Malware Analysis Report

2025-01-22 20:14

Sample ID 241019-ycfrvavanh
Target 6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N
SHA256 6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894

Threat Level: Likely malicious

The file 6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4368) files with added filename extension

Renames multiple (4221) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-19 19:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 19:38

Reported

2024-10-19 19:40

Platform

win7-20240708-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe"

Signatures

Renames multiple (4221) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\LICENSE.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\bin\orbd.exe.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdfmap.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IO.Log.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\desktop.ini.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Inuvik.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\CST6CDT.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac.exe.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe
PID 2468 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe
PID 2468 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe
PID 2468 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe
PID 2468 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe C:\Windows\SysWOW64\Zombie.exe
PID 2468 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe C:\Windows\SysWOW64\Zombie.exe
PID 2468 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe C:\Windows\SysWOW64\Zombie.exe
PID 2468 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe C:\Windows\SysWOW64\Zombie.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe

"C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe"

C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe

"_Firefox.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe

MD5 ed890e3aabd06c5102c3816c0f8c2009
SHA1 8bdd1a6a367d4802966bf0fa5c7e650811d45bf5
SHA256 8205c3a402ec6e57f52b265cddc7319200b3897056b6b3c851b8e0ccb6578113
SHA512 435827e875a77300acbbe98390cddf7204ac5b2eaca05a12f5c2bd85bdf960ec6294148c48854d3522cca06f401520ad1e63ae0fe4e309194c2112c3fb289ae3

C:\Windows\SysWOW64\Zombie.exe

MD5 8fa409f56eba1300760b5dde17b73486
SHA1 8e9a005583e82fceecf63e3c50a3f10d588fff2b
SHA256 72f47860c773408192a18eb82f2fc0befcbd5e07974c5ea61f9272a92964e12c
SHA512 5a438c6df3801e14d4179f9a4d39a7ecd2a3e8246e20163dc19db97d31b20153bceb930a079c3c12e757efa68417233cb6c61a9361d1a239d4693187bf3c67ab

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe.tmp

MD5 b9dd7d17c8c8816bdde0e32d9b607413
SHA1 3452136ef8409108b88956ab1c98be6ed52648b4
SHA256 0f2ac6428eec11a1d1a897ef29f4edac5b3186c1644e175a454e942c623d9f1f
SHA512 8385c17beb2ff4d17afb26f32a9142bbc082c739f33fbd1b0e6d3d62b7abdf53dd608500f3a88b2be79b5e9f81065832ed22142d23931c8d29c48782f314ed84

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe

MD5 75aaad4ae54a60a2e25173c7e8d1f731
SHA1 e88d108d8f430c207be0ddfdd9fb10d1c3ca1fbc
SHA256 1a85ef753bf8c820400e31ca72b5e899d2607c12c5b97a69d09e9cf9e2658c7b
SHA512 bf57da395b9ffc7c068278ec9bdce73cd725564e03e0a71c484df882136095eb133003464c8ae73b6dac4c967474d2999b58169573253c6a5de31eccf50c51bc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.tmp

MD5 f22d24b62421f4d857b1ba2c534f5dab
SHA1 30cbd14ef3564b9394069bd1c4e5c841cbc088bd
SHA256 5726b51cd692202d36ac510bc8f86e7387a14cf76bdf911ef3bd1cbef8825809
SHA512 bb0abcc8eb113e0c8a1daaa0ed116f285841d523ccbce55b7d066ad1d2a32d95bebfecae85d37c8820d071576ef06a9234c4c0f236d4b6ede1e993b079a3b06d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 843172a0527b79c22f72b956dbb7fdf3
SHA1 23ef994b0a1e32d28d637cd01504601689adf3d3
SHA256 fc4df7986346b905526ae71ba76a6114dda778f9978a7559f8373c611bc84e10
SHA512 226221e8f1217b006c0ed1a8e66dbf792031a7ea14ec08fba1915a91e9d15caf9084063bdd056dd337d92cb31e4334b08c78e27a6026358489c2ccd2cf90aeac

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.tmp

MD5 52ce941b5831f841a2e285a691d82e60
SHA1 6f25d98c072024df43d92f8c23b56c0b2d2f4c9c
SHA256 a377fd9b42711c90ae3f3cfcfbdf02fdc0492659a0e5607a24d2cc590c05a2ab
SHA512 48cf68946a02c63d0372393c78195fe34c0d58bfa4ef3749495ec54e164c6f19c653f969e32ec5d7c083a93cec19a51cc080832fadcbca1f4bbbadd61df5510d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.tmp

MD5 421996a3b5066c9e64ad5ceb72b07a4b
SHA1 94ff7bbf297fbf291767a425feb9d8d93c07fe63
SHA256 3315c0e140ea20ea0d1a03180e3bb0dc24ebb918fcd05b1af82ba85fec207c8c
SHA512 a80d0fd36199d98393a210bdd383ee0307de5514bcb50a6ee74c9fb2c61762a79289ea45d94efcb0f26f5db3492657361e2d6df27cc315d909e958c38eedecbf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.tmp

MD5 c325a4c001691b669f505e7319e2d735
SHA1 37ba419fb3f090b331b07c3c969307a53eac2bcc
SHA256 8cb36dc13108ba65f8643ada52f77e7a5ec371b16f0690ac5a28087b365fe8f3
SHA512 03848e257e79d5e16317cbfdd016c54357d2230624c5f32aaa640663946b38dd93b47f130d1723708eb7e2cecd12215386935c456d7dabb1fb6d83a01ae9effb

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 f7c5ffef61ee68b12dc79e029054daf4
SHA1 25d593a8aa74a26cb602f7dd9e2415457916b4e5
SHA256 38ff1c35a52124bd7a1d986d646417d5bd6f51ae37ce501bcb9733cf0db6d96c
SHA512 9eee7eea5bc1ef41fd1e263899b22a0c61d641982a383f74ed9cce148bb6413db5fef475bad7dcb109fc33057a213ef22f2d8e9a9ca3626151840c7cd5b9e0c9

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.tmp

MD5 cd4770a46485acbe957a0b051a2f6577
SHA1 2974e00837f4c9b3bedd19acf818978e7dc65eb4
SHA256 6852d478eb4964631bc09e0d9046dd6419a412ba60e96fa4351055081efc9041
SHA512 8d89ba4f29b8237f6a5260c02b0080556e6f33e2e8442d91604d9c6771b48c0781fe131eec352244d76d2f5f8c9e56e3a78849a3ed550504ef2952e075b898a1

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.tmp

MD5 af022bdaa9d498597cc758914c4a3361
SHA1 82a2e5fc4302d971478a08164127e24a9fe62344
SHA256 1dd4e1914bdf54b6d54f66b957934e9f01270b74ee5dc85e9b5aee50427efff5
SHA512 bb3768d76e25167643943e05f88ba7cd97007647c8048cbff431ce5dea35c751760bb386c6b8524c59e726a13df2e702b3adbe3274bdf776d3ba532dede2c86c

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 60edd900cbe4f23e6482435dec8f7deb
SHA1 a2026ad3046271452762f167b0e52061ad68e367
SHA256 ed5be10479b1fe5ca403b25dfca02ca1fc8ada06ae6a9fb083a408d4e0cdf799
SHA512 893f68b3546f70504033488582a14d61b9c532e393d56dd19672e8be479877e695a5072cbc68ba48ddca45252781245ce5e426c94db80d54657d30467d339c34

