Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-wmml2axelk
Target 001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0
SHA256 001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0
Tags
upx discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0

Threat Level: Likely malicious

The file 001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4898) files with added filename extension

Renames multiple (3696) files with added filename extension

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:02

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:02

Reported

2024-10-16 18:04

Platform

win7-20240903-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe"

Signatures

Renames multiple (3696) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\service.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\7-Zip\7-zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Atikokan.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libadaptive_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\en-US\Hearts.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libtextst_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\psfont.properties.ja.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\DVD Maker\SecretST.TTF.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Omsk.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\bckgRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.exe.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Palau.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Chicago.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Yellowknife.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\dt_socket.dll.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansRegular.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe
PID 2792 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe

"C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe"

C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe

"_desktop.ini.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files


C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 0c392f375c67c11f0b5be434a4a74c87
SHA1 22181614d7520c2f34aef2cb443597ef0c959936
SHA256 956044e1e6fa1b0c00b9e5e5969eb89c4d8f8837d17503e00efdb50032019119
SHA512 f17d0697fc717b133d0bbe203d12a2f3945c7cc62165cbba0dd3dd6be4e1e5bc361e054945822e8b3a7bd4d97df1615e23cb4a43d113956814bb15bf82f1f273

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 90e44b82bcba7bf1eb062b364ca7dcef
SHA1 666c4c93003bb8dead4b669baa1886efd760ca59
SHA256 759fbf7207f607d0e4b86f758e90c19b50df946f4dfe87259d899e116f69baa5
SHA512 5f986f0179954255e3e62879720d6e167b957810b0ea5c7da7948cefe004eda890ebfca5da9107ced1ad314075b9c2885c2d9585790176ad14dd16f60270a3b5

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 f266f4a11159a6317fcb3c03abe69432
SHA1 6a0165b1549db482cc42a6982c48e80a0f94db61
SHA256 b5e9b5af4406562ea758df86143de8f8b182fdbc433e2e8502745c21fbb7bc4c
SHA512 af6ecc8dd8010bcdae7dcead927bea0c31da4b538429a4d59689c511adc049e1a852173209c7538a35c130ddca8bc34b55626f5449e3c596438341591d8ae6ed

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 4066d0f2b88fd343b74b4bccb3d8f6a7
SHA1 57d624378e9f927b9b79cbe40763818d920517fc
SHA256 907dc9c0a12d8e3758f4f4b7fd21136e8272122fec61ec4309b5ec01a542c943
SHA512 63af2a71339126774b6964a3b0e57112d3bb105f7acdfd7e2d1b2fd60ac454a041a4bad0b2c7d3d32ca3ec60b1e71d14255e2f6a04ffcb9f6ad6b7400fdfd0f1

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp

MD5 ad8aa607f3c07bbd9e726091b3110d3b
SHA1 d313cdde09c93976e971dd3875a8a71a15cb3a95
SHA256 b7297174f63d765d45ff658e53ec7a77e3f056c4da7ca5e8a2fcc786a06669b3
SHA512 5c43b7c87bf3cdc899e88f5a47312c203427d14e62abb703c82cbbdbc195dfd3505a86a536dcf3caf74f7e6d3a54dc965b573b7803b15ccba9c7ab9c2d0c0be2

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp

MD5 bc708c903bd587041752ad952a898c1d
SHA1 6881df058de9aa1a9f1baa4cac3986e89e72d875
SHA256 ea760274a8bc58d4a950b891a8fdabbed451a34e5e20e8d1e3ab0a1c709eb678
SHA512 dc06914f710adbb210975abba078c94045ccf8a2e23c23a6c3b7fa291e01c55e4fb67ed99b834b7b53c70847bed496a57655f21c76e80d0bf54f635f6e2f40f4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp

MD5 3425aa298506b84350ef99b792879e9a
SHA1 b406df91af113808b439ac63f9b076144a3fb3b0
SHA256 a443db2e940bb757cb5bd6e29f54aba95d05c298e918af1ef11aafb883b6991f
SHA512 1af5f6ba26bad71459a8f000108f2243cde629c0895a2088bd8acc315e0412cdda91058b742a770bc05b5cb6d3319736191a5492b2bceb9516861ea1b8cc29a4

