Malware Analysis Report

2025-01-22 19:56

Sample ID: 241016-vy1scs1hmg
Target: eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN
SHA256: eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112e
Tags: discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 9/10

SHA256: eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112e

Threat Level: Likely malicious

The file eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4029) files with added filename extension

Renames multiple (4452) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 17:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 17:24
Reported: 2024-10-16 17:26
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe"

Signatures

Renames multiple (4452) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\AddSuspend.vsx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sspi_bridge.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\WindowsFormsIntegration.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\3082\MSO.ACL.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Common Files\System\ado\msado15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-errorhandling-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jfxmedia.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ul.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\coreclr.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sw.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe

"C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe

"_Access 2016.lnk.exe"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 17:24
Reported: 2024-10-16 17:26
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe"

Signatures

Renames multiple (4029) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jre7\bin\tnameserv.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NavigationButtonSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Internet Explorer\F12Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Dili.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\freebl3.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hr.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\UTC.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw.tmp C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe
PID 1972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe
PID 1972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe
PID 1972 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe
PID 1972 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe C:\Windows\SysWOW64\Zombie.exe
PID 1972 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe C:\Windows\SysWOW64\Zombie.exe
PID 1972 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe C:\Windows\SysWOW64\Zombie.exe
PID 1972 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe

"C:\Users\Admin\AppData\Local\Temp\eb5eaae10c8c0c0be551b4c9ca7ae52f74ba29d467d313f3eff5656aa424112eN.exe"

C:\Users\Admin\AppData\Local\Temp\_Access 2016.lnk.exe

"_Access 2016.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files