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.tmp

MD5 e7c79abdf4d6550e5f2764545bd22881
SHA1 04835f2340891435f44fb022e86ea65428830947
SHA256 c3352165617df5579d1b9ed12a0f29c7896712fa79b3b12b393447b5888a5d0a
SHA512 8bf03676350e3254f7dea76ac906dd905df37071c69930108d22e5eee14e69d0856024025b616e6dcb31229a6810a7a2960f700410145da628a151142fdc2518

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.tmp

MD5 c6c163805d19f1c22a2feab1a013607a
SHA1 2faf82ca71f2ed1b0237d68b592da68e13317126
SHA256 3d5042ec82092468c331dc40d99ba070a2e278c8b4cb92af5de1ecfacf99b5de
SHA512 562aaed164442a5101c0e7f17bb0fa85065aeebc34b043f1ed229a51faebc987ce8d153a9cd9f0235cb036d0fcdfdde4acc54eb5306791947d4be003f560c27e

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 2edeb84817a7583396901e7565d577bb
SHA1 2d6f4685c2ef748d771c500fddf5a0a0711b1746
SHA256 cfcf714f380fe3197aeaa7099e1612c38883fe0dae246f2e237e46a935904db2
SHA512 56e4ac5bb20a8832405eb4340abd6910673bf5edc2c2d8e891c5ba9a1cc6952b2ec72fc0234bdfe9131878a5dbb7311a30cbb35f25e4f8d3aacb13148dfcf9b9

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.tmp

MD5 a42d909581bc55e05bf286ce55d99add
SHA1 e6779d6f21950c384c652380e4d669eba1b2291d
SHA256 07a785ae1a8e137b0239b5cff34a78431f2b4da783017391f5370248a5fe1042
SHA512 a92235b93d5511bb4b63d84c709d131ca884c3df8ecf099e0813531d185b75c1a85928ab33f30098580bb8d98e62cce00c2bfa891a261c4bddbf8a6e3e7ef884

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.tmp

MD5 3f726b2e3f752db7cbbc7f740979f2de
SHA1 04f1659cd8741c688a6a53244372c6e2b2efaa77
SHA256 4e7a817eb0732f718a199ff63714665a88a263cc9de0862055080c6d0e65c060
SHA512 7daf03cca44db90b37155738e908a30427e01114d06e89b0899411fe116adab2fd34e85ef9540c64176a038a50a758d91373ae65b6882804ba5061ebf0cd2e65

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.tmp

MD5 dedf38651654f759ea52bbc44fb21e43
SHA1 3e59d0e7193ad80ce2e1f86730b89cf68510b3e8
SHA256 d0b68ebd28d28ff2584926eff50cf97a92b252a38ef7a110c8c2d79aab968dea
SHA512 43fa109857b95c85fd4d1a34c9591e25dadb32dbba1ed8d99d7aec6683cf9468f028a08452e5e25a47e1f2871c6a853fc67fa654b76023b00ef3adea62ba9dc1

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.tmp

MD5 d819e2018f4e2d113ec4d3d7201d05af
SHA1 cb1f13e9b382ea3fb15c807e7417cda3a48f7e8b
SHA256 ca0b47e328860a6ba63ce82b9a51d435561e823eb3163ed4016da33addaadf9a
SHA512 65932c3967d024d7c97e340e9557f9f59c2e7b0cbe57632c310418b4173c321dec62b9ab532c341ae89821cff9d0fdc274ca55805c53407957aa57ae0650c090

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.tmp

MD5 7016b9a87666470fdbf2ee238e50bec5
SHA1 616efb1996485f4b705c6e95ee0a330a72f394dd
SHA256 82c119e199337300dcafc02940b97f309291a7743d23a06960ce76ea2f8bd9fb
SHA512 55793c8e8b2f7f7069452c61c95dab08faa638fde54bcbfeb99796c2de0d3376609b71e1fdf7c08133d07772511a31955366d5e140ddf649c351cd46713893f9

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.tmp

MD5 ef45565250ce47174a1308ac9afa8051
SHA1 7b060aea4f0f94d5fd0db54791d7c7dd91bde4f7
SHA256 f4a2422526b2fefa0db39ecd0a6664aacba3b92957b5d44026f72c142350f4aa
SHA512 85d71706277862d5f45d29500bd1d107d675b62925a0afdf7be260e05a98eb4bd6f58f1018abc4c33fff7e19d3f0d92bd61955ac80bc01f4b6be875c3b7479ae

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.exe

MD5 472f3272216703940cbb57ad6c854ce6
SHA1 88979536b9e3ec625fed236355808d1935d56be1
SHA256 33c5e993a6cda93d5a2c75cb52bfd59b709fb2d6c7ece21fd8e95630ba1aef38
SHA512 c046203e1f2434b0f0ef2571ca563ed16268ee219797b7bd08b95cbe33531f2eaf563b7d74d1d1f80e3d03b82a8f99717714159cb6bb70cce1bb178af9778615

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.exe

MD5 c00d28b24084c7bf6ed5a7bbf8b5a05c
SHA1 13dfdeb2b52af8f0f17988b936c11e513bc1a797
SHA256 1af8d8f8bb7296d9974fb4e73d9a41245b5bf6da9f77726b93d1b7d856e38529
SHA512 868bfecc1d932eb18c952dd23017310357377eb57eef05d31ef6078e73918d75b268563ebc545a43e9c4ca8ec268c19647078ff4f442fa31eaa9f7871e87da8a

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.exe

MD5 8668feac0951ed7600ff2a59bfe6e262
SHA1 80b380a4e1731ea3061dcae9d06a1f80a5e2b9e0
SHA256 bd35b516c12b2a1665b88cf09ee3b38531c645f0742e8053bef1db8ff020cb01
SHA512 36bf0f47e24c3db271433bdb3d2383a2d3bd71acd3f7411be099294cf2cbc48a2af39e9e77624b951677356e9e6d57730ef943fe1e92ec9592114df83aaa080c

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.tmp

MD5 2920dc20ccb77535193d2cd767555cd8
SHA1 37d05eac0699aafced99cc4dc9413e23af033c26
SHA256 ed460012cdb83ddc81922878593df2aaa0cd4c7478284dfd091e8fe518266410
SHA512 6d7ede58a6c517c34189f543ba3219a84aaba4278ca383fc2ec011d32f61475c112ee4dc733d0b07f45f6673b9821af3d3cb8b1c1ab8c592e7f8e5acaee2bf9c

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.tmp

MD5 8fb2e207af9fcee2657087606aeb321f
SHA1 191c6d9089b2d37ed762588e2dc8198177df692a
SHA256 43cbd9dda8494deea88ac0128e4b8fc6f59d272c5817e08bc5fa482e79fa90a5
SHA512 63e2c9403d48e24a3102e290ca539d38cf9f4be9cbea93009e9832801b60ad4cb8890c9136c186d99380dcc0b8bbd972c33d6c472535fb40d67f60b3b1ccb9e8

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.tmp

MD5 c9a8acc5e1b66346ac5218979e07ead0
SHA1 949d61204319de6098a763eea047fdea59a588c4
SHA256 9d9e5c2bfbe1e9c89f69a131c88b6e27a1f92650b0520b3bb85e3971c47e8f1d
SHA512 23e4cc4d257caa42152b2a6720f729a35ac7f5d370d42b3003662c909c9c5a852cda1c27777de9a8387fc603a8932594367a2fb70c3ce462c9b2dbb28b2d945e