C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk.tmp

MD5 0e0fc024923336604ba9c09d03a5e2e5
SHA1 35e97dd1e13a5331977cfefadda9dd22aed6378f
SHA256 c0ebd3b6a3ade5d48cda2fab7789726f96f575d90f5b17f9e58c3a2e666995a7
SHA512 7e8bc13363e8209833476a6f98b28c5dd61fb9e36ecfe1bcc9ea2b25b55c3979e3b74f17682eede0581b5615dfcd20a2df274099f471bb0b259bf633cab0c89d

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:02

Reported

2024-10-16 18:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe"

Signatures

Renames multiple (4898) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe

"C:\Users\Admin\AppData\Local\Temp\001e3a87f2178e1ab52efd33523d27dd53a69a6a2d6713b66f377c990a4b8dd0.exe"

C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe

"_desktop.ini.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network


Files

memory/2788-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_desktop.ini.exe

MD5 65a36755832271ac8a8a0fbbce8aeb83
SHA1 25c339a01a9c12cd44b42bca8ea16c3f8845112b
SHA256 37e7d0c99e07cb1dbfea58551857bba35693cdcc63fd692226345632a257d2fb
SHA512 a7e4f11b2a96a32d79e1d841518ee418256482ee659894810b957d289824ec9682a4e59f5e048efec25357f875cf793d6e897ea490b02b7a6690ac0c9cc6ba06

C:\Windows\SysWOW64\Zombie.exe

MD5 55a665e3dc8ec8589a87709692ef9c9d
SHA1 54120d10abe2bc15ab61a0996a91f5c9a87beadc
SHA256 db97fc9f64de941cf6b2bd5c77656205fe5c07cd013cf47fb18aac982e415d29
SHA512 94db4f3530a4a31f0b0cb6e51461dc13011fa5986b9ba46f575e8e6e02e74b6d5c7f94021676d1bc4194ee2fb7e82dc5c6b93e2dad5251cec73bc8f29d306c12

memory/2276-10-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 6f000057fe0d9369c50c7ce4474feefb
SHA1 68776846a04ece5469e7204f7ce4c37ab252bfeb
SHA256 c7f1ceff43258ece75da76387cbefa65b272f00d5ab47fc8ba1a48bbd9252f69
SHA512 0970da20fb13dc7d6210f98932942e41741bbe63b940928a9d2dc0a08c14b1413d93c5eb0cba45f941d8f83701d71cbc84075f3cada1bfcaddc2fc231642e5e5

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.exe.tmp

MD5 9733b56dd13d62f124163004d0d33987
SHA1 a5655adbd6a628a68fd2159a01674173c13c90f3
SHA256 36a104595a6c1fa5b7ea6ff2ba40a9dc0aadeee40064db8dc78cf5836c87b8ea
SHA512 b70fe971bcd14d0c51389da998a0f3cefeb6f480724921498cdbf30ed7167497b8d9e7c227bcab0d4ef42c45b2096c897228fb5b9146bd6ae2f14ee012330967

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 310aa580d6da5790c8b4ffaa849e3745
SHA1 049d196b4f97ca93a6788067b01caaccfd05fd98
SHA256 da898aaf862dca4be6ba67f2f1c4c7cca556a9e0fad6be51cb3539081d423698
SHA512 ab7d3aa9d513329af86c663ffd92a93509db52eb505fd02920070066f3e1ea29a789405087abefce580720e1e9558dacb636973bb47b51018c9ab02cc9c1730f

C:\Program Files\7-Zip\7-zip.dll.exe

MD5 2ee7ed252e2c79948d3dc8bcfd176f71
SHA1 5a2cc92238cb15e3e2303bb18625bdb039b68e6f
SHA256 2936e3d377d76f0e020fa7ede3569ea80986ecd4a833e8b33a5e4060af8c02ea
SHA512 32b23df5b19b75909315a3a3a306be954f7762ea205124dc846c6d536041a1f21fad09c0b2451abccdb842f3ba13ba31c18e1f4c20f1001f54995820db59b8b7

C:\Program Files\7-Zip\7z.dll.tmp

MD5 2da4bf24d5392d2c619c5537870701fb
SHA1 720b722dfc250df4c6198c6fd3b76096ae9fd88a
SHA256 3088cf170b0031d0513b78ed806deae6d8a051828172f83aa5ad663280c8b3cd
SHA512 f598d180d9f471e6fe7a52bce1d1f9e8ddeb2851ef7754a41c41de921a2a8199f0773ae09963edb2b8c4c7275620d9eca6005b3aaeb9f7de247b7fe882071b23

