88e9a910307765d6ed2ac94545eb36b38db12ee62c57e9266f58c613e70ebfda3e99092f5e3df741de02cdd519f707759a2

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 20ef1acabb52aa109b9b4ec6e0f6339d
SHA1 9050afb448d810fb241f86a870e1b96479597544
SHA256 0f26cd887242cb3a6b31496f31e878e1840e7866ab9aef2a7a0c81fcbd32cc00
SHA512 07187b413a2ab7eece58c503514e5c4321fbae4a81634f15ce9ed6004bc733395be389d25898f86d08bfa10ea0490062bb97c46c65ac95abc45e18414e2931ac

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 699489db7daeca2aa328cd51d4a47215
SHA1 5f4e9f55e9e619b84e6b07ece16d38539d022f8e
SHA256 8916af204923f5f40e9098124f520c9d303e53c06fc675da19b7942d4541280f
SHA512 995b9423da3acb8934c37fddc6d88896a0fa1bd7f0db147c059626112c5807aeb097aab3b51baa5c718ffb65550a0640bf91ccd4dba71a890fdbba65e8e3b17e

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 224bbfa597fdb5c61c5e9649f83464fe
SHA1 709f0569a2799aec83d9e898fdf947b31203aaf5
SHA256 0d50ecb8241491874ddcd88b02c1d102d2db27dcd10041cdd960b7bc403737b9
SHA512 15c604c7e0e08498f08006c3e33be21981b6b8a52bdd4c6a09e1556cb84a2aeaf085bf0a2d56c80decea6b0fb22b79a7c7956434e324d915dd2b65b01d7a7823

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 7870621a76ce4485ec2a1a1d2c5fa916
SHA1 06543684f8541f896e71856670d10bac4cff791d
SHA256 02e8d3e204786d9edd64495c0cb966be3ffa1bc8de478e3e005178c07738c755
SHA512 27b8f057b5bc66110956a52307e38fd78b953083d7c9e80faca9248d3a1c343a55727817c0ac093166a31b6580ca6b343280c48b8b737132e918c36d2784b95d

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 2a02b4410cd26c9c40061b5fafef7921
SHA1 bbd15e432d52a6b53704db943eece144f7fdc7a9
SHA256 5bfbb86b9a951ef34d69373315e59a4611a5656c885b16fdb87b6e2676798b8e
SHA512 038b827dfb4db46d63a6b51fa651d9fa4bcda2fa299a9b0425e42e267eeb166c863442a6edf2139ea33c571a7df6ebf94a9d6254c0fd9e1a966c541b55471df6

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 dd7cdfc5f039db6da89f18f8f7040ed2
SHA1 e9faf5a3ba3338a4daf0578e4e99cd065e2d13e3
SHA256 b03b45f0ef40c887d406e9e1f3801a8f3ce95b9896d9c3fbfa15b9c0a08022c8
SHA512 43303308ce15703e1317714464d9f19a4f0867338ae07066eef246e55501076dc67323a65bfe8e0bb757965f7f12bb2e05b1b27c6abcc720efae549fd122123d

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 08d64bc1b1f591cc3f190ffa8f6eb1d4
SHA1 ff43cae83bf8c7d7deb57c2bcd239810c3f11108
SHA256 8757bc04ffb4e1f2aa2f2dc5de2fa61690a10ba69a33a361e92e5d8c5055eb1d
SHA512 f5eb2ae9c63e2f802f7ddd739d2192d02a96fa5f6cd5ba36bb2b846d3c9491bbe27c3319e60224bdfac0abd0007b99d9b070d575e7371081504beb6c25dc72ef

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 39088fea34753c958c5213787f95f696
SHA1 7c39390f1e5de0669f4d5e66481ff97fc4ad892a
SHA256 933315cffd6af7d7d20f026fdd024ad846242d5726de19633cf10a3718e35b00
SHA512 a04f4333e4ecb56408afd3939b14dd1d9dd0c454436c5bbfcaea164b390b8fed11cae8f42774d481d215c8dc741efcd402428577013e8ae3734bc50575da56ad