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.tmp

MD5 d1e02b08c17908d5e5d63921db3c7a65
SHA1 d012573640274efa3f9f3d89b7eb7c72efe9a9b0
SHA256 26a7e5ac88e3b4cc03c6c7a7f6c1a27de3a428c28d7c0e37529de96f3bc1785b
SHA512 2f1534bff86b3e411b0f51c71997275a9a33b4af3555cd41af5a85d32dc171cc1a32ae0808583221f65ccb0c1ba119a638e8cea65686dca1f689c7119ffbb9da

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.tmp

MD5 2d2d79a69ee639800279ac1f6e1942aa
SHA1 18386d597b674becbf29a07e31a05b53fbd6a779
SHA256 0703ba7ead7c100e58680ef76bd1be8f2e47cd495cdeb5b2841110c745eb5a55
SHA512 efd7ed692d6fcd542a68777768160cfe3f2d247f37d7c4ede63fa52610906f1b69415a6761b1836ef51709d10846fbec567c3e89cd181ccc40fd446f74ce2897

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.tmp

MD5 fa8a2aaf453049fc70eeaecef012849d
SHA1 9902946ab682693c9e8687c480188dbb69dcf268
SHA256 d6dc391e39be58ef9acbaf353b638b9cab3a4adf778b64c40db4328b1c0d6634
SHA512 b4e4da1de80bb5c61da33a24cc3d41ab4f7b0f5e269da5c00d9267878caba1322be0679107dd312adcdeae35603d9c047f08a1e4cb5f5cf006761363bdc5076e

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.tmp

MD5 411076ec28ddc2a65ab874072736f0c9
SHA1 898f80480f6198cef17d4d61f761290d601fdda2
SHA256 88c5f153d4e144cc5209e52bc0e16bccadaff393aa8eba745add3fc1c9e9ee50
SHA512 a1efaed71d69cde1b1d4b4712c5cee7cb54bbab24012e35e24f0be781830f63a923dda41ebf15417a9abe04228dcb914e8ee8949c1a72df00d6620ddd67f8ba1

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.tmp

MD5 2896a91e0e45c628d01514b5d3885b0d
SHA1 d6b11158c28982a407a9da8514883ae70804fd3c
SHA256 82146a6fb975fde57d57ad003f9b9c55c9b6a8ce38f02d7e36ea84514ca40fee
SHA512 be60f41aa290e2fedc0a6a2963c053b1d38d79ea7a198ebc7d93649b81d78a309e48b58517eeaa50ad8ec292aafdc5e96db1ccfa42fe4acae916cad9d2e73b00

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.tmp

MD5 e43fcc7230972e4366b59a8b9f8a13e9
SHA1 bda64b4e08caf659241ae422da981069bddcb470
SHA256 7bf7283b5cfe2ffe2fc45da7d565cb3df95da4d2d4c49c70f7932e4426090b5a
SHA512 a559aad2b25dc347e789cac877de510726ad12d075378ef5ea18e7e50dad7a9b2fec0834dbfaddeccd55601621da340c244f39c0e97c1638989e760fce74d3c8

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.tmp

MD5 fa1ebc1e0cddefb9a632e4ed68ceec8e
SHA1 cc645bd87d20841c3af83b61750ed6ccdceab7cb
SHA256 bfd1dc0fe8c9da776b5c784d4b326a05c8f60b8d9aa7f825dca2e9fc47ad8724
SHA512 7fb9a2d198cf299fa243accd0ae8b956b850eda02664dcf6700880c55a6f1bca45d3b20c5838e9de413dc9b73b95c3de1d54f49fa896cbdc879374bac8e0f3ac

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.exe

MD5 70171b518b0069696495a6e6ebd26bad
SHA1 0fb8c9d2a7219c199fba6ad432e58860424e3636
SHA256 8769ea7deb1747a8a2f9359d7caf9a5a560ec810f115f6b7eb5fff26d1e055e1
SHA512 e9d2c8a608ef581614471e9b4f662ba6567849751a829de2e9bc6a2f513549f4e03c522064303cb0a8eec32b537eca5542e7b0531b913804c7a25aafcd3fa950

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.tmp

MD5 ec98174e486475fb32baba39e65cd259
SHA1 a992b88d40f365ab8c1a062f905742933320b452
SHA256 6aab39096adf73a036391139e93aa1c3773ae570d8a8e9de4e74b3e260267412
SHA512 b48ec15bbb2a4e0fb2f991ffcc36b5430c93504aba98edf9b9c47ddd2fe6251352e7bb250c0a1c074f7125f91de708301d847cef8b1e08388c6aaeeb809f565e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.tmp

MD5 e37375bf768bcc06f8a7899919ebb735
SHA1 1393bebe60eb107def16bafd2cb6a0f5af06cfa5
SHA256 944634a5011bb9dc8dc6544d63a3cd66199de23d8ef22e6b93831363454590f7
SHA512 9c4d9579828b0d12017f41b16d23bfc4f972121d5041d04e737b8bfaf7a5903589bd337f54b05f3293dec275e397f4b33b89d3d8f71f35edee6a8af9bbfbf0fd

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.tmp

MD5 21d8a38e15c440a681788d9211a2ade7
SHA1 29244e552e220715fafe9200e9de9c98025ac0bc
SHA256 d657ea1cda3dbc70d312836281b75e576601e0d0a737a0af480eafcb1a42fd1e
SHA512 7a169e50f34ce3d746be67ef0c08c00401ac30b14d102b2c9bc226e860b1212d37af1a4fad4d2fc1918c2269e92e3eddc06b006fe8574d85c52cc1f0bd89da12

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.tmp

MD5 6262f6c9d11dde0c654eac35e2f207de
SHA1 92618a5285d18a976ccbfa23ac466f6cbdb9535d
SHA256 7b07771c5b5eb0453e551e0129693c17e18fd8e192142f32d3d68bfa49bc6f3d
SHA512 8fdf259ee8eeea5f5d09c9e72928038c5f78281a32ce25226ac95968d8a8044e9fe9620514e0052d95b8e11b6a7206e4cf4c45c5213f294b9de3530783dd6a2c

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.tmp

MD5 169f31619093aed0f9db66c77d5e4a34
SHA1 5a8791c6ba2514841059f8e2d9081a330436a9ad
SHA256 16139845a1e78c2a7983bf43c4e24633a70d418ce4d2f72e67439a6a661efc0f
SHA512 05133933f2e75a9a2e302f9745f3d8483622498615939662bc00e99c80818ad48ae5cbb0d524152263f17e283a19c365d518b50f299af5e7710d4c92125e1853

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 cc5f9e9e2f59bd94be254a98efae18ce
SHA1 6647d573932b4a83fa2481b1adaf0a4d1f1f6925
SHA256 33671942a191b9ba1a778b647b39b762e564d73efc4c011668e7fbdd2fa7527f
SHA512 eec70e3136ed77078c077de12ee59e92c4b152e58f7410a8b96ee86f14d1a1f2a6410fa560b670ae8eb194327d657fc1a1413ba474b11c8920d5124a302a2f17

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.tmp

MD5 de11b3bbcf70b507547ce49444deaf5a
SHA1 5711b004e37718b79b23b82d1c7d61ef6446be26
SHA256 18caf8fd7434c8be9ad186bf4a9562a2ccb0197447102425054ccfb6c48774a9
SHA512 13e455f779a51a8afa901676dc42c4f01334b09866d3f9662584a88e82dcceebd396713bbbd7170b5943044524169188f0e727398fcd25f02bcb3fc5a189690a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.tmp

