Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-zkcktssake
Target 51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130
SHA256 51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130

Threat Level: Likely malicious

The file 51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5199) files with added filename extension

Renames multiple (4363) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 20:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 20:46

Reported

2024-10-16 20:48

Platform

win7-20240903-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe"

Signatures

Renames multiple (4363) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Eucla.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\accessibility.properties.exe.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Java\jre7\bin\rmid.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.ComponentModel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-14.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\br.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sr.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIcon.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\Chess\ChessMCE.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedQuanPin.txt.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Toronto.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe
PID 2792 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe
PID 2792 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe
PID 2792 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe C:\Windows\SysWOW64\Zombie.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe C:\Windows\SysWOW64\Zombie.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe C:\Windows\SysWOW64\Zombie.exe
PID 2792 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe

"C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe"

C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe

"_services.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe

MD5 b2d98726ecd9060ca199050b8a2e2e7e
SHA1 4ea096f3291ea3fcb806d0cbd87f685db05b866f
SHA256 591b9c19e547b74f9bb0ac1ccfd2afe8c4f582132ba64e45499bfc1bac89529c
SHA512 6bdfe9fee9fe6714e6aa9939cc848493758552d0d0214201a41b33f72c8976f87b5a3378c970192b1ffaabdec9e06b338ecf2640c51a213f8c825e1dda66836f

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 d1a18a0b74365480a7965e63d7ced13e
SHA1 5eb4fbd8037074f75e6150da87f5bcb5bd28aae2
SHA256 03cee550817884281e69aee7d365401666ebef23331c937822831ee20748a412
SHA512 01c8bb656b1b404a0c9e628c80c2e45714f16c8a126774b9268a30ee91407a5cb1eff34f7912721c14d0d77436ba1bcb0b4d12dcc0c5e0b69b9ed995dc092c4b

\Windows\SysWOW64\Zombie.exe

MD5 3faafa13c8a4e5d0cf81a0aa4ffcda70
SHA1 d98db8fc91a084551880f9dcf20871d5cb0739ae
SHA256 9b7473486213fdc20202e3278470279e08741ec6f20ba9f19567d452686de09d
SHA512 a9aa65fc7c9c8024077e783a34a5ac57d0893c61d254584ca9e2468c0b9a4fb0ec4dda5967f283ca9e419f6b2ee4d6fff0bb4356deb9b56dd305e6d76799bcba

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.exe.tmp

MD5 749b314782f89044aa8152f774af52d1
SHA1 6561d759651fc8065b7e790c35191e3e7e3e4fbe
SHA256 926a91846073bc491c45b045a00c2a22cda9003805ada308fc2f43e77a6ade74
SHA512 2b2c6dc2f1fd8066eb554df960e57923eb98081e3cf632367cb41d3031bc21fd399713f5ddf045728d1a90170bcc11e77100ad5d3d129795d33a7d599379b357

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 5202ef21fe097ddea08d106ae015459b
SHA1 feed34ec45ddb76cf92c39df3d11bd39feb517b7
SHA256 5b4054f4d7830387825351b516392c67cebbb5041e6c654962ae4bfe2312076d
SHA512 14d2bd6ab55074fcd5b212b101ed801d317d9e7af3bbb4c08e2754ad9dabf147e24cc94aa480c5271262a20e813ff45048a7dd85feb7de336c58a0c4a0ee18bf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 44a22e71528bf91458c1d1dd1e03ae10
SHA1 fcb6f41776f16e33a3337972bcb54f47c0a53d1b
SHA256 f7106de6497c0fd37fa50a49bdd3f66c245cda8493b611f5eb83b6f198b46f00
SHA512 e5ac337ebc8d508725ade298b008bc5b8333eb08a16981b5ae4e0f4d23c60ecebbc2109178deaa8abdf25efb04023299fc1e4d72fa27dc89b7e75edcd6b49ae7

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 86a00a6782cf6fd5f825799a07ca1319
SHA1 5b641fc834823bec58e5c61e558bff717719bb49
SHA256 46f3c3d6329f0f305b7c62abd3b18170c9ea8034681dd086466e65f554a5a010
SHA512 e8058bc3d2beb96c8bf18fad077a813f450f2396929ece5630337fa5bba0add25cb4d628591d7044712eb55a2c9e55b8d14d468d51113559aa7f76d4d89c2231

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.tmp

MD5 ca285e3fd9dd5871adda389b7f4cb24f
SHA1 49ee3ed0691996be6533a8275e2f95723dd96b99
SHA256 071a736fe15c7f8f4b2d5b26003528443bb79d2789907af2fd9e8d8387b1a0e9
SHA512 028c23ca388e6d8518990f11665d55f2f791a89383dee0f56f0c78775e1853be5f26b5eb055c68d2824b721e70e080e7648d9c8ff2a2ab45a6e8bce0a36c6e90

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 1b0048346caaba03ab69205c1716cb51
SHA1 f39c1376ddea8d9faa26a012ce9fb847ec111269
SHA256 94af2ee10f5951f01ef0ebe62c5c07cd2e01d12dc5335069dc9cfc2df4664d18
SHA512 16849cc0ae21436d97f44b28495fca7190a85dbc31c1e9f94dd9ad6a6616bbd21d6945a9b38d2514c60d2fe038ba62a79f9868de6e86f2c1d85ececdd13f7ecb

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 24ee5d74362673cd6fd970174567bacb
SHA1 229496a43b7f94bf3d2f316a2d36cfebc5318167
SHA256 7fcc7bf9db75ff7d451821daddda54d7be7604e932de47de9e4dbf5ea5e93369
SHA512 e9bccdb49360d04fb2c4084582be059967787eabc718aa70e328c8d6c3f88fae8dbff4521efdf55af87892ee0ca5547c502d6875ed9c11f4c0eaa794c36abd5d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 650a85c02ba3aa55c5cf146eac8c2f26
SHA1 7b9f5a370c163d1fc249e7a3253cb5563a8936e1
SHA256 0cedb7303bdbde1643e690215a2bbffbf0643b4b416846e870e345e05d288c01
SHA512 1aca4c33ae7b4bc2bb80466d8708266b7184f3f207e26bb1f82c4822dd5c334f084e8b2214021efb8df945fda241a63678bd0a9cee574069549cbd3c734b0e91

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 c62a0ba05bb97061a3919e1f4a595c96
SHA1 a5cb9698b052fc535beab89aa2ef21ed200d8329
SHA256 ea5c9897b6e8f245700ca051c37ffaa0cd983ac9db2549aa3a6b3925fe541654
SHA512 f5a73c2b4afd193e0dc6d1b3207f1b770ebbeb50f64b1778d22c260a10c4cf0c980b2c5bf8a5b8da79633c4dc5e14363db96a780f2ca4166fa98ff5523c3f943

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 c3f1ba0b1279cfa8644014382fb636e7
SHA1 d8687c8eb7c018a0c7fd3a54e55c1fc5ee4077d2
SHA256 824e569b5d14c8287085f44f6df9e3b5c74eb047993d4de9fc31180cd151a904
SHA512 1e3c38a0ceca16e31a0fc212ff3a804484106130422587c28c0fb63e1416a6c723931a90e3a407241f642ead1bf9e619628ea4b8cac2fd0308aafcfb26148725