C:\Program Files\7-Zip\Lang\gl.txt.tmp

MD5 41385a65ba7aad09b30b9e79324e9380
SHA1 5b2adb4d2f3df3a69bfb1f106ae2d7db8c9f2a65
SHA256 96621aae962392eb52ee7ec75374c683b5d56aabd752335a4d7f646bf6e5d306
SHA512 b8c91e59eb2afd9dfc0fb49d357af4ccdd561203d8c4083f476caebd38428728a6b226cb2623245c94d9e138ea26335e8cccb926277a50c9397ac4afb63118c3

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 20564a2075a39aaac1d79a80a3155beb
SHA1 06307f8da5b5a44ce8e2a1563fa3b63d0afb440a
SHA256 930eb07c31d5ae626438e5f1eca7276c36683305eb3207fce19663bc37ad4dc5
SHA512 aac5a6fb218d41e5c8c12a1630e472d00b114701f5ad30c632a5d53d9523560a4f8296de7019b58a9ca1e595e0ad0c69ddac45ad46b6b7f14c97853079fb870e

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 1282c0eee658710c7769f0a3ae51cbde
SHA1 a56a8bc11f0f2c6ecbb2b7d68538066324c491e7
SHA256 9faf4d733d1dd16d45109198071e0624264cc6785eafa6ebc7bb9ce46c5114c1
SHA512 9f516f155c32cc925518606a6c566024e5cd6620295e025cf495ffce42f329bca5fa48b5dd0910ac23431805c123cd0a3f9fbeee150e61b5909d5b443f9eb7e1

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 c7869eb06c803af3d016fe1c35df5888
SHA1 bc2dfbf2a4fd6544e32ec11809ba5e841b4529cb
SHA256 b8c08d21433eaacb3ed9562a2d38d03b9b940ac1534b2af0307795d69c14505b
SHA512 ed9ab0a1ad29cb794abc51bd4a92217828b65b03635ee35e38684c418a727052cd2be0f571e0590b68264125fbc21bd87a1e7a063765d3268fd4cb83bc5af2cc

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 5ba325818aab4a3e77f16bfef24f2186
SHA1 453f472ab8322b6773c241e50e784b630b626132
SHA256 440374bc7c0d1295c939c85b180e4bc57185c7c48ae1ae1f61c089237318ba38
SHA512 e465140513c713b57523471346a99cf615578abc27dabf5d4f2356c0978525bfd3e5c92bbaa49be74143d0e63c3dc4659ba247615f366280226833be733f5253

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 341320440a12807a0561e2df764a2fbb
SHA1 4fe2f92cacd9bdce7f0630163abbbfdd89e7bd4e
SHA256 ff35daac2474d53038ac64a75a18a08c4225e90986ad4a2c8bd3103b837000a8
SHA512 506c96b73e9a8f75ed49a463e832b500ca64f1416b0a997f291d8a49432bdae4b74db6f0b62e3140bce1b2e219fc9fccf115cabc61df3f289b6395333ef1f7ea

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 7f8755fa9ed7e2cefb64edd8b3750b05
SHA1 aeee6fe0ef77391acb06cb5248068b30d58cbab5
SHA256 d18e5aacc2fc5f8c57c7750380f2d75016b93f1164dd68eeeabc98427a82667b
SHA512 c7d74bdff7df1f7c46407444ade58a83cc5a5ab1376b67f0e23a6fbe8e5f19a48d3528c00952f64672624ec0737ce3b0cbd9afada488413e540ae350755e0f45

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 00f841a9456c55a1a6c3a177aa2d715a
SHA1 5457809507cd40d55dfb1a3dbda9b5b4147a66d6
SHA256 52249198362cf4bd83ff48e771ad484172b68daf392e1fa0979cf5cd0e57de34
SHA512 53df9adc0d92e6302168aecde9fdd5325ec12e02d3bd024c99d3719c6e26e652b24acd35096cc36e827a264c55c2b88ffeb4fbb65e41a68f4cec51cb724ddb8c

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 48ad533a7f0c4baf60e15ecd97d3f5d7
SHA1 0ffa4d02538391704e4fc0a37e6acb05ea3f01d6
SHA256 c563f28895c3ce66174799dfdeb5e1020974af0027bda424357615df798e942f
SHA512 447a3806dbb2163946077b0139f82b5971b500faf8f92f1a6806cb913cba30cf898c2bf3bf116a24e6c3deab5a33bcd62194d4ffb80e176515d49324e6d3eff1