MD5 0f79a6fc0946833a17491ed3f39abc03
SHA1 5831fbe5c442e611d1e6473ce73930a679f6d310
SHA256 4b52dd40b714ad781a17490c376a4d8875bad6c352bd92cd2fb2288520853243
SHA512 c6622841acb1d09c6f61b2d58c0bc307c311233d869d64a6b64e20778bf4263238e5fe874da51b5ab09ebe2344e57718b5ff6370cf24e6dad31fa2c18ea3d080

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.tmp

MD5 607d000a4ba37987645c8fe1930a5bd7
SHA1 43ab7a021c42cf967d5597a2a39e7177d9d7b056
SHA256 9aa2bc36ca031c55f22d67c6315e48779c86d5ebc6f4089b09a9d4a870ca9db1
SHA512 834b05b1ef30be438a4ac25d99e9a219a8c9cd20b2c618317d5411a5360b2096079ebce0393de76f8d86fcb8f054d2bd89f356666363df07451ed0b37f0d4eeb

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.tmp

MD5 15df39c3f1071324211ffcc429fc380e
SHA1 270b883b28f1c402c0303e15bd9dfb2a2bbdcd00
SHA256 449a663f5dd42caa91bc06cc6927582952fbf56d9e5992c4824a4bd76f02eb10
SHA512 00529225f49ee3bf546fa9929e99f6cd4f7dce18473c39091ff99008b0c7e2757939189b48cfd66df6e5f0e2e029bb8bf80f8bff544f78843dc4266a12052ad9

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.tmp

MD5 cde60ac48a9ebf4d9a5ff603fbd5e23c
SHA1 3e3d56c0dab6aa5bab82d3fe72fb72bfeffa14af
SHA256 aaa81488f1c84c03c2aec882627dc2917bea09a62f98745e89708e8ca57c4e64
SHA512 573c2ebca9a9a7af9b7c36cdefbae536e01a34412e9c2a30952ee8a5a7e6e0ed29757b031a599f34d6547781d78eeda4bf480c979f7027a26b1fa853ab00f0c1

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.tmp

MD5 80fd8b80406d41d8c29308832ff960a9
SHA1 566f46b60d484b1c7598d5a1117aa84ae7ff4b93
SHA256 457e04f14f6afc300a3c6c7eda2db245ce6431dfcd72b58b25c4d770c891e724
SHA512 a2ff1739e424c9a1491746b99ac9b74f9572e6eb5ce336e232c3acd15d509fc5971f1a74e11af2bfb6c664c5f750a46ac38c74ad865b76b1c09bc6f96f10ff43

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.tmp

MD5 641092c6b8f06b499b91ac34040cfea1
SHA1 240b66e9e3c6c87eeed6cbed11ca84d4382287fa
SHA256 b1df8a18abc74c237cb99957c3e68ae1ffebc8432a4df34cfbe509d560b8ff14
SHA512 8766a909a84803c81679966f9bfb02d75e13edf0d4bb5462fef313529e77dfd4d6182257395f3d7016b447b24a87d0881acc5a8090953816d2906a5998d7ab6b

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.tmp

MD5 ce22db1741c7f1ef68e74162a87657f6
SHA1 110ca217cf26bea7e748658948dea0aea284789a
SHA256 26c97ee5e945d0e78dd0f57b190946955955afc2561798cdd57699a591feaab1
SHA512 7581ac073563bc07c73a03a1793033f84b611d1eab8e0d2a5e092a2e9b892d4b8588cd598065fac403d528efaab23d5d61dd2bdcab1252bc0911961980573e57

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.tmp

MD5 f51b5d815749caa52c8d48b289923c7b
SHA1 7c6cbaf735c3d7d8e4288ce532b6d5c096c14985
SHA256 c2d0b58131034c76f7d4394bdb0a638e49dfefa06be1cfc71fd1cf2aa81045ea
SHA512 e34b9c490980e9555a63e0126a0f312681b576d7633f57c3fe4d3415c3d703bc2f6d6037bc625c8f39f84724d4b8a3c972b5bf06774438b1f8fdf4b57f8cd927

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.tmp

MD5 19b2fefb2c78add2fb0068b0d6e3f7da
SHA1 c994e79e0d5acc7a58b1d0db3315cbed73568b63
SHA256 731bb9e51f0f7bb60feaa3dc287e558de0f184295a049bb44b72467779211f2c
SHA512 6f58e5592ab01bb7f0076359f48f7887de2931f3a202ac1196f42b9ec852de98eead2e0a88ef9794312a3e8ced428c182a7018b2508907269a9e44e1cd7ed5e4

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata.tmp

MD5 9f2eca2afd32a2c91a410333e486b5f4
SHA1 f2bc42362a27dff07474e991bb20e20272223bbf
SHA256 38af2f4b995ddb754772477bfb22bab8cb4e36cd463020aa2083764516570efe
SHA512 5386c7fa40a3081f8ac02e3550906d3bf600477a6f2706e7d836c6fef8065d7633e2a01951d2c130bad80e034b7704edc2d7ef46d16711b5d76614922b34360b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 19:38

Reported

2024-10-19 19:40

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe"

Signatures

Renames multiple (4368) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
N/A N/A C:\Windows\SysWOW64\Zombie.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe N/A
File opened for modification C:\Windows\SysWOW64\Zombie.exe C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-debug-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\PresentationUI.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\ado\msado20.tlb.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Design.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.EventLog.Messages.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansRegular.ttf.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sunmscapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Requests.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\DirectWriteForwarder.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\UIAutomationProvider.resources.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\EnableDebug.xsl.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.DirectoryServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadco.dll.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp C:\Windows\SysWOW64\Zombie.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationTypes.dll.tmp C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Zombie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe

"C:\Users\Admin\AppData\Local\Temp\6332c4278ffaf582df9f07ccfa001ab06c0a28fc490112700017cd1bd6eb0894N.exe"

C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe

"_Firefox.lnk.exe"

C:\Windows\SysWOW64\Zombie.exe

"C:\Windows\system32\Zombie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\_Firefox.lnk.exe

MD5 ed890e3aabd06c5102c3816c0f8c2009
SHA1 8bdd1a6a367d4802966bf0fa5c7e650811d45bf5
SHA256 8205c3a402ec6e57f52b265cddc7319200b3897056b6b3c851b8e0ccb6578113
SHA512 435827e875a77300acbbe98390cddf7204ac5b2eaca05a12f5c2bd85bdf960ec6294148c48854d3522cca06f401520ad1e63ae0fe4e309194c2112c3fb289ae3

C:\Windows\SysWOW64\Zombie.exe

MD5 8fa409f56eba1300760b5dde17b73486
SHA1 8e9a005583e82fceecf63e3c50a3f10d588fff2b
SHA256 72f47860c773408192a18eb82f2fc0befcbd5e07974c5ea61f9272a92964e12c
SHA512 5a438c6df3801e14d4179f9a4d39a7ecd2a3e8246e20163dc19db97d31b20153bceb930a079c3c12e757efa68417233cb6c61a9361d1a239d4693187bf3c67ab