C:\Program Files\7-Zip\7z.exe.tmp

MD5 f12212adc64e883617224ab214726678
SHA1 57e79da74ba904c1f94facca86a75e2947f4f37f
SHA256 2b0617c11eb39ff3ee8852b83a1eec1898cafe7e96c56fe76fe37e218b05e259
SHA512 b2878a51180237360f9b458bb96531bede182f4d1427fccfa4010f53179aec6b7a58507882dd6983c19f88183162d590b593235cfa673a9b969be756ba188034

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 2497475651c565e0ae443228687cf768
SHA1 8725eedf0794f327448a6e89be12d635c063854b
SHA256 75bb6115773a8d39462d3d0ba4b68eea3d28b2916a097b334d05a714d2364c8d
SHA512 93de7da8f48551c6eb1566134da30ba7bf8da81ab353b41ee023f531bb66e58377e39621be6890d5dc8e1a766e2c4498f19977d5f0f8eac0fc878985d5afbfb3

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 82d9e747cf39e777e5744b75d4fd33ad
SHA1 0e7232a9097986ce00acb0c765755229a42391da
SHA256 b74d56c40d0232fd9d90fad4ebbaceaf1a8747b501524cded2bf117644bb2fc4
SHA512 b9cb55b95162a5bdc1141b927b4fab13d8b2d8d235ae1554a7bc8f905fbdd124e27ec1cd45e19c9bf9d0ac0efd87205582e6c413678d8b6fd3eb5412bb9ccc20

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 8fb5a2db23333ca8f3b2ba14b1f47d21
SHA1 66961f186784053612d16c3ea94a0d39cd5dffdc
SHA256 7995313995e1ef09e1042e84f8bff819e8e10050a4c0dd1ba9723108e4873989
SHA512 39f54cedc20148418d27b015e7a84c5142356bd62470a01b95f0bf7292bd46e6d64ef86c9b52a75e582336d1b66d020202eaae51e68fc3844dad954d2cf9823c

C:\Program Files\7-Zip\7zFM.exe.tmp

MD5 c96c54bb6f9514a3b96e5bfe62869580
SHA1 27434a2ab865cf876895c461cf8800e05ae9cf0f
SHA256 2a993da076c5acbe37db48320a5a56817b9a4aa118e098bf2dd0a39c23ba6bbe
SHA512 d6b9172c5962755e0a2b00f3ab03520ae1f69c0448292a384d2e642c8efcce2e9c5dd59115f9fde8dfff9965a1b9ad0ae821753a3004099d44b0ffd8b056ad46

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 3306e9d6bcc522f0d43c17d0410f2b96
SHA1 da3be1e23b3fc3fa735323aab8c2e46b40442177
SHA256 167bbe9bf9b38231794cef4954a1f13f7ef1073e5451d5a6195fa9d58d689c24
SHA512 9fb12a40802456015e3192f87fed3dc498a7eb45419bba2ad55d18ff908b1dd4609ed40ec6048657e6d2de819d146e5400a1a05f93c34a0b11b5acfbeb76dafa

C:\Program Files\7-Zip\descript.ion.tmp

MD5 9977c9105ef91ede24161fe6189cf0df
SHA1 c807e284030b6f90fa520f4b657ad7dd4a857a9e
SHA256 9394b32adb9b744922d73f74a8e8678ab35de8f3049d4b76d1247d3119ec6699
SHA512 f9fa026611724e8d0d4716169d2d10456c592f91951b71cb9253e48876be894834d473b5d6248fbb54ae70bbedda9e5e7c10bebe9d6f10610819b513d420d7e0

C:\Program Files\7-Zip\History.txt.tmp

MD5 ce33e7e7ff15f2d2adf664ae68399283
SHA1 3ac80207d58602812a04bc585d25464aaa343c2b
SHA256 71754f34d42fb57268ac2e01c66f42c2c7598e6c355ee9bb682766a7caaac099
SHA512 fe67a79b92fdd066b9e7b2480782084f0f0648a4c649c6e9fcfe0d554553e3b38b8c1f5ecb952bd8449d7f467cb1bbc46c9c9178459a50b27c4ea3a556c7722a

C:\Program Files\7-Zip\Lang\af.txt.exe

MD5 89d529dabb3bb747716a7c58f23ad765
SHA1 45f6dedb243891a3bb7e623327e3ebe753f57366
SHA256 30b0702f26e52ea905a0b9ff15224035605fcc6b3cd5f4039c5f31160fae5890
SHA512 63b6bf728727c6a628f5bdec5f04e644356db6d913405318c2e13374925c2ec42b993593467f8818916a5768ebe5c831471837cfa09950393d855de58452c059