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 782332afbb55500e43db503bd9616a29
SHA1 7698cc49148911be12a3b22f90787e287054578c
SHA256 c17a6ca007664114e17873137a06847f2199188216c01e60987561e9ee61909f
SHA512 74dae64fb74c0c3f311dbcf66678895c85c0f819946f23e44dc7142129e1d91f2297dfabd0e7cc2431c636d705bf3fd76275fbed06bc903402e923ae217ee530

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.tmp

MD5 8e58c5588f59c145e460c2c0ff54937a
SHA1 6c019a9a9f353ffeafa50b99a173c1dd54dfd663
SHA256 b4f7e84b1444d57ab553ea46b470c195855f30d33ec9f6a0109945c04c9341bd
SHA512 0dd949a79629475ef4535836ea4582a6c70bf701d762e2bcfac2f635dcac9497b45992b0c48feadeca527e0d907e579c201909e0e0aa3d4d52a474eca0b9783f

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 4676286c9abd69389d18335eb369e00f
SHA1 27b7cd9d8b9f51fc02f43f23e397825f6bc97d29
SHA256 0a9169be7d5fb464e02c5753c054301cbbf7b1d195433523512eec8147567f97
SHA512 4023b8abb5c66deffefcdf89afdb43925e329f2c5f7af1a1a68ce9e1d454ec28af8ff69b01177ad475cdbf91f78a8869ababa01309908201a147bbdb7ef56cf4

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 a6d710e233ed19031c3b65cc32b4ec70
SHA1 7c5a2decd43df31c3bf1c73ab2c9bb0a8f01d38a
SHA256 4bf77e3be444e942a8a31d31fdb5b5f7e69a8e276cba08f060d3abbcc8de7ed3
SHA512 c407359549327bfbc90cd209559e1a1e2a8a1d713b94b24f82afad46e2b70ab05a6e817e3e9a94237912f94ababc127e2b454a419257de0b82826782af154a3d

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 33813a7e553faa622fc0b0ff60abab50
SHA1 0efee961d170cb6bf9b707c8f6a03cdc41e1ea3f
SHA256 0084462e1a534998f86fbdf21626bb9d3fb1116adf3bdd215800f59d7486187c
SHA512 4b710e07f7534bbe8e589d48867b37a976103bea32923e2aea2613c9a541b5d2e56f2379fcf1aed10c72f0c365e1eb378843eca4ce15401c9d72a841a53419ea

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 19e3227522c2af98fadd70aad76b8d79
SHA1 71059d50e3e342a432e8c7d35ed2de872b801cbe
SHA256 af3d74c0365438fbec44a5ee46d416aee8100694bae4ef3ea3efedbd26e9d5ec
SHA512 5c6ea8a1fcc5c1e0d6f5bc3883e2f0c4819d2a2b0c8020df954e14d92a08494a07a0b30835f117b1cf3938ccfe57c60677dd20b6babd714923da72e14f71166f

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 c815563340e95eee49f3cd2698edae97
SHA1 ea950ac977dc1b3eae38154c99fe4cd0a67d6f6b
SHA256 8c3d82e599aabce75ea01033a28b0cf58bbe72d153e9b9a383e5df69fb4eb281
SHA512 83037b51205fb7a68dece678291a1cd6acc3941381f31f8bca2d829dffaff4ff6c12a9b83375d5c5d9789ecaa6050a6705f40de6463a4f841d61707ce6ab3608

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 1496b9f869bebbe59997c10cec09c48d
SHA1 71095cdc6a70fd68c969af67e16eb257e8bf5355
SHA256 a042b7795babdfeabe27128cb1ad9a3660d43f361e215c603ba20d21f772d9db
SHA512 c8993bed39559b6ab249784b200cc9e331d736eb4980b2281bf4e5960ba4d5a0762270f4c29c8632491eb4b58c7118958605f94a2c4df05e1669374e2b2e3293

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 ea015fb4e1b835fb69edfa5361f48f3f
SHA1 3425fc31e8d25cf169f20c7e23c5a5a9dd754b59
SHA256 97a6066efd48232694022271bdb7f9c1a1fbb013a0f26381d277ee86fa6c1ecd
SHA512 6704356ffa7a96a28868cae568092068143ac546760b9e3af41cd0c1c70ee03c0c47351cfc1f40c50176ac98d0fc03351948e65805c37398ed8a9d5edac6cef5

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe

MD5 c95e9da98cf186590d41a95b56ac3ac2
SHA1 c71c1e12b799d01ccb590bdc7a0b4f4108536a3c
SHA256 cf1cfe906ba8550f5df3e985830ba795c6574b5e77ecc9734ba10c8b3f2a6c9b
SHA512 721169a961ce5ca5b6743303635cfee7d5e646f32764f4cacd6825abb9cf8ec75f72e6024bb9bef7817a6f0eb062f7658198203c91e3d8d23129bd95293da1b4

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.exe

MD5 954091606c30794a84cf1d084cda6b66
SHA1 960cf01affd814ed7b824d2d9e6790454fd50df3
SHA256 ef9760f18f997e8942bc7994f31c2ccc658a5eb72c022b42645ad6765b0f6c92
SHA512 f83ad90c9d1cd241042fdc34b36bca3fb2eac1182a3e6adf49dee3132d9800c45f651eaccb34eb292491d14ad2c78da7d449d4c610a5888c9218c5bf567c19c0

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 06a13f995736c24fa673b5db7f89f34c
SHA1 817ee06ad1f09ef0d2fc9b77545911aeafff45c8
SHA256 54e2c2d45000859686a77d9c4d1d1000bf151749487bc993bde5313900b5ee0b
SHA512 e38b4a1963d940e95d5a0e73dea2f5750175689887db6f1e30b67809c77e0471ce979843d7113e31cd7ce4d410ab7d23f67196edea74b2ac086e1acea19f8d9a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.tmp

MD5 89dfaab60fec13298d91489dd5fa8751
SHA1 aa3781c6980c865fd2716e4293fc8ad2a8ad47c1
SHA256 c4d8b1ec4eaafffb98e565ccfc1008af0404c63f3598380b525a24ef9f322c13
SHA512 8bfd1c8c23871f0ed9e4893af5d50f9fabf485963df5cf1814cfd28be12d61fd478168fd7050fed19a1602327d9ae7be14c757ebbc61598a8ba9b5806ec80b04

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 ad475c1dd8284582b5d2a9cd14d44c9a
SHA1 a5a01fa9af5a99e5c35f74cfc9b457ab1104c62e
SHA256 7c4303d3c7ef644cab2446812206e0cb48aadd4f57573822b1b573fde63f5560
SHA512 1f8acc9a9b502506eb6ce645a87f4058810d29d9b110d59c2ab26edbb336c6377fd690d64eb4630f97cd4fec24a5af68a8e454a727d7d540e40928328998774d