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 3d47564e8d1e3eb95c98cab277f8e0b6
SHA1 11b32f8acd0e09b370322cd4c00c1818384e6c7a
SHA256 8aeb16e747aa2152e0ccb582a096bdd22fcd30a5169c42a8a8f7bf6cce36fa02
SHA512 10a6c5039ea2e5706f9cee9397925a8d4a5cffef757d680a580011e850a2fe743d0c705894a8d4607f06b0c6940b3f00bfad47ef3d3f60709ef0a3296b6fc61d

C:\Program Files\7-Zip\7-zip.chm.tmp

MD5 2d57b89104c380e8d5195a425b1602ee
SHA1 562492919b7b91aed9d2da8421dcfac4df830c1f
SHA256 7465f86c379bbdc1a8bad2bf25b0747fb956b30c131eb6f3d956344f659affbd
SHA512 19e2ec82283eb04c11d6487da17619b88af03a6733b8e05e9f6e4b7fc35d289c560f4e389b18c90526c24d37c01decbf8c47603db2414890b59c4587c5592efa

C:\Program Files\7-Zip\7-zip32.dll.tmp

MD5 4fc4f53bec8011c6e09be99b47099902
SHA1 049f11648e5946ba64dbbf7a2213a5fa6fa8c8a6
SHA256 3b6efa61d7eaf6a7ac0fd2f51a59c616f5894ed55ccb66565f6b48942d940b5c
SHA512 4a0da1a38c6cdf14f10ebbd78c00fa074126edf8b7f6f4d954c03b1841cfe40ab6ac5d643e012a1702b53fe1796ceed7d98e53204a3ca3961c2945a58e896106

C:\Program Files\7-Zip\7z.dll.tmp

MD5 80a75f5d53baa2674de029067e4b4f1b
SHA1 fac5277b623a8e06d581988832889c028656ac8d
SHA256 fec30bdfe2a21ca45c1af7ea42f47dd10066f265cf8f0a73041f5e883a21ac79
SHA512 cb761b39ba34f22f987841811c1cc81fa4afdf7a1598f38acfe2c6f686b44ee804202525bafec515b73bb4fa8f141b2ed8822093da87db47b619de9ae79676fe

C:\Program Files\7-Zip\7z.exe

MD5 4c14218ffe26f20e21ad045cdda1621c
SHA1 c8ea5956ceffd12778a9477ca8b34d7512a5eaf4
SHA256 51738cf291c7f7109ce07e43e2d3c570ac4c227b2b0d4c65b79201fb0e3ab478
SHA512 c8b379b9a9b27d17c0ae0cb826fe6be19fd07f2d4b7c568715f900e5f407de676326e6be42ab914a46a15955034a4b41a02050af9e7c91962ac58ea8bf8db2cf

C:\Program Files\7-Zip\7z.sfx.tmp

MD5 8f972aa55a284767c8eba68d1d32e84c
SHA1 10d6567b87e1edc9ad71ccce2f169e8c3d00727a
SHA256 548904a6ae21476e8e23c58d300f02939d19fd036a2983cc8e5da04e61332ef9
SHA512 563ede0dc0beddaac68e82d9fa6f1520012d0528cc4a30b17b0b691c605885681179334396ec7c35d06adf16ed3170af35427d3fada4ea41df267912408cfe7f

C:\Program Files\7-Zip\7zCon.sfx.tmp

MD5 ed3801248473896b3c8cadbfeaf8b0ef
SHA1 77ddaa138548177ad1ea61f5473367b95b3b3c7c
SHA256 868ab9ecc6e0f5022fdf41443d95b0a6686d9e8f96992bef65a5de652049ceb2
SHA512 67daf01e7c39b405bc5bba1fec021a8da990ae2919fe294f0d7ba2cb538841e42ce6d4712ad817db958e88313d6487fd5bf21ebe47ac25e9cfbb745ae042b4cc

C:\Program Files\7-Zip\7zG.exe.tmp

MD5 5796d8ce007b4be94696ee6e66f48854
SHA1 7f2c2d139860cbcaae1f92d44e570ce347a83e0a
SHA256 e44be6851e894ce06051b0e38cec8b380e38673f05e8e52caff31b583a6376d1
SHA512 b5317908bc9c6071f1047258526aae7d4ce87ffc941ea7c04c0a745d225b201b0d1ea00842cb2b03cb9cdd23fb422743c055265b1cf9a58d6f60a6cc253a9c29

C:\Program Files\7-Zip\descript.ion.tmp

MD5 e5ea3a9fd9255b8b922e419036da7bf8
SHA1 cf2b55124f3aaed872024ec092ff3385208ad8d9
SHA256 8564966702aa08537475dab7836e407a56c9dd03260ad3b53fb12fb911410d2d
SHA512 16280abeb953137f99ce76c1e989a2b95758827185ae69814433c86d15347565c2b7606e43947ca007830414d2e88d0ddbc9b6b1160d0468023afbaa805aac1e

C:\Program Files\7-Zip\History.txt.tmp

MD5 b200621dd54a7affdda55ebb6be93534
SHA1 f0d910772f833dff3e5f1f3d49c2f64ffb62e7e5
SHA256 6df587124bf7ed46481b51374f848584ba7c082b19ac90925f72a1dc237eb3f6
SHA512 07fae85b8c31020d7db26f3c1db2f27f71248644c946e78709f85fc930d06ed28595607bfba99040b5de14f13bd8276ad670c04ed6cb06616cdd48a6c4936906

C:\Program Files\7-Zip\Lang\an.txt.tmp

MD5 2905bc0e0636b06e785e904120bd781d
SHA1 76e39f32ee51f9b7147421b4037f24bfae88b000
SHA256 8d6f8cb5947a4921cd9b1fdff70bd8abcd795e72ab76cd2388d70dde73daf857
SHA512 0b1deeaad60d9bb46e9ef3b9930f277f778f18dbac9a6a74242c62fd982e2e19bab31663715c0d0955a4495e2936f46b870bd37465d4dfb77cdaed2fc3977970

C:\Program Files\7-Zip\Lang\ar.txt.tmp

MD5 1b6bc0504b9fb3a58957190c273ef45a
SHA1 5033d2c3a767072a6a1f98eb28fd2fc2c73044c2
SHA256 45d2a4cc35d8557baf29ae2f8a0f92c499a5ac3e60274964497a53f6705e33b2
SHA512 6110387efe6c2a7e9c44bc51843825eff4012738265e1d402632d5ffb6209fcce67b9c338f182262cc75d3abcadaea61cae3dbd4bf8dafbd60ca24522cab98de

C:\Program Files\7-Zip\Lang\ba.txt.tmp

MD5 51f435d25a1fc6b739b7c08382b273d2
SHA1 e652812695241ff17eb7a1f75a86896185a3a408
SHA256 c1125e76c40a0197671d10d62e87b5d4767eae0b09efb1e5ef1fb680873e15e2
SHA512 90a1af3da5c67471282c2f822882ef4f444c03959cf7e1f017d23c79239a61a507d19284d26f32e565354c08f47213b276e2799ee6fd64120c3a2dc744f39186

C:\Program Files\7-Zip\Lang\az.txt.tmp

MD5 82393df101a36dadd33e7a6c0fc2fb07
SHA1 13059ed383885199a078aab7f68c8fa3edd1aac1
SHA256 64bf5060ef6a27b1b8fe6a91a08bfba540801bd2cf393358c0a713e3215aadf0
SHA512 e64eca0b34106f60e4b7b7608b1a48535fb8448c335cccb4e49a6b1250174aa800a21cf167fd7805ad2b14a89a99e2858e99aa65aedf6df25a367f7c5eee2c62