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 8dd40d2459e22bf67e52a64174d10e38
SHA1 2e0142532f812b1a1f8474c5af0e325eb718a46c
SHA256 f2ab73dd2efe9f3a4162b72b165765c7e19f724adf37ee77b4bdad90e29e05c8
SHA512 223ac757d62e48422741fef30d1d76bbec37811207fef634f57045f16393728e4e85c19b2d45d3e3ee01160b2d9814e14908330c4914b0da47662c8547121b33

C:\Program Files\7-Zip\Lang\bn.txt.tmp

MD5 973dff76be637a690b42c223fd03db17
SHA1 7e2bc51afb7dc1f93a527aa140d7eab94f34db1e
SHA256 95abf216a62c72b083150d05792c8b2f53c3f63915133b4f3767186cef67e18e
SHA512 aa6a7dd863e251fcd87579340f841be60b6dd33fa2335c84607d27c78f581c62257e44984c5d8ec076bd204b19f9a2fec4e840f4f8965f5c8dde097e92929054

C:\Program Files\7-Zip\Lang\ca.txt.tmp

MD5 0749e1e7c426ede72e64635cdf9f5792
SHA1 6487616d54eef618560cdd50208f4a73aab89dfd
SHA256 06d325fea6c65ffd080c75d22537fba338cc969e3aeec64b9b90ad29dc8735b5
SHA512 4381d12e342ae882c24b1766f3826f9158465e0c357c615f85b41f924223f673adb3053a81a0419e0bc4038cf03193f28a9b0fd4a6530c2552bd744562707d0b

C:\Program Files\7-Zip\Lang\de.txt.tmp

MD5 9677a74f036dc132efd0a8622b365c31
SHA1 6e11b8953c914b7c972d9c8323a88a92dcd916b3
SHA256 d283cadbff140a25f9a5ce0933f9125a672286f793781894ebebb0e667ba3619
SHA512 483b7ee19887f19c62cfca957a78b3c463e49c48678a9c8be363f4825cd4fe8ddb2fdc7ada42b06982146b8aa4da2790d871a9598ca9431c2f4fa8f50ebf2e9b

C:\Program Files\7-Zip\Lang\en.ttt.tmp

MD5 c8e9655dc9090fd1b6113622e235287e
SHA1 316a31badb8c47802df67185fef3843f0611a060
SHA256 0d9350b41020fa44fd5ee16728ec1b560dc9d49b67131e180e23dec6ec42dbd6
SHA512 5930a371e7aefb00e0fac5e2aeede42a06a38f028e5ddf801dbd3aaa0d46bd4c2359354ce116725cf05010e15faaeae023fccf0a5b25b7d559b92154ab7407d0

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 98796e3aacd171518965e8dd415d344b
SHA1 b018cd7334b216f71a36e8401bf12827fca51947
SHA256 6faf95b5cc35875b1222f7e537759942ff14d169e6fe6c914493eb4968b45023
SHA512 c84bf2ad6fa780c545491f60f5d3a297b52b9cadde742edfaf9b7f7abfe2e13d5702289e427e34830172d5c0b5de7cd7855382ca4098fc8eb96a326f7018157b

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 714366b8bee955e214ebc6b17ba894a0
SHA1 f907a9727ac6f0d63a238550c6eaca4c5b7ab202
SHA256 f86d025c0f7e7b6301f5b2e6a449fb6112abff7fb75a1cb4a1b4c6c55fad92f3
SHA512 1a60aea48d2ef97d8ebfa520cd1e6d1313a174992f1cc2fb733e4605a65b57864417e14c7df04ffd7a9ee518a93f542423a83ad09f224b30eeec1a3c93a587c5

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 1d89192b11a6a0ff7e99cc2adacde85c
SHA1 48455175e6fc2e934d0ed8e7f89f5d2341feacba
SHA256 e2d032a74fb122637fc58d448d874aa8446f481af8a25c27f105f98bdbf71dbf
SHA512 fd9fc5d4aed0f31bd8631aa719a9f57873a631ba9880cbd729f12a0550f56426f1d996355f3b3f29995d3aa05c9fd3f8b05d147d777a3354a1536029f029d00a

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 ed4f66a8963162094f4b5acae6e08b7c
SHA1 d6ef14fa97da5e9c5706021c276b4b82f3a67c56
SHA256 61356c3e7fe6a2d9db753f9b6293e4e72d7f632e94111182f35e286a008f54c9
SHA512 c79fe8fe5f5f6493cf30f6283502ecc39d9f49ec49a2792b18de1269d47c88296c4113cc6e4f730a450acb38eda6c4c1e94c82d274a8f9d2b6dabc908d65e3ba