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.tmp

MD5 a4d7835bece1cce67f94ec5f12ec645e
SHA1 eb8b70cb7b3c84c2211a8e0738d5b3a0ff82c08d
SHA256 2b7cfabaac35c3ae144ef6fd65e68d91386e5b96494e3b3ad60292a6e463b64e
SHA512 67731d921541e7e5b284de39846e50bf7d8321096a58e87295dcda763c04891cf19936debc04f56be95fc34d4c1f2293c0ec3f08072979cb18fd12f9541f6b93

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 d9e0ad4478d8dfe7d3a66faf35c4b2e1
SHA1 16fdd71358ddb04542ecbdf7828258d50a09680f
SHA256 dbc643cfc9c4c538620d5b30addc57035ba6b6f7f19414dea904e2c8da1d47e8
SHA512 c603071267216d8052d236a6019a1d1b8d9eab1dcfea2ea0ad26d8121ca4d21a3173d4f01fe8550880286f84228b977d9a2b8aa7d4cfdc678c1d50f55ada9225

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp

MD5 25526e628ba1c3eb5217a3890586e0a0
SHA1 fab27d11e3274b70f7efcc83fdaf2582a2956434
SHA256 e119ad120185069cc86a75620cc7ac26abfa6ab4ca8a25c101c144ba09c0ff22
SHA512 2e1b37b04e22c092923fe72f56ffef4ca3b380c8be14cfad712647f0ba782a561631357151771afbe39f5cb41dad0a2fcb0b530f1d672774d43fc114eb0a34f2

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.tmp

MD5 5ad528260bdc4e867149c0d525811fd0
SHA1 529e5a03f97dd0879a55ae46a38d0475141f8ea5
SHA256 c3b9a6f4ba13b55a6c8b9a89b58ded8ec2cbfd7505201b659a8ca9056b441366
SHA512 0191f8994ac2c3b0b19ccbe587ae1269953a67f6f8b90a411e209c2bf9ffc2225877e8bbcec58f70c33ab67e8db177a9806c6d34f012a66d299fe8beb76ef40d

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 d97924dd48dd007fa9cc515d54d25bb0
SHA1 b42c7ae7ef6f32cbf4c9890ab0ec3c016ae11391
SHA256 b167743b8e95d456c72b82cf33161890cff049ab5679e8bc0cf93a911f7d993e
SHA512 3fd52cd82dcee5f53c810daeb7c2a13ec179ad6af46f967d0ad8256261244cdc493b2c87b14426bcf8e047c3e611133d4dfdf2aeb7278abd32b283dcbb19b868

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 c868927e3568d02759e225ad76754ae5
SHA1 6e4d8ff33c4b023a829493356fcaaf1b1dfc1725
SHA256 15afb41c451a0e5eb9e7e4746943eb538ae6a8654bec0014e5ba00fcaa44cbb4
SHA512 3b26e2f1997964ab2af3f4b3f8892064d11360232d3636086f43f97a2e27b72c18bb6ae123f9856e5a64f18991fe7ddbb83e750683675c7261e9ff9d726e88be

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 ebfea2b6c8601c0e28108020bbaf33ec
SHA1 72198d0215a0fef3b22597c6941959e050bdafff
SHA256 3bc54e5da1b89b17758b5ffe5bc05efbbac3954c6401f7b8c0b583a88d5fa866
SHA512 5dd80ecc4e9a96785b58d92df63f69cfb816348feea8f64d2638f20d7f6b4e7d65e9a0372cf7bf00cd3f7338c97c0a1bc36d7d046bbc69b43c5004098462579a

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 0701f4fd8c4d844e7bda0a5ee9c72c91
SHA1 7d3ced99107d272efbc7f10270b5578e98adeb7a
SHA256 f9da4cf211c165caf0a692a5267f3853c1375331249343fc33a6f540bbb68b23
SHA512 036ea9d639c0ac0e28ee3b27e2441b147bb892ab70e3e377646527eb70e7e0d43921bffcd30941f00a6c7db32b450cedb9930d34779820fd007f96982c159a8e

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 f35dbfbe76c0b9888e87a150fab3c186
SHA1 5d51f83c7d2c8d17903b44368e822cfec9350d42
SHA256 9daacb0d273bc562fbd4ff809ff4f612b802291506c382e99fdcb9a3370d29d6
SHA512 da8ee35a8dfab0ea20e919ed8ec3edaaa2774a4340f40643caf88c40bde4cd32fb29e4a59f02bc5453948c77bc4aaaa5828f267396d1f1596939773ef7e86a21

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe

MD5 3131726b7198ded55cb176f476544df3
SHA1 dd309f2b1acc58b2f7f63eafc5a3ff113ad6a7f8
SHA256 a0621ed4432a1d4f3f29f118a1974434a6cbe2a7b06a2df71d7a6da0bcd1401b
SHA512 f5bfeeca271790e16d430e29c891db0c7a74b754915f9e043e8636a1e76c6df246097481c2788a23dc8bf5f84b4a2fd0a2049ca5d3f497b4ae3c823b3fd472bf

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 a25fe9d0aeda2609d0c3aa89dec6184a
SHA1 3ec7f1844de428d0e77d37ef1001a63eea86d3ed
SHA256 6a79686ad1c18869781e736450835102311ee23becabde447d440b49e633cf86
SHA512 6c606969511f9a45da79623f8e0db7d9c90c6afa47f290a7498457efe2f15054959c7a04e4b262f900e91724e8789457c968b10415ceaa49ff1eead87cb8022f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 ff36b3438042f799476d57c290e1b7df
SHA1 866b9dd135a2af7ad6216b12d5c217f5eeb1c748
SHA256 e3626751889d0d1786bf0480a390400ccefff3eb0c80ec008f7c3cbc043c735c
SHA512 486dc40f69afbb5537ee71114c6123eb6d1da9030d38f9c7e61a28b2f4587dfc05f7ca80df191edac9f49531765aef9d5c41f47952afd3aa678ab4500fa3feba

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp

MD5 cc9311cc3b6820a80de6a7d5d8ad3459
SHA1 840b9117f29653793633368c76876e5f06c0d126
SHA256 aac97fe31c7ea8c7236377a029594cb274d2e3d8219e88da03b45d448beef450
SHA512 51ef83bf82fb1e3733586b6efd4def92157ac99593c4cd33178ace2981981f223a87e8a5e78c1b3c7d13e5571f97aed43c1b4d1ee9c013ceac0b878412661d07

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.tmp

MD5 82163fe32045f1acb609aeba086b135d
SHA1 566afb617869e7917d35893e866078ba75cb9307
SHA256 537be425fba73c66fb75a2390f88ae5adf4dda58a5b7933a41d43ce18239b1fb
SHA512 c92594c3afc8d5209ab8be39b7a36a8c2878d853a6c1bf1a750a7c14cf9cbbdf9f53c98c48faa74184f3e53fdc126910d8aff45a8eba3611a4002a31dc79df0c