C:\Program Files\7-Zip\Lang\bg.txt.tmp

MD5 2c09d6d1b3a6d1285264fbeae837a111
SHA1 6200b1209255b639de81863c242275cb55d27bdb
SHA256 c50f3ef5a58fd158e35a23dba53ce820e74818ef201973bc817fe0e5d1e4a800
SHA512 26fa3dbc168d7ad0d97dffd170fed3f4f439bd3022255fb24feb4c808b3a5e90f95710edb858610e260594b276841a6fbbf4b45e8f29dd383add224aeb9bd8cd

C:\Program Files\7-Zip\Lang\br.txt.tmp

MD5 d85c7788cd744d9156338c05007b874a
SHA1 b4a92419d6862a5e5623409f026d692ab52ac7c3
SHA256 33d2b91e420f3a97a19cb4aabc503b52ea481334c4cbf1f9e89d1e64a46a0172
SHA512 69e98f2616f72080ed8f011f8b276682d76e93396cfdd075ba16541a85b0bf515d7022606c66e5c5d624569074d5318b1b62984f7b073da177d4573e93b0c39d

C:\Program Files\7-Zip\Lang\co.txt.tmp

MD5 9e3422040e0c01d7d7aa99d8d739c8d5
SHA1 caa768ce6a098a958208dbf2ca1852780213d78b
SHA256 61e9b42944c7de8bbc06ff908bb31675e36b5e64025890ed46c6f910b35bb89e
SHA512 034b138a4e36a2beaed1ecc144a4fd44ac59e79802c503d03f64b5bec3a717e4757b9acdc1713cb234a64f60a63587754fa8cf10cc71dcd85d89d67e98b8fabc

C:\Program Files\7-Zip\Lang\cy.txt.tmp

MD5 4661f0ade194f51866496bafd04eba2d
SHA1 d2e320947d98c04eedcc811fbd2a37bfd4600c79
SHA256 7b3284c798e9f610ead28149a428c6e51faf4ef624c43abfcd0fa67e3cea78d3
SHA512 de25cd32f4e13b1b4e5d8f70c3f2e3464ca3a7c7545af8dc019aa0e7741999af076dba30eb57bf1f7417dc0733f94973b71cddb7c4b63c3fe5a0a7f753447e5b

C:\Program Files\7-Zip\Lang\eo.txt.tmp

MD5 6cccd3735da4db18548406ca335c4263
SHA1 004474d32b0333eb2021b88a6436c2613f933426
SHA256 6785583b05b7921db7061e5e14e5732f1e4f4949e5201a2c6346291cb7cbf32e
SHA512 1d3145a44d64c9b1020791c91575d26c6781252106de50a8dfab9c253e4521ec9a21c9451f9fc6c43a943a9320a64bd133c2472ec4f27430387159fca198127b

C:\Program Files\7-Zip\Lang\es.txt.tmp

MD5 950bd9873afacd889977ef6f540f3e25
SHA1 a67c8e74e1ce38185ddac16f087fb2b0e475eb07
SHA256 fa26dadba63a7abb784ead8a0a527fbaaf8390ba5773af694115300e05f961e5
SHA512 1cb78f79a7df56cafca89e78d1dca7c03e4e248b1d38988feea71ed51020fb46930f92c9469474d95485ab4c7edd4654089166bf8d41275a883a4faaac8e3871

C:\Program Files\7-Zip\Lang\et.txt.tmp

MD5 cb4c5b36c5209427df12b6ecb7410074
SHA1 aef9eb16fb48ac8d52ca780beb8f10b85102e4a1
SHA256 cdbbfe3cc4b7615c080b9f8438937d56846024e84a4fcdafd47eb812b773ba73
SHA512 01a23a33a7240bbc506e2a2e8c7e31f0805f0ebcc1bea5b9487ec66dbdb79071be2672548d4e4af5cda63aecdbb243213767df499c18def5aa55ac5b11d9313b

C:\Program Files\7-Zip\Lang\eu.txt.tmp

MD5 8192295063c885f1d5f06f8ed8276040
SHA1 78f8c9f3a62a092d830860ff3b5e05213f34887e
SHA256 9666ea04f4f626bdf7674faa80ac8eb8fdfd21a5d7646566c0b43dbc548e573b
SHA512 3850cc7cebbd5e5a17bb6ecbc89e01481ef393a1a3be838db9c607249338c1b1a4b7a5520925122a77f63f05c2a2dbb9dcd86176e251983966e7f677271f4444

C:\Program Files\7-Zip\Lang\ext.txt.tmp

MD5 ce3d9e672fd8f64167f2c6e6b30dc2c5
SHA1 3b43f8887982098ed0c58998ce816f304fe6c7bb
SHA256 6edb3cb95a2f1230f442d0d62a3ed1057c4ae790e6089dce84feecdafb9ae868
SHA512 e7ffb19281a2818703d6bc2e8fe1cfd5898442ae65198fe79cb935dd46a5e2455ff666d0480bf3dcfef706815400bd9492f5d2b78c0ee2490ec3c463e2b94d7f

C:\Program Files\7-Zip\Lang\fi.txt.tmp

MD5 64dcccc04b3a21dc2689e89ce88a93e3
SHA1 7a8f6dba46c0d4ca25da76df8e2fe84fbe090080
SHA256 de9ca8aa5d78ac802f06e8a38fae55be3bbd542c2ec5a612f2de006e57c3947d
SHA512 2a3bfb3b0705c3a2cc1ede2cf3a5bada1015f78152c10173412e7b7e0d23f1a5c0be0b94b69d65ec0d6616f432556356c50e2ecb2d8c26936ee8da475a33bd9d

C:\Program Files\7-Zip\Lang\fr.txt.tmp

MD5 d8d21a6d1ac1a3353482e371f14db749
SHA1 3b1cfa53ebda5503eddfac03dc961dd2e11e8799
SHA256 c9955fd1c5233a3e4bd658760489e8fb3a30c96cf857addea127be8f25df4900
SHA512 50d651076d78bedab11ab83f6abb1d2ef7e2c65f9f9e960a3d51d60745f93538f7687b10ee84556388f7d5b4c39526b9644451ee05266eeaab4af1ccfa98cdbb

C:\Program Files\7-Zip\Lang\ga.txt.tmp

MD5 20c0e5870fa3e8c7c13fdc7853fb927e
SHA1 c312cfb424b1895ed736215648a7dfdf6a62f443
SHA256 423acd751196c0c0421c6484bb85bef9f534e343066b0ffc9ef88ba6e381c12b
SHA512 736d2b27b0cde6c3916a853e7ed47a4cbe734a6e11e38b81b37de1e45bed5846a6f401aca93dd8d8e29ed634e42cf15c2980348c81af95fb82210b84bbb9edbd

C:\Program Files\7-Zip\Lang\gu.txt.tmp

MD5 cd7bef17aa15340031055008261ca46e
SHA1 9f8b1f46328bb25251cedd96a1acfba8cad2f0be
SHA256 298b7e423718e5918fba82c7a8612b3d40f0693f5aca0a42800b9d716ff658d8
SHA512 de9ec0ecfc79d16c8995bfa6e6d0be71978f4fb2b2b0c91a20a3052c06f12ef7e2aff99a9607cdfdfc37bcc867e5149473d8433987d812fbc02413704b895182