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 ba274494ad415c6843d84b23c3e78038
SHA1 487761368e9921e2589de662f15a00aae22a1715
SHA256 fc5dd969b2041f7c17780995c5bfccf17635900b0acd13856ab211350791ad3c
SHA512 7d35881079e1a5cb4d5c6784b6dc5db6ab556e3c0d0b2af741132fbc352a9b10d27c169c5987675b81b9b157dfb4fa55a4c01f2fccd5a688226a79566e2196e3

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 7b4e7d938b5a08194b1fe6ae100ba801
SHA1 59f36e898304a61accaf84d10191f58c999104c4
SHA256 4e18837031b93f4b8dedf43fca0c3b0092066c254ec9eb4842ee31c2e5116d12
SHA512 6dfd9e58d0f423b69c3c4edd7d57e039741ea8f07e3006b4dfb0b6dfcb0d489717df17a3754d5f01022da18d32af133077f487c44dd81c5a68fd8c4607f73b42

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 bfbc206ecd2eb684ffbb2d604db85cf8
SHA1 1e348767afd11508b3944006729640f08a068def
SHA256 39ee75c13673f69e9a3878ef63d884ae9e0d3ddf3871d78aedbaa4df41709c5e
SHA512 991fe5b07a10a5cbc7fab2235d1fb4c5a43046cb833de4a356d0a5adcc1be8e57c3d1bd1193d638a12be26625633e89611ce5d2de054e03eff0f1507899a7a68

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 938179bb8661088008dda47312d8b15a
SHA1 e489d8198c24df64660881198ae9b83c91cc8b1e
SHA256 0802b0af3e12466ecebfcb5218f525c07d6e6b30303f4b2fcf2fb2143eee0a51
SHA512 74c59cc4706f4afd0553d617d17db5153c2d0f30960165ab438f4737c6c5626881ed87d40bb8c749d3d50a394832a6101fcc76c882b6ea9469c7c506305786cc

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 044d8f4f3c9f047c775308a17168b314
SHA1 25e7f6730c3115b2dfb818cc642695d062c3e7b9
SHA256 abf177d95826f1837ea596e092a5f7581df98e5889d2213cc797cb2a321460a9
SHA512 5e7248ab0703481930929d7356c755416e8223d0f6051ae1ee7aa36f5c0f50c2c0e3258253c2fcc348a794585c1086291b354d74f112801e2f98e1b275bb9990

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 5248f9cf4c0a5a872584f897e5013875
SHA1 3a1f55bad02ff59bf1952278520059d6f2f95448
SHA256 78769b1e5c8921f3f05a5e4c28109f8a83aae9fbba66a5591bd28ba0c891163b
SHA512 bf1941808c47516da732b15d1fd5445105a1702149109ad78e87806d8508580102be8e9367a4af8b3e7c81697935b77cd3d2085522b04fa5826702e0d4438242

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 4901186a76fe622cdaf34dcd6be1c220
SHA1 903082b2a979caa5d3e9fc2ddc4d9431f1e5412c
SHA256 4d7fc5f87675621135f091f27840542ed306b4bef9b26a99e3953d679d103ac1
SHA512 7bc3d73479cfeb98887678448040173502a8c08fa1772fa9c7a11ac3c632820cdd38e2a857370bf10f5d43720e4a1d3e9209e605eeae0a7fd2b34fff36b443ef

C:\Program Files\7-Zip\Lang\mk.txt.tmp

MD5 6f5da998d84369ecbd7042c920fc964e
SHA1 5f5e58248fda173babc362a9e3948d647d70472e
SHA256 a4b9e93162da4d6cd79903cda1fd61de6a3b7b1c70174d87ef11edfe98eeb00d
SHA512 8cc04a561a1ee28f76cbc843dfddb8b8f706e20a903807a1f25710ebe8471c944399c6db585f5e92c16a978f3892604d3e5fe6df01297794263a14931ff28b58

