Malware Analysis Report

2025-03-15 08:12

Sample ID: 241016-j6ghxa1cng
Target: 38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N
SHA256: 38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962
Tags: discovery, ransomware
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: 38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962

Threat Level: Likely malicious

The file 38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4388) files with added filename extension

Renames multiple (4846) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 08:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 08:16
Reported: 2024-10-16 08:18
Platform: win7-20240708-en
Max time kernel: 119s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe"

Signatures

Renames multiple (4388) files with added filename extension

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Zombie.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Zombie.exe | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Zombie.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2084 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe
PID 2084 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe
PID 2084 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe
PID 2084 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe
PID 2084 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | C:\Windows\SysWOW64\Zombie.exe
PID 2084 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | C:\Windows\SysWOW64\Zombie.exe
PID 2084 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | C:\Windows\SysWOW64\Zombie.exe
PID 2084 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe | C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe

"C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe"

C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe

"_RunTime.xml.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 08:16

Reported

2024-10-16 08:18

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe"

Signatures

Renames multiple (4846) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe

"C:\Users\Admin\AppData\Local\Temp\38e9a657802fb761045eda0c3f5f2d8206a182769a77086389e781ee6b4a6962N.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe

"_RunTime.xml.exe"

Network

Files

memory/3260-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Windows\SysWOW64\Zombie.exe

MD5 a45de0cd9476c9036b1b2eed1320de97
SHA1 09b4528f57f2e5c07f864ebbcb284536faa0f347
SHA256 5b1e6dd19d7b9fc3342d57d521ef811cbea477d87e4d1e00caefb83b72a9c0cc
SHA512 3ec81138ae4f55d7f5bf9e578807540e6e02347247f081b6ad63661ba48c818899c2b74dcadb412af29e6db1419557e2a9776eede9e3c599cfbad602c1dbd86e

C:\Users\Admin\AppData\Local\Temp\_RunTime.xml.exe

MD5 31f887769c674d270a9ec6cd3879309e
SHA1 2dc92f6319eaf51b4c9f28d35f434322d0911e13
SHA256 54fe726aa71f846f329fba9d0f58795dd9e48e1b58dd20b90f8c2420f6bd9480
SHA512 e09face54c6f562dd2c1c30d6219a73b30c24884525c6472326fe3a2e260eca2de15a572affb70fa60e37d66579a7cde8a1e22d35f0216a2ebbc6a334f4985db