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 d779c98dfcc2f50d16de53a96beb8e2d
SHA1 d19c355cbfc1f741090bbd0ee7e2e788476b3745
SHA256 d18d0e9b7e3c76d579428b91e1e7c07974e83cb6b3132b83e02bc9c61efe201e
SHA512 3d7e7057442133d7d03e1178ea0dc460ff0f3fea46c6f7204f498f01fcef49b305db1f21c37e1c77cb6bc6e82e44315823a5779324c1bd83b31384831c5964a2

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 67303aef3a1bd71801cc951c25803415
SHA1 ea643f607dc212c577c8d8441401f6b5aef12092
SHA256 eb8473bc9226bec3fb4658172b560712c0ac45f46af978d4d27d6b844fc78f7c
SHA512 0731871f3c1ffdc7b9efb042b9d0a307db4af9bf4f3cf2517d1f92fea7b888ed3a90bcad6ebb51ed9da7fbf70c5eeec9ce72b40e0dff2a13f03cad2a9503c7b0

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 6308b9c704357c69372b8c6b88ad959f
SHA1 fcda96c6b26dc6d0fdd9749ef2ca6fff92c69423
SHA256 3183031594905037a3e4cae90a93a7db416c0b4ccdefc50cb1f3784d2e8de29a
SHA512 6fecf219726f09de4b5b5f5df3a755a9cad7134519df9c0c2ee8172ee7014e9f58ebc08bd0624a6cb73833e81c9122737155e5879589fa74a3e12565d49a0e89

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.tmp

MD5 1949e495cb1a69a998809c8d111769cb
SHA1 7b5f960485cafd86a5ffc698fa828cf97ce80a0c
SHA256 c242313818aa639e1f42afc529d90a302faaf8e6d428458c3f08fdd34907b788
SHA512 8f03563ac42bb8d09ce1e3e3e29b33a402b608820d440c81010e8559ef006819d5370b17ed37d03dbfb9162c06a853635d968edb41352620ff62e6574694b7fe

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp

MD5 3924b58d4e63c550e0a9be1bbfc1ca45
SHA1 62dce4d57af4b28ad3ba3d3ac26afcc811b5b885
SHA256 0fe3ee51b92c0dddd5f87b999430872e713b1c9b951c338fa35d45038c3a6977
SHA512 748fd1c8de4a822dc256d93b2616683ecefd7e5352c11cbb89fcf894ebcf8cd5bce3a11475959b91070ac37abd801c48fad5a9491294ac00b2a7ae52b364f8c4

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 c2ef2beec6318eb74082ec3f404b5657
SHA1 5aea27cbe14307bbcdeae344887cb61125a39ba7
SHA256 0e389b389047ce6a3ea15d227ffa62f8e3225363a594769c22d42816f2276945
SHA512 edbe4da2613acb4d330f68cff2f49fa7e1f1d024404b8190573fb0d1a14a02519beeefe71fd06186f1e1928010e8cb502e28f0dde1b386f576cf5e943a451a1d

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.tmp

MD5 a51cffad61795fc1a5048b1589734414
SHA1 588909d7f002d0a300e2d15850c0d4cebeaf9aca
SHA256 9c5af131684238bc14e4e853a2dddb08d1ad70ad07dfbdaa07425502f9d2e0f6
SHA512 c8fe4f0d125f221abaa2d44997e6dd2350036bc8a0d1a0363b3d3dc9c3300484bcf0f51347e27043966fc86e972058244d8aab26ea5ed5a47550411abe215b7c

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.tmp

MD5 73b34b9f8eef375204b6627cbae6ca19
SHA1 e20c98abcc961d02ab1e7e64ced159474ba291cf
SHA256 a8a2ba99b3524e834186333c397609550a494ac07864ab6e96a48fbb67f74b0c
SHA512 91d5878a2036bfa16511072876e0d0798c95385bb629f3984f6aa67913c0d83a317db7ea08edcbc91ea3dc5468620123fff7f1739b59a9b594179c6857c93806

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp

MD5 db2a85973a681b7d3ba64d91d9ede7b7
SHA1 e9b35d627b00676da68d9bcd63d6a092d12ddfed
SHA256 5dd1a2ccbba711fb989214251d2eaa10f5f1a1eabecf4ae890c23e934e218e40
SHA512 7112ac721dfacaf9def225a13b815c186abfa6c133bb40250f61c15a662c4b1c1dd8c91a3d720eda4e2b1e1246e72473b388024ab2e428a52477d01eb3473431

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.tmp

MD5 2778dc7e37f40cfe67f1551e261e49bc
SHA1 67a38bb3374a552fa81d903d6715d2402b75894d
SHA256 b0cde219b412f62361a4249d428b884180461d14c326d04d2e1bfcfc6099e88b
SHA512 03ea1554deb3a424f61f5e47a4ff6b4256eabde247701c84f7d01bcc0022827161c3da66563f85d77f8164d49b11cac1401f130544ce52c85c5e6db93b54dd2b

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png.tmp

MD5 c2c070cd6adf4e417aa63c6c05386df5
SHA1 0057e4cf265c4ed808f1bb5a652c50bacbb36ad4
SHA256 02851ee8c5c4432eeed98b05ea81cc635c326809bad3fa36e76a56f22fe44334
SHA512 6b8cf5a5a3f846c69b0c6928c95cc939c56c4fe350fa5a8ad199e2ea2284bbc4db1b63e8ff10e49ac9ff71ff5b1e11440e1280b9b629fe68d287a2705a6b5c06

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 20:46

Reported

2024-10-16 20:48

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe"

Signatures

Renames multiple (5199) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Input.Manipulations.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\cldrdata.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png.exe.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClient.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationCore.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\CompareUnblock.mpeg3.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Security.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsFormsIntegration.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Gallery.thmx.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\co.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.FileVersionInfo.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe

"C:\Users\Admin\AppData\Local\Temp\51af165d9a2265f7e4847f6063c4528950a63f6dcb9d22192802c0cca132c130.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe

"_services.lnk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Zombie.exe

MD5 3faafa13c8a4e5d0cf81a0aa4ffcda70
SHA1 d98db8fc91a084551880f9dcf20871d5cb0739ae
SHA256 9b7473486213fdc20202e3278470279e08741ec6f20ba9f19567d452686de09d
SHA512 a9aa65fc7c9c8024077e783a34a5ac57d0893c61d254584ca9e2468c0b9a4fb0ec4dda5967f283ca9e419f6b2ee4d6fff0bb4356deb9b56dd305e6d76799bcba

C:\Users\Admin\AppData\Local\Temp\_services.lnk.exe

MD5 b2d98726ecd9060ca199050b8a2e2e7e
SHA1 4ea096f3291ea3fcb806d0cbd87f685db05b866f
SHA256 591b9c19e547b74f9bb0ac1ccfd2afe8c4f582132ba64e45499bfc1bac89529c
SHA512 6bdfe9fee9fe6714e6aa9939cc848493758552d0d0214201a41b33f72c8976f87b5a3378c970192b1ffaabdec9e06b338ecf2640c51a213f8c825e1dda66836f