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 62d84c5f90076aa15840755832a70064
SHA1 a5af3c1ea8b34c79554a7dae307f1fad80390f05
SHA256 32a92257d3da731b48dee1e8b8aee938236d0f9116cf0c9d31cb6dafd83736f2
SHA512 dfdcea9e36ce4eaeed543a956a66de3f502e92ae82f9e5d9d928c60a4c7d4c4274a9f5c1d75b1e64e97897634255c8b6b8b58a6fb154fa7b2172a8b47564509e

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 518ee15bc42f98bcf375ab7ffa686abb
SHA1 56942d4b38b0b5846e1b49387c190cd6746e25ed
SHA256 904170bbbf6d77871f1a17934ea50c83204c7f853f3f8a63b6dd33c28823bfff
SHA512 59562cd90d564fd4210219d14709dc378f33019c938571b014f91113617ea53fbca6e8ba69e288e53c89f402a8b80a56017c673a2028c37d13aa7cd95ab89076

C:\Program Files\7-Zip\Lang\ms.txt.tmp

MD5 99f6ffc870a0e6c1580b8d7636929a6e
SHA1 5b524ae9f6d03db0975db48a0cf6d9d6a8d175bc
SHA256 7f44957a175e8f87a40f2786c0834ef7154d37c05975ec9eec7f8f74d1ab1b52
SHA512 4654a1d27b2700a5abc99658e685c78d951a02777ed24fb2238bed3c26a61eb717f3395d95b965473ca24f642e134bd2e90957907a78668d3be1a325d695fdf7

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 9e15ec138604e7a35da10f62d88d2844
SHA1 555d5be6799bcd37fff017064ff8e73b1e083af9
SHA256 966bd90cdc3b358b5275e26582a1240ac93ca2c45393483103291b27a4f11bc4
SHA512 76dabe42d3c3b1819d733237db823d6b492426192fa977d5d12fbff97792d89a1d47a083ca022737993445e15dd33078b4b4174ef3190f0cb8a8ddb8c4fc22e6

C:\Program Files\7-Zip\Lang\ne.txt.tmp

MD5 794a8935b0d269263707c58c960358d8
SHA1 4b2cce9dcaa05730b88f02dc9239f5d15e5a1fb3
SHA256 a093e4aa3ca10364c971531c7a03851c25884aa6dc72f11e9d10e5696b96fe57
SHA512 74cf4dc517684b2c18a28444aab6f80c96918b8b3fa7448c6fe809e13cb58cb9e81767cc78f56858f11b7ed37ed46577ac909a5a604bc2b3dee7de5bd2f172c4

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 eba5409c5f60e01ce827baa30a9daeda
SHA1 6783cc6aeb8cf22aa456a41973ead9aa231579c7
SHA256 9e7bdca619391eed99481acbe1d538d98852e06e4660293c2dca404a33c96a58
SHA512 62d6280368468cec10b1f8fa3b1dfd989a8155ad9bee2fd477df505989926a458f97394eeb0ba2298c7b9b57a2e5b5a1705258d3b1689b2c563bb5fab3b315ed

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 44a63c4021c79893ddb159e0209a5f12
SHA1 1c4e2d6ffcfef6f82f5eafd487d66dc6accd17cb
SHA256 96d6f6a712d059a0700278b9afe37500dd202eb9862d79d68e14b28232c1c08d
SHA512 4971a2dc4b72dea7a31f852262ad5ead55aa32771e4489624eab04618119e735b0e59e1e8add33600ac6c415c6102b1ae7584b3f833a1d5a0db3f85a52ca033d

C:\Program Files\7-Zip\Lang\ps.txt.tmp

MD5 4421a0fe1b8dc1953857edff770ba58e
SHA1 7958d2a9b1c4a0a7af40478207e27e8b012e679d
SHA256 49bd6c5d54442baabbf17de9e9c5a3189fd73160fa1ab7ec19e2cd44900b0a2f
SHA512 66f02938bde6d591f203abbe7255e8bb2ac126b3b7199a4e0c9c3140ab99c67ad25fa7c24980454ac92d0cea84f3aee6a70baaa45bc3d4502935fb0a2aa6e5e5