C:\Program Files\7-Zip\Lang\he.txt.tmp

MD5 4432e61c4e67630e6866c06851d6efe3
SHA1 4750c8c0dd0ec3ff8592ead7330b22e005e8b17b
SHA256 72a7edc30038c0c9d3f245ead2438611e2e014809746a7121d017f298b284983
SHA512 2eb24e8c9c90182080243eedc284d03be0dd8aa5716622de695d41756ba767900902f80e548afaafdd7264bd9f69823622278f149733ec26745ddc35f1a06528

C:\Program Files\7-Zip\Lang\hi.txt.tmp

MD5 56b7075d03b0515597b005a6311a6a42
SHA1 09f85ae739731f1cc6c04712c73326928efff6cd
SHA256 f94b91a47471f9162410b5b02b5bad29fb1e53dc33f6f9fef7027d3aaa6ad6c3
SHA512 e92c8fd7471ce21ff968fa58a65f8c00c0835dde7a217c3f76dea6f11ecbab12f5c91dddaaae6c20f0f7b755816ff862cbe6e0cb4c4c516b1c3fe6cf1e54a016

C:\Program Files\7-Zip\Lang\hr.txt.tmp

MD5 ac545c8aa40582755f30f46d435fac4e
SHA1 20d3043cca22628e133db162de617fcbb86c6778
SHA256 edb2730e931f971b4e5f89c03d60e88fb9ea0cd0b83e3ece203351c602a81396
SHA512 51f01a040a1abf8baaab016a0c0bca70d3919c80cca4fea71f37b7c78f3b88f782d5b91bd36f3e2a3392cc30f4900b34666c3044594a8bc4809731da16fb72e6

C:\Program Files\7-Zip\Lang\hy.txt.tmp

MD5 b8ac5b9aae5ff7eade8d6a3abf64ad1d
SHA1 b9d1f1e7277911400994566073ef28e5c49865ff
SHA256 0eac0309fe6f0247e299095c8b04bf8621a246270f555bf201ec7844a7f5fcb6
SHA512 245169fedf1e96c8e7c7eff6d13345761d7c5d95b1af201fed7f86f43b1a90c92db7a6359b6c38eb2784fc755b768b5b3608cdcd127662c5dd87a08f67b50187

C:\Program Files\7-Zip\Lang\id.txt.tmp

MD5 ee9d755d477852c7f892aae7f16ec0d7
SHA1 b13f0b40cf00c878b000687cafc671922e8b311a
SHA256 7584f483209dccf5471ebecafd8a0707a5fd7473283488a3dff7cf87035a1518
SHA512 7375420972b11ce2e74571900bd816b89be7d66b970cf31659cb6de765e333fab0bf9ab2737aad5eba8441dcad0f1f9eaba3e9c6f493b9cfc8e157049d16555f

C:\Program Files\7-Zip\Lang\is.txt.tmp

MD5 e715935bfa107f2624ffa3bd83cc43b4
SHA1 eb5e1eb8435b5b3878da856839956bf9f527fceb
SHA256 5082a3f62cc7deb1ccd1c4a529a8e775b96149019a6b5bffb4e97fcf3256f90c
SHA512 c20afdf8b36a53f36141277e2a408a4ed1f2d4da78732925ca09f78e90ee33851952cef30e097d2f148832807e24808303538e7c5e7a425c5032fcf5b97f94c9

C:\Program Files\7-Zip\Lang\it.txt.tmp

MD5 3460276399101998d94c1001a1c81d30
SHA1 2db5cc6c777eaa1a40e02c57d63a4a6ba8ca74c9
SHA256 c527e0bf190ead12e91d1ebe071aa80ffa9e001efd8de7d47f51cc00eb8f810f
SHA512 03a0525661177e28bdc33a645c95867d8d7f66f2d4903d163abd15b676ba0ea95aa6bce3701729129eecda7e85703090691cc7d7abfb86ce922d767df5919073

C:\Program Files\7-Zip\Lang\ja.txt.tmp

MD5 fbe4cdbd194f85127a4b862dce60e8c2
SHA1 e13294d056248642d1aa77e6bdb9c3498b0221e1
SHA256 e5f1efc21c339f97d6ae0be8afc4521a387f1dbcbcd8996f40ad0732095f6016
SHA512 12d8d94e58bd0c574d1b115cbe7903bd7219ea1d641e4d8016aa9b78e3bbed763980554ec1fed1f04518e3c6df036b4a048d39818be58084d7ac41064f16fe7d

C:\Program Files\7-Zip\Lang\kaa.txt.tmp

MD5 7c235340d8e17f63147bf624c62f41a0
SHA1 bbdd1a2236bfb1c434326c8cd2d17168b81708ab
SHA256 28da7f2dbb277c1b9d3734f9c2737bec618314851ff61946ad1c545e4bd0e8a9
SHA512 40ab79c40fe2de46e8253f1c7807874956a7b102df4096558ebf39aeac1242a33831d821275367971b3def27e964990300ca571d16970469d4155609467f2666

C:\Program Files\7-Zip\Lang\kab.txt.tmp

MD5 ef4c2914df5fb70ecaadb2743684ddf9
SHA1 a01a0d094693bbd830e11c7f5f75c4f00c5b8a51
SHA256 a6c67af3e384d8d5a7a8d76b790d80649b473a38dee564b92159f3e8691a39ef
SHA512 a10dea7d8dc55a8edda39b9fddd60344c9a912a6c70a1b75e4cc8949b8ef0f5a05b8e301c772b49b0b22413cc433602b68a467891d5fdb99e56a46394527b5ac

C:\Program Files\7-Zip\Lang\kk.txt.tmp

MD5 f96dfcd17632257c31384fc698c6e84a
SHA1 f0c10edde838783cd25e5ae4ff9f88f297a9dd71
SHA256 7c737da6d0d6f037c8091f131fdb2858e5b5a55b221aa523c6a33eab77579b64
SHA512 fb522b7b0493523d217a341502004a6f6c70a0b79e161c86e169b2ef95a42cfbeae9bbfcc3e9aad761f9fd617fd57a357c16e8b6cdcbc47d44fbc849568a66c4

C:\Program Files\7-Zip\Lang\ko.txt.tmp

MD5 79539a4a0b49718999d22a0968f31f22
SHA1 6707d3a4192015c5bf26547647da88bbe8d8e538
SHA256 c8aaaa657112a67c05e09e49a4ffa6d935a188c0e456798d816315df52c19622
SHA512 930223879432dc7826fa9ef350555f47ffaf58bcc024926d878f5f15a6344be0d960eb135cb280c5646c0772b2e6f111e99d0e859069c24d16a258a65c207736

C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp

MD5 4d644d4408382e751f89ab1c02fcc773
SHA1 ab1e281246ecb4cf872181a7912657a06ab359ba
SHA256 8aee214721de083b3eaae3c8908421a417ad860397b876431624828f4942a12e
SHA512 bf19ae8b58f800a64fc705522859d5edee3678620e090d70b0826696c2ed6bcd15fc90220c3cb4ffa2fed8af824c71b6e9c1c5d54b00f8f85f41bbe5a837f200

C:\Program Files\7-Zip\Lang\ky.txt.tmp

MD5 138257971ad707f8435007bcfc5f16bb
SHA1 f0f1df6692385da0f0067d53f378f41f31603ffd
SHA256 73bf350300595fdad8c8f5b2aa66fe7dd3381b24fb62912791d9306442590a2c
SHA512 9809c5d975daf564378574523dca124201036ec447f5d3bda97bd6e58461a14223abb9fb4c11e13ee2cd757d9b0a2d5bf8b2dcbfc9b5bce52b57d7115fb17326