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 8b3912cfdda2c8b470698cf6ae60defd
SHA1 9a72a1410864d8c7f3e4802b802b9996d16c96cc
SHA256 c7a7f4674d11212a7b5fb03732e6c6804403f0954e66d06e044d654508216fc3
SHA512 87dfbcf7fb8d9f6f3b760f8a5c0f5e2363163954a9060f3166444e24754251ae7166f15b341ea7f60352cc00e9e4522869c86c2945f14aa22eb36b25cc883673

C:\Program Files\7-Zip\7-zip.chm.exe

MD5 acfa603ecd1aeec5b4eca83035979e64
SHA1 64d7edfa87990677581410714a3742a5f5ac2fc1
SHA256 29ccca55e474b813c3a792c7d9e2164cd4b3ae9f5795a9119bd2964877e0009f
SHA512 af40c394170cdc56029cc6e300988a6f9785d354c25c3c5d951296dc74bedeadb85e0b2c4e5e70fe4b0dfbe1ac6b7525c4c5e5108e06a0296bc53b06e1c63c6f

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 f355068b65645b4c519bb824af87fc90
SHA1 c4dc48eea99a75fade7e09a124566afae16d6ea5
SHA256 4aba6a38a397fb01f8b6e5370c59d8995ccb845180090d1ee4a1af7417d9938c
SHA512 6c0fb570de9cbbcf3ff4c50c71f2cf617d0fb93d2f3bc0d4025875f8c6271e1de9acd3fd0154972f07ad0b0d2a39b52d7bd552920899661d44eba7d4065b9375

C:\Program Files\7-Zip\7z.dll.tmp

MD5 fb9183556400504034cb78ad03884487
SHA1 dd5a6187fb9cb3feeb94437c06ff86e8d78de047
SHA256 261d83d2dab47977f854e256079b009eea19252eaca773bf9990a88d059a1318
SHA512 efb5e1c740897e2bd20e8d37861de8123cc6ea18520e833d5a9891fb2f1ecd404f29e8aa01e1ac327eac7719ef1b57ac4a74c6463db3ecb1bbf804df7d3f3212

C:\Program Files\7-Zip\7z.exe

MD5 69e73f5605013b9226e98a609ae7e347
SHA1 da0450768df1aaaff9a2ce6c1fad3d04b1243add
SHA256 445994d57af6a5e8dd3cdeeee658200ae6aa4c1b3b681fa3fe0ff0178b03664a
SHA512 dd03c27108e0ac1e7ca3c8e42ac3a13338d6ba463e5b5f387fbe23d50cde892154773a9f720e4bb4b3e8266d3b22cf2626657715a8d13fccecfdb367e1da9daf

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 31e31924ee77f9d91da2bbbe7ce30260
SHA1 cef10e99bff660c9880b210eaeab4642940bc831
SHA256 bd58a1ae6a4d7d7938dc7a64336e76d30f3499bd47de5f7827b3416dcd1c4f63
SHA512 01b7b1f463a483c20ca0f43d4a85ca99042f2c606d33db7285b52a25ec5e5abdd76308e9d86132a37f79039a48f14603e4ecfcfd002f181228987be45bb3ac78

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 18379daa53558947865dab5e816cbafd
SHA1 834d96f19c3e20434b52ff88b5f26987da22af9a
SHA256 157bde22021a0a2297c1fa5246ca7d1d5f3266ac343835eb97950d14bced8e36
SHA512 02802e60d7546a11d6f0af2c1cae269d4a288ce7fb622960981dd27107a84ce1171d82dc33e3303229e1f0db489246e46619144aebd036329bc1b8137c4128d8

C:\Program Files\7-Zip\descript.ion.tmp

MD5 a162a94d2669a3888cfc11d61ebf58a7
SHA1 e93e301a789d767677899e5b45d959ae069d006c
SHA256 0d4af73641c627cdeecd44ffdd43bebd3d93f8a09f9d45b39e7caee01ee798e5
SHA512 3a44673e5e3eb06d0b086ec271998e74539075a78cfab90236106d7763871886e74bd15608acbbc9b9b4de1b9b8c98819446e29671813ea422d0bb958c625297

C:\Program Files\7-Zip\History.txt.tmp

MD5 e1f344266f0f1011365a07c929d7bd82
SHA1 191405bc3abd477b9a9502869db36b6d83aa4da3
SHA256 9c7114519afbe647323718f692ef8f4c79df175d445b6e10e2173bdc6099c7f0
SHA512 495d714969ec202de0d54cd50bd971295c77a268e66cc90fade2d8dab97f1197e5024102e9ae82abcbdd4b961c259871defc8ab859132e82b3da2a0be4a8d399

C:\Program Files\7-Zip\Lang\af.txt.tmp

MD5 569e37c45b91eb0f709ba722af111da3
SHA1 8d6694f8791629552ebd4028af60467c08663a94
SHA256 13775ebb0781416802e247d4ecc2e779d60441daf1049ced576afaab185daa52
SHA512 05eeac3b339ef9e3b31ddc9d333a3cfe23641653daefbae0e71a81dd8855e3fe15c2c6120ae5b40d14c4686529bad81bb5e96c190720f7035036129927eff844

C:\Program Files\7-Zip\Lang\an.txt.tmp

MD5 75fc627d33d6d4f1f54cd31827757622
SHA1 576596d103c7ff6e4887cceb4f3c3e6610f71a63
SHA256 4eab87ed76372b2e069bdeb54e4ea57c374b07b96c4c68ac7688327111456008
SHA512 ea910c77e7b92757e6b99ffe98c3e6f4c68823087d2f56bca0b82924259d28f4aa1f9895f0ba3d064d48ef5273bc4970c349adae432feb0219400467b3a7b76f

C:\Program Files\7-Zip\Lang\be.txt.tmp

MD5 307c7966e69764c8fa689625f0fc1b03
SHA1 11c5c932d8ceb28e4ad6d9a0ea536dd89710956a
SHA256 f39034415c6d5567e8c493ecd2e99a360048de87930c95ec2a063265d4c948aa
SHA512 817accc76bb1c78b144cbf906dd1ca270d4888fc8ae0a16c0000ad7601f011a7deb30bdcf93015c01535022c373d328a7eb5753f7e63ab9bee955f8ae824aff0

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 93fe36523c72b499ff6591e328807b8b
SHA1 536104293cd6deb65c40e19884f7356cc730d8e8
SHA256 10f55781ca433af2fe894b07519693773133068bc89323d09cb39d42acd6e17f
SHA512 a35598b0d2f8ff6b3b1740031b727abd95ab35d00143db2e5f3d3428863bd316a5f46d00cbbb3489ccf289772b6dc274641b9601fe0f19eacf2cadbdfb09c431

C:\Program Files\7-Zip\Lang\bn.txt.tmp

MD5 457a270089ac02d91826f8910f2c2ba7
SHA1 631f96992336bc4c388050073e455b1cdbca8a30
SHA256 3be2806325e6bfc80c19ba5c2a4efaabfae3f4889953b4d48710b20e9d2c247e
SHA512 46f378af643eb9214f1e1e66c569ba99e52db07d38cd28710e122a06a372ed1804052df7ade7ca02d64e43b7d9d8abd6944cc02632f6a8a1618bf6c7d1d758e5