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 c53b8ade2122f3c09b875f6189558089
SHA1 cd2abd6006bd83853a8cb3421ec102615f2192a5
SHA256 9cddbfc05578ac2ab2e666e5427522fd5c9c999e14904a53bdb1f81c89d1b8d9
SHA512 5a7dc5c8f514d0eda0bead5f1d643159ed3e065b1297577f699daa6db947d043a303fd27ee4c5d4cada692d9b1f5b0f680c10fd6e5a64a179667af6afc7cd11b

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 6a2e5c59c0cd0339e40efe04bcf5002d
SHA1 4d92615ce9d14a35571cb92000133e346f262b64
SHA256 ddd2dc76039b73ae7baee8be1e487b43bd45c3e573a26413d658534d960ecfa6
SHA512 2e6dd3267cd6c17138849e43d8c273966ca179a24e834b3e3d60ad520e46cf8e7b3275b9123098cf6bc9f1f847d3d251afc3e85f1f9a4d6cec4324801284e69d

C:\Program Files\7-Zip\Lang\ga.txt.tmp

MD5 da80c96e7415cadafe11eec9f80672c3
SHA1 e23119eb526087b916e59697c2d4b6571f31dc46
SHA256 ccc495ddfa59f503d195e11d50044bfcac87889fe2306c44b90346831cf79139
SHA512 34f55647590f360bc56e9ae82b8248856e0ae3dff37ccb6e3fa91b4f53213689e6dc79f7dd0350eda17cde247614e62bcc09ed73fb4dcc2ab12b6b55be151f85

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 29fc7942700fc589491bb9a067a69667
SHA1 9acfec9ad0eef57c7a28417627ca6e90d90c749a
SHA256 4223de6da42db551de36a0ccea374fc7a8cdd59e70d38bc65c9679bbb4ab91a4
SHA512 cfd64354f00ad86a460dc4d5a0e59756e33796e40965e2b5f17907a5411c58b3a6d22718e95bc1ca04682b3c9d296dcf790d32e9505770323e466bffcd164a9a

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 22479c3227b0749e94d963b0c5a086a7
SHA1 21af98999024d8e08ccc2e4511330e0ff18554af
SHA256 c0e983855f9cd89d3476eac3bd6b32dfda7f419ab13e11ace3b5dbca5d60d837
SHA512 0db5394bd60b1afedc986666f1f24bb4f1f3ce16798741a2b7a4a2596775b839d1a163fd6fd98792c1422cdce17bc1ece9c97cdd1ff6c1ea1d362c086616f332

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 a75bf9f25d371fecf083b87b49a8156a
SHA1 6a1c3422e66072310e3562aecf014081f1c3a16b
SHA256 39ae9b96821d2194afc4962d85f69abe1325729c15f23fbb856e891b0ad3fd5b
SHA512 edb37f225a0251348729e47095fb42dcace0ca6421b59537c6b8228cfbf18e5facf1195fdde183ee2f433d64e7d4b8345dd01e9657ee918bacd8aa9851484735

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 05bbe2f628a9bf0de812608ec82f736e
SHA1 3c87f476459d025cae10b9af0006d670f3acb642
SHA256 29a3da1a97e045f379749d9cef07e909f9d226cdbbbb35a6c791e3f23b12aee9
SHA512 d1cec151e7b0fe2bac91bd5ef0824c376405be21dc40203245f6c2ced7fe3b56a40710eb4157a3d6d530f7d17ae2298e08bd022012d0581c07420c116d0f0351

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 ec876fa4c5406cadabf27971db27067c
SHA1 73a9089e44fce5556d4bd2254568ee5dd23870dd
SHA256 4bd5860bce2ad71e99cf4e01ecaedf9ecbd560f1b11752005338c7739ef62a82
SHA512 718ba4e546d3f2d0ff1b7e9d326def8f9ecd484aac7dbb456bd7c6d5934ce4bb85223dabb7a6fafbd71d5f29ea5aa34cd218fa1eab307c43b0b63fdc1aaee4ba

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 2d09a6d96940f44f859e692392fb8561
SHA1 bac7b001e4499654daa07126347ff9cced403e4b
SHA256 fb3a24bebd15cca0bf700880aa96463646522f09866bc712d551d071d085524e
SHA512 48317e15528f3d659a219ea1522e896db30cde23365ed9baac860aafe441c9a3763cdb1b2113259805fcebede1535f478a7299e8f952cb53d0e6a9078100b8a2

