Malware Analysis Report

2024-10-24 18:19

Sample ID: 241018-c66z8svfql
Target: 84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN
SHA256: 84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3f
Tags: discovery, ransomware
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: 84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3f

Threat Level: Likely malicious

The file 84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4384) files with added filename extension

Renames multiple (302) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-18 02:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-18 02:42
Reported: 2024-10-18 02:44
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe"

Signatures

Renames multiple (302) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msadox.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\fieldswitch.ax.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\7zG.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitevignette1047.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\circle_glass_Thumbnail.bmp.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\History.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\MSTTSLoc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\System\ado\msado15.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe
PID 2344 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe

"C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe"

C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe

"_Snipping Tool.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-18 02:42

Reported

2024-10-18 02:44

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe"

Signatures

Renames multiple (4384) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\LICENSE.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\management\snmp.acl.template.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.Design.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\AUTHOR.XSL.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.deps.json.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.Vectors.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe

"C:\Users\Admin\AppData\Local\Temp\84f28aa2e4f4469730ddf7c864410a0605c02707b73ecfd2b81a08e09db5ef3fN.exe"

C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe

"_Snipping Tool.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/2028-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Snipping Tool.lnk.exe

MD5 b51c55097d07696a3ff10cd42a58b866
SHA1 429b40208ed6155e1543a5245dab8478713769b8
SHA256 9c6bf76796f00d304a6106f2d2ccadfc311f7c16573be90b3eb5326b238e6fb6
SHA512 e5a2d73ceb2cee04ce0caadaa4cf3b7d7e32f1617414b35de957b58efbf02296ec1d95a71bffd558eb7a9ed3dd3b473af6faecdcab0cee7b2df7281bbc13d190

C:\Windows\SysWOW64\Zombie.exe

MD5 dd136422b166b9cd5d24e5e901d59cfb
SHA1 54b9d373275fdb43516b7ee493f5b77e80bf99c5
SHA256 712cdeaed4d7984ac111013315249a8668d238ea9d82c1180e4a5b8175edf5f4
SHA512 bdfeb1dc15ba224ae9d187baea6a0742a5816c9d5216ff3d402ee5b4843bafe3b6b9c7c55b1e7f4ca4c588b602de42dedd5e10bb19578220dca90990c182fb79