C:\Program Files\7-Zip\Lang\br.txt.tmp

MD5 02f1a504d53026e1a1be120cb87c2e11
SHA1 d08a458af6ca87cfb1b4bf22d497a89e2953b21c
SHA256 a094b8e72811b3954722a664e821c912e741d07834c0d6bc066bbca9aa2dc8b1
SHA512 4f74e836ffb962fcc254281837e42624e9806ce61db025274ba6c802dfeef9c04b513f9f51871d29a2412f296977c9e11caaca9166c253ff45244e7eed966f80

C:\Program Files\7-Zip\Lang\co.txt.tmp

MD5 a6c5d4bff7cb9d458a7d9a1e1c30b7ed
SHA1 4e51921ad554b94fcdf4512c28829008cf1d5398
SHA256 1c89db7c461506bfd57a47aa71474ec1e7c8846d593213154dd59cccfce2e3c5
SHA512 14cda1ef1a0decf2f6f5c62e68a061597d951b8f47a2b0b0746922edb1cbd853d074706409e511ba9c9f9ef8802b239c1009d504900b51e4cd66422abb324e7b

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 9498f3f3f691b756877bf350e86851c3
SHA1 cc152ac8298ebc186a22ed75b89a020b2ede39f0
SHA256 06cf3fdf2f1d652062bb177e42d5fb382d1006dd7a3eb2e2bdd34e345b321fc7
SHA512 7e1164fbfd745153b1a7df15e9dcdb0607f11f7f8cd17f692ed61ac8100ffd8adebf1e81fc95e5485143314c0a8f7273bc257d6ec713231385cbdc64f4f2b749

C:\Program Files\7-Zip\Lang\da.txt.tmp

MD5 ef7f7740e2d0ad3d8da45601fa142fd8
SHA1 ef870f87b57ca746ac46cf69d5092c1df48c7c57
SHA256 9dcd44fb7025fcd76988f7d86420dd10923fa6dcb5aa79c6a28dfd742bf71fe9
SHA512 f24109a58d19653d83a94f56389216c96e6e14ba9b5c2ebd67d345cfac80685edff09f396d686700955c49463ee547039d06f8516a16e8501934bbc2577b7e98

C:\Program Files\7-Zip\Lang\el.txt.tmp

MD5 7ad1d963769fb2635cc7f8ce991d9c51
SHA1 2b2d9a12d60dd132bd3f98d7b56909147a3934c6
SHA256 c02b751725e8d727b853e94e08a9393465aa034eecb966fa4f88b81a8d9afbbc
SHA512 369009e995ab2bdf8a88d45c815dd2a6fed8dfb2f945fa3d7748fb3c7db272b604f4aaead98c05bdf8909a9c02b38f745470a27ed35fd71b2a73ce4a817f283c

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 723439b9e79a8b6b5ca90599cd221df2
SHA1 f1c05d842605be75d362ff864939fcdd581229a5
SHA256 af545abd512a98d0ef84e3ce1fd4da4e48c9700df5c67d811e898b3fafbe0384
SHA512 ac9ce330941dfd7fe46b060cc96320ea221b2d9cbd1c7ffdb64cec9dd106c80fd4f00055f1403660de0d249c6ce22e50e8ae133c5bf85137867bb43686041a88

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 9b08a39704f397324ef2024acc1c69dd
SHA1 1f82944d8b9afdded902a12c78fcb74e4ffce5d3
SHA256 ee8e7d780a93fef5b951fa20acfa5351fcdd7b32af428d96b1d839412309d48f
SHA512 4cf4c05ebbd8c303c355b031b22bd731416f240d7392d85797ae097ed09fead4a902594e181af33c65abdfc8f5e0fa769af194cf0f2d5cf91d9a93c8724ee804

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 3ee1c1a511af64a3c0fa56cef7112ba7
SHA1 285e7ab3fe05f79a33da8a61bc9f10c26a540f71
SHA256 434969c3a85379e19380740f722593e9d6122f4692f3d5ba8ac1a30fd4760608
SHA512 0527bb5750917f84c2005e8a68c30c9f5b52f845f9e115a6718ed7d65db6db3409f3ff4d25eeb4a5e107897bd6e511eda41bcd6864b554b5f71f5eed17352e72

C:\Program Files\7-Zip\Lang\fa.txt.tmp

MD5 241a56696508915fa69f8e605561c39f
SHA1 87d0736b4438dff79450f8f45c996939121a231f
SHA256 c17ec15d957bb27cd39f13922a655568de8dd5d21446e63db4258fe32e69a519
SHA512 04e7b1f2fef532857e382ece6c63bffd4e2997020c6dedac825e80ee9276e18bda5c99bbee877b27d6921fb8e53ce72c0233a8675217137bec6bd476bca907e3

C:\Program Files\7-Zip\Lang\fy.txt.tmp

MD5 9ad6d930b99f2daffb1356e297692f62
SHA1 eb8e0007fca020798d85ba21b331c1bd626692d2
SHA256 ee253a2070b5ce610f21e0ba0f76b4fc8d4f3c4a69e9c3308db544f7e7c4219f
SHA512 1c23c14242c8382e79bfc4107f273534afb91c4d92375875756b9a845e245b38e4b05119015e815e694a3ade78abe1fd25247713c1d7c4a7e60d431319e5a95a

C:\Program Files\7-Zip\Lang\ga.txt.tmp

MD5 8b77730ec2e4df52b53bedd2a40908ee
SHA1 4740a62c9e418db445f14bc85aaed8c1ea805c77
SHA256 7dcf4f42ffd1e87f263d164a24c8e4236ad84a2527db46667f06906e1f6bfd9c
SHA512 76ef6d11db7d16aa4028553444fc66e083c2ef39c221c7f96f21468938f3bc813fc6aa6c74e27eae16516d966d0ae43af9a4f79cd71be0457153dfa831735656

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 cf40cbc7706830e2408a253a3775859c
SHA1 255962b06ba53fca66ff6a65b49b836594c3dc2f
SHA256 7e3bc3902464f259a4b1da59cdbd828c84ee337028074a56a821ae7f15f73179
SHA512 a61cf16f8d4ddea3f654e7f3e1dfbc2094e717c8c4e41607891d3a57708168267f0092421255837425ca4143507904fba3adf15a2926e51b1bea31d78b2d63a8

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 6911f308a7a8b3153b61cef0b47d9ce0
SHA1 fd8f1094efbcd736738a0355b4e123b8701a54dd
SHA256 a57bc46f87221c8c886279eca1f0748a2a76b2861f8b42fef250eb0ce60861d7
SHA512 56b28751226322c3b2eca8166fa4db068a7091d96e2655e69bd894f38ccf615df8e935584c784795ee6f1747eeac82c2fa1ee77eb6f5df305ce0e5bf80a6bf78

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 06226ac985035c41d9b827d62aab11d1
SHA1 3da3ea384c2ea68461471dce47a35dde0d1eff1b
SHA256 3e84fc6cc199d298c598357a76209aefcfff2bf638f2f08d0aed173cf6d384c4
SHA512 24e268058b3878ee66e4707034b427690cebbd620195ac9c2a3458b6337df045e00eeda52ca312ff07f87270415f8de4d510310f6b80aba23be5144f115b2ea3

C:\Program Files\7-Zip\Lang\hu.txt.tmp

MD5 a6058eaf528ffc25bd522b6615ed7166
SHA1 12dd9a8220fb0ef782831500c3de4b960f26d9a3
SHA256 74f55c5da4502d6d4140bcf65ffec242259ece026bf89d6cb31b2a3438269dca
SHA512 4fd1381d1f0fc7c46a5fe22f9ff36157e4a1a696b8233ea57d0f833a4efd8b7f318ca6813940809112880b62cc24453983c30f7576d57f26f68dede8a9a745e0

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 ff566e8034c60e25814c46f47523eb77
SHA1 d76397f556870a3b9e894b048aed2c5d0c93fced
SHA256 caddaedada272085544390109460508cff3394930a41a43ef1e2fec4f771b6e0
SHA512 71ae73ebc2013627b0ad7c2feecb6da18216608daabb104a08bda75969ba6fe6a84207aa8072a6a0bab7fac94ba5a9793b64e1ccfcfbd9119de14e464652b9d9

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 a00cfd00bc2982b62cbd72a60f753c09
SHA1 a7c3ef2aa5fd5520d29eb068da626e8278a74560
SHA256 06af2312e1cdecb8a396e294d487fe1525ab59fd1ceb383cf6d869c82c83b6e6
SHA512 6a972b7cab35c5e8e3669ab3cb6ccaa59ad7674fbc8084cda460699b0cf6d66149b76bf4efd14bb1e6dded57b2d3db32ef33234ba59266a2d86fb7169cb1e417

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 9b6433bdbde6da7ab195b55f7a1db420
SHA1 9943842785911d60498e3ad8d0b771cb7bce9c9d
SHA256 71e1cdc05bd352cc9dfeda1279fcd202b05b29027d707430f6e8764ecce763e6
SHA512 098d0b43f2a5b4bb36d0f153d5516a39f8c79ad1b9015848ad4f0492f3e62bbf61fd75fdffa8bb4dc398fbb87c23c106d4111fb2da51177ca6d7c77a432caa86

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 11ec6a49d2c85efbdc66c15300553b57
SHA1 95ed5260a9907764f434f67719272b7edb65a830
SHA256 c8f8f3ac73446f3f6157cfa0a12d8c0506ea4b5b510e945632a56c0d662642cb
SHA512 f2d295d624235e1a056ff57085fdd3c90f756b6238eef054a94cbdfc4e4ce444b0347b8e5847f8bc2717c3ea93efc72164c8aaac9f4740cead0fb64f5516921c

C:\Program Files\7-Zip\Lang\ka.txt.tmp

MD5 2a6d5c8b3752b8c666e77cdfa0339940
SHA1 0e39f0050a95c70373b3cef9e6730d4fefd9b44f
SHA256 f731e4132fe15c8bd7cda2567291ad865a60bdbecb72c8593db7258dfbfa79a7
SHA512 46fd60918a5570bf9af1f51457bf1094fa0eba99601fdb6a873ee909105b6153ee4ee8f746f67fbec389fced45d8f64a59229397d63f2367325734420f9a4004

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 ad475c1dd8284582b5d2a9cd14d44c9a
SHA1 a5a01fa9af5a99e5c35f74cfc9b457ab1104c62e
SHA256 7c4303d3c7ef644cab2446812206e0cb48aadd4f57573822b1b573fde63f5560
SHA512 1f8acc9a9b502506eb6ce645a87f4058810d29d9b110d59c2ab26edbb336c6377fd690d64eb4630f97cd4fec24a5af68a8e454a727d7d540e40928328998774d

C:\Program Files\7-Zip\Lang\ku.txt.tmp

MD5 41151167cf3a4bb9cee5fc4146d7c9d4
SHA1 a55364e78bfe4994d26131644df57821b2f9fa6b
SHA256 6594f380d08b4f80d55eb240e845b112421f512fe61ba5a10fd6c134f8dcab12
SHA512 a9daf91428b0bb2ad7afecd8eadd25d0ab752fa05e1322a05d7af49938dfe037b51362e3e793f656daf033b31d9c322b448ed334d53bd742ad46124cbd419cda

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 a27d6e3e746f8a4e904a82f9e32b555e
SHA1 b1802fb29910ee1e29a048e3f1fdc1bda07896c7
SHA256 122339195d473216e6675cf1343197d3fa2776394a65b8368228a32d2d58a8bb
SHA512 4815c8598411ada49d7b27e0782afffc3d82c6ae76a1ca8ec77aa59a39f5a55f45d822c560305eedd582f9cc30de9f873073c9358c5fbca7780e66b5ea6cfda2

C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 c9f5269f0d6ddf3cad729b0bde1e5937
SHA1 5770dceff6daadc5b9ff00b0403d739fb2911364
SHA256 c580aeb2a686b6b7b404d00e70eff8d0578083d50c5e8c10241919fdb202ec8f
SHA512 e59d8ae3aa4697f34be04d2145d2bdfe95175444fbd6ed50ba96e59e29a71faeb49d20928c60319786a42fee395b8efdbea2341817a6456e8b54a28df0576021

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 6b4ef636d9f5efbadb59d8cca47020a5
SHA1 a777f838136d95b514b401749764a84890a85fad
SHA256 d9194ee5054537088d3817a512cc137eea75b88db71169937946b976f156d0b9
SHA512 0d8f4798ae742c43d02a7194f5b1833b06d0919e1c28d46a30a494d957726beb2ed52ea84dcb0d5055dd9a7a8ae5274f7fc30e18848ffa3548f333111ea9a5b0

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 93da90c35634efa7f7f8c66aaa72c828
SHA1 053220e02d274ba375d1c83043c5dc6fc1f091c6
SHA256 9bbeb274983ed41c8fccb9671a68e5336ec436fd36922db31a62b0a4b31beddf
SHA512 9256e31ee42eb13b0e3c7d44be60c1b1dae4fedcc44ff06a4042b65ed79543ceab3c61377b8a32a7e77ebb1028e4e8ddaccfc8ae4be446884a322a3a3c9dac19

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 56340523159632973e0c6ae3e1bdcfe1
SHA1 ba079a8ab90b3993bd0e18bf73b8c0d609c4b68b
SHA256 4c7f7e2361fb1643efbf8f09b0e5640e66a94d96148d35983539dcc640ea8b8c
SHA512 f0adc0ea18713466b3907b0c604ab427cc95488c401bd5a43a88b35fe8f565200ee1541f82a56ac65cb8d6ddc3c80d7dc8846781e30e37258d8f6a89c84847c4

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 bd9cf1d0014f3cbc36bebda87948cb05
SHA1 8d04a8ab87463a7fa7c354f6a7c3b17a1037765a
SHA256 0e30399a3eafbc7700cc03dc42636415481edda0e3f6b3765cd0224fa159e37e
SHA512 ac1ab9ef0c4d5543f306128ed8501eb2ec07871b09075f2acc56ce2ca861f8cc46266f917ab87eb3400129e8bea6f68528c1e45b693a9510df5eb64bb935d46e