C:\Program Files\7-Zip\Lang\ru.txt.tmp

MD5 08e1dcf15653ab1bd452182d56626626
SHA1 5bfe7409dc1fd19ca3c861f47a23c025655c29ec
SHA256 50bce4a94125fb97443d5741b5c5f55daade8636087571402e99330f4f602924
SHA512 d0a0e59dccdd57bf9c5f0748640242cb6facf8ac8105d99767a22889565865d79fea9c4e0b6e4b7a09ab11da99244b0495cccf1a62de65492b9eb83e2a6588f6

C:\Program Files\7-Zip\Lang\si.txt.tmp

MD5 5c5d544a9e11a3f3b17bc787b4aef1b3
SHA1 5ab311655af15c607f7542e85badd095d39d9b3a
SHA256 111751298c2617b569389c6f8ddd1af9e86a3fc79cafd74a65dd47725e95a843
SHA512 74c0efa34738f2b61690e69dbc64d050f0dc0dbb843ce26fa69ef95f5af8e8dbb20e47e872e1f6e0c515181d687551d345f83147a632c64b5b8d3f35bc32231b

C:\Program Files\7-Zip\Lang\sq.txt.tmp

MD5 51f98680457270e78ae342e505eb9578
SHA1 bbcf01fa58798501e8f5d50a18c38f9abb48347d
SHA256 a556b0f6f3e20b53d5f4c12b662a8b5bf3de624fba5b3ccbc1155969afd6ab2c
SHA512 ac2b52090739813ce49466d2075dd04311093303a2b8206a3202e5e9386d66fb86a9187a2014907fa3b9fe3a3af2c6ca77d7f7139c319737cb59f5a05f27a8d9

C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp

MD5 0f3a35ffa3b4667eb981f11d2b6abba2
SHA1 82de1f3ab12f4854a0dd1b8576e6b0b0715b2dba
SHA256 607ae545923d2320cc65e8c429d27488215117b7c6ffe6877f100cf9fc1d4ac6
SHA512 b4604d75f5a85845f94bbdb66d4627e3a21a93f4c1cc392215d728ca4ba128723fe0352248188a47cb673afaad3954351c048de145ace71d253fbe25ce772f88

C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp

MD5 7582f5510ff29f0c73a2b9b486fa8330
SHA1 6c157561511dd7b7379fcb057e9f2d270404177c
SHA256 0ed592bba34a1ff76824afb468c9d4df9e92e4665b137731cf46b07437a9b8ec
SHA512 9c17897da67b68084c76e10c80b473c0621bf060b637f838f5831755d5877c70966096a2087e3f08a0e6ca42172648353d3a4615eafff02951abfb0a9984933f

C:\Program Files\7-Zip\Lang\sv.txt.tmp

MD5 82df2346e3118178d51cdbdaf42a7923
SHA1 ecfdc328a10a187651b93e7056b7fba3091b75ad
SHA256 9cba40f14dbeac8920d1cbb6b5e5e64442fbb2b5647186b3569adf71dfd82dc3
SHA512 3a3c8c970a93dd9c3b33843d7a29059a6fc48eb564cda9c8dd3fc934ea08f041a91419e24aab300b65bc012b1bd9d608294bfdcdfb996156ad785872cb4c3f0b

C:\Program Files\7-Zip\Lang\ta.txt.tmp

MD5 a4ef9d0235af8f7bf221196cded8db89
SHA1 eb077e962747c307a31246ffb2c76d73867b8a87
SHA256 7f2a7d871f29036efad2c82fdeb06efdc8568102ab4d034321f7eda36ae9dba7
SHA512 6abb927b7d5d84ecf244f708d3b93c16f88ddff9c93496ee670bf9ff22477c38fe16933053f5ab536be57baf22e04849b0ce63cea5dc1b65dd1cbdbf1c5e5216

C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp

MD5 4b6f6c36096242ea16d63ccf26bb1e1a
SHA1 e67a73c0f17c213c27b3c619ae7045397974dfd5
SHA256 923cddf03d48d4a6025ecb9366f173275c2bcdde6f98c2a2fb9c6587403007c3
SHA512 aeaf5657441163c9f068677857a753c02274224eb9edf4a5378936ce0ca7baa91d1115068d33ff09eedd08c8c28a0726546cc0188c98befecb8e224dcce6725c