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 6eb0c85bfb63c2e5374d0f47f18c1145
SHA1 7fed3724a594c3d38144fe2157d149b4a08e352e
SHA256 e71f899ede7bf1ed61776a5cb0ba3f0a814764827dda0890a6f6ff480cc061d2
SHA512 e90f439aab5e85068b14b7ece35ad4b9d6c4fcd5b198358b4b65ac874b89cdb85439538b104839a74e2889d05599a3a4e4356d7c03ab79f83eb8738e08557cec

C:\Program Files\7-Zip\Lang\ka.txt.tmp

MD5 c151bf4380424ce58d0b91702be58186
SHA1 f74c31bf95208e251d977f5b9f77a3dd783106b9
SHA256 fd558818b38509a487b938ae004541d31e31274ea8390b086dc1e5d7bf51d45d
SHA512 8cb418ed76c16f9c1fe5c3cba0d8937c606317f6c9d84f1ebbb7e6b4e7019ab2115f18b640f0a9084769031adeb7577da78e38278d8f2bc8a9ebd3701c423e3f

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 5eb9e360293b43274ff5182625b51348
SHA1 ae2ea8543f7d9c0029c01ada27dde4d4fb3dcdf7
SHA256 c158d7d37ac8a79f5344ba211baf5e537aae3eb46587bf95c7591da95ae76ef5
SHA512 9de960619600016515c745d7484059e60a8ccce51cd83cdadb6cc98ec6601b62d8171b0d2fa0cec9157861ba7d523edd959c609c64d127f8e77f865f7bbeb901

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 e11a3fc12db6ab7f4d8510d025dfb35b
SHA1 d21360ece60992f3e17909a8c1d008f943f7dc9d
SHA256 80736e0c9c177a08eda86f837850dad49a66450ebedf864d6e0dc6e036a6001d
SHA512 b5ed7ab5ee5720b60d176db47f5dbb4e8517c3d6d1a0228d7fafa3843052f3280ef97726ccfaf67fd884ab9b10906c0f6174a34a1190d0140c737a3665eba875

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 803575e2cb358d84300d552170d21a47
SHA1 35ca17f5e0bd37116f1612f386a241ca9974952a
SHA256 4cae27b6f746c46193416fefe419c123296152fc9c58d26ac5f1b44b1aa24211
SHA512 71909b0cd1ebce01c093ba381718fbd239db463c239ee0230923ba4f6feccb02c81a1471c99dbb6137a8d61cf9f8a03b81723ffefa9eaa6d6c15f787167495b8

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 cd3ad8048bc4ffd5d8466d482022b5a6
SHA1 f2b8cbfd444c9928239321d1f07cb3727f7af7ab
SHA256 b6e8f34608e715767b5fb1acce03d43f9bfa545523064b2f0235c75a397b7076
SHA512 ddc68ea7d1c2da242f3c6ae267a58ee345e89d6699b3f3db438fc69b61ac080f49c7ebd5d0f5714669c17fa0cd131be145891d5ada7068c6ff10d48943c2385c

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 44c56fd7f6d2ba829622852aa131effc
SHA1 00170007a751f5c4be6436a89dd337b77490d126
SHA256 2d952ece11c3e8cbe17b26aee3b108fceb2e054910867e2dc2a377e089962e18
SHA512 31722c59648958ca16c54e05464feed2ba3abdc3631e1b77cf8b5507612e80a3e7626b8e4d8b436d29ef152a2f8b69b011efe72cc773f4f1adf55e29f0054603

C:\Program Files\7-Zip\Lang\ky.txt.tmp

C:\Program Files\7-Zip\Lang\lij.txt.tmp

C:\Program Files\7-Zip\Lang\lt.txt.tmp

C:\Program Files\7-Zip\Lang\lv.txt.tmp

C:\Program Files\7-Zip\Lang\mk.txt.tmp

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

C:\Program Files\7-Zip\Lang\mr.txt.tmp

C:\Program Files\7-Zip\Lang\ms.txt.tmp

C:\Program Files\7-Zip\Lang\nb.txt.tmp

C:\Program Files\7-Zip\Lang\ne.txt.tmp

C:\Program Files\7-Zip\Lang\nl.txt.tmp

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

C:\Program Files\7-Zip\Lang\pl.txt.tmp

C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp