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 8a6e845a85114914a1707800416b9638
SHA1 da638dafca552fa9723947e650866b440208d6b4
SHA256 479a3822e7162628bf443a52d858832681d311880e76a0fff93b6bfdb71b8200
SHA512 06927ecc057123a5e81964dd9180189f13d1cbd10152848dcb2a2402bd3073c405b5c81e9369bc4db9cbc519b591c8c297bdfc2145f7cc6a24cbcb88d1075605

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 011d018b18e1290a63a5775dce1e1cec
SHA1 f7c0a6810a616fb26cf482dad3365af563d60bcb
SHA256 781530811315e5b85a7d40931844bdc98d87c57f0757f9bf53800a2ef39f305e
SHA512 f3246752eaded495becf0c93a05554fab9f4ae6c3cfc18000bff268e1fe3f9ca3db423114d3dc2079a4e9448d1890b207320592e426bd460bed0a285fda30ae4

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 47a5e3018722e8f950b9c5e587f55ee5
SHA1 9d8d726ea7e4fe996f9060233d77492f18a296ff
SHA256 f6f375e4c00ba3c6a7794b5e410c57967e19eaf423474110f0af1178cd7bf562
SHA512 b5fd3c6ead55e6c75f18549473566d957d45a6dc2b97e7f0792ed2e0965e0f937f593e398187b1e0b96fa0bb6fddce63598a46e3f8ad169c85de4c1c0a704ef4

C:\Program Files\7-Zip\Lang\pt.txt.tmp

MD5 0ef73a9fcfa08e958751ecae48311015
SHA1 79d106c582f06f9304f853df345312576adc6396
SHA256 88a8025661a112533c50f59f27c120b7d7f4b576571c72cbb7790526dff3f5b3
SHA512 154c5efc51c5f1f3d6f197accba949a50f65c46036e9ef08235a47712cb854a6e8eb3f2d999669baa25792b940c3ba883e14d435b45b06269ca7bb2b97879053

C:\Program Files\7-Zip\Lang\ps.txt.tmp

MD5 bb21c5fdf181298f1523fd6c22679428
SHA1 0e8d5267b8b034a0f517c2b7e9cf9ca918618d1e
SHA256 2d9f012179d7dccdd81c457921b0e1a25a62ca42bd88ad5b4445adb399fa0609
SHA512 24a521a266f5369010eab94f85ec689ac9cbcf7b3d5c6ac2584fbf0468e0c6ed17804313efcb3b683183fdb7e93a4ff8d38df35cbf2265f137ea3a51c214af46

C:\Program Files\7-Zip\Lang\ru.txt.tmp

MD5 231fddf02e10dd91188d7d21db5428f4
SHA1 fa7d06b0e47ce910c59fa2d27dbd6930ba4de8e1
SHA256 cbbd5435fc039f53dd975b5f8812f9f1d168240f0e4a4481412c3e7e3e848dfe
SHA512 1b89e0a9e61c52cbcf7b45245c77696472ff0a0c577fa80bdd31fdfb7123025ed4eef788a985c3976c24dc693cdb120807ee4db2a55404932a24ba3d16b8066d

C:\Program Files\7-Zip\Lang\sl.txt.tmp

MD5 86785934a97105b28268ac9e7aaedc77
SHA1 5c47b22971a2ac63187670b84aa660dd3a747949
SHA256 a0ce6b1430b55975bacbc15f33d3a125a98e573d2917da8a9485d87e7740a8a9
SHA512 00baeef0648a5778f80f9f08977ab36606fcba566cd5b8601a18716811faa8a4f942386beddf0e832890980aa3c64b1414295d703400a6aacdb6000e1cca42a7

C:\Program Files\7-Zip\Lang\sv.txt.tmp

MD5 46b5257d2a0b3cd8876c93275cefa224
SHA1 c6e7a7d29b8a473a3e15b58a68e567f92892e639
SHA256 51222481e75fe6663e88ce72ddb791c364263e05e3aef70921ea29f64c75cb21
SHA512 6e3d8e5796ea05d72197c097db247cad4d6281ad927bbd62a75a99ef01290cef6e2dd0291c06530f9f8d61ada9b70d9b5ea6ebcb65486092620f51b7714ae241

C:\Program Files\7-Zip\Lang\sw.txt.tmp

MD5 a999548298a2f7d5f72e92ff58e75d43
SHA1 9fb2d01df061e761164a6f0421c1d3e836b38e4e
SHA256 036f6d62f87673a3b9216d7298095fb30407cd33a912a58e3fec75ef53b2e28e
SHA512 a7cdb48eaebbd924008c72b4a750b48f5867e863872efdac41a5d92c13192254436cca0d35e06546692684b877af3abfa5b75122c073d7a4fbd744eee303c3b6

C:\Program Files\7-Zip\Lang\ta.txt.tmp

MD5 df77dd987386cd111a658c2eb04a630a
SHA1 e91c4271ba3dd3a434e8764c1813b2cd77fb9e5a
SHA256 7e5719eb9259889cf9c9715986fd0d5c819a5c9fe7d086d23a20f356488186ee
SHA512 2eacedbde57a5ac101191c1ddd29101915cc5d8e5256d74ad4aa11c44fd82c770e8629861cb113c2f37122e12c35b7f69c75d9afe87e25dc5b131c57d421217b

C:\Program Files\7-Zip\Lang\tk.txt.tmp

MD5 37669c9baf9aac93b359f5a0559f8911
SHA1 1efae8a8215a162eba4e06016de109e860101ecc
SHA256 abd5568eb93ebfd757a1d409279f700ec7cd40b57031dd297f8017b0df3a3cf1
SHA512 e60f2cda2b264a8cc4aebe0d836c59ab94af7c7e04c4336bfe5bcbdecc5e0d2694f0061633e181c8370a26929ca7f80e653ace7e9fd672046cbeff502c7dcbd9

C:\Program Files\7-Zip\Lang\tr.txt.tmp

MD5 5e16c02a4c3bed0ad0af0e1e44fb3556
SHA1 15d1b34a03b08d456abe6fe12c6a8b11cc915827
SHA256 7ccee34a3d32161a1a9361a15f4238c18cae4c387a2ecebd33c46a7068c73049
SHA512 960e83712bacbb1d8691e3a26f884b01d338b897b13ddbf39b393ae6a9b7f1ceb164bd29a3c0bad238da1362ad96f956ee39710b1d33066377ca580db0ae2552

C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp

MD5 53e740cb375d41d007069be97c22c472
SHA1 1c8b974065d0f0cd9128340290b6884326b159b3
SHA256 3996569a639db26deca73d476d5d0b743cf0c2579d182d18eaf16998def95a41
SHA512 ce73821e43836059dd602e4d604a6c3c9184e1916fca6a7782f7aa4f441f6aeb65fce60995e47d4682d4687b8c47d9fb8f0d597bb636c7970909c6f89600abcf