C:\Program Files\7-Zip\Lang\lij.txt.tmp

MD5 843172a0527b79c22f72b956dbb7fdf3
SHA1 23ef994b0a1e32d28d637cd01504601689adf3d3
SHA256 fc4df7986346b905526ae71ba76a6114dda778f9978a7559f8373c611bc84e10
SHA512 226221e8f1217b006c0ed1a8e66dbf792031a7ea14ec08fba1915a91e9d15caf9084063bdd056dd337d92cb31e4334b08c78e27a6026358489c2ccd2cf90aeac

C:\Program Files\7-Zip\Lang\lt.txt.tmp

MD5 7c9497a86a97cb14d4f306d583418a15
SHA1 e17722d0ae51a4607fcbb03ffae3098ddf27eff7
SHA256 dc2275c035057b71bc96753f0787d72dac0ac5024a64844d8e6b02b1a080bd69
SHA512 77bf3facb0f6f58c24ff99e68e3343aa85803364dabf6b48cc3157a10c4bdd678fe338c24533cbc2c1c0d1da10ce38a210f41e318a116e7a17fa3bf85041779c

C:\Program Files\7-Zip\Lang\lv.txt.tmp

MD5 0030ee34fd45647731192dbcb135d4bd
SHA1 fb734026e8735c5fca153971cce8045af725b433
SHA256 49c30a2efe65bcbe4fe9e8990ad84ad245562de551fc71f856719b2dcd0e58d4
SHA512 a55ef2277afc161500ec9765f60097e92863fcb0d680ccf2f3266eb804bea423d079fa0f50ef080f54756b7ece3c50d2a90698e1c113bae04a4c742266c68fa8

C:\Program Files\7-Zip\Lang\mn.txt.tmp

MD5 0ce5c5999a86365227afaf5af988e474
SHA1 bc172d52e7c61d0533d8cb6f44acd5009b92ac09
SHA256 b88f10335c7055832795f77b55ccfebc654efaa4d89b5d671d33ba9a4f7252ad
SHA512 5114def5a2d2263b89ac4f8b47f5bf64d86457e9335e960c9214334432088b69d81d5ce912f82e5e5c1b16448a257e0d2af1c5b4e30c5fd56800153290a6b9c7

C:\Program Files\7-Zip\Lang\mng.txt.tmp

MD5 ce3a7430ed75666078f3f48e192528f2
SHA1 3df399be9c037f063fa4b109c1aa6e14ed3adc41
SHA256 df0acb3654ce1bf12793aa7f84d01f0a00048e924caad75693a339f255a2346d
SHA512 052b60b2cba43b4b4be1f90dd05ca4808f009ec6712784c4662b95ea3b248454beb9da1aac5440e8babaf05bc76ff5d596f399284857e11d638aa1df289ad0fd

C:\Program Files\7-Zip\Lang\mng2.txt.tmp

MD5 7ed1c5738ec1ca46b0dbb4f03a24a217
SHA1 61da44e95d6b97ecd2be6729e620f4798a9c1938
SHA256 9a7933ba872d6307a532ea80b1c1b76f0bfc0ca3ec710f8b6e7b532a56699cf2
SHA512 6d3065672f3e6adc3f5c8fe483798bcc80ed3f618c6ff54137369e127feedd0f0bae84ab51e466c0f697a69223e6058188e3d17fa1ef7b57b9c2671e77c490a0

C:\Program Files\7-Zip\Lang\ms.txt.tmp

MD5 11cb29443c3e32e6a8b30379d745124a
SHA1 b08b841186176952436010a8c821beb51daa9b27
SHA256 07130eedda4d9fa467de7680d350f08fb18f22f7c9c222440a614537b42ebaca
SHA512 3a2ed60e886399341f80719ae678b2dcc355a557e309be76c9db07e095328ec1f9e3141d2a42857426e07c0a47ad2a49b5a0d5fe9b70747c651cfb3af480f428

C:\Program Files\7-Zip\Lang\nb.txt.tmp

MD5 21cb8a71f65869d70a2865b65fec821e
SHA1 32dfb0ba48168e9a39f723e0742d7b684665c3b7
SHA256 a4bdaa4820e9e2aa27578ee29ea3b135a2aae8219d3ad78160131f1e0fcb284d
SHA512 31bb19ab1e74088b2a5c8c92ebc123cb2feecf889e22542800416be61cbfc0e66773d2d7a3c2c18c30afa0fbe60df0eba3a4ce7e86bd507e1cd0514a0f7e1dc0

C:\Program Files\7-Zip\Lang\ne.txt.tmp

MD5 4a187d71ba1ab00e39ccae1deca23234
SHA1 2b3015c13c840095aaf03d67d0523680487936f1
SHA256 f88a258122d07493dc7847bfb593016548895285cb62c7163c51e30d4f488ebd
SHA512 eb1f3ff948cb2533e33e47054e8e21eb03cff184d1d67be0dd7c449486830a1bcf4e7d0b2b628fc4e6a36b720cbd8b27f17b9e31c6fcade05757b3e317f7f19f

C:\Program Files\7-Zip\Lang\nn.txt.tmp

MD5 bd8a89528647ec0d1bcfd425783378bc
SHA1 90fe50ae980e54b87522badd1a44dcaa8debe8f7
SHA256 132d79e0a839101c532aca702e3409c19c620a694800ad333e8ac10a87a24efc
SHA512 1278072d3dcfd86bc78a85bea6ff032841ed821a510e893a05b5915b928e16338fecf4d995f10eae04db4d0a6fc70683052fcb21bc7ed3c9dde51eeb63b42a37

C:\Program Files\7-Zip\Lang\pa-in.txt.tmp

MD5 d9624e10fb99e9a9060234fe34834766
SHA1 278ddd0ab9c0d5e754911f030203d1fcb434c1c5
SHA256 5225001dd969dc0bec5aef777f782daf2a373c12f72c26a08693d2b2edaebd63
SHA512 53111f81d3df9aee3d1c4e942adab782d2f7702707521a31bdd50ec3e51ce2677b1933357e26d7201607803ed67db3dc47f5814ee0c1bb0bd59fa36a1fb66fac

C:\Program Files\7-Zip\Lang\pt-br.txt.tmp

MD5 fda2f765a5c3865eb16f82c8ed76acba
SHA1 1507b7001ba4ba0897ad6b94a7aab27afd33e7a0
SHA256 0811c3fdeebe8e59d89344ded423bb68757ecbd1f13ea4edfce47b81c822ca8f
SHA512 230fe74d1400e46844ff3c4951be6534298eea9dd584e65066aea7c1c75777b81c46ec8843399ca539d854cf03c4b7b681ad3bc18942551164df4859b8bfefdf

C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp

MD5 027c82e68d5cf90935b550800829dfa9
SHA1 be64463232e26b966db752aaa4d5f8ce792e10e0
SHA256 3261d70af34375b43759ec8f66a93e609e8b45af22df40c1ec0c34324ab66783
SHA512 b83622d015fb9b9a8c73b262e333e0e5ff49873befcbc7f47bd2d1c933ad2b03ba6ae75af4f4e648f9b86d5accbf18bfe76c846cdf4274e613d3e19315201567